Jump to content

Struggling to remove virus - not being detected

JRT723

By JRT723
in Resolved Malware Removal Logs

 Share

Recommended Posts

JRT723

JRT723

Posted
Posted

I am pretty close to certain that my computer is infected, but unfortunately MBAM doesn't seem to be picking it up. There is a folder called uggksyja in the username\appdata\roaming\Microsoft directory, which contains uggksyja.exe and a bunch of other files, .dll and .hoi. A google search had no results, so I'm assuming it's a randomly generated 8 letters.

Deleting the file obviously doesn't help, as it just comes back. The file frequently appears to be running in Task Manager, although once I end the process it doesn't usually restart until I restart the computer. I'm also getting the occasional taskeng.exe running when it shouldn't.

This culminated in a battle earlier this week when a selection of random internet explorer pages kept opening (not real pages, just random letters in the address bar with a "page not found" message).

MBAM still didn't detect anything. I tried both in and out of safe mode, as well as having used rkill beforehand to shut down any processes that might affect it. Nothing found.

Upon advice, I used MBAR, which DID detect a bunch of things including the annoying uggksyja thing, and I used MBAR to then remove it. I ran MBAR a further 2 times, and again in safe mode, and all came back clean. I immediately ran MBAM in safe mode (clean) and normal mode (clean) and I dared to hope that it was gone.

Sadly, it seems to have returned, and as it's still the same 8 random letters (uggksyja) I'm thinking I'm still infected, rather than having been reinfected.

This time around, MBAR isn't detecting anything. MBAM still isn't. Yet I'm certain I'm infected. Please help.

As requested in the instructions topic, I shall now paste the log from dds.com

DDS (Ver_2012-11-20.01) - NTFS_AMD64

Internet Explorer: 10.0.9200.16537

Run by Jack at 17:05:40 on 2013-04-19

Microsoft Windows 7 Home Premium 6.1.7601.1.1252.44.1033.18.8082.6185 [GMT 1:00]

.

AV: Avira Desktop *Enabled/Updated* {F67B4DE5-C0B4-6C3F-0EFF-6C83BD5D0C2C}

SP: Avira Desktop *Enabled/Updated* {4D1AAC01-E68E-63B1-344F-57F1C6DA4691}

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

============== Running Processes ===============

.

C:\windows\system32\lsm.exe

C:\windows\system32\svchost.exe -k DcomLaunch

C:\windows\system32\nvvsvc.exe

C:\windows\system32\svchost.exe -k RPCSS

C:\windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\windows\system32\svchost.exe -k LocalService

C:\windows\system32\svchost.exe -k netsvcs

C:\windows\system32\svchost.exe -k GPSvcGroup

C:\Program Files\HitmanPro\hmpsched.exe

C:\windows\system32\svchost.exe -k NetworkService

C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe

C:\windows\system32\nvvsvc.exe

C:\windows\System32\spoolsv.exe

C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe

C:\windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Program Files (x86)\Common Files\EPSON\EBAPI\eEBSVC.exe

C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe

C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe

C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_S50STB.EXE

C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_S50RPB.EXE

C:\Program Files (x86)\Common Files\MAGIX Services\Database\bin\FABS.exe

C:\Program Files\Intel\iCLS Client\HeciServer.exe

C:\Program Files (x86)\Intel\Intel® Management Engine Components\FWService\IntelMeFWService.exe

C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe

C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe

C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe

C:\windows\system32\svchost.exe -k imgsvc

C:\windows\system32\ThpSrv.exe

C:\windows\system32\TODDSrv.exe

C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

C:\Program Files\TOSHIBA\TECO\TecoService.exe

C:\windows\system32\wbem\wmiprvse.exe

C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe

C:\windows\System32\alg.exe

C:\windows\system32\svchost.exe -k NetworkServiceNetworkRestricted

C:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\windows\system32\taskhost.exe

