Trojan.LameShield

[Unreasonable]

Hi guys,

Unfortunately when running MBAM a short time ago it found 2 Trojan.LameShield files.

I've followed the instructions in the "I'm Infected" sticky thread.

The necessary logs are below.

I'm quite terrible with this kind of thing so any assistance in safely removing the infected files would be greatly appreciated.

Thanks

-------------------------------

.

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

.

DDS (Ver_2011-08-26.01)

.

Microsoft Windows 7 Home Premium

Boot Device: \Device\HarddiskVolume2

Install Date: 17/04/2011 9:10:40 AM

System Uptime: 25/09/2012 6:50:58 PM (5 hours ago)

.

Motherboard: Acer | | Aspire 5742

Processor: Intel® Core™ i5 CPU M 480 @ 2.67GHz | CPU | 2667/1066mhz

.

==== Disk Partitions =========================

.

C: is FIXED (NTFS) - 452 GiB total, 380.229 GiB free.

D: is CDROM ()

.

==== Disabled Device Manager Items =============

.

==== System Restore Points ===================

.

RP122: 29/07/2012 7:00:13 PM - Windows Backup

RP123: 5/08/2012 7:00:10 PM - Windows Backup

RP124: 12/08/2012 7:00:10 PM - Windows Backup

RP125: 16/08/2012 8:43:00 PM - Windows Update

RP126: 19/08/2012 7:00:10 PM - Windows Backup

RP127: 26/08/2012 7:00:11 PM - Windows Backup

RP128: 2/09/2012 7:00:09 PM - Windows Backup

RP129: 9/09/2012 7:00:10 PM - Windows Backup

RP130: 14/09/2012 9:07:22 PM - Windows Update

RP131: 16/09/2012 3:19:11 PM - Installed Logitech Harmony Remote Software

RP132: 16/09/2012 10:42:31 PM - Windows Backup

RP133: 23/09/2012 10:06:37 AM - Windows Update

RP134: 23/09/2012 11:04:39 PM - Windows Backup

.

==== Installed Programs ======================

.

Acer Backup Manager

Acer Crystal Eye webcam

Acer ePower Management

Acer eRecovery Management

Acer GameZone Console

Acer Registration

Acer ScreenSaver

Acer Updater

Acrobat.com

Adobe AIR

Adobe Flash Player 11 ActiveX

Adobe Reader 9.5.2 MUI

Airport Mania First Flight

Amazonia

Backup Manager Basic

Bing Bar

Bing Rewards Client Installer

Cake Mania

CyberLink PowerDVD 9

D3DX10

Dream Day First Home

eSobi v2

Farm Frenzy 2

Galapago

Google Chrome

Google Toolbar for Internet Explorer

Google Update Helper

Heroes of Hellas

Identity Card

Intel® Control Center

Intel® Graphics Media Accelerator Driver

Intel® Management Engine Components

Intel® Rapid Storage Technology

Junk Mail filter update

Launch Manager

Logitech Harmony Remote Software

Malwarebytes Anti-Malware version 1.65.0.1400

Merriam Websters Spell Jam

Mesh Runtime

Microsoft Office 2010

Microsoft Office Click-to-Run 2010

Microsoft Office Starter 2010 - English

Microsoft SQL Server 2005 Compact Edition [ENU]

Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053

Microsoft Visual C++ 2005 Redistributable

Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148

Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570

Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161

MSVCRT

MSVCRT_amd64

MyWinLocker

MyWinLocker Suite

Norton Internet Security

Norton Online Backup

NTI Media Maker 9

Poker Pop

Realtek High Definition Audio Driver

Realtek USB 2.0 Card Reader

Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)

Shredder

Spin & Win

Update for Microsoft .NET Framework 4 Client Profile (KB2468871)

Update for Microsoft .NET Framework 4 Client Profile (KB2533523)

Update for Microsoft .NET Framework 4 Client Profile (KB2600217)

Welcome Center

Windows Live Communications Platform

Windows Live Essentials

Windows Live Installer

Windows Live Mail

Windows Live Mesh

Windows Live Mesh ActiveX Control for Remote Connections

Windows Live Messenger

Windows Live Movie Maker

Windows Live Photo Common

Windows Live Photo Gallery

Windows Live PIMT Platform

Windows Live SOXE

Windows Live SOXE Definitions

Windows Live UX Platform

Windows Live UX Platform Language Pack

Windows Live Writer

Windows Live Writer Resources

.

