
Infected by Smart Fortress 2012



Hi,

I have been infected by Smart Fortress 2012 so I ran my Antivirus (it quarantined some trojans) then I ran the following programs in this order:

RogueKiller (2 reports)

MBAM

ZHPDiag

OTL (reports OTL and Extra)

Below is the link with all the reports:

Link Cjoint

Smart Fortress still appears in the list of programs and I don't understand what the reports say about this.

Does anyone know how to read and understand the reports and could tell me what I have to do now?

Thanks

Edited by Maurice Naggar

Hello mattam.

Are you being helped elsewhere? Please only post to one help forum.

We do not look for logs on other venues, unless there is a compelling reason.

If you wish guided help here, then copy & paste the contents of logs here ---- when you post a reply, and paste logs inside reply-box.

Download DDS and save it to your desktop from http://www.techsupportforum.com/sectools/sUBs/dds or http://download.bleepingcomputer.com/sUBs/dds.scr or http://www.forospyware.com/sUBs/dds

Disable any script blocker if your antivirus/antimalware has it.

Then double click dds.scr to run the tool.

DDS will run in a command prompt window and will take 3 to 4 minutes or so.

  • When done, DDS will open two (2) logs:
  • DDS.txt
  • Attach.txt
  • Save both reports to your desktop.

Please COPY & Paste the following logs in your next reply: DDS.txt Attach.txt


Hi

Please note that I am not being helped elsewhere; I just tried to run the software I saw proposed on the net to solve the same problem, but I don't know how to interpret the logs I got.

Below is the DDS.txt:

.

DDS (Ver_2011-08-26.01) - NTFSAMD64

Internet Explorer:

Run by Administrator at 12:51:36 on 2012-05-18

Microsoft Windows 7 Professional

.

AV: ESET NOD32 Antivirus 5.0 *Enabled/Updated* {77DEAFED-8149-104B-25A1-21771CA47CD1}

SP: ESET NOD32 Antivirus 5.0 *Enabled/Updated* {CCBF4E09-A773-1FC5-1F11-1A056723366C}

SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

============== Running Processes ===============

.

C:\Windows\system32\wininit.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\ibmpmsvc.exe

C:\Windows\system32\nvvsvc.exe

C:\Windows\system32\svchost.exe -k RPCSS

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\WUDFHost.exe

C:\Windows\system32\nvvsvc.exe

C:\Program Files (x86)\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe

C:\Program Files\ThinkVantage Fingerprint Software\upeksvr.exe

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Windows\system32\WLANExt.exe

C:\Windows\system32\conhost.exe

C:\Windows\System32\spoolsv.exe

C:\Windows\system32\svchost.exe -k WbioSvcGroup

C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe

C:\Program Files (x86)\Lenovo\Access Connections\AcPrfMgrSvc.exe

C:\PROGRA~1\Lenovo\HOTKEY\tpnumlk.exe

C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe

C:\Program Files (x86)\Common Files\DeviceHelper\DeviceManager.exe

C:\Program Files (x86)\ThinkPad\Utilities\DZSVC64.EXE

C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe

C:\Program Files\Intel\WiFi\bin\EvtEng.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe

C:\Program Files\LENOVO\HOTKEY\CAMMUTE.exe

C:\Program Files\LENOVO\HOTKEY\MICMUTE.exe

C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe

C:\Program Files (x86)\QUALCOMM\QDLService2k\QDLService2kLenovo.exe

C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe

C:\Program Files (x86)\RealVNC\VNC4\WinVNC4.exe

C:\Program Files (x86)\Lenovo\Access Connections\AcSvc.exe

C:\Windows\system32\taskhost.exe

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\PROGRA~1\Lenovo\HOTKEY\tpnumlkd.exe

C:\Windows\system32\wbem\unsecapp.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\System32\rundll32.exe

C:\Program Files (x86)\Lenovo\Access Connections\AcDeskBandHlpr.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe

C:\Windows\System32\TpShocks.exe

C:\Program Files\Lenovo\Client Security Solution\cssauth.exe

C:\Program Files\Microsoft IntelliPoint\ipoint.exe

C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe

C:\Program Files\Lenovo\Zoom\TpScrex.exe

C:\Program Files\Synaptics\SynTP\SynTPHelper.exe

C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe

C:\Windows\System32\StikyNot.exe

C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe

C:\Windows\system32\SearchIndexer.exe

C:\Program Files (x86)\Integrated Camera Driver\X64\RCIMGDIR.exe

C:\Windows\SysWOW64\rundll32.exe

C:\Program Files (x86)\Lenovo\Message Center Plus\MCPLaunch.exe

C:\Program Files (x86)\Digital Line Detect\DLG.exe

C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe

C:\Windows\system32\rundll32.exe

C:\Program Files (x86)\HSPA USB MODEM\ModemListener.exe

C:\Program Files (x86)\Lenovo\Access Connections\SvcGuiHlpr.exe

C:\Program Files (x86)\Mozilla Firefox\firefox.exe

C:\Program Files (x86)\Intel\Intel® Management Engine Components\IMSS\PrivacyIconClient.exe

C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe

C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AcroRd32.exe

C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AcroRd32.exe

C:\Program Files\ThinkPad\Bluetooth Software\btwdins.exe

C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe

C:\Windows\system32\svchost.exe -k HsfXAudioService

C:\Program Files (x86)\Common Files\InterVideo\RegMgr\iviRegMgr.exe

c:\Program Files (x86)\Lenovo\System Update\SUService.exe

C:\Program Files (x86)\Common Files\Lenovo\tvt_reg_monitor_svc.exe

C:\Windows\System32\svchost.exe -k secsvcs

C:\Program Files (x86)\Lenovo\Rescue and Recovery\rrservice.exe

C:\Program Files (x86)\Common Files\Lenovo\Scheduler\scheduler_proxy.exe

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

C:\Program Files (x86)\Texmaker\texmaker.exe

C:\Windows\system32\svchost.exe -k SDRSVC

C:\Windows\system32\hasplms.exe

C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE

C:\Windows\splwow64.exe

C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AcroRd32.exe

C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AcroRd32.exe

C:\Program Files\Windows Media Player\wmpnetwk.exe

C:\Program Files\MATLAB\R2011b\bin\win64\MATLAB.exe

C:\Windows\system32\DllHost.exe

C:\Windows\explorer.exe

C:\Windows\system32\SearchProtocolHost.exe

C:\Windows\system32\SearchFilterHost.exe

C:\Windows\explorer.exe

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\conhost.exe

C:\Windows\SysWOW64\cscript.exe

C:\Windows\system32\wbem\wmiprvse.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://lenovo.msn.com

uDefault_Page_URL = hxxp://lenovo.msn.com

mWinlogon: Userinit=userinit.exe

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - C:\PROGRA~2\MICROS~3\Office14\GROOVEEX.DLL

BHO: Java Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll

BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - C:\PROGRA~2\MICROS~3\Office14\URLREDIR.DLL

BHO: IePasswordManagerHelper Class: {bf468356-bb7e-42d7-9f15-4f3b9bcfced2} - C:\Program Files (x86)\Lenovo\Client Security Solution\tvtpwm_ie_com.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll

uRun: [RESTART_STICKY_NOTES] C:\Windows\System32\StikyNot.exe

mRun: [iMSS] "C:\Program Files (x86)\Intel\Intel® Management Engine Components\IMSS\PIconStartup.exe"

mRun: [RotateImage] C:\Program Files (x86)\Integrated Camera Driver\X64\RCIMGDIR.exe

mRun: [PWMTRV] rundll32 C:\PROGRA~2\ThinkPad\UTILIT~1\PWMTR64V.DLL,PwrMgrBkGndMonitor

mRun: [Message Center Plus] C:\Program Files (x86)\LENOVO\Message Center Plus\MCPLaunch.exe /start

mRun: [<NO NAME>]

mRun: [bCSSync] "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" /DelayServices

mRun: [sunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"

mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

mRun: [switchBoard] C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe

mRun: [AdobeCS5ServiceManager] "C:\Program Files (x86)\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" -launchedbylogin

mRun: [ModemListener] C:\Program Files (x86)\HSPA USB MODEM\ModemListener.exe start

mRun: [Alcatel X220 HSPA USB Modem]

mRunOnce: [Malwarebytes Anti-Malware] C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent

StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\BLUETO~1.LNK - C:\Program Files (x86)\ThinkPad\Bluetooth Software\BTTray.exe

StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\DIGITA~1.LNK - C:\Program Files (x86)\Digital Line Detect\DLG.exe

mPolicies-explorer: NoActiveDesktop = 1 (0x1)

mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)

mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)

mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~3\Office14\EXCEL.EXE/3000

IE: Se&nd to OneNote - C:\PROGRA~2\MICROS~3\Office14\ONBttnIE.dll/105

IE: Send image to &Bluetooth Device... - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm

IE: Send page to &Bluetooth Device... - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm

IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll

IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll

IE: {F4F55DC8-0B69-4DFE-BA94-CB677B88B2A3} - {F4F55DC8-0B69-4DFE-BA94-CB677B88B2A3} - C:\Program Files (x86)\Lenovo\Client Security Solution\tvtpwm_ie_com.dll

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab

TCP: DhcpNameServer = 10.0.0.138

TCP: Interfaces\{482241B3-EE32-4072-B9CB-589EB26AF5F2} : DhcpNameServer = 192.168.1.254 0.0.0.0

TCP: Interfaces\{DB24004D-0B47-44C8-912C-7C93D5EEE698} : DhcpNameServer = 10.0.0.138

TCP: Interfaces\{DB24004D-0B47-44C8-912C-7C93D5EEE698}\140707C65602E4564777F627B602269333133653 : DhcpNameServer = 10.0.1.1

TCP: Interfaces\{DB24004D-0B47-44C8-912C-7C93D5EEE698}\14971647F6572737 : DhcpNameServer = 192.168.2.1

TCP: Interfaces\{DB24004D-0B47-44C8-912C-7C93D5EEE698}\2456A75617D2E474E4F5134344634344644303635414 : DhcpNameServer = 10.0.0.138

TCP: Interfaces\{DB24004D-0B47-44C8-912C-7C93D5EEE698}\356425027596649602055726C69636 : DhcpNameServer = 109.0.66.10 109.0.66.20

TCP: Interfaces\{DB24004D-0B47-44C8-912C-7C93D5EEE698}\358616162756A5564656B6745756374737 : DhcpNameServer = 208.67.222.222 208.67.220.220

TCP: Interfaces\{DB24004D-0B47-44C8-912C-7C93D5EEE698}\3596567656D296E66796475637 : DhcpNameServer = 10.101.253.52 10.101.253.53

TCP: Interfaces\{DB24004D-0B47-44C8-912C-7C93D5EEE698}\8455A494D23747166666D237475746 : DhcpNameServer = 128.139.6.1 128.139.4.3

Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLMF.DLL

SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - C:\PROGRA~2\MICROS~3\Office14\GROOVEEX.DLL

LSA: Notification Packages = scecli C:\Program Files\ThinkVantage Fingerprint Software\psqlpwd.dll ACGina

BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

BHO-X64: AcroIEHelperStub - No File

BHO-X64: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~2\MICROS~3\Office14\GROOVEEX.DLL

BHO-X64: Java Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll

BHO-X64: Windows Live Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

BHO-X64: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~2\MICROS~3\Office14\URLREDIR.DLL

BHO-X64: URLRedirectionBHO - No File

BHO-X64: IePasswordManagerHelper Class: {BF468356-BB7E-42D7-9F15-4F3B9BCFCED2} - C:\Program Files (x86)\Lenovo\Client Security Solution\tvtpwm_ie_com.dll

BHO-X64: Password Manager Browser Helper Object - No File

BHO-X64: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll

mRun-x64: [iMSS] "C:\Program Files (x86)\Intel\Intel® Management Engine Components\IMSS\PIconStartup.exe"

mRun-x64: [RotateImage] C:\Program Files (x86)\Integrated Camera Driver\X64\RCIMGDIR.exe

mRun-x64: [PWMTRV] rundll32 C:\PROGRA~2\ThinkPad\UTILIT~1\PWMTR64V.DLL,PwrMgrBkGndMonitor

mRun-x64: [Message Center Plus] C:\Program Files (x86)\LENOVO\Message Center Plus\MCPLaunch.exe /start

mRun-x64: [(Default)]

mRun-x64: [bCSSync] "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" /DelayServices

mRun-x64: [sunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"

mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

mRun-x64: [switchBoard] C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe

mRun-x64: [AdobeCS5ServiceManager] "C:\Program Files (x86)\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" -launchedbylogin

mRun-x64: [ModemListener] C:\Program Files (x86)\HSPA USB MODEM\ModemListener.exe start

mRun-x64: [Alcatel X220 HSPA USB Modem]

mRunOnce-x64: [Malwarebytes Anti-Malware] C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent

IE-X64: {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm

SEH-X64: Groove GFS Stub Execution Hook: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\PROGRA~2\MICROS~3\Office14\GROOVEEX.DLL

.

================= FIREFOX ===================

.

FF - ProfilePath - C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\b4x04rvr.default\

FF - plugin: C:\PROGRA~2\MICROS~3\Office14\NPAUTHZ.DLL

FF - plugin: C:\PROGRA~2\MICROS~3\Office14\NPSPWRAP.DLL

FF - plugin: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll

FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npornap.dll

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - C:\Program Files (x86)\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

.

============= SERVICES / DRIVERS ===============

.

R0 DzHDD64;DzHDD64;C:\Windows\system32\DRIVERS\DzHDD64.sys --> C:\Windows\system32\DRIVERS\DzHDD64.sys [?]

R0 PxHlpa64;PxHlpa64;C:\Windows\system32\Drivers\PxHlpa64.sys --> C:\Windows\system32\Drivers\PxHlpa64.sys [?]

R0 TPDIGIMN;TPDIGIMN;C:\Windows\system32\DRIVERS\ApsHM64.sys --> C:\Windows\system32\DRIVERS\ApsHM64.sys [?]

R1 lenovo.smi;Lenovo System Interface Driver;C:\Windows\system32\DRIVERS\smiifx64.sys --> C:\Windows\system32\DRIVERS\smiifx64.sys [?]

R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys --> C:\Windows\system32\DRIVERS\vwififlt.sys [?]

R2 aksdf;aksdf;\??\C:\Windows\system32\drivers\aksdf.sys --> C:\Windows\system32\drivers\aksdf.sys [?]

R2 eamonm;eamonm;C:\Windows\system32\DRIVERS\eamonm.sys --> C:\Windows\system32\DRIVERS\eamonm.sys [?]

R2 epfwwfpr;epfwwfpr;C:\Windows\system32\DRIVERS\epfwwfpr.sys --> C:\Windows\system32\DRIVERS\epfwwfpr.sys [?]

R2 rimspci;rimspci;C:\Windows\system32\DRIVERS\rimspe64.sys --> C:\Windows\system32\DRIVERS\rimspe64.sys [?]

R2 smihlp;SMI Helper Driver (smihlp);C:\Program Files\ThinkVantage Fingerprint Software\smihlp.sys [2009-3-14 13840]

R2 TurboB;Turbo Boost UI Monitor driver;C:\Windows\system32\DRIVERS\TurboB.sys --> C:\Windows\system32\DRIVERS\TurboB.sys [?]

R3 5U877;USB Video Device;C:\Windows\system32\DRIVERS\5U877.sys --> C:\Windows\system32\DRIVERS\5U877.sys [?]

R3 CAXHWAZL;CAXHWAZL;C:\Windows\system32\DRIVERS\CAXHWAZL.sys --> C:\Windows\system32\DRIVERS\CAXHWAZL.sys [?]

R3 e1kexpress;Intel® PRO/1000 PCI Express Network Connection Driver K;C:\Windows\system32\DRIVERS\e1k62x64.sys --> C:\Windows\system32\DRIVERS\e1k62x64.sys [?]

R3 HECIx64;Intel® Management Engine Interface;C:\Windows\system32\DRIVERS\HECIx64.sys --> C:\Windows\system32\DRIVERS\HECIx64.sys [?]

R3 Impcd;Impcd;C:\Windows\system32\DRIVERS\Impcd.sys --> C:\Windows\system32\DRIVERS\Impcd.sys [?]

R3 NETw5s64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 64 Bit;C:\Windows\system32\DRIVERS\NETw5s64.sys --> C:\Windows\system32\DRIVERS\NETw5s64.sys [?]

R3 NVHDA;Service for NVIDIA High Definition Audio Driver;C:\Windows\system32\drivers\nvhda64v.sys --> C:\Windows\system32\drivers\nvhda64v.sys [?]

R3 qcfilterlno2k;Gobi 2000 USB Composite Device Filter Driver(05C6-9205);C:\Windows\system32\DRIVERS\qcfilterlno2k.sys --> C:\Windows\system32\DRIVERS\qcfilterlno2k.sys [?]

R3 qcusbnetlno2k;Gobi 2000 USB-NDIS miniport(05C6-9205);C:\Windows\system32\DRIVERS\qcusbnetlno2k.sys --> C:\Windows\system32\DRIVERS\qcusbnetlno2k.sys [?]

R3 qcusbserlno2k;Gobi 2000 USB Device for Legacy Serial Communication(05C6-9205);C:\Windows\system32\DRIVERS\qcusbserlno2k.sys --> C:\Windows\system32\DRIVERS\qcusbserlno2k.sys [?]

R3 TVTI2C;Lenovo SM bus driver;C:\Windows\system32\DRIVERS\Tvti2c.sys --> C:\Windows\system32\DRIVERS\Tvti2c.sys [?]

S3 btwl2cap;Bluetooth L2CAP Service;C:\Windows\system32\DRIVERS\btwl2cap.sys --> C:\Windows\system32\DRIVERS\btwl2cap.sys [?]

S3 esgiguard;esgiguard;C:\Program Files\Enigma Software Group\SpyHunter\esgiguard.sys [2011-3-2 13088]

S3 jrdusbser;Mobile Connector Device for Legacy Serial Communication;C:\Windows\system32\DRIVERS\jrdusbser.sys --> C:\Windows\system32\DRIVERS\jrdusbser.sys [?]

S3 netw5v64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;C:\Windows\system32\DRIVERS\netw5v64.sys --> C:\Windows\system32\DRIVERS\netw5v64.sys [?]

S3 SrvHsfHDA;SrvHsfHDA;C:\Windows\system32\DRIVERS\VSTAZL6.SYS --> C:\Windows\system32\DRIVERS\VSTAZL6.SYS [?]

S3 SrvHsfV92;SrvHsfV92;C:\Windows\system32\DRIVERS\VSTDPV6.SYS --> C:\Windows\system32\DRIVERS\VSTDPV6.SYS [?]

S3 SrvHsfWinac;SrvHsfWinac;C:\Windows\system32\DRIVERS\VSTCNXT6.SYS --> C:\Windows\system32\DRIVERS\VSTCNXT6.SYS [?]

S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]

S3 WDC_SAM;WD SCSI Pass Thru driver;C:\Windows\system32\DRIVERS\wdcsam64.sys --> C:\Windows\system32\DRIVERS\wdcsam64.sys [?]

.

=============== Created Last 30 ================

.

2012-05-18 08:03:46 8955792 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{62A03384-012D-45B3-95D8-E2F27AC4F910}\mpengine.dll

2012-05-16 10:39:21 -------- d-----w- C:\ProgramData\Laboratory Imaging

2012-05-16 10:36:30 71040 ----a-w- C:\Windows\System32\drivers\aksdf.sys

2012-05-16 10:36:29 -------- d-----w- C:\Program Files (x86)\Common Files\Aladdin Shared

2012-05-16 10:36:28 3750400 ----a-w- C:\Windows\System32\hasplms.exe

2012-05-16 10:36:28 3750400 ----a-w- C:\Windows\System32\aksllmtp.exe

2012-05-16 10:36:28 130816 ----a-w- C:\Windows\System32\drivers\aksfridge.sys

2012-05-16 10:36:27 318464 ----a-w- C:\Windows\System32\drivers\hardlock.sys

2012-05-16 10:36:09 -------- d-----w- C:\Program Files (x86)\Common Files\PerkinElmer Installer for Aladdin Hasp Drivers

2012-05-16 10:36:07 -------- d-----w- C:\Program Files\Volocity

2012-05-15 11:19:54 512 ----a-w- C:\PhysicalMBR.bin

2012-05-15 02:16:21 512 ----a-w- C:\PhysicalDisk0_MBR.bin

2012-05-15 02:04:10 -------- d-----w- C:\ZHP

2012-05-15 01:59:19 -------- d-----w- C:\Program Files (x86)\ZHPDiag

2012-05-15 00:15:04 -------- d-----w- C:\Users\Administrator\AppData\Roaming\Malwarebytes

2012-05-15 00:14:56 -------- d-----w- C:\ProgramData\Malwarebytes

2012-05-15 00:14:55 24904 ----a-w- C:\Windows\System32\drivers\mbam.sys

2012-05-15 00:14:55 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware

2012-05-14 23:38:29 -------- d-----w- C:\Users\Administrator\AppData\Local\ESET

2012-05-14 23:23:39 110080 ----a-r- C:\Users\Administrator\AppData\Roaming\Microsoft\Installer\{5B210B8A-B66E-4702-B44D-0D6F388D29EB}\IconF7A21AF7.exe

2012-05-14 23:23:39 110080 ----a-r- C:\Users\Administrator\AppData\Roaming\Microsoft\Installer\{5B210B8A-B66E-4702-B44D-0D6F388D29EB}\IconD7F16134.exe

2012-05-14 23:23:39 110080 ----a-r- C:\Users\Administrator\AppData\Roaming\Microsoft\Installer\{5B210B8A-B66E-4702-B44D-0D6F388D29EB}\Icon1226A4C5.exe

2012-05-14 23:23:38 -------- d-----w- C:\sh4ldr

2012-05-14 23:23:38 -------- d-----w- C:\Program Files\Enigma Software Group

2012-05-14 23:22:56 -------- d-----w- C:\Windows\5B210B8AB66E4702B44D0D6F388D29EB.TMP

2012-05-14 23:22:55 -------- d-----w- C:\Program Files (x86)\Common Files\Wise Installation Wizard

2012-05-14 22:44:53 -------- d-----w- C:\Program Files\Perfect Uninstaller

2012-05-14 18:50:44 -------- d-----w- C:\ProgramData\B7E8586B0001E24603DE28E0B4EB2331

2012-05-10 15:31:40 1544704 ----a-w- C:\Windows\System32\DWrite.dll

2012-05-10 15:31:40 1077248 ----a-w- C:\Windows\SysWow64\DWrite.dll

2012-05-10 15:31:39 5559664 ----a-w- C:\Windows\System32\ntoskrnl.exe

2012-05-10 15:31:38 3968368 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe

2012-05-10 15:31:38 3146240 ----a-w- C:\Windows\System32\win32k.sys

2012-05-10 15:31:37 3913072 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe

2012-05-10 15:29:17 75120 ----a-w- C:\Windows\System32\drivers\partmgr.sys

2012-05-10 15:27:47 1918320 ----a-w- C:\Windows\System32\drivers\tcpip.sys

2012-05-10 15:01:02 936960 ----a-w- C:\Program Files (x86)\Common Files\Microsoft Shared\ink\journal.dll

2012-05-10 15:01:02 1732096 ----a-w- C:\Program Files\Windows Journal\NBDoc.DLL

2012-05-10 15:01:02 1402880 ----a-w- C:\Program Files\Windows Journal\JNWDRV.dll

2012-05-10 15:01:02 1393664 ----a-w- C:\Program Files\Windows Journal\JNTFiltr.dll

2012-05-10 15:01:02 1367552 ----a-w- C:\Program Files\Common Files\Microsoft Shared\ink\journal.dll

2012-04-22 08:47:05 81408 ----a-w- C:\Windows\System32\imagehlp.dll

2012-04-22 08:47:05 23408 ----a-w- C:\Windows\System32\drivers\fs_rec.sys

2012-04-22 08:47:05 159232 ----a-w- C:\Windows\SysWow64\imagehlp.dll

2012-04-22 08:47:04 5120 ----a-w- C:\Windows\SysWow64\wmi.dll

2012-04-22 08:47:04 5120 ----a-w- C:\Windows\System32\wmi.dll

2012-04-22 08:47:04 220672 ----a-w- C:\Windows\System32\wintrust.dll

2012-04-22 08:47:04 172544 ----a-w- C:\Windows\SysWow64\wintrust.dll

.

==================== Find3M ====================

.

2012-02-28 06:56:48 2311168 ----a-w- C:\Windows\System32\jscript9.dll

2012-02-28 06:49:56 1390080 ----a-w- C:\Windows\System32\wininet.dll

2012-02-28 06:48:57 1493504 ----a-w- C:\Windows\System32\inetcpl.cpl

2012-02-28 06:42:55 2382848 ----a-w- C:\Windows\System32\mshtml.tlb

2012-02-28 01:18:55 1799168 ----a-w- C:\Windows\SysWow64\jscript9.dll

2012-02-28 01:11:21 1427456 ----a-w- C:\Windows\SysWow64\inetcpl.cpl

2012-02-28 01:11:07 1127424 ----a-w- C:\Windows\SysWow64\wininet.dll

2012-02-28 01:03:16 2382848 ----a-w- C:\Windows\SysWow64\mshtml.tlb

2012-02-23 07:18:36 279656 ------w- C:\Windows\System32\MpSigStub.exe

.

============= FINISH: 12:52:50.22 ===============
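An added example, not part of this thread and not code from DDS or its author: a small Python script that splits a DDS.txt into its sections and lists the entries a helper usually looks at first, namely autorun entries that carry no command, "No File" orphans, a non-default LSA Notification Packages value, and items created at the drive root or in hex-named ProgramData folders. The sample log is a constructed excerpt of the DDS.txt posted above; the heuristics are generic review prompts for a human reader, not verdicts about this machine.

```python
import re
from collections import defaultdict

# Constructed sample: a trimmed excerpt of the DDS.txt posted in this thread.
SAMPLE_DDS = r"""DDS (Ver_2011-08-26.01) - NTFSAMD64
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Program Files (x86)\RealVNC\VNC4\WinVNC4.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://lenovo.msn.com
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
mRun: [<NO NAME>]
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [Alcatel X220 HSPA USB Modem]
BHO-X64: AcroIEHelperStub - No File
LSA: Notification Packages = scecli C:\Program Files\ThinkVantage Fingerprint Software\psqlpwd.dll ACGina
.
=============== Created Last 30 ================
.
2012-05-15 11:19:54 512 ----a-w- C:\PhysicalMBR.bin
2012-05-14 23:23:38 -------- d-----w- C:\sh4ldr
2012-05-14 18:50:44 -------- d-----w- C:\ProgramData\B7E8586B0001E24603DE28E0B4EB2331
2012-05-10 15:31:40 1544704 ----a-w- C:\Windows\System32\DWrite.dll
.
============= FINISH: 12:52:50.22 ===============
"""

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
# uRun / mRun / mRunOnce / mRun-x64 lines: "[name] command"
AUTORUN_RE = re.compile(r"^[um]Run(?:Once)?(?:-x64)?: \[(?P<name>[^\]]*)\](?P<cmd>.*)$")
# "Created Last 30" lines: date time size attributes path
CREATED_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} \S+ \S+ (?P<path>.+)$")
HEX_DIR_RE = re.compile(r"^[0-9A-Fa-f]{24,}$")


def parse_sections(text):
    """Split a DDS log into {section name: [lines]}, dropping the '.' spacer lines."""
    sections = defaultdict(list)
    current = "Header"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            continue
        sections[current].append(line)
    return sections


def review_autoruns(lines):
    """Pick out Pseudo HJT entries a reviewer would want to identify by hand."""
    findings = []
    for line in lines:
        m = AUTORUN_RE.match(line)
        if m and not m.group("cmd").strip():
            # A Run value with no command: harmless leftover or a dead entry, but check.
            findings.append(("autorun-without-command", line))
        elif line.endswith(" - No File"):
            # Registry entry whose file is gone: typical leftover after a removal.
            findings.append(("orphaned-entry", line))
        elif line.startswith("LSA: Notification Packages"):
            # scecli is the stock package; anything else should be attributable to a known product.
            if line.split("=", 1)[1].strip().lower() != "scecli":
                findings.append(("non-default-lsa-package", line))
    return findings


def review_created(lines):
    """Flag new items at the drive root or in hex-named ProgramData folders."""
    findings = []
    for line in lines:
        m = CREATED_RE.match(line)
        if not m:
            continue
        parts = m.group("path").split("\\")
        if len(parts) == 2:
            findings.append(("created-at-drive-root", line))
        elif len(parts) == 3 and parts[1].lower() == "programdata" and HEX_DIR_RE.match(parts[2]):
            findings.append(("hex-named-programdata-dir", line))
    return findings


def triage(text):
    """Return (reason, line) pairs from the sections the heuristics cover."""
    sections = parse_sections(text)
    findings = review_autoruns(sections.get("Pseudo HJT Report", []))
    findings += review_created(sections.get("Created Last 30", []))
    return findings


if __name__ == "__main__":
    for reason, line in triage(SAMPLE_DDS):
        print(f"{reason:28} {line}")
```

Everything the script prints is a prompt to look something up (the vendor, the installer, the date it appeared), not a removal list; most flagged lines on a real machine turn out to be legitimate software, which is exactly why a helper asks for the full log rather than a summary.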


These steps are for mattam only. If you are a casual viewer, do NOT try this on your system!

If you are not mattam and have a similar problem, do NOT post here; start your own topic

The fixes in this Topic are for this system only! Do not apply the fix-instructions from this topic to your System or any other one!

If you are a casual viewer, do NOT try this on your system!

If you are not the originating-member-poster and have a similar problem, do NOT post here; start your own topic

Do not run or start any other programs while these utilities and tools are in use!

Do NOT run any other tools on your own or do any fixes other than what is listed here.

If you have questions, please ask before you do something on your own.

But it is important that you get going on these following steps.

You will want to print out or copy these instructions to Notepad for Safe offline reference!

Do not do any websurfing on this system. Only go to this forum and the sites I guide you to for tools or online scans.

Please follow my guidance

Close any of your open programs while you run these tools.

Step 1

1. Go >> Here << and download ERUNT

(ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.)

2. Install ERUNT by following the prompts

(use the default install settings but say no to the portion that asks you to add ERUNT to the start-up folder, if you like you can enable this option later)

3. Start ERUNT

(either by double clicking on the desktop icon or choosing to start the program at the end of the setup)

4. Choose a location for the backup

(the default location is C:\WINDOWS\ERDNT which is acceptable).

5. Make sure that at least the first two check boxes are ticked

6. Press OK

7. Press YES to create the folder.

Step 2

To show all files:

  • Go to your Desktop
  • Double-Click the Computer icon.
  • From the menu options, Select Tools, then Folder Options.
  • Next click the View tab.
  • Locate and uncheck Hide file extensions for known file types.
  • Locate and uncheck Hide protected operating system files (Recommended).
  • Locate and click Show hidden files and folders and drives.
  • Click Apply > OK.

Step 3

Use the instructions outlined by Grinler at this page http://www.bleepingcomputer.com/virus-removal/remove-smart-fortress-2012

Do selected steps of the section titled Automated Removal Instructions for Smart Fortress 2012

I would like for you to do # 1 thru # 11 only

Step 4

After finishing # 11, do this:

Save and close any work documents, close any apps that you started.

Start your MBAM MalwareBytes' Anti-Malware.

Click the Settings Tab and then the General Settings sub-tab. Make sure all option lines have a checkmark.

Then click the Scanner settings sub-tab in second row of tabs. Make sure all option lines have a checkmark.

Next, Click the Update tab. Press the "Check for Updates" button.

If prompted for a Restart, do that.

When done, click the Scanner tab.

Do a FULL Scan.

When the scan is complete, click OK, then Show Results to view the results.

Make sure that everything is checked, and click Remove Selected.

When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.

The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

After the MBAM run is all done, Copy and Paste the last MBAM scan log.

Step 5

Now Logoff and Restart pc into Normal mode of Windows.

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

For directions on how, see How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

Do NOT turn off the firewall

Close all open browsers at this point.

Start Internet Explorer (fresh) by pressing Start >> Internet Explorer >> Right-Click and select Run As Administrator.

Using Internet Explorer browser only, go to ESET Online Scanner website:

http://www.eset.com/onlinescan/

  • Accept the Terms of Use and press Start button;
  • Approve the install of the required ActiveX Control, then follow on-screen instructions;
  • Enable (check) the Remove found threats option, and run the scan.
  • After the scan completes, the Details tab in the Results window will display what was found and removed.
  • A logfile is created and located at C:\Program Files (x86)\Eset\EsetOnlineScanner\log.txt. Look at the contents of this file using Notepad.

The Frequently Asked Questions for ESET Online Scanner can be viewed here: http://go.eset.com/us/online-scanner/faq

  • It is emphasized to temporarily disable any pc-resident {active} antivirus program prior to any on-line scan by any on-line scanner (and to promptly re-enable it when finished).
  • If you use Firefox, you have to install IETab, an add-on. This is to enable ActiveX support.
  • Do not use the system while the scan is running. Once the full scan is underway, go take a long break.

Re-enable the antivirus program.

Reply with copy of the Eset scan log and MBAM scan log for review.

There will be more to do later.

Edited by Maurice Naggar

Hi Maurice,

Thanks for your reply

Could you please explain to me what is happening with my computer and what the procedure you indicate is going to do?

Do you mean that I should not surf the web with my computer before this?

Thanks

mattam


Another question:

I already installed MBAM through my computer when it was infected and ran it in normal mode.

But I see that you ask me to follow steps 1 to 11 of the removal guide which says that one should use chameleon and another computer to do this.

Does this mean that I need to uninstall the current MBAM and follow the steps with chameleon ... or can I run the MBAM scan with my current version of MBAM?


I tried to run ERUNT but I don't understand what you say:

"say no to the portion that asks you to add ERUNT to the start-up folder, if you like you can enable this option later"

Do you mean that I should uncheck the option to get a launch icon on the desktop for ERUNT and NTREGOPT? Or something else?

Thanks

mattam


What is happening to your pc is that it has a rogue malware infection.

What the procedures will do is to start to remove it.

This will likely take several passes, so have patience.

No, do not uninstall the MBAM that is already there.

You can also just temporarily Turn off your antivirus program before starting MBAM.

(we especially want to turn it off when doing an ESET online scan or any other online-scan ).

If you will go ahead with the things I outlined, we will make starting headway.

Keep in mind, I am not online all the time. So it's best to compose all your questions into one single post.


Hi,

I ran FixExec, the result is: no process found to kill

I ran MBAM.

I forgot my password for ESET so I can't disable my antivirus for now; I'm waiting to get the unlock password to perform Step 5.

For now, below is the MBAM report:

Malwarebytes Anti-Malware 1.61.0.1400

www.malwarebytes.org

Database version: v2012.05.14.07

Windows 7 Service Pack 1 x64 NTFS (Safe Mode/Networking)

Internet Explorer

tt :: MATTAM [limited]

21/05/2012 17:16:50

mbam-log-2012-05-21 (17-16-50).txt

Scan type: Full scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 819242

Time elapsed: 1 hour(s), 18 minute(s), 16 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

(end)


I tried to recover it but in fact I can't. There is a problem which makes the ESET unlock utility ineffective.

So the technical support told me the only solution would be to uninstall ESET in safe mode and then to reinstall it and give it a new password.

But as it is very time consuming, and for now we did not find anything on the computer (MBAM...) in the last runs, I don't think I will do all this only because of the password.

OK, I'll run the ESET full scan in the meantime.


It would be to your advantage to do the ESET uninstall and reinstall because

a) the online scan will take much, much longer with your resident A-V active

b) we will need occasion later to "temporarily" turn off your antivirus in order to run some other tools!


The ESET a-v scan detected nothing, as shown by the summary.

Number of scanned objects: 731151

Number of threats found: 0

Let's have you do this:

Log off and Restart.

As soon as the PC is restarting, tap and re-tap the F8 function key to get to Advanced Boot Options.

Use the Up/Down arrow keys on the keyboard to select Safe Mode with Networking

and tap Enter.

Have infinite patience as Windows loads.

Then download, save and run DrWeb Cure-It

Download Dr.Web CureIt to the desktop.

  • Double-click the drweb-cureit.exe file, then on Start, and allow it to run the express scan.
  • This will scan the files currently running in memory, and when something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, choose the Complete Scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right (shown in the original post as an image), and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, look and see if you can click the check-mark icon next to the files found (shown in the original post as an image).
  • If so, click it, then click the next icon right below it and select Move incurable (shown in the original post as an image).
  • This will move it to the %userprofile%\DoctorWeb\quarantaine folder if it can't be cured. (This is in case we need samples.)
  • After selecting, in the Dr.Web CureIt menu on top, click File and choose Save report list.
  • Save the report to your desktop. The report will be called DrWeb.csv.
  • Close Dr.Web CureIt.
  • Reboot your computer to allow files that were in use to be moved/deleted during reboot.
  • After the reboot, post the contents of the Dr.Web log you saved previously in your next reply.

NOTE: During the scan, a pop-up window will open asking for full version purchase. Simply close the window by clicking on X in upper right corner.

Step 2

Save and close any work documents, close any apps that you started.

Start MBAM (Malwarebytes' Anti-Malware).

Click the Settings Tab and then the General Settings sub-tab. Make sure all option lines have a checkmark.

Then click the Scanner settings sub-tab in second row of tabs. Make sure all option lines have a checkmark.

Next, Click the Update tab. Press the "Check for Updates" button.

If prompted for a Restart, do that.

When done, click the Scanner tab.

Do a FULL Scan.

When the scan is complete, click OK, then Show Results to view the results.

Make sure that everything is checked, and click Remove Selected.

When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.

The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

When all done, copy & paste the Dr.Web CureIt log and

the MBAM scan log, and

tell me how the system is now.


2 weeks later...

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
