Sity Posted January 19, 2013 ID:636317 Share Posted January 19, 2013 Hey everyone, how's it going? I've been getting notifications from Symantec Endpoint Protection that my PC is infected with several Trojan.Gen.2's. SEP says that it quarantines that files, yet they keep coming back several times a day. I've run a full scan on both my internal and external hard drives with both SEP and Malwarebytes Anti Malware, and no threats come up when finished scanning. If anyone could help me out, I'd greatly appreciate it!- - - - - - -DDS (Ver_2012-11-20.01) - NTFS_AMD64Internet Explorer: 9.0.8112.16457Run by user at 21:34:38 on 2013-01-18Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.4022.2431 [GMT -5:00].AV: Symantec Endpoint Protection *Enabled/Updated* {88C95A36-8C3B-2F2C-1B8B-30FCCFDC4855}SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}SP: Symantec Endpoint Protection *Enabled/Updated* {33A8BBD2-AA01-20A2-213B-0B8EB45B02E8}FW: Symantec Endpoint Protection *Enabled* {B0F2DB13-C654-2E74-30D4-99C9310F0F2E}.============== Running Processes ===============.C:\Windows\system32\lsm.exeC:\Windows\system32\svchost.exe -k DcomLaunchC:\Windows\system32\ibmpmsvc.exeC:\Windows\system32\svchost.exe -k RPCSSC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestrictedC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestrictedC:\Windows\system32\svchost.exe -k netsvcsC:\Windows\system32\svchost.exe -k LocalServiceC:\Windows\System32\WUDFHost.exeC:\Program Files (x86)\Symantec\Symantec Endpoint Protection\Smc.exeC:\Windows\system32\svchost.exe -k NetworkServiceC:\Program Files (x86)\Common Files\Symantec Shared\ccSvcHst.exeC:\Windows\System32\spoolsv.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonationC:\Windows\system32\svchost.exe -k LocalServiceNoNetworkC:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeC:\Windows\system32\AEADISRV.EXEC:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exeC:\Program Files\Bonjour\mDNSResponder.exeC:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exeC:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exeC:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\mdm.exeC:\Windows\system32\svchost.exe -k imgsvcC:\Program Files (x86)\Symantec\Symantec Endpoint Protection\Rtvscan.exeC:\Windows\system32\DRIVERS\xaudio64.exeC:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestrictedC:\Windows\system32\Dwm.exeC:\Windows\system32\taskhost.exeC:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exeC:\Windows\Explorer.EXEC:\Program Files (x86)\Symantec\Symantec Endpoint Protection\SmcGui.exeC:\Program Files (x86)\Symantec\Symantec Endpoint Protection\ProtectionUtilSurrogate.exeC:\Windows\System32\igfxtray.exeC:\Windows\system32\igfxsrvc.exeC:\Windows\System32\hkcmd.exeC:\Windows\System32\igfxpers.exeC:\Program Files\Synaptics\SynTP\SynTPEnh.exeC:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXEC:\Program Files (x86)\Symantec\Symantec Endpoint Protection\SavUI.exeC:\Program Files\Synaptics\SynTP\SynTPHelper.exeC:\Program Files (x86)\Analog Devices\Core\smax4pnp.exeC:\Program Files (x86)\Common Files\Symantec Shared\ccApp.exeC:\Program Files\Synaptics\SynTP\SynTPLpr.exeC:\Windows\system32\SearchIndexer.exeC:\Windows\servicing\TrustedInstaller.exeC:\Windows\system32\igfxext.exeC:\Windows\system32\igfxsrvc.exeC:\Program Files (x86)\Mozilla Firefox\firefox.exeC:\Program Files (x86)\Mozilla Firefox\plugin-container.exeC:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exeC:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exeC:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exeC:\Windows\system32\SearchProtocolHost.exeC:\Windows\system32\SearchFilterHost.exeC:\Windows\system32\wbem\wmiprvse.exeC:\Windows\System32\cscript.exe.