==== End Of File ===========================

-----------------------------------------

.

DDS (Ver_2011-08-26.01) - NTFSAMD64

Internet Explorer: 8.0.7601.17514

Run by booboo at 23:57:18 on 2012-09-25

Microsoft Windows 7 Home Premium 6.1.7601.1.1252.61.1033.18.3767.1797 [GMT 10:00]

.

AV: Norton Internet Security *Enabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

SP: Norton Internet Security *Enabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}

FW: Norton Internet Security *Enabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}

.

============== Running Processes ===============

.

C:\Windows\system32\wininit.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\svchost.exe -k RPCSS

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\system32\WLANExt.exe

C:\Windows\system32\conhost.exe

C:\Windows\System32\spoolsv.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Program Files (x86)\Launch Manager\dsiwmis.exe

C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Program Files (x86)\Acer\Registration\GREGsvc.exe

C:\Program Files\Acer\Acer Updater\UpdaterService.exe

C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe

C:\Program Files (x86)\Norton Internet Security\Engine\19.8.0.14\ccSvcHst.exe

C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe

C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe

C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted

C:\Windows\system32\SearchIndexer.exe

C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe

C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe

C:\Program Files (x86)\Norton Internet Security\Engine\19.8.0.14\ccSvcHst.exe

C:\Windows\system32\taskhost.exe

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Program Files (x86)\EgisTec MyWinLocker\x86\mwlDaemon.exe

C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe

C:\Program Files\Elantech\ETDCtrl.exe

C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe

C:\Windows\System32\igfxtray.exe

C:\Windows\System32\hkcmd.exe

C:\Windows\System32\igfxpers.exe

C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Windows\system32\igfxsrvc.exe

C:\Windows\system32\igfxext.exe

C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe

C:\Windows\system32\wbem\unsecapp.exe

C:\Program Files (x86)\EgisTec IPS\PmmUpdate.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe

C:\Program Files (x86)\Launch Manager\LManager.exe

C:\Program Files (x86)\Launch Manager\MMDx64Fx.exe

C:\Program Files (x86)\Launch Manager\LMworker.exe

C:\Program Files\Elantech\ETDCtrlHelper.exe

C:\Program Files\Acer\Acer ePower Management\ePowerEvent.exe

C:\Program Files (x86)\EgisTec IPS\EgisUpdate.exe

C:\Windows\System32\svchost.exe -k LocalServicePeerNet

C:\Program Files\Windows Media Player\wmpnetwk.exe

C:\Windows\system32\DllHost.exe

C:\Windows\system32\svchost.exe -k SDRSVC

C:\Program Files (x86)\Microsoft\BingBar\7.1.361.0\SeaPort.exe

C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe

C:\Users\booboo\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\booboo\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\booboo\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\booboo\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\booboo\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\booboo\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Windows\system32\SearchProtocolHost.exe

C:\Windows\system32\SearchFilterHost.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\conhost.exe

C:\Windows\SysWOW64\cscript.exe

C:\Windows\system32\wbem\wmiprvse.exe

.

============== Pseudo HJT Report ===============

.

uSearch Bar = Preserve

mDefault_Page_URL = hxxp://acer.msn.com

mStart Page = hxxp://acer.msn.com

mWinlogon: Userinit=userinit.exe

BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

BHO: Bing Bar Helper: {1dad3af3-ef2f-4f64-ac4b-11789189fcb6} - C:\Program Files (x86)\Microsoft\BingBar\7.1.361.0\BingExt.dll

BHO: Norton Identity Protection: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - C:\Program Files (x86)\Norton Internet Security\Engine\19.8.0.14\coIEPlg.dll

BHO: Norton Vulnerability Protection: {6d53ec84-6aae-4787-aeee-f4628f01010c} - C:\Program Files (x86)\Norton Internet Security\Engine\19.8.0.14\IPS\IPSBHO.DLL

BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.7.7529.1424\swg.dll

TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - C:\Program Files (x86)\Norton Internet Security\Engine\19.8.0.14\coIEPlg.dll

TB: Bing Bar: {eec0f710-38b5-4aba-99bf-ec87564a4e13} - "C:\Program Files (x86)\Microsoft\BingBar\7.1.361.0\BingExt.dll"

TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll

uRun: [Google Update] "C:\Users\booboo\AppData\Local\Google\Update\GoogleUpdate.exe" /c

uRun: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"

mRun: [iAStorIcon] C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe

mRun: [suiteTray] "C:\Program Files (x86)\EgisTec MyWinLockerSuite\x86\SuiteTray.exe"

mRun: [EgisUpdate] "C:\Program Files (x86)\EgisTec IPS\EgisUpdate.exe" -d

mRun: [EgisTecPMMUpdate] "C:\Program Files (x86)\EgisTec IPS\PmmUpdate.exe"

mRun: [Norton Online Backup] C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuClient.exe

mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"

mRun: [backupManagerTray] "C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe" -h -k

mRun: [LManager] C:\Program Files (x86)\Launch Manager\LManager.exe

mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

mPolicies-explorer: NoActiveDesktop = 1 (0x1)

mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)

mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)

mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll

TCP: DhcpNameServer = 10.1.1.1

TCP: Interfaces\{6B2F8A57-1FC1-4784-8C4F-4F19E9B299E3} : DhcpNameServer = 10.1.1.1

TCP: Interfaces\{97ABB71F-1463-4BAA-B37F-A96C726DD063} : DhcpNameServer = 10.1.1.1

Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll

BHO-X64: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File

BHO-X64: 0x1 - No File

BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

BHO-X64: AcroIEHelperStub - No File

BHO-X64: Bing Bar Helper: {1dad3af3-ef2f-4f64-ac4b-11789189fcb6} - C:\Program Files (x86)\Microsoft\BingBar\7.1.361.0\BingExt.dll

BHO-X64: Norton Identity Protection: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files (x86)\Norton Internet Security\Engine\19.8.0.14\coIEPlg.dll

BHO-X64: Norton Identity Protection - No File

BHO-X64: Norton Vulnerability Protection: {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files (x86)\Norton Internet Security\Engine\19.8.0.14\IPS\IPSBHO.DLL

BHO-X64: Norton Vulnerability Protection - No File

BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

BHO-X64: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll

BHO-X64: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.7.7529.1424\swg.dll

TB-X64: Norton Toolbar: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton Internet Security\Engine\19.8.0.14\coIEPlg.dll

TB-X64: Bing Bar: {eec0f710-38b5-4aba-99bf-ec87564a4e13} - "C:\Program Files (x86)\Microsoft\BingBar\7.1.361.0\BingExt.dll"

TB-X64: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll

mRun-x64: [iAStorIcon] C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe

mRun-x64: [suiteTray] "C:\Program Files (x86)\EgisTec MyWinLockerSuite\x86\SuiteTray.exe"

mRun-x64: [EgisUpdate] "C:\Program Files (x86)\EgisTec IPS\EgisUpdate.exe" -d

mRun-x64: [EgisTecPMMUpdate] "C:\Program Files (x86)\EgisTec IPS\PmmUpdate.exe"

mRun-x64: [Norton Online Backup] C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuClient.exe

mRun-x64: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"

mRun-x64: [backupManagerTray] "C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe" -h -k

mRun-x64: [LManager] C:\Program Files (x86)\Launch Manager\LManager.exe

mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

.

============= SERVICES / DRIVERS ===============

.

R0 SymDS;Symantec Data Store;C:\Windows\system32\drivers\NISx64\1308000.00E\SYMDS64.SYS --> C:\Windows\system32\drivers\NISx64\1308000.00E\SYMDS64.SYS [?]

R0 SymEFA;Symantec Extended File Attributes;C:\Windows\system32\drivers\NISx64\1308000.00E\SYMEFA64.SYS --> C:\Windows\system32\drivers\NISx64\1308000.00E\SYMEFA64.SYS [?]

