
mbam can't remove trojan.agent



I ran mbam scan and it said: c:\system volume information\iexplore.exe (Trojan.Agent) -> Delete on reboot. I check the box and reboot, but it did not get removed and shows up again. Does anyone know if this is a real alert and what to do about it? Thanks!

.

DDS (Ver_2011-08-26.01) - NTFSAMD64

Internet Explorer: 8.0.7601.17514

Run by user at 10:39:40 on 2012-07-13

Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.8122.5136 [GMT -7:00]

.

AV: Kaspersky PURE *Enabled/Updated* {56547CC9-C9B2-849D-8FEF-A496150D6A06}

SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

SP: Kaspersky PURE *Enabled/Updated* {ED359D2D-EF88-8B13-B55F-9FE46E8A20BB}

FW: Kaspersky PURE *Enabled* {6E6FFDEC-83DD-85C5-A4B0-0DA3EBDE2D7D}

.

============== Running Processes ===============

.

C:\Windows\system32\wininit.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\ibmpmsvc.exe

C:\Windows\system32\svchost.exe -k RPCSS

C:\Windows\system32\atiesrxx.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\atieclxx.exe

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\system32\WLANExt.exe

C:\Windows\system32\conhost.exe

C:\Windows\System32\spoolsv.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Program Files\LENOVO\HOTKEY\TPHKLOAD.exe

C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe

C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe

C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE\avp.exe

C:\Program Files (x86)\Common Files\InfoWatch\CryptoStorage\ProtectedObjectsSrv.exe

C:\Program Files\Intel\WiFi\bin\EvtEng.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\PROGRA~2\GFI\GFIBAC~1\GFIHInst.exe

C:\PROGRA~2\GFI\GFIBAC~1\GFIHSC~1.EXE

C:\Windows\system32\svchost.exe -k HsfXAudioService

C:\Program Files (x86)\Common Files\InterVideo\RegMgr\iviRegMgr.exe

C:\Program Files\Lenovo\Communications Utility\CAMMUTE.exe

C:\Program Files (x86)\LG Electronics\LGE LTE Driver\LGVL600SVC.exe

C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe

C:\Program Files\Microsoft SQL Server\100\DTS\Binn\MsDtsSrvr.exe

C:\Program Files\Microsoft SQL Server\MSSQL10_50.SQL2008\MSSQL\Binn\sqlservr.exe

C:\PROGRA~2\MICROS~1\MSSQL\binn\sqlservr.exe

C:\Program Files (x86)\PGP Corporation\PGP Desktop\RDDService.exe

c:\Program Files (x86)\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe

C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe

C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe

C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe

C:\Windows\system32\svchost.exe -k imgsvc

C:\Windows\system32\UI0Detect.exe

C:\Windows\SysWOW64\vmnat.exe

C:\Windows\system32\vssvc.exe

C:\Program Files (x86)\VMware\VMware Workstation\vmware-authd.exe

C:\Windows\SysWOW64\vmnetdhcp.exe

C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe

C:\Windows\system32\wbem\unsecapp.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\System32\alg.exe

C:\Windows\system32\taskhost.exe

C:\Windows\system32\svchost.exe -k bthsvcs

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted

C:\Program Files\LENOVO\HOTKEY\tposdsvc.exe

C:\Windows\System32\svchost.exe -k secsvcs

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe

C:\Program Files\Lenovo\Zoom\TpScrex.exe

C:\Windows\System32\rundll32.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\Lenovo\VIRTSCRL\virtscrl.exe

C:\Program Files\TortoiseSVN\bin\TSVNCache.exe

C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe

C:\Program Files\Microsoft IntelliPoint\ipoint.exe

C:\Program Files\TrueCrypt\TrueCrypt.exe

C:\Program Files (x86)\Citrix\GoToMeeting\978\g2mstart.exe

C:\Program Files (x86)\GFI\GFI Backup 2009 - Home Edition\GFIAgent.exe

C:\Program Files (x86)\Grindstone 2\Grindstone 2.exe

C:\Users\user\AppData\Local\Google\Update\GoogleUpdate.exe

C:\Program Files (x86)\SugarSync\SugarSyncManager.exe

C:\Program Files (x86)\Digital Line Detect\DLG.exe

C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

C:\Program Files (x86)\PGP Corporation\PGP Desktop\PGPtray.exe

C:\Program Files (x86)\VMware\VMware Workstation\vmware-tray.exe

C:\Program Files (x86)\Citrix\GoToMeeting\978\g2mcomm.exe

C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE\avp.exe

C:\Program Files (x86)\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe

C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrotray.exe

C:\Program Files (x86)\Citrix\GoToMeeting\978\g2mlauncher.exe

C:\Windows\system32\SearchIndexer.exe

C:\Program Files (x86)\iTunes\iTunesHelper.exe

C:\Program Files (x86)\PGP Corporation\PGP Desktop\PGPcbt64.exe

C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe

C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe

C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Program Files (x86)\Lenovo\System Update\SUService.exe

C:\Program Files\Windows Media Player\wmpnetwk.exe

C:\Program Files (x86)\Mozilla Firefox\firefox.exe

C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe

C:\Program Files (x86)\SSH Communications Security\SSH Secure Shell\SshClient.exe

C:\Program Files (x86)\Microsoft Office\Office12\OUTLOOK.EXE

C:\Windows\system32\taskmgr.exe

C:\Windows\system32\SearchFilterHost.exe

C:\Windows\system32\SearchProtocolHost.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\conhost.exe

C:\Windows\SysWOW64\cscript.exe

C:\Windows\system32\wbem\wmiprvse.exe

.

============== Pseudo HJT Report ===============

.

uLocal Page =

uSearch Page =

uSearch Bar =

uInternet Settings,ProxyServer = 127.0.0.1:8008

mWinlogon: Userinit=userinit.exe,

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

BHO: IEVkbdBHO Class: {59273ab4-e7d3-40f9-a1a8-6fa9cca1862c} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE\ievkbd.dll

BHO: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - No File

BHO: {89867A4A-BDEE-4259-964A-B8E87C4892F3} - No File

BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll

BHO: FilterBHO Class: {e33cf602-d945-461a-83f0-819f76a199f8} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE\klwtbbho.dll

BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll

TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll

TB: {EF91116F-DE92-4286-9087-093085152182} - No File

uRun: [TrueCrypt] "C:\Program Files\TrueCrypt\TrueCrypt.exe" /q preferences /a logon /a favorites

uRun: [GoToMeeting] "C:\Program Files (x86)\Citrix\GoToMeeting\978\g2mstart.exe" "/Trigger RunAtLogon"

uRun: [Adobe Reader Synchronizer] "C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AdobeCollabSync.exe"

uRun: [GFI Backup 2009 - Home Edition] "C:\PROGRA~2\GFI\GFIBAC~1\GFIAgent.exe"

uRun: [Grindstone 2] "C:\Program Files (x86)\Grindstone 2\Grindstone 2.exe"

uRun: [Google Update] "C:\Users\user\AppData\Local\Google\Update\GoogleUpdate.exe" /c

uRun: [SugarSync] "C:\Program Files (x86)\SugarSync\SugarSyncManager.exe" -startInTray -usedelay=true

mRun: [Intuit SyncManager] C:\Program Files (x86)\Common Files\Intuit\Sync\IntuitSyncManager.exe startup

mRun: [AdobeCS4ServiceManager] "C:\Program Files (x86)\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin

mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

mRun: [tvncontrol] "C:\Program Files (x86)\TightVNC\tvnserver.exe" -controlservice -slave

mRun: [vmware-tray] "C:\Program Files (x86)\VMware\VMware Workstation\vmware-tray.exe"

mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"

mRun: [AVP] "C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE\avp.exe"

mRun: [Adobe Acrobat Speed Launcher] "C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe"

mRun: [<NO NAME>]

mRun: [Acrobat Assistant 8.0] "C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe"

mRun: [KeePass 2 PreLoad] "C:\Program Files (x86)\KeePass Password Safe 2\KeePass.exe" --preload

mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime

mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"

mRun: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray

mRunOnce: [1] C:\Program Files (x86)\Malwarebytes' Anti-Malware\Chameleon\mbam-chameleon.exe /r /p

StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\DIGITA~1.LNK - C:\Program Files (x86)\Digital Line Detect\DLG.exe

StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\PGPTRA~1.LNK - C:\Windows\Installer\{4AF62A05-A1AB-4FE0-8E1F-8F63C2C59A60}\Icon6560581611.exe

StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\SERVIC~1.LNK - C:\Program Files (x86)\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe

mPolicies-explorer: NoActiveDesktop = 1 (0x1)

mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)

mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)

mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

mPolicies-system: SoftwareSASGeneration = 1 (0x1)

IE: Add to Anti-Banner - C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE\ie_banner_deny.htm

IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm

IE: {4248FE82-7FCB-46AC-B270-339F08212110} - {4248FE82-7FCB-46AC-B270-339F08212110} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE\klwtbbho.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~3\Office12\REFIEBAR.DLL

IE: {CCF151D8-D089-449F-A5A4-D9909053F20F} - {CCF151D8-D089-449F-A5A4-D9909053F20F} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE\klwtbbho.dll

LSP: C:\Windows\system32\PGPlsp.dll

Trusted Zone: internet

Trusted Zone: intuit.com\ttlc

Trusted Zone: localhost

TCP: DhcpNameServer = 192.168.0.3

TCP: Interfaces\{2CCFB0CD-5876-4F2F-ADDA-E9824C56FC5D} : DhcpNameServer = 66.174.92.14 69.78.96.14

TCP: Interfaces\{3F0830EE-B028-4E2E-A545-6E322E3252F8} : DhcpNameServer = 66.174.92.14 69.78.96.14

TCP: Interfaces\{7D36D253-EC5C-4C21-9AD5-A4C0ACD88EAC} : DhcpNameServer = 66.174.92.14 69.78.96.14

TCP: Interfaces\{E92506A9-D196-4BFB-818B-C270DBA99C9C} : DhcpNameServer = 10.48.9.21

TCP: Interfaces\{F20FD684-61D7-4368-BD9A-FFF1E1CD6830} : DhcpNameServer = 192.168.0.3

TCP: Interfaces\{F20FD684-61D7-4368-BD9A-FFF1E1CD6830}\6494255464C495D27657563747 : DhcpNameServer = 75.75.75.75 75.75.76.76

TCP: Interfaces\{F20FD684-61D7-4368-BD9A-FFF1E1CD6830}\77966696F5271696C6 : DhcpNameServer = 208.67.222.222 208.67.220.220

TCP: Interfaces\{F20FD684-61D7-4368-BD9A-FFF1E1CD6830}\B47463E43494 : DhcpNameServer = 66.76.175.70 208.180.42.100

TCP: Interfaces\{F20FD684-61D7-4368-BD9A-FFF1E1CD6830}\C696E6B6379737 : DhcpNameServer = 66.76.175.70 208.180.42.100

Handler: intu-help-qb3 - {c5e479ea-0a65-4b05-8c6c-2fc8cc682eb4} - C:\Program Files (x86)\Intuit\QuickBooks 2010\HelpAsyncPluggableProtocol.dll

Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - C:\Windows\System32\mscoree.dll

AppInit_DLLs: PGPmapih.dll, C:\PROGRA~2\KASPER~1\KASPER~1\mzvkbd3.dll, C:\PROGRA~2\KASPER~1\KASPER~1\sbhook.dll acaptuser32.dll

LSA: Notification Packages = scecli PGPpwflt

BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

BHO-X64: AcroIEHelperStub - No File

BHO-X64: IEVkbdBHO Class: {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE\ievkbd.dll

BHO-X64: IEVkbdBHO - No File

BHO-X64: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - No File

BHO-X64: {89867A4A-BDEE-4259-964A-B8E87C4892F3} - No File

BHO-X64: Adobe PDF Conversion Toolbar Helper: {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll

BHO-X64: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll

BHO-X64: FilterBHO Class: {E33CF602-D945-461A-83F0-819F76A199F8} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE\klwtbbho.dll

BHO-X64: link filter bho - No File

BHO-X64: SmartSelect Class: {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll

BHO-X64: SmartSelect - No File

TB-X64: Adobe PDF: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll

TB-X64: {EF91116F-DE92-4286-9087-093085152182} - No File

mRun-x64: [Intuit SyncManager] C:\Program Files (x86)\Common Files\Intuit\Sync\IntuitSyncManager.exe startup

mRun-x64: [AdobeCS4ServiceManager] "C:\Program Files (x86)\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin

mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

mRun-x64: [tvncontrol] "C:\Program Files (x86)\TightVNC\tvnserver.exe" -controlservice -slave

mRun-x64: [vmware-tray] "C:\Program Files (x86)\VMware\VMware Workstation\vmware-tray.exe"

mRun-x64: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"

mRun-x64: [AVP] "C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE\avp.exe"

mRun-x64: [Adobe Acrobat Speed Launcher] "C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe"

mRun-x64: [(Default)]

mRun-x64: [Acrobat Assistant 8.0] "C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe"

mRun-x64: [KeePass 2 PreLoad] "C:\Program Files (x86)\KeePass Password Safe 2\KeePass.exe" --preload

mRun-x64: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime

mRun-x64: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"

mRun-x64: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray

mRunOnce-x64: [1] C:\Program Files (x86)\Malwarebytes' Anti-Malware\Chameleon\mbam-chameleon.exe /r /p

IE-X64: {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm

AppInit_DLLs-X64: PGPmapih.dll, C:\PROGRA~2\KASPER~1\KASPER~1\mzvkbd3.dll, C:\PROGRA~2\KASPER~1\KASPER~1\sbhook.dll acaptuser32.dll

.

================= FIREFOX ===================

.

FF - ProfilePath - C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2gibju6e.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig

FF - prefs.js: network.proxy.ftp - localhost

FF - prefs.js: network.proxy.ftp_port - 8080

FF - prefs.js: network.proxy.http - localhost

FF - prefs.js: network.proxy.http_port - 8080

FF - prefs.js: network.proxy.socks - localhost

FF - prefs.js: network.proxy.socks_port - 8080

FF - prefs.js: network.proxy.ssl - localhost

FF - prefs.js: network.proxy.ssl_port - 8080

FF - prefs.js: network.proxy.type - 0

FF - plugin: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll

FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: C:\Program Files (x86)\Java\jre6\bin\plugin2\npdeployJava1.dll

FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\5.1.10411.0\npctrlui.dll

FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npatgpc.dll

FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npCouponPrinter.dll

FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npdeployJava1.dll

FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npMozCouponPrinter.dll

FF - plugin: C:\Users\user\AppData\Local\Google\Update\1.3.21.115\npGoogleUpdate3.dll

FF - plugin: C:\Users\user\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll

FF - plugin: C:\Users\user\AppData\Roaming\Mozilla\plugins\npgtpo3dautoplugin.dll

FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_3_300_265.dll

.

============= SERVICES / DRIVERS ===============

.

R0 CSCrySec;InfoWatch Encrypt Sector Library driver;C:\Windows\system32\DRIVERS\CSCrySec.sys --> C:\Windows\system32\DRIVERS\CSCrySec.sys [?]

R0 KLBG;Kaspersky Lab Boot Guard Driver;C:\Windows\system32\DRIVERS\klbg.sys --> C:\Windows\system32\DRIVERS\klbg.sys [?]

R0 pgpfs;PGP File Sharing;C:\Windows\system32\Drivers\PGPfsfd.sys --> C:\Windows\system32\Drivers\PGPfsfd.sys [?]

R0 Pgpwdefs;Pgpwdefs;C:\Windows\system32\DRIVERS\Pgpwdefs.sys --> C:\Windows\system32\DRIVERS\Pgpwdefs.sys [?]

R1 CSVirtualDiskDrv;InfoWatch Virtual Disk driver;C:\Windows\system32\DRIVERS\CSVirtualDiskDrv.sys --> C:\Windows\system32\DRIVERS\CSVirtualDiskDrv.sys [?]

R1 KLIM6;Kaspersky Anti-Virus NDIS 6 Filter;C:\Windows\system32\DRIVERS\klim6.sys --> C:\Windows\system32\DRIVERS\klim6.sys [?]

R1 lenovo.smi;Lenovo System Interface Driver;C:\Windows\system32\DRIVERS\smiifx64.sys --> C:\Windows\system32\DRIVERS\smiifx64.sys [?]

R1 RsFx0151;RsFx0151 Driver;C:\Windows\system32\DRIVERS\RsFx0151.sys --> C:\Windows\system32\DRIVERS\RsFx0151.sys [?]

R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys --> C:\Windows\system32\DRIVERS\vwififlt.sys [?]

R2 AdobeARMservice;Adobe Acrobat Update Service;C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-1-3 63928]

R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\system32\atiesrxx.exe --> C:\Windows\system32\atiesrxx.exe [?]

R2 AMPPALR3;Intel® Centrino® Wireless Bluetooth® 3.0 + High Speed Service;C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe [2011-10-19 661504]

R2 AVP;Kaspersky PURE;C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE\avp.exe [2010-10-1 348760]

R2 BTHSSecurityMgr;Intel® Centrino® Wireless Bluetooth® 3.0 + High Speed Security Service;C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe [2011-10-20 135440]

R2 CSObjectsSrv;CryptoStorage control service;C:\Program Files (x86)\Common Files\InfoWatch\CryptoStorage\ProtectedObjectsSrv.exe [2009-12-21 743992]

R2 GFIBckHAtt;GFI Backup 2009 - Home Edition Attendant Service;C:\PROGRA~2\GFI\GFIBAC~1\GFIHInst.exe [2011-10-22 440616]

R2 GFIBckHSched;GFI Backup 2009 - Home Edition Scheduler Service;C:\PROGRA~2\GFI\GFIBAC~1\GFIHSC~1.EXE [2011-10-22 2324848]

R2 HsfXAudioService;HsfXAudioService;C:\Windows\system32\svchost.exe -k HsfXAudioService [2009-7-13 20992]

R2 LENOVO.CAMMUTE;Lenovo Camera Mute;C:\Program Files\Lenovo\Communications Utility\CamMute.exe [2011-9-27 50536]

R2 LGE NDIS Connection Service;LGE NDIS Connection Service;C:\Program Files (x86)\LG Electronics\LGE LTE Driver\LGVL600SVC.exe [2010-12-13 140224]

R2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-7-13 655944]

R2 MsDtsServer100;SQL Server Integration Services 10.0;C:\Program Files\Microsoft SQL Server\100\DTS\Binn\MsDtsSrvr.exe [2011-6-17 210784]

R2 MSSQL$SQL2008;SQL Server (SQL2008);C:\Program Files\Microsoft SQL Server\MSSQL10_50.SQL2008\MSSQL\Binn\sqlservr.exe [2011-6-17 62111072]

R2 PGP RDD Service;PGP RDD Service;C:\Program Files (x86)\PGP Corporation\PGP Desktop\RDDService.exe [2011-9-19 1588456]

R2 TPHKLOAD;Lenovo Hotkey Client Loader;C:\Program Files\Lenovo\HOTKEY\tphkload.exe [2011-11-25 145256]

R2 TPHKSVC;On Screen Display;C:\Program Files\Lenovo\HOTKEY\TPHKSVC.exe [2011-11-25 142696]

R3 AMPPAL;Intel® Centrino® Wireless Bluetooth® 3.0 + High Speed Virtual Adapter;C:\Windows\system32\DRIVERS\AMPPAL.sys --> C:\Windows\system32\DRIVERS\AMPPAL.sys [?]

R3 btusbflt;Bluetooth USB Filter;C:\Windows\system32\drivers\btusbflt.sys --> C:\Windows\system32\drivers\btusbflt.sys [?]

R3 btwl2cap;Bluetooth L2CAP Service;C:\Windows\system32\DRIVERS\btwl2cap.sys --> C:\Windows\system32\DRIVERS\btwl2cap.sys [?]

R3 CAXHWAZL;CAXHWAZL;C:\Windows\system32\DRIVERS\CAXHWAZL.sys --> C:\Windows\system32\DRIVERS\CAXHWAZL.sys [?]

R3 e1yexpress;Intel® Gigabit Network Connections Driver;C:\Windows\system32\DRIVERS\e1y62x64.sys --> C:\Windows\system32\DRIVERS\e1y62x64.sys [?]

R3 HECIx64;Intel® Management Engine Interface;C:\Windows\system32\DRIVERS\HECIx64.sys --> C:\Windows\system32\DRIVERS\HECIx64.sys [?]

R3 klmouflt;Kaspersky Lab KLMOUFLT;C:\Windows\system32\DRIVERS\klmouflt.sys --> C:\Windows\system32\DRIVERS\klmouflt.sys [?]

R3 MBAMProtector;MBAMProtector;\??\C:\Windows\system32\drivers\mbam.sys --> C:\Windows\system32\drivers\mbam.sys [?]

R3 NETwNs64;___ Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 64 Bit;C:\Windows\system32\DRIVERS\NETwNs64.sys --> C:\Windows\system32\DRIVERS\NETwNs64.sys [?]

R3 vwifimp;Microsoft Virtual WiFi Miniport Service;C:\Windows\system32\DRIVERS\vwifimp.sys --> C:\Windows\system32\DRIVERS\vwifimp.sys [?]

S1 Uim_VIM;UIM Virtual Image Plugin;C:\Windows\system32\Drivers\uim_vimx64.sys --> C:\Windows\system32\Drivers\uim_vimx64.sys [?]

S2 BotkindSyncService;Botkind Service;C:\Program Files\Allway Sync\Bin\SyncService.exe service --> C:\Program Files\Allway Sync\Bin\SyncService.exe service [?]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]

S2 IntuitUpdateServiceV4;Intuit Update Service v4;C:\Program Files (x86)\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe [2011-8-25 13672]

S2 LENOVO.MICMUTE;Lenovo Microphone Mute;C:\Program Files\Lenovo\HOTKEY\micmute.exe [2011-11-25 101736]

S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-6-17 250056]

S3 amdkmdag;amdkmdag;C:\Windows\system32\DRIVERS\atikmdag.sys --> C:\Windows\system32\DRIVERS\atikmdag.sys [?]

S3 amdkmdap;amdkmdap;C:\Windows\system32\DRIVERS\atikmpag.sys --> C:\Windows\system32\DRIVERS\atikmpag.sys [?]

S3 AMPPALP;Intel® Centrino® Wireless Bluetooth® 3.0 + High Speed Protocol;C:\Windows\system32\DRIVERS\amppal.sys --> C:\Windows\system32\DRIVERS\amppal.sys [?]

S3 FLEXnet Licensing Service 64;FLEXnet Licensing Service 64;C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe [2011-10-2 1038088]

S3 LGELTEBus;LGE Composite Device;C:\Windows\system32\DRIVERS\LGELTEBus.sys --> C:\Windows\system32\DRIVERS\LGELTEBus.sys [?]

S3 LGELTEmdm;LGE LTE USB Device for Modem Communication;C:\Windows\system32\DRIVERS\LGELTEmdm.sys --> C:\Windows\system32\DRIVERS\LGELTEmdm.sys [?]

S3 LGELTEMux;LGE LTE Mux Enumerator ;C:\Windows\system32\DRIVERS\LGELTEMux.sys --> C:\Windows\system32\DRIVERS\LGELTEMux.sys [?]

S3 LGELTENdis;LGE USB NDIS Miniport Ethernet Adapter Service;C:\Windows\system32\DRIVERS\LGELTENdis.sys --> C:\Windows\system32\DRIVERS\LGELTENdis.sys [?]

S3 LGELTEprt;LGE USB Device for Serial Communication;C:\Windows\system32\DRIVERS\LGELTEprt.sys --> C:\Windows\system32\DRIVERS\LGELTEprt.sys [?]

S3 MozillaMaintenance;Mozilla Maintenance Service;C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-5-7 113120]

S3 netw5v64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;C:\Windows\system32\DRIVERS\netw5v64.sys --> C:\Windows\system32\DRIVERS\netw5v64.sys [?]

S3 SQLAgent$SQL2008;SQL Server Agent (SQL2008);C:\Program Files\Microsoft SQL Server\MSSQL10_50.SQL2008\MSSQL\Binn\SQLAGENT.EXE [2011-6-17 431456]

S3 SrvHsfHDA;SrvHsfHDA;C:\Windows\system32\DRIVERS\VSTAZL6.SYS --> C:\Windows\system32\DRIVERS\VSTAZL6.SYS [?]

S3 SrvHsfV92;SrvHsfV92;C:\Windows\system32\DRIVERS\VSTDPV6.SYS --> C:\Windows\system32\DRIVERS\VSTDPV6.SYS [?]

S3 SrvHsfWinac;SrvHsfWinac;C:\Windows\system32\DRIVERS\VSTCNXT6.SYS --> C:\Windows\system32\DRIVERS\VSTCNXT6.SYS [?]

S3 StorSvc;Storage Service;C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]

S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]

S3 tvnserver;TightVNC Server;C:\Program Files (x86)\TightVNC\tvnserver.exe [2011-8-3 828944]

S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\system32\Drivers\usbaapl64.sys --> C:\Windows\system32\Drivers\usbaapl64.sys [?]

S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]

S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;C:\Program Files\Microsoft SQL Server\100\Shared\sqladhlp.exe [2010-4-3 59744]

.

=============== Created Last 30 ================

.

2012-07-13 16:11:39 -------- d-----w- C:\Users\user\AppData\Roaming\Malwarebytes

2012-07-13 16:11:27 -------- d-----w- C:\ProgramData\Malwarebytes

2012-07-13 16:11:26 24904 ----a-w- C:\Windows\System32\drivers\mbam.sys

2012-07-13 16:11:25 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware

2012-07-13 07:06:45 9013136 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{64E9F20F-969B-4193-BA72-35EC69D79A69}\mpengine.dll

2012-07-12 17:52:16 -------- d-----w- C:\Users\user\AppData\Roaming\AV Burning Pro

2012-07-12 17:51:59 -------- d-----w- C:\Program Files (x86)\AV Burning Pro

2012-07-11 15:22:53 -------- d-----w- C:\Users\user\AppData\Roaming\pdfforge

2012-07-11 15:22:48 95744 ----a-w- C:\Windows\System32\pdfcmon.dll

2012-07-11 15:22:48 137000 ----a-w- C:\Windows\SysWow64\MSMAPI32.OCX

2012-07-11 15:22:46 23552 ----a-w- C:\Windows\SysWow64\MSMPIDE.DLL

2012-07-11 15:22:44 -------- d-----w- C:\Program Files (x86)\PDFCreator

2012-07-10 19:43:18 3148800 ----a-w- C:\Windows\System32\win32k.sys

2012-07-10 17:32:39 -------- d-----w- C:\accessauditorsvo - Copy

2012-07-03 21:43:14 -------- d-----w- C:\Users\user\AppData\Roaming\PictureMover

2012-07-03 21:42:18 -------- d-----w- C:\ProgramData\PictureMover

2012-07-03 21:42:18 -------- d-----w- C:\Program Files (x86)\PictureMover

2012-07-03 06:47:54 -------- d-----w- C:\Windows\1CE60928832549A88B06633E48DD2B67.TMP

2012-07-03 06:47:05 -------- d-----w- C:\Users\user\1CE60928832549A88B06633E48DD2B67.TMP

2012-07-01 18:17:38 -------- d-----w- C:\Users\user\AppData\Roaming\MySQL

2012-07-01 18:17:19 -------- d-----w- C:\Program Files (x86)\MySQL

2012-06-23 03:30:28 -------- d-----w- C:\Program Files\iTunes

2012-06-23 03:30:28 -------- d-----w- C:\Program Files\iPod

2012-06-23 03:30:28 -------- d-----w- C:\Program Files (x86)\iTunes

2012-06-22 23:55:11 2622464 ----a-w- C:\Windows\System32\wucltux.dll

2012-06-22 23:55:00 99840 ----a-w- C:\Windows\System32\wudriver.dll

2012-06-22 23:54:44 36864 ----a-w- C:\Windows\System32\wuapp.exe

2012-06-22 23:54:44 186752 ----a-w- C:\Windows\System32\wuwebv.dll

2012-06-18 02:49:35 -------- d-----w- C:\Users\user\AppData\Local\Research In Motion

2012-06-18 02:43:29 44032 ----a-w- C:\Windows\System32\drivers\RimSerial_AMD64.sys

2012-06-18 02:43:07 -------- d-----w- C:\Program Files (x86)\Common Files\XCPCSync.OEM

2012-06-17 20:27:00 770384 ----a-w- C:\Program Files (x86)\Mozilla Firefox\msvcr100.dll

2012-06-17 20:27:00 421200 ----a-w- C:\Program Files (x86)\Mozilla Firefox\msvcp100.dll

2012-06-17 20:26:37 70344 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl

2012-06-17 20:26:37 426184 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe

.

==================== Find3M ====================

.

2012-06-06 06:06:16 2004480 ----a-w- C:\Windows\System32\msxml6.dll

2012-06-06 06:06:16 1881600 ----a-w- C:\Windows\System32\msxml3.dll

2012-06-06 06:02:54 1133568 ----a-w- C:\Windows\System32\cdosys.dll

2012-06-06 05:05:52 1390080 ----a-w- C:\Windows\SysWow64\msxml6.dll

2012-06-06 05:05:52 1236992 ----a-w- C:\Windows\SysWow64\msxml3.dll

2012-06-06 05:03:06 805376 ----a-w- C:\Windows\SysWow64\cdosys.dll

2012-06-02 05:50:10 458704 ----a-w- C:\Windows\System32\drivers\cng.sys

2012-06-02 05:48:16 95600 ----a-w- C:\Windows\System32\drivers\ksecdd.sys

2012-06-02 05:48:16 151920 ----a-w- C:\Windows\System32\drivers\ksecpkg.sys

2012-06-02 05:45:31 340992 ----a-w- C:\Windows\System32\schannel.dll

2012-06-02 05:44:21 307200 ----a-w- C:\Windows\System32\ncrypt.dll

2012-06-02 04:40:42 22016 ----a-w- C:\Windows\SysWow64\secur32.dll

2012-06-02 04:40:39 225280 ----a-w- C:\Windows\SysWow64\schannel.dll

2012-06-02 04:39:10 219136 ----a-w- C:\Windows\SysWow64\ncrypt.dll

2012-06-02 04:34:09 96768 ----a-w- C:\Windows\SysWow64\sspicli.dll

2012-05-15 04:01:31 1188864 ----a-w- C:\Windows\System32\wininet.dll

2012-05-15 03:03:54 981504 ----a-w- C:\Windows\SysWow64\wininet.dll

2012-05-04 11:06:22 5559664 ----a-w- C:\Windows\System32\ntoskrnl.exe

2012-05-04 10:03:53 3968368 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe

2012-05-04 10:03:50 3913072 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe

2012-04-28 03:55:21 210944 ----a-w- C:\Windows\System32\drivers\rdpwd.sys

2012-04-26 05:41:56 77312 ----a-w- C:\Windows\System32\rdpwsx.dll

2012-04-26 05:41:55 149504 ----a-w- C:\Windows\System32\rdpcorekmts.dll

2012-04-26 05:34:27 9216 ----a-w- C:\Windows\System32\rdrmemptylst.exe

2012-04-24 05:37:37 184320 ----a-w- C:\Windows\System32\cryptsvc.dll

2012-04-24 05:37:37 140288 ----a-w- C:\Windows\System32\cryptnet.dll

2012-04-24 05:37:36 1462272 ----a-w- C:\Windows\System32\crypt32.dll

2012-04-24 04:36:42 140288 ----a-w- C:\Windows\SysWow64\cryptsvc.dll

2012-04-24 04:36:42 1158656 ----a-w- C:\Windows\SysWow64\crypt32.dll

2012-04-24 04:36:42 103936 ----a-w- C:\Windows\SysWow64\cryptnet.dll

2012-04-20 03:45:41 1638912 ----a-w- C:\Windows\System32\mshtml.tlb

2012-04-20 03:16:44 1638912 ----a-w- C:\Windows\SysWow64\mshtml.tlb

2012-04-19 03:56:30 94208 ----a-w- C:\Windows\SysWow64\QuickTimeVR.qtx

2012-04-19 03:56:30 69632 ----a-w- C:\Windows\SysWow64\QuickTime.qts

.

============= FINISH: 10:42:02.65 ===============


Welcome to the forum.

Please Update and run a Quick Scan with MBAM, post the report.

Make sure that everything is checked, and click Remove Selected.

Then.......

Please remove any usb or external drives from the computer before you run this scan!

Please download and run RogueKiller.

For Windows XP, double-click to start.

For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

Click Scan to scan the system (don't run any other options, they're not all bad!!!!!!!)

Post back the report.

MrC

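Whether the file the scanner reports in C:\System Volume Information is genuine, and whether a reboot-time delete has actually been queued, can be checked directly rather than guessed at. The PowerShell script below is an added example and is not part of this thread, nor code from Malwarebytes or RogueKiller. Run from an elevated prompt, it grants the current administrator temporary read access to the folder (by default only SYSTEM has any access there, which is one reason ordinary tools cannot touch files inside it), records the file's size and timestamps, checks its Authenticode signature, compares its SHA-256 with the installed Internet Explorer binary, reports whether a delayed delete for it is already queued in PendingFileRenameOperations, and lists the volume's shadow copies. Assumptions, all mine and not from the thread: the reference binary lives at $env:ProgramFiles\Internet Explorer\iexplore.exe; the elevated account is allowed to change the folder's ACL with icacls (if that fails with "Access is denied", run the script from a SYSTEM shell such as `psexec -s powershell.exe` instead); and Malwarebytes' "Delete on reboot" uses the standard Windows delayed-delete mechanism, so its request would show up in that registry value.

```powershell
# Added example (not from the thread): triage a file reported inside
# C:\System Volume Information. Read-only apart from the temporary ACL entries,
# which are removed again at the end. Run from an elevated PowerShell prompt.

$SviFolder = 'C:\System Volume Information'
$Suspect   = Join-Path $SviFolder 'iexplore.exe'                      # path from the scan log
$Reference = Join-Path $env:ProgramFiles 'Internet Explorer\iexplore.exe'   # assumed location of the real binary

function Get-Sha256 {
    param([string]$Path)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try     { ([BitConverter]::ToString($sha.ComputeHash($fs))) -replace '-', '' }
    finally { $fs.Dispose(); $sha.Dispose() }
}

# 1. Temporary read access for the current admin. No /T, so nothing below the folder
#    is changed except the single suspect file.
$me = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
icacls $SviFolder /grant "${me}:(R)" | Out-Null
if ($LASTEXITCODE -ne 0) {
    Write-Output "Cannot modify the ACL of $SviFolder from this account; rerun from a SYSTEM shell (e.g. psexec -s)."
    return
}
$fileGranted = $false
icacls $Suspect /grant "${me}:(R)" | Out-Null
if ($LASTEXITCODE -eq 0) { $fileGranted = $true }

try {
    if (-not (Test-Path -LiteralPath $Suspect)) {
        Write-Output "File not present (already removed, or still unreadable from this account)."
        return
    }
    $item = Get-Item -LiteralPath $Suspect -Force
    Write-Output ("Size: {0} bytes  Created: {1}  Modified: {2}" -f $item.Length, $item.CreationTime, $item.LastWriteTime)

    # 2. Authenticode: the shipped iexplore.exe carries a valid Microsoft signature.
    #    Anything else is a strong indicator, whatever the file is called.
    $sig = Get-AuthenticodeSignature -FilePath $Suspect
    Write-Output ("Signature: {0}  Signer: {1}" -f $sig.Status, $sig.SignerCertificate.Subject)

    # 3. Hash and compare with the installed binary. Different patch levels also hash
    #    differently, so a mismatch means "look closer", not "malicious" by itself.
    $h1 = Get-Sha256 $Suspect
    Write-Output "SHA256 suspect  : $h1"
    if (Test-Path -LiteralPath $Reference) {
        $h2 = Get-Sha256 $Reference
        Write-Output "SHA256 reference: $h2"
        Write-Output ("Identical to installed iexplore.exe: {0}" -f ($h1 -eq $h2))
    }

    # 4. Is a delayed delete already queued? Windows processes this value at boot for
    #    MoveFileEx(..., MOVEFILE_DELAY_UNTIL_REBOOT) requests; an entry with an empty
    #    destination is a delete.
    $sm   = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager' -ErrorAction SilentlyContinue
    $pfro = $sm.PendingFileRenameOperations
    if ($pfro) {
        $queued = @($pfro | Where-Object { $_ -like "*$($item.Name)*" })
        Write-Output ("PendingFileRenameOperations entries naming this file: {0}" -f $queued.Count)
    } else {
        Write-Output "No PendingFileRenameOperations queued."
    }

    # 5. Restore points live in this folder as shadow copies; list them so the helper
    #    can decide whether they should be purged after the system is clean.
    vssadmin list shadows /for=C: 2>$null | Select-String 'Shadow Copy ID|creation time'
}
finally {
    if ($fileGranted) { icacls $Suspect /remove "$me" | Out-Null }
    icacls $SviFolder /remove "$me" | Out-Null
}
```

Paste the output into the reply: a file that is not Microsoft-signed, or whose hash does not match the installed binary, is what a helper needs to see, and the shadow-copy list shows how many restore points currently exist on the volume the scanner is flagging.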

Thanks MrC,

I updated and ran MBAM and got the same answer, c:\system volume information\iexplore.exe (Trojan.Agent) -> Delete on reboot.

I clicked to fix, and it said it had to reboot to fix, just like before. Then I ran RogueKiller and got the report below.

Any ideas if that's a real item in sysvolinf?

Thank you!

------------------------------------------

Malwarebytes Anti-Malware (Trial) 1.62.0.1300

www.malwarebytes.org

Database version: v2012.07.15.09

Windows 7 Service Pack 1 x64 NTFS

Internet Explorer 8.0.7601.17514

user:: HOST [administrator]

Protection: Disabled

7/15/2012 9:58:28 AM

mbam-log-2012-07-15 (09-58-28).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P

Scan options disabled:

Objects scanned: 240744

Time elapsed: 6 minute(s), 14 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 1

c:\system volume information\iexplore.exe (Trojan.Agent) -> Delete on reboot.

(end)

-------------------------------

RogueKiller V7.6.3 [07/08/2012] by Tigzy

mail: tigzyRK<at>gmail<dot>com

Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/

Blog: http://tigzyrk.blogspot.com

Operating System: Windows 7 (6.1.7601 Service Pack 1) 64 bits version

Started in : Normal mode

User: user[Admin rights]

Mode: Scan -- Date: 07/15/2012 10:12:41

¤¤¤ Bad processes: 0 ¤¤¤

¤¤¤ Registry Entries: 6 ¤¤¤

[ROGUE ST] HKLM\[...]\Wow6432Node\RunOnce : 1 (C:\Program Files (x86)\Malwarebytes' Anti-Malware\Chameleon\mbam-chameleon.exe /r /p) -> FOUND

[BLACKLIST DLL] HKLM\[...]\Wow6432Node\RunOnce : Malwarebytes Anti-Malware (cleanup) (rundll32.exe "C:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware\cleanup.dll",ProcessCleanupScript) -> FOUND

[PROXY IE] HKCU\[...]\Internet Settings : ProxyServer (127.0.0.1:8008) -> FOUND

[HJ] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> FOUND

[HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND

[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver: [NOT LOADED] ¤¤¤

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤

127.0.0.1 localhost

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: OCZ-VERTEX2 +++++

--- User ---

[MBR] 8a45abda90766fc737f27abce43c70e3

[BSP] 92547877cd8631050d5f3799c87def38 : Windows 7 MBR Code

Partition table:

0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo

1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 228834 Mo

User = LL1 ... OK!

User = LL2 ... OK!

Finished : << RKreport[1].txt >>

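The symptom above (a file marked "Delete on reboot" that is still there after the reboot) can be checked from the Windows side. Windows' own delay-until-reboot deletion (MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT) queues the request in the PendingFileRenameOperations registry value, which Session Manager processes early in the next boot; whether MBAM uses that mechanism for this detection is an assumption here, not something the thread states. The following PowerShell function is an added example, not code from the thread, from Malwarebytes or from RogueKiller; it lists whatever is queued so you can see, before rebooting, whether a delete for the flagged path was actually recorded, and afterwards whether the file still exists.

```powershell
# Added example: inspect the delete-on-reboot queue that Windows keeps in
# HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations.
# The value is a REG_MULTI_SZ of pairs: source path, then destination path
# (an empty destination means "delete"). Paths are stored with a \??\ prefix.
# Run from an elevated PowerShell prompt (reading the key itself does not
# need elevation, but the flagged file lives under a SYSTEM-only folder).
function Get-PendingFileRenameOperations {
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    $item = Get-ItemProperty -Path $key -Name PendingFileRenameOperations -ErrorAction SilentlyContinue
    if (-not $item) { return @() }          # nothing queued for the next boot

    $entries = @($item.PendingFileRenameOperations)
    for ($i = 0; $i -lt $entries.Count; $i += 2) {
        $src = $entries[$i] -replace '^\\\?\?\\', ''
        $dst = if ($i + 1 -lt $entries.Count) { $entries[$i + 1] -replace '^\\\?\?\\', '' } else { '' }
        [PSCustomObject]@{
            Source = $src
            Action = if ([string]::IsNullOrEmpty($dst)) { 'Delete' } else { "Rename to $dst" }
        }
    }
}

# Usage: the path is the one MBAM reported in this thread.
$flagged = 'C:\System Volume Information\iexplore.exe'

$queued = Get-PendingFileRenameOperations
$queued | Format-Table -AutoSize

if ($queued | Where-Object { $_.Source -ieq $flagged }) {
    "A delete/rename for $flagged is queued for the next boot."
} else {
    "No pending operation recorded for $flagged."
}

# After the reboot, rerun this line: if it still prints True, the queued
# delete did not take effect (or the file was recreated), which is worth
# reporting back to the helper rather than rebooting again.
Test-Path -LiteralPath $flagged
```

A file that reappears after a successful queued delete points at something recreating it, while a file that was never queued points at the scanner failing to schedule the removal; the two call for different follow-ups, and this check tells them apart.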

OK, let's run some scans.....

Please make sure system restore is running and create a new restore point before continuing.

XP <===> Vista & W7

XP users > please back up the registry using ERUNT.

-----------------------------------------

Please download and run TDSSKiller to your desktop as outlined below:

Double-click on TDSSKiller.exe to run the application, then click on Change parameters.

For Windows XP, double-click to start.

For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.


-------------------------

Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.


------------------------

Click the Start Scan button.


-----------------------

If a suspicious object is detected, the default action will be Skip, click on Continue

If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic please choose

Skip and click on Continue

Any entries like this: \Device\Harddisk0\DR0 ( TDSS File System ) - please choose delete.


----------------------

If malicious objects are found, they will show in the Scan results and offer three (3) options.

Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.

Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.


--------------------

A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste its contents on your next reply.

Sometimes these logs can be very large, in that case please attach it or zip it up and attach it.

-------------------

Here's a summary of what to do if you would like to print it out:

If a suspicious object is detected, the default action will be Skip, click on Continue

If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic please choose

Skip and click on Continue

Any entries like this: \Device\Harddisk0\DR0 ( TDSS File System ) - please choose delete.

If malicious objects are found, they will show in the Scan results and offer three (3) options.

Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.

Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

MrC


OK, that scan was clean, please do this.......

Please download and run ComboFix.

The most important things to remember when running it are to disable all your malware programs and to run ComboFix from your desktop.

Please visit this webpage for download links, and instructions for running ComboFix

http://www.bleepingc...to-use-combofix

Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Information on disabling your malware programs can be found Here.

Make sure you run ComboFix from your desktop.

Give it at least 30-45 minutes to finish if needed.

Please include the C:\ComboFix.txt in your next reply for further review.

---------->NOTE<----------

If you get the message Illegal operation attempted on registry key that has been marked for deletion after you run ComboFix....please reboot the computer, this should resolve the problem. You may have to do this several times if needed.

MrC


Do you know what these two temp files are?

2012-07-03 06:47 . 2012-07-03 06:47 -------- d-----w- c:\windows\1CE60928832549A88B06633E48DD2B67.TMP

2012-07-03 06:47 . 2012-07-03 06:47 -------- d-----w- c:\users\user\1CE60928832549A88B06633E48DD2B67.TMP

-----------------------------------

Please Update and run a Quick Scan with MBAM, post the report.

Make sure that everything is checked, and click Remove Selected.

Let me know, MrC


They are folders with a bunch of entries like below. Some are signed and some are not. I uploaded a few of them to VirusTotal and some were clean,

https://www.virustotal.com/file/8e758e1f23c5a3d52967fe0a7e80592482932db9dcceaa2ca6f5416872ab41b8/analysis/1342538605/

a couple showed one hit out of 42 like this one:

https://www.virustotal.com/file/85f4ba559c8e4e8a0dcdb6c86d5d7740797b9f6e0a06b8735c5f163964e7b906/analysis/

Interestingly, MBAM quick scan now shows clean. Do you think it really was an infection somewhere or just a random result?

Thanks!

$ ls -l

total 1572

-rwx------+ 1 Administrators Domain Users  26311 Jul 2 23:47 WiseCustomCall.dll
-rwx------+ 1 Administrators Domain Users  29488 Jul 2 23:47 WiseCustomCalla.dll
-rwx------+ 1 Administrators Domain Users  29488 Jul 2 23:47 WiseCustomCalla18.dll
-rwx------+ 1 Administrators Domain Users  29488 Jul 2 23:47 WiseCustomCalla21.dll
-rwx------+ 1 Administrators Domain Users  29488 Jul 2 23:47 WiseCustomCalla22.dll
-rwx------+ 1 Administrators Domain Users  29488 Jul 2 23:47 WiseCustomCalla23.dll
-rwx------+ 1 Administrators Domain Users  29488 Jul 2 23:47 WiseCustomCalla24.dll
-rwx------+ 1 Administrators Domain Users  29488 Jul 2 23:47 WiseCustomCalla25.dll
-rwx------+ 1 Administrators Domain Users  29488 Jul 2 23:47 WiseCustomCalla26.dll
-rwx------+ 1 Administrators Domain Users  29488 Jul 2 23:47 WiseCustomCalla27.dll
-rwx------+ 1 Administrators Domain Users  29488 Jul 2 23:47 WiseCustomCalla33.dll
-rwx------+ 1 Administrators Domain Users  29488 Jul 2 23:47 WiseCustomCalla35.dll
-rwx------+ 1 Administrators Domain Users  29488 Jul 2 23:47 WiseCustomCalla36.dll
-rwx------+ 1 Administrators Domain Users  29488 Jul 2 23:47 WiseCustomCalla37.dll
-rwx------+ 1 Administrators Domain Users  29488 Jul 2 23:47 WiseCustomCalla38.dll
-rwx------+ 1 Administrators Domain Users  29488 Jul 2 23:47 WiseCustomCalla39.dll
-rwx------+ 1 Administrators Domain Users 111476 Jul 2 23:47 WiseCustomCalla41.dll
-rwx------+ 1 Administrators Domain Users 111269 Jul 2 23:47 WiseCustomCalla42.dll
-rwx------+ 1 Administrators Domain Users 111260 Jul 2 23:47 WiseCustomCalla43.dll
-rwx------+ 1 Administrators Domain Users 110500 Jul 2 23:47 WiseCustomCalla44.dll
-rwx------+ 1 Administrators Domain Users 110797 Jul 2 23:47 WiseCustomCalla46.dll
-rwx------+ 1 Administrators Domain Users 110936 Jul 2 23:47 WiseCustomCalla47.dll
-rwx------+ 1 Administrators Domain Users 116956 Jul 2 23:47 WiseCustomCalla48.dll
-rwx------+ 1 Administrators Domain Users 110799 Jul 2 23:47 WiseCustomCalla49.dll
-rwx------+ 1 Administrators Domain Users 125719 Jul 2 23:47 WiseCustomCalla50.dll
-rwx------+ 1 Administrators Domain Users  45056 Jul 2 23:47 WiseCustomCalla51.dll

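The triage done by hand in the post above (checking which DLLs in the .TMP folder are signed, then uploading a few of them to VirusTotal) can be done for the whole folder at once. The following PowerShell function is an added example and is not code from the thread, from ComboFix or from any of the tools used here. It records each file's SHA-256 hash and Authenticode status; grouping by hash shows which of the many same-size files are byte-identical, so one hash lookup covers all of them. It assumes PowerShell 4.0 or later for Get-FileHash (Windows 7 ships with 2.0, so Windows Management Framework 4.0 would have to be installed first), and the folder path reuses the .TMP folder name from the ComboFix lines quoted earlier.

```powershell
# Added example: hash and signature triage of every file in a folder.
# Assumes PowerShell 4.0+ (Get-FileHash, -File switch on Get-ChildItem).
function Get-FileTriage {
    param(
        [Parameter(Mandatory = $true)]
        [string]$FolderPath
    )

    Get-ChildItem -Path $FolderPath -File -Recurse | ForEach-Object {
        # Authenticode status: Valid, NotSigned, HashMismatch, NotTrusted, ...
        $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
        $hash = Get-FileHash -Path $_.FullName -Algorithm SHA256

        [PSCustomObject]@{
            Name          = $_.Name
            Length        = $_.Length
            LastWriteTime = $_.LastWriteTime
            Sha256        = $hash.Hash
            SigStatus     = $sig.Status
            Signer        = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        }
    }
}

# Usage: the folder name is the one ComboFix listed in this thread; the
# location under %SystemRoot% is taken from that same listing.
$report = Get-FileTriage -FolderPath "$env:SystemRoot\1CE60928832549A88B06633E48DD2B67.TMP"

# Full table for the reply, then the subset that needs a closer look:
# anything not carrying a valid signature, collapsed to unique hashes.
$report | Format-Table Name, Length, SigStatus, Signer, Sha256 -AutoSize

$report |
    Where-Object { $_.SigStatus -ne 'Valid' } |
    Group-Object Sha256 |
    ForEach-Object {
        '{0} unsigned/unverified file(s) share SHA-256 {1}: {2}' -f `
            $_.Count, $_.Name, ($_.Group.Name -join ', ')
    }
```

The SHA-256 values are what the VirusTotal links in the post are keyed on, so the grouped output can be searched by hash without uploading the files themselves; a file with SigStatus of HashMismatch (signed, but the contents no longer match the signature) deserves more attention than one that is merely NotSigned.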

Those folders are OK...the MB scan was clean, you're set to go.

A little clean up to do....

Please Uninstall ComboFix: (if you used it)

Press the Windows logo key + R to bring up the "run box"

Copy and paste next command in the field:

ComboFix /uninstall

Make sure there's a space between Combofix and /


Then hit enter.

This will uninstall ComboFix, delete its related folders and files, hide file extensions, hide the system/hidden files, clear the System Restore cache and create a new Restore point.

---------------------------------

Please download OTL from one of the links below: (you may already have OTL on the system)

http://oldtimer.geekstogo.com/OTL.exe

http://oldtimer.geekstogo.com/OTL.com

Save it to your desktop.

Run OTL and hit the CleanUp button. (This will cleanup the tools and logs used including itself)

Any other programs or logs you can manually delete.

i.e. RogueKiller.exe, RKreport.txt, the RK_Quarantine folder, etc....

-------------------------------

Any questions...please post back.

If you think I've helped you, please leave a comment > click on my avatar picture > click Profile Feed.

Take a look at My Preventive Maintenance to avoid being infected again.

Good Luck and Thanks for using the forum, MrC


Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