============== Pseudo HJT Report ===============.mWinlogon: Userinit = userinit.exeBHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dllBHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLLBHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLLuRun: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files (x86)\Common Files\Nero\Lib\NMBgMonitor.exe"uRun: [AdobeBridge] <no file>mRun: [soundMAXPnP] C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exemRun: [ccApp] "C:\Program Files (x86)\Common Files\Symantec Shared\ccApp.exe"mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"mRun: [NBKeyScan] "C:\Program Files (x86)\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"mRun: [bCSSync] "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" /DelayServicesmRun: [NBAgent] "C:\Program Files (x86)\Nero\Nero 11\Nero BackItUp\NBAgent.exe" /WinStartmRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottimemRun: [iTunesHelper] "E:\iTunes\iTunesHelper.exe"StartupFolder: C:\Users\user\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\ONENOT~1.LNK - C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXEuPolicies-Explorer: NoDriveTypeAutoRun = dword:145mPolicies-Explorer: NoActiveDesktop = dword:1mPolicies-Explorer: NoActiveDesktopChanges = dword:1mPolicies-System: ConsentPromptBehaviorAdmin = dword:0mPolicies-System: ConsentPromptBehaviorUser = dword:3mPolicies-System: EnableLUA = dword:0mPolicies-System: EnableUIADesktopToggle = dword:0mPolicies-System: PromptOnSecureDesktop = dword:0IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\Office14\EXCEL.EXE/3000IE: Se&nd to OneNote - C:\PROGRA~2\MICROS~1\Office14\ONBttnIE.dll/105IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dllIE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dllTCP: NameServer = 75.75.75.75 75.75.76.76TCP: Interfaces\{3295997F-8222-49BB-A5AC-E74082266C69} : DHCPNameServer = 10.90.12.74 10.90.12.140TCP: Interfaces\{5EBC68F7-A642-4A9B-B15A-B9B9F114C149} : DHCPNameServer = 75.75.75.75 75.75.76.76TCP: Interfaces\{5EBC68F7-A642-4A9B-B15A-B9B9F114C149}\05279667164756142454 : DHCPNameServer = 10.90.12.74 10.90.12.140TCP: Interfaces\{5EBC68F7-A642-4A9B-B15A-B9B9F114C149}\05F6C6F6022557E6 : DHCPNameServer = 75.75.75.75 75.75.76.76TCP: Interfaces\{5EBC68F7-A642-4A9B-B15A-B9B9F114C149}\2435434403 : DHCPNameServer = 192.168.1.1 71.242.0.12TCP: Interfaces\{5EBC68F7-A642-4A9B-B15A-B9B9F114C149}\45F657368644F677E684562756 : DHCPNameServer = 192.168.1.1TCP: Interfaces\{5EBC68F7-A642-4A9B-B15A-B9B9F114C149}\C696E6B6379737 : DHCPNameServer = 10.1.10.1TCP: Interfaces\{5EBC68F7-A642-4A9B-B15A-B9B9F114C149}\C696E6B6379737F5355435F573537373 : DHCPNameServer = 75.75.75.75 75.75.76.76TCP: Interfaces\{5EBC68F7-A642-4A9B-B15A-B9B9F114C149}\F495844543 : DHCPNameServer = 192.168.1.1 71.242.0.12TCP: Interfaces\{AF9D1300-B966-4CD2-AF93-3D1D0DF7A7FE} : DHCPNameServer = 10.90.12.74 10.90.12.140Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLLSSODL: WebCheck - <orphaned>SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLLx64-BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLLx64-BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLLx64-Run: [igfxTray] C:\Windows\System32\igfxtray.exex64-Run: [HotKeysCmds] C:\Windows\System32\hkcmd.exex64-Run: [Persistence] C:\Windows\System32\igfxpers.exex64-Run: [synTPEnh] C:\Program Files (x86)\Synaptics\SynTP\SynTPEnh.exex64-IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dllx64-IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dllx64-Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLLx64-Notify: igfxcui - igfxdev.dllx64-SSODL: WebCheck - <orphaned>x64-SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLLHosts: 12.================= FIREFOX ===================.FF - ProfilePath - C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\a0mimd43.default\FF - prefs.js: browser.search.selectedEngine - YouTube Video SearchFF - plugin: C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLLFF - plugin: C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLLFF - plugin: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dllFF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_5_502_146.dll.