R1 BHDrvx64;BHDrvx64;C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.5.1.2\Definitions\BASHDefs\20120919.001\BHDrvx64.sys [2012-9-21 1385120]

R1 ccSet_NIS;Norton Internet Security Settings Manager;C:\Windows\system32\drivers\NISx64\1308000.00E\ccSetx64.sys --> C:\Windows\system32\drivers\NISx64\1308000.00E\ccSetx64.sys [?]

R1 IDSVia64;IDSVia64;C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.5.1.2\Definitions\IPSDefs\20120922.001\IDSviA64.sys [2012-9-25 513184]

R1 mwlPSDFilter;mwlPSDFilter;C:\Windows\system32\DRIVERS\mwlPSDFilter.sys --> C:\Windows\system32\DRIVERS\mwlPSDFilter.sys [?]

R1 mwlPSDNServ;mwlPSDNServ;C:\Windows\system32\DRIVERS\mwlPSDNServ.sys --> C:\Windows\system32\DRIVERS\mwlPSDNServ.sys [?]

R1 mwlPSDVDisk;mwlPSDVDisk;C:\Windows\system32\DRIVERS\mwlPSDVDisk.sys --> C:\Windows\system32\DRIVERS\mwlPSDVDisk.sys [?]

R1 SymIRON;Symantec Iron Driver;C:\Windows\system32\drivers\NISx64\1308000.00E\Ironx64.SYS --> C:\Windows\system32\drivers\NISx64\1308000.00E\Ironx64.SYS [?]

R1 SymNetS;Symantec Network Security WFP Driver;C:\Windows\system32\Drivers\NISx64\1308000.00E\SYMNETS.SYS --> C:\Windows\system32\Drivers\NISx64\1308000.00E\SYMNETS.SYS [?]

R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys --> C:\Windows\system32\DRIVERS\vwififlt.sys [?]

R2 TurboB;Turbo Boost UI Monitor driver;C:\Windows\system32\DRIVERS\TurboB.sys --> C:\Windows\system32\DRIVERS\TurboB.sys [?]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2012-8-9 138912]

R3 ETD;ELAN PS/2 Port Input Device;C:\Windows\system32\DRIVERS\ETD.sys --> C:\Windows\system32\DRIVERS\ETD.sys [?]

R3 HECIx64;Intel® Management Engine Interface;C:\Windows\system32\DRIVERS\HECIx64.sys --> C:\Windows\system32\DRIVERS\HECIx64.sys [?]

R3 Impcd;Impcd;C:\Windows\system32\DRIVERS\Impcd.sys --> C:\Windows\system32\DRIVERS\Impcd.sys [?]

R3 IntcDAud;Intel® Display Audio;C:\Windows\system32\DRIVERS\IntcDAud.sys --> C:\Windows\system32\DRIVERS\IntcDAud.sys [?]

R3 k57nd60a;Broadcom NetLink ™ Gigabit Ethernet - NDIS 6.0;C:\Windows\system32\DRIVERS\k57nd60a.sys --> C:\Windows\system32\DRIVERS\k57nd60a.sys [?]

R3 Sftfs;Sftfs;C:\Windows\system32\DRIVERS\Sftfslh.sys --> C:\Windows\system32\DRIVERS\Sftfslh.sys [?]

R3 Sftplay;Sftplay;C:\Windows\system32\DRIVERS\Sftplaylh.sys --> C:\Windows\system32\DRIVERS\Sftplaylh.sys [?]

R3 Sftredir;Sftredir;C:\Windows\system32\DRIVERS\Sftredirlh.sys --> C:\Windows\system32\DRIVERS\Sftredirlh.sys [?]

R3 Sftvol;Sftvol;C:\Windows\system32\DRIVERS\Sftvollh.sys --> C:\Windows\system32\DRIVERS\Sftvollh.sys [?]

S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;C:\Windows\system32\Drivers\RtsUStor.sys --> C:\Windows\system32\Drivers\RtsUStor.sys [?]

S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]

.

=============== Created Last 30 ================

.

