Malware that just won't go away

On Friday the 27th, I obtained a NetGear router that would allow me regular use of the internet which I had not had access to for a year or so (For the past half year I'd had times where I could borrow use of the internet by switching the ethernet cable connected to the basic hub for a few hours on some weekdays). Yay!

Except after setup was complete, Internet Explorer started opening unbidden (I use Chrome); the sounds of adverts began playing from no discernible source, even when all browsers were closed; when I tried searching on my browser of choice, I got strange redirects, including to a site called happili. I ran a full scan of MWB, and found a huge mess of malware. Since the initial removal and restart, the redirects and phantom ads continue, along with infrequent pop-up tabs.

It seems that there are three files of malware that the removal software detects but consistently fails to remove, including certstore.dat, after 8 failed attempts. I even temporarily deactivated system restore, to see if that could fix the problem. I also tried to delete the detected files manually from my System32 folder. No such luck though, as I couldn't find them.

I run Windows 7 (x32)

I am currently running another full scan, the log of which I will soon furnish to this topic so that I may get better assistance.

Hello and welcome.

We need to see some information about what is happening in your machine. Please perform the following scan:

  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.

Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_31

Run by Joe at 8:47:48 on 2012-05-05


============== Running Processes ===============





C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe

C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe



C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

c:\Program Files\Common Files\LightScribe\LSSrvc.exe



C:\Program Files\VERIZONDM\bin\sprtsvc.exe



C:\Program Files\VERIZONDM\bin\tgsrvc.exe

C:\Program Files\Viewpoint\Common\ViewpointService.exe

c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe

c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe





C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\Aeria Games\Ignite\aeriaignite.exe



C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE


C:\Program Files\OpenOffice.org 2.3\program\soffice.exe


C:\Program Files\OpenOffice.org 2.3\program\soffice.BIN


C:\Program Files\NVIDIA Corporation\Display\nvtray.exe

C:\Program Files\Windows Media Player\wmpnetwk.exe


C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe













C:\Program Files\BitTorrentBar\BitTorrentBarToolbarHelper1.exe

C:\Program Files\BitTorrentBar\BitTorrentBarToolbarHelper1.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE








C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Internet Explorer\IEXPLORE.EXE


C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Internet Explorer\IEXPLORE.EXE


C:\Program Files\Internet Explorer\IEXPLORE.EXE


C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\svchost.exe -k RPCSS

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\System32\svchost.exe -k Akamai

C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Windows\system32\svchost.exe -k hpdevmgmt

C:\Windows\system32\svchost.exe -k imgsvc

C:\Windows\System32\svchost.exe -k LocalServicePeerNet


============== Pseudo HJT Report ===============


uStart Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT2790392

mDefault_Page_URL = hxxp://www.yahoo.com

mDefault_Search_URL = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com

mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html

mSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com

mStart Page = hxxp://www.yahoo.com

uInternet Settings,ProxyOverride = <local>;;

uURLSearchHooks: BitTorrentBar Toolbar: {88c7f2aa-f93f-432c-8f0e-b7d85967a527} - c:\program files\bittorrentbar\prxtbBit2.dll

uURLSearchHooks: YTNavAssist.YTNavAssistPlugin Class: {81017ea9-9aa8-4a6a-9734-7af40e7d593f} - c:\program files\yahoo!\companion\installs\cpn1\YTNavAssist.dll

mURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll

mURLSearchHooks: BitTorrentBar Toolbar: {88c7f2aa-f93f-432c-8f0e-b7d85967a527} - c:\program files\bittorrentbar\prxtbBit2.dll

mURLSearchHooks: YTNavAssist.YTNavAssistPlugin Class: {81017ea9-9aa8-4a6a-9734-7af40e7d593f} - c:\program files\yahoo!\companion\installs\cpn1\YTNavAssist.dll

BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll

BHO: HP Print Clips: {053f9267-dc04-4294-a72c-58f732d338c0} - c:\program files\hp\smart web printing\hpswp_framework.dll

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll

BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File

BHO: Java Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll

BHO: BitTorrentBar Toolbar: {88c7f2aa-f93f-432c-8f0e-b7d85967a527} - c:\program files\bittorrentbar\prxtbBit2.dll

BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

BHO: AIM Toolbar Loader: {b0cda128-b425-4eef-a174-61a11ac5dbf8} - c:\program files\aim toolbar\aimtb.dll

BHO: Digsby Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn1\YTSingleInstance.dll

TB: AIM Toolbar: {61539ecd-cc67-4437-a03c-9aaccbd14326} - c:\program files\aim toolbar\aimtb.dll