============= SERVICES / DRIVERS ===============.R0 NBVol;Nero Backup Volume Filter Driver;C:\Windows\System32\drivers\NBVol.sys [2012-4-10 72240]R0 NBVolUp;Nero Backup Volume Upper Filter Driver;C:\Windows\System32\drivers\NBVolUp.sys [2012-4-10 15920]R2 MBAMScheduler;MBAMScheduler;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [2013-1-1 398184]R2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2013-1-1 682344]R2 Symantec AntiVirus;Symantec Endpoint Protection;C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\Rtvscan.exe [2010-4-30 1822296]R3 CAXHWAZL;CAXHWAZL;C:\Windows\System32\drivers\CAXHWAZL.sys [2006-12-21 300032]R3 EraserUtilRebootDrv;EraserUtilRebootDrv;C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2012-8-9 138912]R3 LenovoRd;LenovoRd;C:\Windows\System32\drivers\LenovoRd.sys [2009-5-11 118016]R3 MBAMProtector;MBAMProtector;C:\Windows\System32\drivers\mbam.sys [2013-1-1 24176]R3 MotioninJoyXFilter;MotioninJoy Virtual Xinput device Filter Driver;C:\Windows\System32\drivers\MijXfilt.sys [2012-10-1 121416]R3 netw5v64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;C:\Windows\System32\drivers\netw5v64.sys [2009-6-10 5434368]S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\Windows\System32\drivers\rdpvideominiport.sys [2012-4-9 20992]S3 SrvHsfHDA;SrvHsfHDA;C:\Windows\System32\drivers\VSTAZL6.SYS [2009-7-13 292864]S3 SrvHsfV92;SrvHsfV92;C:\Windows\System32\drivers\VSTDPV6.SYS [2009-7-13 1485312]S3 SrvHsfWinac;SrvHsfWinac;C:\Windows\System32\drivers\VSTCNXT6.SYS [2009-7-13 740864]S3 ssadbus;SAMSUNG Android USB Composite Device driver (WDM);C:\Windows\System32\drivers\ssadbus.sys [2011-5-13 157672]S3 ssadmdfl;SAMSUNG Android USB Modem (Filter);C:\Windows\System32\drivers\ssadmdfl.sys [2011-5-13 16872]S3 ssadmdm;SAMSUNG Android USB Modem Drivers;C:\Windows\System32\drivers\ssadmdm.sys [2011-5-13 177640]S3 ssadserd;SAMSUNG Android USB Diagnostic Serial Port (WDM);C:\Windows\System32\drivers\ssadserd.sys [2011-5-13 146920]S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2012-4-9 59392]S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\System32\drivers\usbaapl64.sys [2012-9-28 53760]S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2011-9-28 1255736]S3 WDC_SAM;WD SCSI Pass Thru driver;C:\Windows\System32\drivers\wdcsam64.sys [2008-5-6 14464].=============== File Associations ===============.FileExt: .js: JSFile="E:\Graphic Design\Adobe Dreamweaver CS6\Adobe Dreamweaver CS6\Dreamweaver.exe","%1".=============== Created Last 30 ================.2013-01-08 20:51:38 750592 ----a-w- C:\Windows\System32\win32spl.dll2013-01-08 20:50:17 424448 ----a-w- C:\Windows\System32\KernelBase.dll2013-01-08 20:49:52 68608 ----a-w- C:\Windows\System32\taskhost.exe2013-01-08 20:49:50 3149824 ----a-w- C:\Windows\System32\win32k.sys2013-01-01 15:50:03 -------- d-----w- C:\Users\user\AppData\Roaming\Malwarebytes2013-01-01 15:49:42 -------- d-----w- C:\ProgramData\Malwarebytes2013-01-01 15:49:41 24176 ----a-w- C:\Windows\System32\drivers\mbam.sys2013-01-01 15:49:41 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware2013-01-01 15:49:20 -------- d-----w- C:\Users\user\AppData\Local\Programs2012-12-26 10:08:47 46080 ----a-w- C:\Windows\System32\atmlib.dll2012-12-26 10:08:47 34304 ----a-w- C:\Windows\SysWow64\atmlib.dll2012-12-26 10:08:42 367616 ----a-w- C:\Windows\System32\atmfd.dll2012-12-26 10:08:39 295424 ----a-w- C:\Windows\SysWow64\atmfd.dll.