2012-09-12 10:59:58 950128 ----a-w- C:\Windows\System32\drivers\ndis.sys

2012-09-12 10:59:58 41472 ----a-w- C:\Windows\System32\drivers\RNDISMP.sys

2012-09-12 10:59:57 574464 ----a-w- C:\Windows\System32\d3d10level9.dll

2012-09-12 10:59:57 490496 ----a-w- C:\Windows\SysWow64\d3d10level9.dll

2012-09-12 10:59:56 376688 ----a-w- C:\Windows\System32\drivers\netio.sys

2012-09-12 10:59:56 288624 ----a-w- C:\Windows\System32\drivers\FWPKCLNT.SYS

2012-09-12 10:59:56 1913200 ----a-w- C:\Windows\System32\drivers\tcpip.sys

.

==================== Find3M ====================

.

2012-09-07 07:04:46 25928 ----a-w- C:\Windows\System32\drivers\mbam.sys

2012-08-27 11:48:38 73416 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl

2012-08-27 11:48:38 696520 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe

2012-08-24 18:05:06 1188864 ----a-w- C:\Windows\System32\wininet.dll

2012-08-24 16:57:48 981504 ----a-w- C:\Windows\SysWow64\wininet.dll

2012-08-24 15:59:30 1638912 ----a-w- C:\Windows\System32\mshtml.tlb

2012-08-24 15:20:39 1638912 ----a-w- C:\Windows\SysWow64\mshtml.tlb

2012-07-18 18:15:06 3148800 ----a-w- C:\Windows\System32\win32k.sys

2012-07-06 02:17:58 37536 ----a-w- C:\Windows\System32\drivers\NISx64\1308000.00E\srtspx64.sys

2012-07-06 02:17:57 737952 ----a-w- C:\Windows\System32\drivers\NISx64\1308000.00E\srtsp64.sys

2012-07-04 22:13:27 59392 ----a-w- C:\Windows\System32\browcli.dll

2012-07-04 22:13:27 136704 ----a-w- C:\Windows\System32\browser.dll

2012-07-04 21:14:34 41984 ----a-w- C:\Windows\SysWow64\browcli.dll

.

============= FINISH: 23:58:32.96 ===============

[Maniac]

Hello Unreasonable! My name is Maniac and I will be glad to help you solve your malware problem.

Please note:

• If you are a paying customer, you have the privilege to contact the help desk at Consumer Support. If you choose this option to get help, please let me know.
  
• I recommend you to keep the instructions I will be giving you so that they are available to you at any time. You can save them in a text file or print them.
  
• Make sure you read all of the instructions and fixes thoroughly before continuing with them.
  
• Follow my instructions strictly and don’t hesitate to stop and ask me if you have any questions.
  
• Post your log files, don't attach them. Every log file should be copy/pasted in your next reply.
  

Step 1

• Launch Malwarebytes' Anti-Malware
  
• Go to Update tab and select Check for Updates. If an update is found, it will download and install the latest version.
  
• Go to Scanner tab and select Perform Quick Scan, then click Scan.
  
• The scan may take some time to finish,so please be patient.
  
• When the scan is complete, click OK, then Show Results to view the results.
  
• Make sure that everything is checked, and click Remove Selected.
  
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  
• Copy&Paste the entire report in your next reply.
  

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer,please do so immediately.

Step 2

Download aswMBR.exe to your desktop.

Double click the aswMBR.exe to run it

Click the "Scan" button to start scan

On completion of the scan click save log, save it to your desktop and post in your next reply

In your next reply, post the following log files:

• Malwarebytes' Anti-Malware log
  
• aswMBR log

[Unreasonable]

Hi Maniac,

Thanks for your quick reply, I really appreciate it.

The logs requested are below. The MBAM log is the one that detected the problem a few hours ago. I confirm that the 2 infected files are currently quarantined. A subsequent MBAM scan came up clean (I have not posted this one, please let me know if you'd like me to do so).

---------------------------------

Malwarebytes Anti-Malware 1.65.0.1400

www.malwarebytes.org

Database version: v2012.09.25.08

Windows 7 Service Pack 1 x64 NTFS

Internet Explorer 8.0.7601.17514

booboo :: BOOBOO-PC [administrator]

25/09/2012 11:08:08 PM

mbam-log-2012-09-26 (00-08-25).txt

Scan type: Full scan (C:\|D:\|Q:\|)

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P

Scan options disabled:

Objects scanned: 327924

Time elapsed: 45 minute(s), 7 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 2

C:\Users\booboo\AppData\Local\Apps\2.0\Y4ZW095D.5NN\CJR9JJ1V.64H\clic...exe_f84b370c827b5c7a_0001.0002_none_c4007c683033ad2d\GoogleUpdateSetup.exe (Trojan.LameShield) -> No action taken.