C:\Program Files\HitmanPro\HitmanPro.exe

C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe

C:\windows\system32\taskeng.exe

C:\windows\system32\wbem\wmiprvse.exe

C:\windows\system32\Dwm.exe

C:\windows\Explorer.EXE

C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\SRS Labs\SRS Control Panel\SRSPanel_64.exe

C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe

C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe

C:\Program Files\TOSHIBA\TECO\Teco.exe

C:\Windows\System32\ThpSrv.exe

C:\Program Files\TOSHIBA\TosVolRegulator\TosVolRegulator.exe

C:\Program Files (x86)\Toshiba TEMPRO\TemproTray.exe

C:\Windows\System32\igfxtray.exe

C:\Windows\System32\hkcmd.exe

C:\Windows\System32\igfxpers.exe

C:\Users\Jack\AppData\Roaming\Microsoft\Uggksyja\uggksyja.exe

C:\Program Files\TOSHIBA\TECO\TecoHook.exe

C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe

C:\Program Files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe

C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE

C:\Program Files (x86)\TOSHIBA\Utilities\KeNotify.exe

C:\Program Files\TOSHIBA\FlashCards\Hotkey\TcrdKBB.exe

C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe

C:\Program Files (x86)\EPSON Software\Event Manager\EEventManager.exe

C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe

C:\Program Files (x86)\iTunes\iTunesHelper.exe

C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE

C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe

C:\Program Files\NVIDIA Corporation\Display\nvtray.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\windows\system32\SearchIndexer.exe

C:\Program Files\Windows Media Player\wmpnetwk.exe

C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosLeSrvUseMng.exe

C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosLeBtMng.exe

C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosLeSrvProvider.exe

C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe

C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe

C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe

C:\windows\system32\SearchProtocolHost.exe

C:\windows\system32\SearchFilterHost.exe

C:\windows\System32\svchost.exe -k LocalServicePeerNet

C:\windows\system32\spool\DRIVERS\x64\3\E_IATIHQE.EXE

C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe

C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe

C:\Program Files (x86)\Nero\Update\NASvc.exe

C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe

C:\windows\system32\sppsvc.exe

C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe

C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe

C:\Program Files\TOSHIBA\TPHM\TPCHSrv.exe

C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSENotify.exe

C:\Program Files\TOSHIBA\TPHM\TPCHWMsg.exe

C:\windows\System32\cscript.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.google.com/

uDefault_Page_URL = hxxp://www.google.com/ig/redirectdomain?brand=TEUA&bmod=TEUA

mWinlogon: Userinit = userinit.exe,

BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

BHO: Adblock IE: {667BEE43-20BD-4CE3-94AC-E63E04D4B191} - C:\Program Files (x86)\MGTEK\Adblock IE\adblockie.dll

BHO: Java Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll

BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL

BHO: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll

BHO: TOSHIBA Media Controller Plug-in: {F3C88694-EFFA-4d78-B409-54B7B2535B14} - C:\Program Files (x86)\TOSHIBA\TOSHIBA Media Controller Plug-in\TOSHIBAMediaControllerIE.dll

uRun: [Epson Stylus Photo PX730(Network)] "C:\Users\Jack\AppData\Roaming\Microsoft\Uggksyja\uggksyja.exe" /c C:\windows\System32\spool\DRIVERS\x64\3\E_IATIHQE.EXE /FU "C:\Users\Jack\AppData\Local\Temp\E_S4B87.tmp" /EF "HKCU"

uRun: [EPSON PX730 Series] "C:\Users\Jack\AppData\Roaming\Microsoft\Uggksyja\uggksyja.exe" /c C:\windows\System32\spool\DRIVERS\x64\3\E_IATIHQE.EXE /FU "C:\Users\Jack\AppData\Local\Temp\E_S6E5B.tmp" /EF "HKCU"

mRun: [NBAgent] "C:\Program Files (x86)\Nero\Nero 11\Nero BackItUp\NBAgent.exe" /WinStart

mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

mRun: [iTSecMng] C:\Program Files (x86)\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe /START

mRun: [uSB3MON] "C:\Program Files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe"

mRun: [sVPWUTIL] C:\Program Files (x86)\TOSHIBA\Utilities\SVPWUTIL.exe SVPwUTIL

mRun: [KeNotify] "C:\Program Files (x86)\TOSHIBA\Utilities\KeNotify.exe" LPCM

mRun: [HWSetup] C:\Program Files\TOSHIBA\Utilities\HWSetup.exe hwSetUP

mRun: [ToshibaServiceStation] "C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe" /hide:60

mRun: [TSleepSrv] C:\Program Files (x86)\TOSHIBA\TOSHIBA Sleep Utility\TSleepSrv.exe

mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"

mRun: [EEventManager] "C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe"

mRun: [ArcSoft Connection Service] C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe

mRun: [avgnt] "C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe" /min

mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime

mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"

dRun: [TOPI.EXE] C:\Program Files (x86)\TOSHIBA\TOSHIBA Online Product Information\topi.exe /STARTUP

StartupFolder: C:\Users\Jack\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\ONENOT~1.LNK - C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE

StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\BLUETO~1.LNK - C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe

mPolicies-Explorer: NoActiveDesktop = dword:1

mPolicies-System: ConsentPromptBehaviorAdmin = dword:5

mPolicies-System: ConsentPromptBehaviorUser = dword:3

mPolicies-System: EnableUIADesktopToggle = dword:0

IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\Office14\EXCEL.EXE/3000

IE: Google Sidewiki... - C:\Program Files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_43C348BC2E93EB2B.dll/cmsidewiki.html

IE: Se&nd to OneNote - C:\PROGRA~2\MICROS~1\Office14\ONBttnIE.dll/105

IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll

IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab

TCP: NameServer = 192.168.1.254

TCP: Interfaces\{561D0B7E-A901-4B40-B20F-558E2CE98AF0} : DHCPNameServer = 192.168.1.254

TCP: Interfaces\{561D0B7E-A901-4B40-B20F-558E2CE98AF0}\244575966496D277964786D264F4E4 : DHCPNameServer = 192.168.22.22 192.168.22.23

Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL

Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll

SSODL: WebCheck - <orphaned>

x64-BHO: Adblock IE: {667BEE43-20BD-4CE3-94AC-E63E04D4B191} - C:\Program Files\MGTEK\Adblock IE\adblockie.dll

x64-BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

x64-BHO: Easy Photo Print: {9421DD08-935F-4701-A9CA-22DF90AC4EA6} - C:\Program Files (x86)\Epson Software\Easy Photo Print\EPTBL.dll

x64-BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL

x64-BHO: TOSHIBA Media Controller Plug-in: {F3C88694-EFFA-4d78-B409-54B7B2535B14} - C:\Program Files (x86)\TOSHIBA\TOSHIBA Media Controller Plug-in\x64\TOSHIBAMediaControllerIE.dll

x64-TB: Easy Photo Print: {9421DD08-935F-4701-A9CA-22DF90AC4EA6} - C:\Program Files (x86)\Epson Software\Easy Photo Print\EPTBL.dll

x64-Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s

x64-Run: [synTPEnh] C:\Program Files (x86)\Synaptics\SynTP\SynTPEnh.exe

x64-Run: [sRS Premium Sound 3D] "C:\Program Files\SRS Labs\SRS Control Panel\SRSPanel_64.exe" /f="C:\Program Files\SRS Labs\SRS Control Panel\SRS_Premium_Sound_PS3D.zip" /h

x64-Run: [TPwrMain] C:\Program Files (x86)\TOSHIBA\Power Saver\TPwrMain.EXE

x64-Run: [TCrdMain] C:\Program Files (x86)\TOSHIBA\FlashCards\TCrdMain.exe

x64-Run: [Teco] "C:\Program Files (x86)\TOSHIBA\TECO\Teco.exe" /r

x64-Run: [TosWaitSrv] C:\Program Files (x86)\TOSHIBA\TPHM\TosWaitSrv.exe

x64-Run: [ThpSrv] C:\windows\System32\thpsrv /logon

x64-Run: [TosSENotify] C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosWaitSrv.exe