==================== Find3M ====================.2013-01-09 02:27:29 74248 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl2013-01-09 02:27:29 697864 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe2012-12-07 13:20:16 441856 ----a-w- C:\Windows\System32\Wpc.dll2012-12-07 13:15:31 2746368 ----a-w- C:\Windows\System32\gameux.dll2012-12-07 12:26:17 308736 ----a-w- C:\Windows\SysWow64\Wpc.dll2012-12-07 12:20:43 2576384 ----a-w- C:\Windows\SysWow64\gameux.dll2012-12-07 11:20:04 30720 ----a-w- C:\Windows\System32\usk.rs2012-12-07 11:20:03 43520 ----a-w- C:\Windows\System32\csrr.rs2012-12-07 11:20:03 23552 ----a-w- C:\Windows\System32\oflc.rs2012-12-07 11:20:01 45568 ----a-w- C:\Windows\System32\oflc-nz.rs2012-12-07 11:20:01 44544 ----a-w- C:\Windows\System32\pegibbfc.rs2012-12-07 11:20:01 20480 ----a-w- C:\Windows\System32\pegi-fi.rs2012-12-07 11:20:00 20480 ----a-w- C:\Windows\System32\pegi-pt.rs2012-12-07 11:19:59 20480 ----a-w- C:\Windows\System32\pegi.rs2012-12-07 11:19:58 46592 ----a-w- C:\Windows\System32\fpb.rs2012-12-07 11:19:57 40960 ----a-w- C:\Windows\System32\cob-au.rs2012-12-07 11:19:57 21504 ----a-w- C:\Windows\System32\grb.rs2012-12-07 11:19:57 15360 ----a-w- C:\Windows\System32\djctq.rs2012-12-07 11:19:56 55296 ----a-w- C:\Windows\System32\cero.rs2012-12-07 11:19:55 51712 ----a-w- C:\Windows\System32\esrb.rs2012-11-30 05:45:35 362496 ----a-w- C:\Windows\System32\wow64win.dll2012-11-30 05:45:35 243200 ----a-w- C:\Windows\System32\wow64.dll2012-11-30 05:45:35 13312 ----a-w- C:\Windows\System32\wow64cpu.dll2012-11-30 05:45:14 215040 ----a-w- C:\Windows\System32\winsrv.dll2012-11-30 05:43:12 16384 ----a-w- C:\Windows\System32\ntvdm64.dll2012-11-30 04:54:00 5120 ----a-w- C:\Windows\SysWow64\wow32.dll2012-11-30 04:53:59 274944 ----a-w- C:\Windows\SysWow64\KernelBase.dll2012-11-30 03:23:48 338432 ----a-w- C:\Windows\System32\conhost.exe2012-11-30 02:44:06 25600 ----a-w- C:\Windows\SysWow64\setup16.exe2012-11-30 02:44:04 7680 ----a-w- C:\Windows\SysWow64\instnm.exe2012-11-30 02:44:04 14336 ----a-w- C:\Windows\SysWow64\ntvdm64.dll2012-11-30 02:44:03 2048 ----a-w- C:\Windows\SysWow64\user.exe2012-11-30 02:38:59 6144 ---ha-w- C:\Windows\SysWow64\api-ms-win-security-base-l1-1-0.dll2012-11-30 02:38:59 4608 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-threadpool-l1-1-0.dll2012-11-30 02:38:59 3584 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-xstate-l1-1-0.dll2012-11-30 02:38:59 3072 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-util-l1-1-0.dll2012-11-22 05:44:23 800768 ----a-w- C:\Windows\System32\usp10.dll2012-11-22 04:45:03 626688 ----a-w- C:\Windows\SysWow64\usp10.dll2012-11-20 05:48:49 307200 ----a-w- C:\Windows\System32\ncrypt.dll2012-11-20 04:51:09 220160 ----a-w- C:\Windows\SysWow64\ncrypt.dll2012-11-14 06:11:44 2312704 ----a-w- C:\Windows\System32\jscript9.dll2012-11-14 06:04:11 1392128 ----a-w- C:\Windows\System32\wininet.dll2012-11-14 06:02:49 1494528 ----a-w- C:\Windows\System32\inetcpl.cpl2012-11-14 05:57:46 599040 ----a-w- C:\Windows\System32\vbscript.dll2012-11-14 05:57:35 173056 ----a-w- C:\Windows\System32\ieUnatt.exe2012-11-14 05:52:40 2382848 ----a-w- C:\Windows\System32\mshtml.tlb2012-11-14 02:09:22 1800704 ----a-w- C:\Windows\SysWow64\jscript9.dll2012-11-14 01:58:15 1427968 ----a-w- C:\Windows\SysWow64\inetcpl.cpl2012-11-14 01:57:37 1129472 ----a-w- C:\Windows\SysWow64\wininet.dll2012-11-14 01:49:25 142848 ----a-w- C:\Windows\SysWow64\ieUnatt.exe2012-11-14 01:48:27 420864 ----a-w- C:\Windows\SysWow64\vbscript.dll2012-11-14 01:44:42 2382848 ----a-w- C:\Windows\SysWow64\mshtml.tlb2012-11-09 05:45:09 2048 ----a-w- C:\Windows\System32\tzres.dll2012-11-09 04:43:04 492032 ----a-w- C:\Windows\SysWow64\win32spl.dll2012-11-09 04:42:49 2048 ----a-w- C:\Windows\SysWow64\tzres.dll2012-11-02 05:59:11 478208 ----a-w- C:\Windows\System32\dpnet.dll2012-11-02 05:11:31 376832 ----a-w- C:\Windows\SysWow64\dpnet.dll2012-11-01 05:43:42 2002432 ----a-w- C:\Windows\System32\msxml6.dll2012-11-01 05:43:42 1882624 ----a-w- C:\Windows\System32\msxml3.dll2012-11-01 04:47:54 1389568 ----a-w- C:\Windows\SysWow64\msxml6.dll2012-11-01 04:47:54 1236992 ----a-w- C:\Windows\SysWow64\msxml3.dll2012-10-25 08:12:26 94208 ----a-w- C:\Windows\SysWow64\QuickTimeVR.qtx2012-10-25 08:12:26 69632 ----a-w- C:\Windows\SysWow64\QuickTime.qts.============= FINISH: 21:35:18.11 ===============attach.txt Link to post Share on other sites More sharing options...