C:\Users\booboo\AppData\Local\Apps\2.0\Y4ZW095D.5NN\CJR9JJ1V.64H\goog...app_f84b370c827b5c7a_0001.0002_3153a04d2ba1813d\GoogleUpdateSetup.exe (Trojan.LameShield) -> No action taken.

(end)

------------------------------------------------------

aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software

Run date: 2012-09-26 07:06:44

-----------------------------

07:06:44.490 OS Version: Windows x64 6.1.7601 Service Pack 1

07:06:44.490 Number of processors: 4 586 0x2505

07:06:44.505 ComputerName: BOOBOO-PC UserName: booboo

07:06:46.502 Initialize success

07:07:12.396 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1

07:07:12.396 Disk 0 Vendor: ST950032 0001 Size: 476940MB BusType: 3

07:07:12.411 Disk 0 MBR read successfully

07:07:12.411 Disk 0 MBR scan

07:07:12.427 Disk 0 Windows 7 default MBR code

07:07:12.442 Disk 0 Partition 1 00 27 Hidden NTFS WinRE NTFS 14336 MB offset 2048

07:07:12.442 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 29362176

07:07:12.458 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 462502 MB offset 29566976

07:07:12.474 Disk 0 scanning C:\Windows\system32\drivers

07:07:21.912 Service scanning

07:07:44.672 Modules scanning

07:07:44.672 Disk 0 trace - called modules:

07:07:44.734 ntoskrnl.exe CLASSPNP.SYS disk.sys iaStor.sys hal.dll

07:07:44.750 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa800523b060]

07:07:44.750 3 CLASSPNP.SYS[fffff88000dcd43f] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0xfffffa8004feb050]

07:07:44.766 Scan finished successfully

07:08:07.916 Disk 0 MBR has been saved successfully to "C:\Users\booboo\Desktop\MBR.dat"

07:08:07.916 The log file has been saved successfully to "C:\Users\booboo\Desktop\aswMBR.txt"

------------------------------------------------

[Maniac]

Please run a free online scan with the ESET Online Scanner

Note: You will need to use Internet Explorer for this scan

• Tick the box next to YES, I accept the Terms of Use
  
• Click Start
  
• When asked, allow the ActiveX control to install
  
• Click Start
  
• Make sure that the options Remove found threats and the option Scan unwanted applications is checked
  
• Click Scan (This scan can take several hours, so please be patient)
  
• Once the scan is completed, you may close the window
  
• Use Notepad to open the logfile located at C:\Program Files\ESET\Eset Online Scanner\log.txt
  
• Copy and paste that log as a reply to this topic
  

[Unreasonable]

Hi Maniac,

I ran the scan as noted in your post and it all came out clear with no infected files. The log file created doesn't look correct though. It reads:

ESETSmartInstaller@High as CAB hook log:

OnlineScanner64.ocx - registred OK

OnlineScanner.ocx - registred OK

The "date modified" next to the log indicates that it was created prior to the actual scan finishing as well.

Should I run the scan again?

[Maniac]

No, that's enough.

Download AVPTool from Here to your desktop

Run the programme you have just downloaded to your desktop (it will be randomly named)

Click the cog in the upper right

Select down to and including your main drive, once done select the Automatic scan tab and press Start Scan

Allow AVP to delete all infections found

Once it has finished select report tab (last tab)

Select Detected threads report from the left and press Save button

Save it to your desktop and post it in your next reply.

[Unreasonable]

Hi Maniac,

I just want to say thank you once again for your help with this matter.

I downloaded the above program and ran the scan as per your instructions. Upon completion of the scan the result was "no threats detected" so there was no log of detected threats at all.

During the scan I did notice quite a few messages from the software indicating that the certain files were password protected. The names of these items nearly always ended in rar.exe. Is it possible that the malware is hiding in these?