x64-Run: [TosVolRegulator] C:\Program Files\TOSHIBA\TosVolRegulator\TosVolRegulator.exe

x64-Run: [Toshiba TEMPRO] C:\Program Files (x86)\Toshiba TEMPRO\TemproTray.exe

x64-Run: [Toshiba Registration] C:\Program Files\TOSHIBA\Registration\ToshibaReminder.exe

x64-Run: [igfxTray] C:\windows\System32\igfxtray.exe

x64-Run: [HotKeysCmds] C:\windows\System32\hkcmd.exe

x64-Run: [Persistence] C:\windows\System32\igfxpers.exe

x64-IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll

x64-IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll

x64-Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL

x64-Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - <orphaned>

x64-Notify: igfxcui - igfxdev.dll

x64-SSODL: WebCheck - <orphaned>

.

============= SERVICES / DRIVERS ===============

.

R0 iusb3hcs;Intel® USB 3.0 Host Controller Switch Driver;C:\windows\System32\drivers\iusb3hcs.sys [2012-1-28 16152]

R0 NBVol;Nero Backup Volume Filter Driver;C:\windows\System32\drivers\NBVol.sys [2012-3-14 72240]

R0 NBVolUp;Nero Backup Volume Upper Filter Driver;C:\windows\System32\drivers\NBVolUp.sys [2012-3-14 15920]

R0 nvpciflt;nvpciflt;C:\windows\System32\drivers\nvpciflt.sys [2012-5-23 28992]

R1 avkmgr;avkmgr;C:\windows\System32\drivers\avkmgr.sys [2013-3-28 28600]

R2 avgntflt;avgntflt;C:\windows\System32\drivers\avgntflt.sys [2013-3-28 100712]

R3 CeKbFilter;CeKbFilter;C:\windows\System32\drivers\CeKbFilter.sys [2012-5-23 20592]

R3 IntcDAud;Intel® Display Audio;C:\windows\System32\drivers\IntcDAud.sys [2011-12-6 331264]

R3 iusb3hub;Intel® USB 3.0 Hub Driver;C:\windows\System32\drivers\iusb3hub.sys [2012-1-28 356120]

R3 iusb3xhc;Intel® USB 3.0 eXtensible Host Controller Driver;C:\windows\System32\drivers\iusb3xhc.sys [2012-1-28 787736]

R3 MBAMProtector;MBAMProtector;C:\windows\System32\drivers\mbam.sys [2012-9-24 25928]

R3 PGEffect;Pangu effect driver;C:\windows\System32\drivers\PGEffect.sys [2012-5-23 38096]

R3 RSP2STOR;Realtek PCIE CardReader Driver - P2;C:\windows\System32\drivers\RtsP2Stor.sys [2012-5-23 259176]

R3 RTL8167;Realtek 8167 NT Driver;C:\windows\System32\drivers\Rt64win7.sys [2012-5-23 677480]

R3 RTL8192Ce;Realtek Wireless LAN 802.11n PCI-E NIC Driver;C:\windows\System32\drivers\rtwlane.sys [2012-5-23 1082472]

R3 SmbDrv;SmbDrv;C:\windows\System32\drivers\Smb_driver.sys [2012-2-25 22800]

S3 hcwhdpvr;Hauppauge HD PVR Capture Device;C:\windows\System32\drivers\hcwhdpvr.sys [2012-9-4 191944]

S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\windows\System32\drivers\rdpvideominiport.sys [2013-3-19 19456]

S3 RtkBtFilter;Realtek Bluetooth Filter Driver;C:\windows\System32\drivers\RtkBtfilter.sys [2012-1-5 21096]

.

=============== Created Last 30 ================

.