MrCharlie Posted January 19, 2013 ID:636324 Share Posted January 19, 2013 Welcome to the forum.Before we proceed further, please uninstall or disable uTorrent and any other peer-to-peer filesharing app.Continued use of filesharing or ill-advised downloads will surely re-infect your system.Risks of File-Sharing Technology.P2P file sharing: Know the risksIt's also against the forums policy concerning P2P programs:If you're using Peer 2 Peer software such as uTorrent or similar you must either fully uninstall it or completely disable it from running while being assisted here.Failure to remove or disable such software will result in your topic being closed and no further assistance being provided.Next.................Please download and run RogueKiller to your desktop.http://tigzy.geeksto...ueKillerX64.exe <----use this oneQuit all running programs.For Windows XP, double-click to start.For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.Click Scan to scan the system.When the scan completes > Close out the program > Don't Fix anything!Don't run any other options, they're not all bad!!!!!!!Post back the report which should be located on your desktop.MrCPlease don't run any other scans, download, install or uninstall any programs while I'm working with you.Please stick with me until I give you the "all clear".------->Your topic will be closed if you haven't replied within 3 days!<--------(If I don't respond within 24 hours, please send me a PM) Link to post Share on other sites More sharing options...
Sity Posted January 19, 2013 Author ID:636326 Share Posted January 19, 2013 How exactly do I disable uTorrent? It hasn't been running on my system for a few weeks so I figured it was disabled Link to post Share on other sites More sharing options...
Sity Posted January 19, 2013 Author ID:636332 Share Posted January 19, 2013 Ok I double checked and uTorrent is in fact disabled (I use uTorrent because I'm a musician and use it as a way upload my songs for download). Here's the report from RogueKiller:- - - - - - -RogueKiller V8.4.3 _x64_ [Jan 10 2013] by Tigzymail : tigzyRK<at>gmail<dot>comFeedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/Website : http://tigzy.geekstogo.com/roguekiller.phpBlog : http://tigzyrk.blogspot.com/Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits versionStarted in : Normal modeUser : user [Admin rights]Mode : Scan -- Date : 01/18/2013 23:10:38¤¤¤ Bad processes : 0 ¤¤¤¤¤¤ Registry Entries : 8 ¤¤¤[HJ] HKLM\[...]\Services\Microsoft\System : ConsentPromptBehaviorAdmin (0) -> FOUND[HJ] HKLM\[...]\Wow6432Node\Services\Microsoft\System : ConsentPromptBehaviorAdmin (0) -> FOUND[HJ] HKLM\[...]\Services\Microsoft\System : EnableLUA (0) -> FOUND[HJ] HKLM\[...]\Wow6432Node\Services\Microsoft\System : EnableLUA (0) -> FOUND[HJ DESK] HKCU\[...]\Services\Microsoft\ClassicStartMenu : {59031A47-3F72-44A7-89C5-5595FE6B30EE} (1) -> FOUND[HJ DESK] HKCU\[...]\Services\Microsoft\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND[HJ DESK] HKLM\[...]\Services\Microsoft\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND[HJ DESK] HKLM\[...]\Services\Microsoft\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND¤¤¤ Particular Files / Folders: ¤¤¤¤¤¤ Driver : [NOT LOADED] ¤¤¤¤¤¤ HOSTS File: ¤¤¤--> C:\Windows\system32\drivers\etc\hosts127.0.0.1 192.150.14.69127.0.0.1 192.150.18.101127.0.0.1 192.150.18.108127.0.0.1 192.150.22.40127.0.0.1 192.150.8.100127.0.0.1 192.150.8.118127.0.0.1 209-34-83-73.ood.opsource.net127.0.0.1 3dns-1.adobe.com127.0.0.1 3dns-2.adobe.com127.0.0.1 3dns-2.adobe.com127.0.0.1 3dns-3.adobe.com127.0.0.1 3dns-3.adobe.com127.0.0.1 3dns-4.adobe.com127.0.0.1 3dns.adobe.com127.0.0.1 activate-sea.adobe.com127.0.0.1 activate-sea.adobe.com127.0.0.1 activate-sjc0.adobe.com127.0.0.1 activate-sjc0.adobe.com127.0.0.1 activate.adobe.com127.0.0.1 activate.adobe.com[...]¤¤¤ MBR Check: ¤¤¤+++++ PhysicalDrive0: HITACHI HTS542580K9SA00 ATA Device +++++--- User ---[MBR] 810b29a6bfa054684505b7bcbf181ff1[bSP] 61652a4dcb8807ef7a120f147e8819d6 : Windows 7/8 MBR CodePartition table:0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 76217 MoUser = LL1 ... OK!User = LL2 ... OK!+++++ PhysicalDrive1: Seagate Portable USB Device +++++--- User ---[MBR] 0974327c8e9b2134b4cdd5c443fe9d57[bSP] 378640292c221c7348cb68e5453433ec : Windows XP MBR CodePartition table:0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 476937 MoUser = LL1 ... OK!Error reading LL2 MBR!Finished : << RKreport[1]_S_01182013_02d2310.txt >>RKreport[1]_S_01182013_02d2310.txt Link to post Share on other sites More sharing options...