TB: Digsby Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll

TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll

TB: BitTorrentBar Toolbar: {88c7f2aa-f93f-432c-8f0e-b7d85967a527} - c:\program files\bittorrentbar\prxtbBit2.dll

uRun: [Google Update] "c:\users\joe\appdata\local\google\update\GoogleUpdate.exe" /c

uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background

uRun: [Akamai NetSession Interface] "c:\users\joe\appdata\local\akamai\netsession_win.exe"

mRun: [RtHDVCpl] c:\program files\realtek\audio\hda\RtHDVCpl.exe -s

mRun: [JMB36X IDE Setup] c:\windows\raidtool\xInsIDE.exe

mRun: [amd_dc_opt] c:\program files\amd\dual-core optimizer\amd_dc_opt.exe

mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript

mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [Aeria Ignite] "c:\program files\aeria games\ignite\aeriaignite.exe" silent

dRunOnce: [DeleteEngineAfterUpdate] reg DELETE HKCU\Software\AppDataLow\Software\ConduitEngine /f

dRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil32_11_2_202_233_ActiveX.exe -update activex

mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)

mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000

IE: {0b83c99c-1efa-4259-858f-bcb33e007a5b} - {61539ecd-cc67-4437-a03c-9aaccbd14326} - c:\program files\aim toolbar\aimtb.dll

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll

IE: {58ECB495-38F0-49cb-A538-10282ABF65E7} - {E763472E-A716-4CD9-89BD-DBDA6122F741} - c:\program files\hp\smart web printing\hpswp_extensions.dll

IE: {700259D7-1666-479a-93B1-3250410481E8} - {A93C41D8-01F8-4F8B-B14C-DE20B117E636} - c:\program files\hp\smart web printing\hpswp_extensions.dll

IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll

LSP: mswsock.dll

DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab

DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab

DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab

TCP: DhcpNameServer =

TCP: Interfaces\{44F3AB13-1297-40C7-8E68-E203D7354F59} : DhcpNameServer =

TCP: Interfaces\{632B37AB-1325-4084-B62A-3289036BB088} : DhcpNameServer =

Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

SEH: {3711EEB0-1851-42C2-9ABD-C29470A5035C} - No File

Hosts: www.spywareinfo.com


================= FIREFOX ===================


FF - ProfilePath - c:\users\joe\appdata\roaming\mozilla\firefox\profiles\j83zomwi.default\

FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2790392&SearchSource=3&q={searchTerms}

FF - prefs.js: browser.startup.homepage - hxxp://search.conduit.com/?ctid=CT2790392&SearchSource=13

FF - prefs.js: network.proxy.http -

FF - prefs.js: network.proxy.http_port - 59374

FF - prefs.js: network.proxy.type - 0

FF - component: c:\program files\mozilla firefox\extensions\{82af8dca-6de9-405d-bd5e-43525bdad38a}\components\SkypeFfComponent.dll

FF - component: c:\users\joe\appdata\roaming\mozilla\firefox\profiles\j83zomwi.default\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}\components\XPATLCOM.dll

FF - component: c:\users\joe\appdata\roaming\mozilla\firefox\profiles\j83zomwi.default\extensions\{88c7f2aa-f93f-432c-8f0e-b7d85967a527}\components\RadioWMPCoreGecko19.dll

FF - component: c:\users\joe\appdata\roaming\mozilla\firefox\profiles\j83zomwi.default\extensions\engine@conduit.com\components\RadioWMPCoreGecko19.dll

FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll

FF - plugin: c:\program files\nvidia corporation\3d vision\npnv3dv.dll

FF - plugin: c:\program files\nvidia corporation\3d vision\npnv3dvstreaming.dll

FF - plugin: c:\program files\pando networks\media booster\npPandoWebPlugin.dll

FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll

FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll

FF - plugin: c:\programdata\nexonus\ngm\npNxGameUS.dll

FF - plugin: c:\users\joe\appdata\local\google\update\\npGoogleUpdate3.dll

FF - plugin: c:\users\joe\appdata\locallow\unity\webplayer\loader\npUnity3D32.dll

FF - plugin: c:\windows\system32\npOGPPlugin.dll

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

FF - Ext: Skype extension: {82AF8DCA-6DE9-405D-BD5E-43525BDAD38A} - c:\program files\mozilla firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

FF - Ext: Conduit Engine : engine@conduit.com - %profile%\extensions\engine@conduit.com

FF - Ext: BitTorrentBar Community Toolbar: {88c7f2aa-f93f-432c-8f0e-b7d85967a527} - %profile%\extensions\{88c7f2aa-f93f-432c-8f0e-b7d85967a527}

FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - %profile%\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}



FF - user.js: yahoo.ytff.general.dontshowhpoffer - true

============= SERVICES / DRIVERS ===============


R? AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service

R? apf001;apf001

R? b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0

R? bwnd;bwnd

R? DNIMp50;DNIMp50 NDIS Protocol Driver

R? DNISp50;DNISp50 NDIS Protocol Driver

R? EagleXNt;EagleXNt

R? ncvet.dll;ncvet.dll

R? NEC Usb3;NEC USB3 Service

R? npggsvc;nProtect GameGuard Service

R? PAC7311;Trust Webcam 14839



R? WatAdminSvc;Windows Activation Technologies Service

R? WNDA3100;NETGEAR WNDA3100 USB2.0 Wireless Card Service

R? XDva285;XDva285

R? XDva349;XDva349

S? Akamai;Akamai NetSession Interface

S? Ext2fs;Ext2fs

S? IfsMount;IfsMount

S? MBAMSwissArmy;MBAMSwissArmy

S? NVHDA;Service for NVIDIA High Definition Audio Driver

S? nvUpdatusService;NVIDIA Update Service Daemon

S? SBSDWSCService;SBSD Security Center Service

S? sprtsvc_verizondm;SupportSoft Sprocket Service (verizondm)