2013-04-19 16:05:07 32152 ----a-w- C:\windows\System32\drivers\hitmanpro37.sys

2013-04-19 15:03:16 257024 ----a-w- C:\Users\Jack\AppData\Roaming\Microsoft\Uggksyja\uggksyja.exe

2013-04-10 13:55:29 3153408 ----a-w- C:\windows\System32\win32k.sys

2013-04-10 13:55:28 1655656 ----a-w- C:\windows\System32\drivers\ntfs.sys

2013-04-10 13:55:27 223752 ----a-w- C:\windows\System32\drivers\fvevol.sys

2013-04-10 13:55:24 5550424 ----a-w- C:\windows\System32\ntoskrnl.exe

2013-04-10 13:55:23 3913560 ----a-w- C:\windows\SysWow64\ntoskrnl.exe

2013-04-10 13:55:22 6656 ----a-w- C:\windows\SysWow64\apisetschema.dll

2013-04-10 13:55:22 43520 ----a-w- C:\windows\System32\csrsrv.dll

2013-04-10 13:55:22 3968856 ----a-w- C:\windows\SysWow64\ntkrnlpa.exe

2013-04-10 13:55:22 112640 ----a-w- C:\windows\System32\smss.exe

2013-04-07 23:26:09 -------- d-----w- C:\Program Files\MGTEK

2013-04-07 23:26:09 -------- d-----w- C:\Program Files\Common Files\MGTEK

2013-04-07 23:26:09 -------- d-----w- C:\Program Files (x86)\MGTEK

2013-04-07 23:26:09 -------- d-----w- C:\Program Files (x86)\Common Files\MGTEK

2013-04-07 23:24:32 -------- d-----w- C:\ProgramData\MGTEK

2013-04-06 13:29:59 25600 ----a-w- C:\Program Files (x86)\MSBuild\Firaxis\ModBuddy\ModBuddy.Civ5ModBuildTasks.dll

2013-04-06 13:29:59 142336 ----a-w- C:\Program Files (x86)\MSBuild\Firaxis\ModBuddy\SevenZipSharp.dll

2013-04-06 13:29:59 1223168 ----a-w- C:\Program Files (x86)\MSBuild\Firaxis\ModBuddy\7z.dll

2013-04-06 13:29:27 -------- d-----w- C:\Users\Jack\AppData\Roaming\Firaxis

2013-04-06 13:29:26 -------- d-----w- C:\Users\Jack\AppData\Local\Firaxis

2013-04-06 13:29:15 -------- d-----w- C:\Program Files\Microsoft Help Viewer

2013-04-06 13:28:59 -------- d-----w- C:\Program Files (x86)\Microsoft SQL Server

2013-04-06 13:28:52 84192 ----a-w- C:\ProgramData\Microsoft\VisualStudio\10.0\1033\ResourceCache.dll

2013-04-06 13:27:59 -------- d-----w- C:\windows\SysWow64\1033

2013-04-06 13:27:32 -------- d-----w- C:\Program Files (x86)\Microsoft Visual Studio 10.0

2013-04-06 13:27:32 -------- d-----w- C:\Program Files (x86)\Common Files\Merge Modules

2013-04-01 00:56:01 -------- d-----w- C:\Users\Jack\New folder

2013-03-28 20:30:05 28600 ----a-w- C:\windows\System32\drivers\avkmgr.sys

2013-03-28 20:30:05 100712 ----a-w- C:\windows\System32\drivers\avgntflt.sys

2013-03-23 13:56:48 303616 ----a-w- C:\windows\System32\drivers\atksgt.sys

2013-03-23 13:56:23 35328 ----a-w- C:\windows\System32\drivers\lirsgt.sys

2013-03-23 13:54:23 -------- d-----w- C:\Nobilis

.

==================== Find3M ====================

.