MrCharlie Posted January 19, 2013 ID:636407 Share Posted January 19, 2013 Download Malwarebytes Anti-Rootkit from HEREUnzip the contents to a folder in a convenient location.Open the folder where the contents were unzipped and run mbar.exeFollow the instructions in the wizard to update and allow the program to scan your computer for threats.Click on the Cleanup button to remove any threats and reboot if prompted to do so.Wait while the system shuts down and the cleanup process is performed.Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.When done, please post the two logs produced they will be in the MBAR folder..... mbar-log.txt and system-log.txtTo attach a log if needed:Bottom right corner of this page.New window that comes up.~~~~~~~~~~~~~~~~~~~~~~~Note:If no additional threats were found, verify that your system is now running normally, making sure that the following items are functional:Internet accessWindows UpdateWindows FirewallIf there are additional problems with your system, such as any of those listed above or other system issues, then run the fixdamage tool included with Malwarebytes Anti-Rootkit and reboot.Verify that your system is now functioning normally.MrC Link to post Share on other sites More sharing options...
Sity Posted January 19, 2013 Author ID:636614 Share Posted January 19, 2013 Ok I ran Malwarebytes Anti-Rootkit three times. The first time it detected 173 threats, the second time only one, and the third time no threats were found. I've attached the logs for you to review.mbar-log-2013-01-19 (14-11-24).txtmbar-log-2013-01-19 (14-40-46).txtmbar-log-2013-01-19 (14-58-09).txtsystem-log.txt Link to post Share on other sites More sharing options...
MrCharlie Posted January 19, 2013 ID:636625 Share Posted January 19, 2013 Well Done, lets run ComboFix to clear up any leftovers.Please download and run ComboFix.The most important things to remember when running it is to disable all your malware programs and run Combofix from your desktop.Please visit this webpage for download links, and instructions for running ComboFixhttp://www.bleepingcomputer.com/combofix/how-to-use-combofixEnsure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.Information on disabling your malware programs can be found Here.Make sure you run ComboFix from your desktop. Give it at least 30-45 minutes to finish if needed.Please include the C:\ComboFix.txt in your next reply for further review.---------->NOTE<----------If you get the message Illegal operation attempted on registry key that has been marked for deletion after you run ComboFix....please reboot the computer, this should resolve the problem. You may have to do this several times if needed.MrC Link to post Share on other sites More sharing options...
Sity Posted January 19, 2013 Author ID:636685 Share Posted January 19, 2013 Attached the log.ComboFix.txt Link to post Share on other sites More sharing options...
MrCharlie Posted January 20, 2013 ID:636864 Share Posted January 20, 2013 Looks Good............Please download AdwCleaner from here and save it on your Desktop.AdwCleaner is a reliable removal tool for Adware, Foistware, toolbars and potentially unwanted programs.AdwCleaner is a tool that deletes :· Adwares (software ads)· PUP/LPI (Potentially Undesirable Program)· Toolbars· Hijacker (Hijack of the browser's homepage)It works with a Search and Deletion methode. It can be easily uninstalled using the "Uninstall" mode. Right-click on adwcleaner.exe and select Run As Administrator (for XP just double click) to launch the application.Now click on the Search tab.Please post the contents of the log-file created in your next post.Note: The log can also be located at C:\ >> AdwCleaner[XX].txt >> XX <-- Denotes the number of times the application has been ran, so in this should be something like R1.Please look over what was found, we're going to delete it all in the next step....if there's something you may want to keep...please let me know and I'll explain to why it shouldn't be on your system.MrC Link to post Share on other sites More sharing options...
Sity Posted January 20, 2013 Author ID:636966 Share Posted January 20, 2013 Log attachedAdwCleanerR1.txt Link to post Share on other sites More sharing options...
MrCharlie Posted January 20, 2013 ID:636980 Share Posted January 20, 2013 Nothing there to worry about.How's the computer running??---------------------------Lets check your computers security before you go and we have a little cleanup to do also:Download Security Check by screen317 from HERE or HERE.Save it to your Desktop.Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.A Notepad document should open automatically called checkup.txt.Please Post the contents of that document.Do Not Attach It!!!MrC Link to post Share on other sites More sharing options...
