Atadiusti Posted May 4, 2012 ID:548781

On Friday the 27th, I obtained a NetGear router that would allow me regular use of the internet, which I had not had access to for a year or so (for the past half year I'd had times where I could borrow use of the internet by switching the ethernet cable connected to the basic hub for a few hours on some weekdays). Yay!

Except, after setup was complete, Internet Explorer started opening unbidden (I use Chrome); the sounds of adverts began playing from no discernible source, even when all browsers were closed; when I tried searching on my browser of choice, I got strange redirects, including to a site called happili. I ran a full scan of MWB, and found a huge mess of malware. Since the initial removal and restart, the redirects and phantom ads continue, along with infrequent pop-up tabs.

It seems that there are three files of malware that the removal software detects but consistently fails to remove, including certstore.dat, after 8 failed attempts. I even temporarily deactivated System Restore, to see if that could fix the problem. I also tried to delete the detected files manually from my System32 folder. No such luck though, as I couldn't find them.

I run Windows 7 (x32).

I am currently running another full scan, the log of which I will soon post to this topic so that I may get better assistance.
Elise Posted May 5, 2012 ID:548910

Hello and welcome. We need to see some information about what is happening in your machine. Please perform the following scan:

Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.scr
DDS.pif

* Double click on the DDS icon, allow it to run.
* A small box will open, with an explanation about the tool. No input is needed, the scan is running.
* Notepad will open with the results.
* Follow the instructions that pop up for posting the results.
* Close the program window, and delete the program from your desktop.

Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet. Information on A/V control HERE
Atadiusti (Author) Posted May 5, 2012 ID:548966

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.7600.16385  BrowserJavaVersion: 1.6.0_31
Run by Joe at 8:47:48 on 2012-05-05
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\nvvsvc.exe
C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Nexon\Mabinogi\npkcmsvc.exe
C:\Windows\system32\PnkBstrA.exe
C:\Program Files\VERIZONDM\bin\sprtsvc.exe
C:\Windows\System32\PAStiSvc.exe
C:\Windows\system32\Wacom_Tablet.exe
C:\Program Files\VERIZONDM\bin\tgsrvc.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskhost.exe
C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Aeria Games\Ignite\aeriaignite.exe
C:\Users\Joe\AppData\Local\Akamai\netsession_win.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Users\Joe\AppData\Local\Akamai\netsession_win.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.exe
C:\Windows\system32\WTablet\Wacom_TabletUser.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.BIN
C:\Windows\system32\Wacom_Tablet.exe
C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe
C:\Users\Joe\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Joe\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Joe\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Joe\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Joe\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Joe\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Joe\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Joe\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Joe\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\rundll32.exe
C:\Users\Joe\AppData\Local\Google\Chrome\Application\chrome.exe
C:\ProgramData\Ql4JYIqF.exe
C:\Program Files\BitTorrentBar\BitTorrentBarToolbarHelper1.exe
C:\Program Files\BitTorrentBar\BitTorrentBarToolbarHelper1.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\ProgramData\Ql4JYIqF.exe
C:\ProgramData\Ql4JYIqF.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\ProgramData\Ql4JYIqF.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Users\Joe\Downloads\dds.scr
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Windows\system32\conhost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\svchost.exe -k Akamai
C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT2790392
mDefault_Page_URL = hxxp://www.yahoo.com
mDefault_Search_URL = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
mSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
mStart Page = hxxp://www.yahoo.com
uInternet Settings,ProxyOverride = <local>;127.0.0.1:9421;
uURLSearchHooks: BitTorrentBar Toolbar: {88c7f2aa-f93f-432c-8f0e-b7d85967a527} - c:\program files\bittorrentbar\prxtbBit2.dll
uURLSearchHooks: YTNavAssist.YTNavAssistPlugin Class: {81017ea9-9aa8-4a6a-9734-7af40e7d593f} - c:\program files\yahoo!\companion\installs\cpn1\YTNavAssist.dll
mURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll
mURLSearchHooks: BitTorrentBar Toolbar: {88c7f2aa-f93f-432c-8f0e-b7d85967a527} - c:\program files\bittorrentbar\prxtbBit2.dll
mURLSearchHooks: YTNavAssist.YTNavAssistPlugin Class: {81017ea9-9aa8-4a6a-9734-7af40e7d593f} - c:\program files\yahoo!\companion\installs\cpn1\YTNavAssist.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
BHO: HP Print Clips: {053f9267-dc04-4294-a72c-58f732d338c0} - c:\program files\hp\smart web printing\hpswp_framework.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Java Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: BitTorrentBar Toolbar: {88c7f2aa-f93f-432c-8f0e-b7d85967a527} - c:\program files\bittorrentbar\prxtbBit2.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: AIM Toolbar Loader: {b0cda128-b425-4eef-a174-61a11ac5dbf8} - c:\program files\aim toolbar\aimtb.dll
BHO: Digsby Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn1\YTSingleInstance.dll
TB: AIM Toolbar: {61539ecd-cc67-4437-a03c-9aaccbd14326} - c:\program files\aim toolbar\aimtb.dll
TB: Digsby Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
TB: BitTorrentBar Toolbar: {88c7f2aa-f93f-432c-8f0e-b7d85967a527} - c:\program files\bittorrentbar\prxtbBit2.dll
uRun: [Google Update] "c:\users\joe\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [Akamai NetSession Interface] "c:\users\joe\appdata\local\akamai\netsession_win.exe"
mRun: [RtHDVCpl] c:\program files\realtek\audio\hda\RtHDVCpl.exe -s
mRun: [JMB36X IDE Setup] c:\windows\raidtool\xInsIDE.exe
mRun: [amd_dc_opt] c:\program files\amd\dual-core optimizer\amd_dc_opt.exe
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Aeria Ignite] "c:\program files\aeria games\ignite\aeriaignite.exe" silent
dRunOnce: [DeleteEngineAfterUpdate] reg DELETE HKCU\Software\AppDataLow\Software\ConduitEngine /f
dRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil32_11_2_202_233_ActiveX.exe -update activex
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {0b83c99c-1efa-4259-858f-bcb33e007a5b} - {61539ecd-cc67-4437-a03c-9aaccbd14326} - c:\program files\aim toolbar\aimtb.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {58ECB495-38F0-49cb-A538-10282ABF65E7} - {E763472E-A716-4CD9-89BD-DBDA6122F741} - c:\program files\hp\smart web printing\hpswp_extensions.dll
IE: {700259D7-1666-479a-93B1-3250410481E8} - {A93C41D8-01F8-4F8B-B14C-DE20B117E636} - c:\program files\hp\smart web printing\hpswp_extensions.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
LSP: mswsock.dll
DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
TCP: DhcpNameServer = 75.75.75.75 75.75.76.76 192.168.1.1
TCP: Interfaces\{44F3AB13-1297-40C7-8E68-E203D7354F59} : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{632B37AB-1325-4084-B62A-3289036BB088} : DhcpNameServer = 75.75.75.75 75.75.76.76 192.168.1.1
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
SEH: {3711EEB0-1851-42C2-9ABD-C29470A5035C} - No File
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\joe\appdata\roaming\mozilla\firefox\profiles\j83zomwi.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2790392&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.startup.homepage - hxxp://search.conduit.com/?ctid=CT2790392&SearchSource=13
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 59374
FF - prefs.js: network.proxy.type - 0
FF - component: c:\program files\mozilla firefox\extensions\{82af8dca-6de9-405d-bd5e-43525bdad38a}\components\SkypeFfComponent.dll
FF - component: c:\users\joe\appdata\roaming\mozilla\firefox\profiles\j83zomwi.default\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}\components\XPATLCOM.dll
FF - component: c:\users\joe\appdata\roaming\mozilla\firefox\profiles\j83zomwi.default\extensions\{88c7f2aa-f93f-432c-8f0e-b7d85967a527}\components\RadioWMPCoreGecko19.dll
FF - component: c:\users\joe\appdata\roaming\mozilla\firefox\profiles\j83zomwi.default\extensions\engine@conduit.com\components\RadioWMPCoreGecko19.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll
FF - plugin: c:\program files\nvidia corporation\3d vision\npnv3dv.dll
FF - plugin: c:\program files\nvidia corporation\3d vision\npnv3dvstreaming.dll
FF - plugin: c:\program files\pando networks\media booster\npPandoWebPlugin.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\programdata\nexonus\ngm\npNxGameUS.dll
FF - plugin: c:\users\joe\appdata\local\google\update\1.3.21.69\npGoogleUpdate3.dll
FF - plugin: c:\users\joe\appdata\locallow\unity\webplayer\loader\npUnity3D32.dll
FF - plugin: c:\windows\system32\npOGPPlugin.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - Ext: Skype extension: {82AF8DCA-6DE9-405D-BD5E-43525BDAD38A} - c:\program files\mozilla firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Conduit Engine : engine@conduit.com - %profile%\extensions\engine@conduit.com
FF - Ext: BitTorrentBar Community Toolbar: {88c7f2aa-f93f-432c-8f0e-b7d85967a527} - %profile%\extensions\{88c7f2aa-f93f-432c-8f0e-b7d85967a527}
FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - %profile%\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
.
---- FIREFOX POLICIES ----
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
.
============= SERVICES / DRIVERS ===============
.
R? AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service
R? apf001;apf001
R? b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0
R? bwnd;bwnd
R? DNIMp50;DNIMp50 NDIS Protocol Driver
R? DNISp50;DNISp50 NDIS Protocol Driver
R? EagleXNt;EagleXNt
R? ncvet.dll;ncvet.dll
R? NEC Usb3;NEC USB3 Service
R? npggsvc;nProtect GameGuard Service
R? PAC7311;Trust Webcam 14839
R? VST_DPV;VST_DPV
R? VSTHWBS2;VSTHWBS2
R? WatAdminSvc;Windows Activation Technologies Service
R? WNDA3100;NETGEAR WNDA3100 USB2.0 Wireless Card Service
R? XDva285;XDva285
R? XDva349;XDva349
S? Akamai;Akamai NetSession Interface
S? Ext2fs;Ext2fs
S? IfsMount;IfsMount
S? MBAMSwissArmy;MBAMSwissArmy
S? NVHDA;Service for NVIDIA High Definition Audio Driver
S? nvUpdatusService;NVIDIA Update Service Daemon
S? SBSDWSCService;SBSD Security Center Service
S? sprtsvc_verizondm;SupportSoft Sprocket Service (verizondm)
S? Stereo Service;NVIDIA Stereoscopic 3D Driver Service
S? TabletServiceWacom;TabletServiceWacom
S? tgsrvc_verizondm;SupportSoft Repair Service (verizondm)
S? usbfilter;AMD USB Filter Driver
S? Viewpoint Manager Service;Viewpoint Manager Service
.
=============== Created Last 30 ================
.
2012-05-04 16:02:01 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2012-05-04 04:59:53 12920 ----a-w- c:\windows\system32\apl001.sys
2012-05-04 04:59:53 10872 ----a-w- c:\windows\system32\apf001.sys
2012-04-29 23:10:31 -------- d-----w- c:\program files\Atlus Online
2012-04-29 22:49:16 -------- d-----w- c:\users\joe\appdata\local\PMB Files
2012-04-29 22:49:15 -------- d-----w- c:\programdata\PMB Files
2012-04-29 22:00:49 -------- d-----w- c:\users\joe\appdata\local\Aeria Games
2012-04-29 22:00:08 -------- d-----w- c:\programdata\Aeria Games
2012-04-29 21:07:04 -------- d-sh--w- c:\windows\system32\AI_RecycleBin
2012-04-29 21:06:53 -------- d-----w- c:\program files\Aeria Games
2012-04-28 01:41:59 -------- d-----w- C:\e
2012-04-28 01:32:44 88064 ----a-w- c:\programdata\Ql4JYIqF.exe
2012-04-27 16:22:31 57344 ----a-w- c:\windows\system32\FastUv32.dll
2012-04-27 12:37:34 -------- d-----w- C:\Data
2012-04-27 12:22:40 88064 ----a-w- c:\programdata\E027A1A4.exe
2012-04-27 11:52:47 -------- d-----w- c:\program files\Cisco Systems
2012-04-27 11:46:15 -------- d-----w- c:\programdata\Cisco Systems
2012-04-25 20:11:15 -------- d-----w- c:\program files\THQ
2012-04-25 13:56:08 0 --sha-w- c:\windows\system32\dds_trash_log.cmd
2012-04-25 13:55:57 419488 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-04-23 14:23:48 2515790 ----a-w- c:\windows\system32\nvcoproc.bin
2012-04-23 13:16:54 -------- d-----w- c:\programdata\Battle.net
2012-04-18 21:03:39 -------- d-----w- c:\program files\Wild Tangent
2012-04-06 15:22:18 -------- d-----w- c:\users\joe\appdata\roaming\calibre
2012-04-06 15:22:06 -------- d-----w- c:\program files\Calibre2
.
==================== Find3M ====================
.
2012-05-04 20:16:02 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-04-04 19:56:40 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-04-01 14:56:21 249856 ------w- c:\windows\Setup1.exe
2012-04-01 14:56:20 73216 ----a-w- c:\windows\ST6UNST.EXE
2012-03-23 14:46:21 472808 ----a-w- c:\windows\system32\deployJava1.dll
2012-03-09 23:27:17 94208 ----a-w- c:\windows\DIIUnin.exe
2012-03-09 23:27:17 2829 ----a-w- c:\windows\DIIUnin.pif
2012-02-29 20:56:41 3881792 ----a-w- c:\windows\system32\nvcpl.dll
2012-02-29 20:55:16 2719040 ----a-w- c:\windows\system32\nvsvc.dll
2012-02-29 20:53:47 108352 ----a-w- c:\windows\system32\nvmctray.dll
2012-02-29 20:53:46 645440 ----a-w- c:\windows\system32\nvvsvc.exe
2012-02-29 20:53:46 62272 ----a-w- c:\windows\system32\nvshext.dll
2012-02-29 17:26:56 416064 ----a-w- c:\windows\system32\nvStreaming.exe
.
============= FINISH: 8:52:07.43 ===============
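The log above carries the indicators a triage reader keys on before any tool is run: an IE ProxyOverride entry and a Firefox network.proxy.http pref both pointing at 127.0.0.1 (local ad-injecting proxy), a Hosts line sending a security site to loopback, orphaned "No File" BHO/SEH registrations, and two same-sized executables with random names dropped straight into c:\programdata. The script below is an added example for this thread, not DDS's, Malwarebytes' or the helper's own tooling; it parses those DDS line formats from a constructed sample taken from the posted log and buckets the findings. The "ProgramData root" rule and the 8-character random-name heuristic are assumptions, and the Firefox check reports whether network.proxy.type actually enables the configured proxy, which in the posted log it does not.

```python
"""Triage helper for a DDS log of the kind posted above.

Added example for this thread; not DDS's, Malwarebytes' or the helper's own
tooling.  It flags the indicator classes visible in the posted log: browser
proxy settings pointing at 127.0.0.1, orphaned ("No File") BHO/SEH entries,
Hosts-file overrides, and recently created executables with random-looking
names dropped straight into c:\\programdata.  The random-name heuristic and the
"ProgramData root" rule are assumptions, not DDS conventions.
"""
import re
from collections import defaultdict

# Constructed sample: lines copied from the DDS log posted in this thread.
SAMPLE_DDS_LOG = r"""
uStart Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT2790392
uInternet Settings,ProxyOverride = <local>;127.0.0.1:9421;
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Java Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
SEH: {3711EEB0-1851-42C2-9ABD-C29470A5035C} - No File
Hosts: 127.0.0.1 www.spywareinfo.com
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 59374
FF - prefs.js: network.proxy.type - 0
2012-04-28 01:32:44 88064 ----a-w- c:\programdata\Ql4JYIqF.exe
2012-04-27 12:22:40 88064 ----a-w- c:\programdata\E027A1A4.exe
2012-04-27 11:52:47 -------- d-----w- c:\programdata\Cisco Systems
2012-04-25 13:55:57 419488 ----a-w- c:\windows\system32\FlashPlayerApp.exe
"""

PROXY_OVERRIDE_RE = re.compile(r"ProxyOverride\s*=\s*(?P<val>\S+)", re.I)
FF_PROXY_RE = re.compile(r"^FF - prefs\.js: (?P<key>network\.proxy\.\w+) - (?P<val>\S+)$")
HOSTS_RE = re.compile(r"^Hosts:\s+(?P<ip>\S+)\s+(?P<host>\S+)")
NOFILE_RE = re.compile(r"^(?P<kind>BHO|SEH|TB):\s*(?P<clsid>\{[0-9A-Fa-f-]+\})\s+-\s+No File$")
CREATED_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(?P<size>\d+)\s+\S+\s+(?P<path>\S.*\S)$")
EXEC_EXT = (".exe", ".dll", ".sys", ".scr", ".pif", ".cmd")
# Firefox network.proxy.type: 0 = direct, 1 = manual, 2 = PAC, 4 = auto-detect, 5 = system.
FF_MANUAL_PROXY = "1"


def looks_random(stem: str) -> bool:
    """Assumed heuristic: exactly 8 alphanumerics mixing letters and digits
    (Ql4JYIqF, E027A1A4).  Vendor names such as FlashPlayerApp fail it."""
    return (re.fullmatch(r"[A-Za-z0-9]{8}", stem) is not None
            and any(c.isdigit() for c in stem)
            and any(c.isalpha() for c in stem))


def triage(log_text: str) -> dict:
    """Walk the log once and bucket the suspicious lines by indicator class."""
    out = {"proxy": [], "orphans": [], "hosts": [], "new_executables": [], "same_size": {}}
    ff_prefs = {}
    by_size = defaultdict(list)
    for line in (raw.strip() for raw in log_text.splitlines()):
        if not line:
            continue
        if (m := PROXY_OVERRIDE_RE.search(line)):
            # ProxyOverride is IE's bypass list; a 127.0.0.1:<port> entry is what
            # ad-injecting local proxies add so their own listener stays reachable.
            # ProxyServer itself is not in this log, so "active" is unknown here.
            if "127.0.0.1" in m["val"] or "localhost" in m["val"].lower():
                out["proxy"].append({"browser": "IE", "setting": "ProxyOverride",
                                     "value": m["val"], "active": None})
        elif (m := FF_PROXY_RE.match(line)):
            ff_prefs[m["key"]] = m["val"]
        elif (m := HOSTS_RE.match(line)):
            # DDS prints non-default Hosts entries; a security site mapped to
            # loopback is the classic "block the cleanup sites" trick.
            out["hosts"].append((m["ip"], m["host"]))
        elif (m := NOFILE_RE.match(line)):
            # A CLSID registered with no backing file: usually what a removal
            # tool leaves behind.  Low priority, but it should be cleaned up.
            out["orphans"].append({"kind": m["kind"], "clsid": m["clsid"]})
        elif (m := CREATED_RE.match(line)):
            path = m["path"]
            if not path.lower().endswith(EXEC_EXT):
                continue
            parent, _, name = path.rpartition("\\")
            stem = name.rsplit(".", 1)[0]
            reasons = []
            if parent.lower() == r"c:\programdata":
                reasons.append("executable dropped directly in the ProgramData root")
            if looks_random(stem):
                reasons.append("random-looking 8-character name")
            if reasons:
                size = int(m["size"])
                out["new_executables"].append({"path": path, "size": size,
                                               "created": m["ts"], "reasons": reasons})
                by_size[size].append(path)
    if "network.proxy.http" in ff_prefs:
        # The proxy host can be set while network.proxy.type still says "direct";
        # report both so the reader knows whether Firefox is using it right now.
        out["proxy"].append({"browser": "Firefox", "setting": "network.proxy.http",
                             "value": ff_prefs["network.proxy.http"],
                             "port": ff_prefs.get("network.proxy.http_port"),
                             "active": ff_prefs.get("network.proxy.type") == FF_MANUAL_PROXY})
    # Identical sizes under different random names point at one dropper re-creating itself.
    out["same_size"] = {s: p for s, p in by_size.items() if len(p) > 1}
    return out


if __name__ == "__main__":
    for bucket, items in triage(SAMPLE_DDS_LOG).items():
        print(f"{bucket}: {items}")
```

Run against the sample, it reports both proxy settings (Firefox's flagged as configured but inactive because network.proxy.type is 0), the spywareinfo.com Hosts override, the two orphaned CLSIDs, and Ql4JYIqF.exe and E027A1A4.exe as same-sized drops in the ProgramData root, while ignoring FlashPlayerApp.exe and the Cisco Systems directory. Treat the output as a reading aid for the log, not a verdict; the process list and services sections still need a human eye.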
Elise Posted May 5, 2012 ID:548969

Unfortunately you have a nasty rootkit infection. Please read the following information first.

BACKDOOR WARNING
------------------------------
One or more of the identified infections is known to use a backdoor. This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advise you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC, or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and can be killed, because of its backdoor functionality your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:
How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.

P2P WARNING
-------------------
Going over your logs I noticed that you have BitTorrent installed. Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs. They are a security risk which can make your computer susceptible to a wide variety of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites. Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users. The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications.

It is pretty much certain that if you continue to use P2P programs, you will get infected again. I would recommend that you uninstall BitTorrent, however that choice is up to you. If you choose to remove these programs, you can do so via Start > Control Panel > Add/Remove Programs. If you wish to keep it, please do not use it until your computer is cleaned.

COMBOFIX
---------------
Please download ComboFix from one of these locations:
Bleepingcomputer
ForoSpyware

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)

Double click on Combofix.exe and follow the prompts.

As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\Combofix.txt in your next reply.
Maurice Naggar Posted June 10, 2012 ID:559150

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread. Thanks!