The program did create a full log of the scan, however the file txt file is over 86mb in size so I don't think I'd be able to post it.

[Maniac]

Some of the .exe files are protected by your operating system, because they are critical for it.

How are things now?

[Unreasonable]

With the exception of the two files detected by MBAM there doesn't appear to be any issues. No redirects, pop ups or anything like that with Chrome.

When I used IE8 to run the ESET scanner I noticed it was very slow when loading any webpage. I'm not sure if it's generally like this though because I never use IE at all unless I have to.

A few quick questions:

- Should I delete the two quarantined files in MBAM?

- There is a Windows update for me to install. Should I install these updates now?

- Does the the lameshield trojan provide backdoor access to my PC? I do a bit of banking on this PC so it's my biggest concern.

You've been a great help Maniac. If you're ever in Sydney, Australia I owe you a beer (or 10).

[Maniac]

When I used IE8 to run the ESET scanner I noticed it was very slow when loading any webpage. I'm not sure if it's generally like this though because I never use IE at all unless I have to.

This is a old version, my suggestion is to update it. It is a good idea to update it:

http://windows.microsoft.com/is-IS/windows-vista/Update-Internet-Explorer

- Should I delete the two quarantined files in MBAM?

No, it does not matter. Even those files remain in quarantine, it will not have any change.

- There is a Windows update for me to install. Should I install these updates now?

Absolutely. There probably have updates for Internet Explorer.

- Does the the lameshield trojan provide backdoor access to my PC? I do a bit of banking on this PC so it's my biggest concern.

Depends on the type, but I recommend you change all your passwords.

You've been a great help Maniac. If you're ever in Sydney, Australia I owe you a beer (or 10).

If I ever get there, I should buy you a drink.

[Unreasonable]

I've updated IE and installed the latest windows updates.

As my PC has been compromised and I use it for banking do you think it is worth reformatting, just to be safe?

[Maniac]

This is always the safest solution. If possible, I recommend it.

[Unreasonable]

Sweet. I'll reformat since it's the safest option.

Any tips on how to do this correctly in regard to removing all threats?

[Maniac]

Good article here:

http://ask-leo.com/how_do_i_safely_backup_an_infected_drive.html

[Unreasonable]

Thanks. Rather than reformatting and losing everything I decided that I'd use a different PC for banking (luckily I have an older one that was recently reformatted).

Just out of interest, was there anything in the logs that would give cause to believe that there was a backdoor?

Also, could it have actually have been a false positive?

[Maniac]

We found that your system is infected with the following:

Files Detected: 2
C:\Users\booboo\AppData\Local\Apps\2.0\Y4ZW095D.5NN\CJR9JJ1V.64H\clic...exe_f84b370c827b5c7a_0001.0002_none_c4007c683033ad2d\GoogleUpdateSetup.exe (Trojan.LameShield) -> No action taken.
C:\Users\booboo\AppData\Local\Apps\2.0\Y4ZW095D.5NN\CJR9JJ1V.64H\goog...app_f84b370c827b5c7a_0001.0002_3153a04d2ba1813d\GoogleUpdateSetup.exe (Trojan.LameShield) -> No action taken.

LameShield is a malicious Trojan horse which drops into computer with a help from other trojans, possibly backdoor type ones, which are able to open a secret “backdoor” connection to the infected computer to upload and execute malicious files. Once installed, LameShield Trojan tries to connect to remote servers to open a hidden remote access connection with cybercriminals to take control over the infected system.

[Unreasonable]

So not a false positive?

I saw this thread and it made me wonder as they seem like similar detections:

http://forums.malwarebytes.org/index.php?showtopic=116453

Also, my PC showed no signs of being infected (redirects, pop ups etc)

[Maniac]

No, it is not a false positive.

Glad everything is fine there!

• Download OTC to your desktop and run it
  
• Click Yes to beginning the Cleanup process and remove these components, including this application.
  
• You will be asked to reboot the machine to finish the Cleanup process. Choose Yes.
  

Now, please uninstall ESET Online Scanner and then manually delete Kaspersky AVP.

Some malware prevention tips:

users.telenet.be/bluepatchy/miekiemoes/prevention.html

Safe surfing!

[LDTate]

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!