Sity Posted January 20, 2013 Author ID:636986 Share Posted January 20, 2013 Well today when I booted my machine, SEP started finding and quarantining a bunch of Trojan.Gen.2's again so I'm not sure what's going on. I haven't downloaded or installed anything, nor have I made any changes to my PC other than the ones you have instructed. Anyways, here is the log for Security Check: Results of screen317's Security Check version 0.99.57 Windows 7 Service Pack 1 x64 (UAC is disabled!) Internet Explorer 9 ``````````````Antivirus/Firewall Check:`````````````` Windows Firewall Enabled! Symantec Endpoint Protection WMI entry may not exist for antivirus; attempting automatic update.`````````Anti-malware/Other Utilities Check:````````` Malwarebytes Anti-Malware version 1.70.0.1100 Adobe Flash Player 11.5.502.146 Adobe Reader 10.1.5 Adobe Reader out of Date! Mozilla Firefox (18.0.1)````````Process Check: objlist.exe by Laurent```````` Norton ccSvcHst.exe Malwarebytes Anti-Malware mbamservice.exe Malwarebytes Anti-Malware mbamgui.exe Malwarebytes' Anti-Malware mbamscheduler.exe `````````````````System Health check````````````````` Total Fragmentation on Drive C: 3%````````````````````End of Log`````````````````````` Link to post Share on other sites More sharing options...
MrCharlie Posted January 20, 2013 ID:636992 Share Posted January 20, 2013 Are you able to post a log from SEP??Please Update and run a Quick Scan with Malwarebytes Anti-Malware, post the report.Make sure that everything is checked, and click Remove Selected.MrC Link to post Share on other sites More sharing options...
Sity Posted January 20, 2013 Author ID:637006 Share Posted January 20, 2013 I need some assistance with posting the SEP log. The logs save in either either .csv or .mdb format. I tried saving the log as a .txt file, but its all jumbled and disorganized when I open the file.I ran Malwarebytes Anti-Malware quick scan again and no threats came up. Here is the log:Malwarebytes Anti-Malware 1.70.0.1100www.malwarebytes.orgDatabase version: v2013.01.20.07Windows 7 Service Pack 1 x64 NTFSInternet Explorer 9.0.8112.16421user :: USER-PC [administrator]1/20/2013 2:24:10 PMmbam-log-2013-01-20 (14-24-10).txtScan type: Quick scanScan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUMScan options disabled: P2PObjects scanned: 218691Time elapsed: 5 minute(s), 44 second(s)Memory Processes Detected: 0(No malicious items detected)Memory Modules Detected: 0(No malicious items detected)Registry Keys Detected: 0(No malicious items detected)Registry Values Detected: 0(No malicious items detected)Registry Data Items Detected: 0(No malicious items detected)Folders Detected: 0(No malicious items detected)Files Detected: 0(No malicious items detected)(end) Link to post Share on other sites More sharing options...
MrCharlie Posted January 20, 2013 ID:637010 Share Posted January 20, 2013 OK, can you just tell me a couple of the files found and where they were found at, MrC Link to post Share on other sites More sharing options...
Sity Posted January 20, 2013 Author ID:637015 Share Posted January 20, 2013 It seems like they're all coming from C:\Users\user\AppData\Local\Temp\ (I reviewed the log for the past 2 weeks and every single one of them has come from there). It literally will find hundreds in a matter of minutes.Here's a few of the most recent ones:DWHA204.tmp,Trojan.Gen.2,Quarantined,File,C:\Users\user\AppData\Local\Temp\,USER-PC,user,Infected,Quarantine,Clean security risk,Quarantine,Auto-Protect scan,The file was quarantined successfully.,1/20/2013 2:22:36 PMDWHCA0E.tmp,Trojan.Gen.2,Quarantined,File,C:\Users\user\AppData\Local\Temp\,USER-PC,user,Infected,Quarantine,Clean security risk,Quarantine,Auto-Protect scan,The file was quarantined successfully.,1/20/2013 2:22:37 PMDWHE01E.tmp,Trojan.Gen.2,Quarantined,File,C:\Users\user\AppData\Local\Temp\,USER-PC,user,Infected,Quarantine,Clean security risk,Quarantine,Auto-Protect scan,The file was quarantined successfully.,1/20/2013 2:22:37 PMDWHFC18.tmp,Trojan.Gen.2,Quarantined,File,C:\Users\user\AppData\Local\Temp\,USER-PC,user,Infected,Quarantine,Clean security risk,Quarantine,Auto-Protect scan,The file was quarantined successfully.,1/20/2013 2:22:37 PMDWH1054.tmp,Trojan.Gen.2,Quarantined,File,C:\Users\user\AppData\Local\Temp\,USER-PC,user,Infected,Quarantine,Clean security risk,Quarantine,Auto-Protect scan,The file was quarantined successfully.,1/20/2013 2:22:43 PMDWH2819.tmp,Trojan.Gen.2,Quarantined,File,C:\Users\user\AppData\Local\Temp\,USER-PC,user,Infected,Quarantine,Clean security risk,Quarantine,Auto-Protect scan,The file was quarantined successfully.,1/20/2013 2:22:53 PMDWH4D56.tmp,Trojan.Gen.2,Quarantined,File,C:\Users\user\AppData\Local\Temp\,USER-PC,user,Infected,Quarantine,Clean security risk,Quarantine,Auto-Protect scan,The file was quarantined successfully.,1/20/2013 2:22:56 PMDWH5948.tmp,Trojan.Gen.2,Quarantined,File,C:\Users\user\AppData\Local\Temp\,USER-PC,user,Infected,Quarantine,Clean security risk,Quarantine,Auto-Protect scan,The file was quarantined successfully.,1/20/2013 2:23:01 PM Link to post Share on other sites More sharing options...