S? Stereo Service;NVIDIA Stereoscopic 3D Driver Service

S? TabletServiceWacom;TabletServiceWacom

S? tgsrvc_verizondm;SupportSoft Repair Service (verizondm)

S? usbfilter;AMD USB Filter Driver

S? Viewpoint Manager Service;Viewpoint Manager Service


=============== Created Last 30 ================


2012-05-04 16:02:01 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2012-05-04 04:59:53 12920 ----a-w- c:\windows\system32\apl001.sys

2012-05-04 04:59:53 10872 ----a-w- c:\windows\system32\apf001.sys

2012-04-29 23:10:31 -------- d-----w- c:\program files\Atlus Online

2012-04-29 22:49:16 -------- d-----w- c:\users\joe\appdata\local\PMB Files

2012-04-29 22:49:15 -------- d-----w- c:\programdata\PMB Files

2012-04-29 22:00:49 -------- d-----w- c:\users\joe\appdata\local\Aeria Games

2012-04-29 22:00:08 -------- d-----w- c:\programdata\Aeria Games

2012-04-29 21:07:04 -------- d-sh--w- c:\windows\system32\AI_RecycleBin

2012-04-29 21:06:53 -------- d-----w- c:\program files\Aeria Games

2012-04-28 01:41:59 -------- d-----w- C:\e

2012-04-28 01:32:44 88064 ----a-w- c:\programdata\Ql4JYIqF.exe

2012-04-27 16:22:31 57344 ----a-w- c:\windows\system32\FastUv32.dll

2012-04-27 12:37:34 -------- d-----w- C:\Data

2012-04-27 12:22:40 88064 ----a-w- c:\programdata\E027A1A4.exe

2012-04-27 11:52:47 -------- d-----w- c:\program files\Cisco Systems

2012-04-27 11:46:15 -------- d-----w- c:\programdata\Cisco Systems

2012-04-25 20:11:15 -------- d-----w- c:\program files\THQ

2012-04-25 13:56:08 0 --sha-w- c:\windows\system32\dds_trash_log.cmd

2012-04-25 13:55:57 419488 ----a-w- c:\windows\system32\FlashPlayerApp.exe

2012-04-23 14:23:48 2515790 ----a-w- c:\windows\system32\nvcoproc.bin

2012-04-23 13:16:54 -------- d-----w- c:\programdata\Battle.net

2012-04-18 21:03:39 -------- d-----w- c:\program files\Wild Tangent

2012-04-06 15:22:18 -------- d-----w- c:\users\joe\appdata\roaming\calibre

2012-04-06 15:22:06 -------- d-----w- c:\program files\Calibre2


==================== Find3M ====================


2012-05-04 20:16:02 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2012-04-04 19:56:40 22344 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-04-01 14:56:21 249856 ------w- c:\windows\Setup1.exe

2012-04-01 14:56:20 73216 ----a-w- c:\windows\ST6UNST.EXE

2012-03-23 14:46:21 472808 ----a-w- c:\windows\system32\deployJava1.dll

2012-03-09 23:27:17 94208 ----a-w- c:\windows\DIIUnin.exe

2012-03-09 23:27:17 2829 ----a-w- c:\windows\DIIUnin.pif

2012-02-29 20:56:41 3881792 ----a-w- c:\windows\system32\nvcpl.dll

2012-02-29 20:55:16 2719040 ----a-w- c:\windows\system32\nvsvc.dll

2012-02-29 20:53:47 108352 ----a-w- c:\windows\system32\nvmctray.dll

2012-02-29 20:53:46 645440 ----a-w- c:\windows\system32\nvvsvc.exe

2012-02-29 20:53:46 62272 ----a-w- c:\windows\system32\nvshext.dll

2012-02-29 17:26:56 416064 ----a-w- c:\windows\system32\nvStreaming.exe


============= FINISH: 8:52:07.43 ===============

Unfortunately you have a nasty rootkit infection. Please read the following information first.



One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advise you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.



Going over your logs I noticed that you have BitTorrent installed.

  • Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs.
  • They are a security risk which can make your computer susceptible to a wide variety of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites.
  • Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users.
  • The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications.

It is pretty much certain that if you continue to use P2P programs, you will get infected again.

I would recommend that you uninstall BitTorrent; however, that choice is up to you. If you choose to remove these programs, you can do so via Start > Control Panel > Add/Remove Programs.

If you wish to keep it, please do not use it until your computer is cleaned.



Please download ComboFix from one of these locations:


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue its malware removal procedures.


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\Combofix.txt in your next reply.

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