MrCharlie Posted January 20, 2013 ID:637025 Share Posted January 20, 2013 Find one or two of those files in that folder:C:\Users\user\AppData\Local\Temp\and upload to VirusTotal for a free scan, let me know the results (just copy back the url)http://www.virustotal.com/MrC Link to post Share on other sites More sharing options...
Sity Posted January 20, 2013 Author ID:637033 Share Posted January 20, 2013 https://www.virustotal.com/file/e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855/analysis/1358711560/https://www.virustotal.com/file/e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855/analysis/1358711817/ Link to post Share on other sites More sharing options...
MrCharlie Posted January 20, 2013 ID:637047 Share Posted January 20, 2013 That's very puzzling...... Please download Junkware Removal Tool to your desktop.Shut down your protection software now to avoid potential conflicts.Run the tool by double-clicking it. If you are using Windows Vista or Seven, right-mouse click it and select Run as Administrator.The tool will open and start scanning your system.Please be patient as this can take a while to complete depending on your system's specifications.On completion, a log (JRT.txt) is saved to your desktop and will automatically open.Post the contents of JRT.txt into your next message.MrC Link to post Share on other sites More sharing options...
Sity Posted January 20, 2013 Author ID:637054 Share Posted January 20, 2013 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~Junkware Removal Tool (JRT) by ThisisuVersion: 4.4.6 (01.20.2013:1)OS: Windows 7 Ultimate x64Ran by user on Sun 01/20/2013 at 15:13:55.69~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Services~~~ Registry Values~~~ Registry Keys~~~ Files~~~ Folders~~~ FireFoxSuccessfully deleted: [File] C:\Users\user\AppData\Roaming\mozilla\firefox\profiles\a0mimd43.default\searchplugins\youtube-video-search.xmlEmptied folder: C:\Users\user\AppData\Roaming\mozilla\firefox\profiles\a0mimd43.default\minidumps [45 files]~~~ Event Viewer Logs were cleared~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~Scan was completed on Sun 01/20/2013 at 15:22:18.69End of JRT log~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Link to post Share on other sites More sharing options...
MrCharlie Posted January 20, 2013 ID:637063 Share Posted January 20, 2013 Download TFC to your desktopClose any open windows.Double click the TFC icon to run the programTFC will close all open programs itself in order to run,Click the Start button to begin the process.Allow TFC to run uninterrupted.The program should not take long to finish it's jobOnce its finished it should automatically reboot your machine,if it doesn't, manually reboot to ensure a complete clean~~~~~~~~~~~~~~~~~~~~~Reboot and keep an eye on that temp folder and see if those files still keep appearing, MrC Link to post Share on other sites More sharing options...
Sity Posted January 20, 2013 Author ID:637073 Share Posted January 20, 2013 Ok I ran TFC as instructed. I went to check C:\Users\user\AppData\Local\Temp\, and the folder no longer exists so I'm assuming that's a good sign? Link to post Share on other sites More sharing options...
Sity Posted January 20, 2013 Author ID:637077 Share Posted January 20, 2013 ** EDIT **The folder does still exists. I guess at some point during the process, the "display hidden folders and files" option became unchecked. I checked the folder and the files don't seem to be there anymore. Link to post Share on other sites More sharing options...
MrCharlie Posted January 20, 2013 ID:637085 Share Posted January 20, 2013 OK, use it and let me know tomorrow, MrC Link to post Share on other sites More sharing options...
Sity Posted January 20, 2013 Author ID:637086 Share Posted January 20, 2013 Will do man! Thanks a bunch for your help. Link to post Share on other sites More sharing options...
Recommended Posts