2013-04-04 13:50:32 25928 ----a-w- C:\windows\System32\drivers\mbam.sys

2013-04-02 09:23:27 73432 ----a-w- C:\windows\SysWow64\FlashPlayerCPLApp.cpl

2013-04-02 09:23:27 693976 ----a-w- C:\windows\SysWow64\FlashPlayerApp.exe

2013-02-21 10:30:16 1766912 ----a-w- C:\windows\SysWow64\wininet.dll

2013-02-21 10:29:39 2877440 ----a-w- C:\windows\SysWow64\jscript9.dll

2013-02-21 10:29:37 61440 ----a-w- C:\windows\SysWow64\iesetup.dll

2013-02-21 10:29:37 109056 ----a-w- C:\windows\SysWow64\iesysprep.dll

2013-02-21 10:15:07 2240512 ----a-w- C:\windows\System32\wininet.dll

2013-02-21 10:14:09 3958784 ----a-w- C:\windows\System32\jscript9.dll

2013-02-21 10:14:05 67072 ----a-w- C:\windows\System32\iesetup.dll

2013-02-21 10:14:05 136704 ----a-w- C:\windows\System32\iesysprep.dll

2013-02-19 12:01:03 2706432 ----a-w- C:\windows\SysWow64\mshtml.tlb

2013-02-19 11:42:14 2706432 ----a-w- C:\windows\System32\mshtml.tlb

2013-02-19 11:10:53 71680 ----a-w- C:\windows\SysWow64\RegisterIEPKEYs.exe

2013-02-19 10:51:18 89600 ----a-w- C:\windows\System32\RegisterIEPKEYs.exe

2013-02-12 05:45:24 135168 ----a-w- C:\windows\apppatch\AppPatch64\AcXtrnal.dll

2013-02-12 05:45:22 350208 ----a-w- C:\windows\apppatch\AppPatch64\AcLayers.dll

2013-02-12 05:45:22 308736 ----a-w- C:\windows\apppatch\AppPatch64\AcGenral.dll

2013-02-12 05:45:22 111104 ----a-w- C:\windows\apppatch\AppPatch64\acspecfc.dll

2013-02-12 04:48:31 474112 ----a-w- C:\windows\apppatch\AcSpecfc.dll

2013-02-12 04:48:26 2176512 ----a-w- C:\windows\apppatch\AcGenral.dll

2013-02-12 04:12:05 19968 ----a-w- C:\windows\System32\drivers\usb8023.sys

.

============= FINISH: 17:09:09.17 ===============

Link to post
Share on other sites
Maniac

Maniac

Posted
Posted

Hello JRT723 and :welcome:! My name is Maniac and I will be glad to help you solve your malware problem.

Please note:

  • If you are a paying customer, you have the privilege to contact the help desk at Consumer Support. If you choose this option to get help, please let me know.
  • I recommend you to keep the instructions I will be giving you so that they are available to you at any time. You can save them in a text file or print them.
  • Make sure you read all of the instructions and fixes thoroughly before continuing with them.
  • Follow my instructions strictly and don’t hesitate to stop and ask me if you have any questions.
  • Post your log files, don't attach them. Every log file should be copy/pasted in your next reply.
  • Do not perform any kind of scanning and fixing without my instructions. If you want to proceed on your own, please let me know.

Please post the content of Attach.txt

Link to post
Share on other sites
Maniac

Maniac

Posted
Posted

Step 1

  • Launch Malwarebytes' Anti-Malware
  • Go to Update tab and select Check for Updates. If an update is found, it will download and install the latest version.
  • Go to Scanner tab and select Perform Quick Scan, then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer,please do so immediately.

Step 2

  • Download on the desktop RogueKiller
  • Quit all programs
  • Start RogueKiller.exe
  • Wait until Prescan has finished ...
  • Click on Scan. Click on Report and copy/paste the content of the notepad in your next reply.

In your next reply, post the following log files:

  • Malwarebytes' Anti-Malware log
  • RogueKiller log

Link to post
Share on other sites
JRT723

JRT723

Posted
  • Author
Posted

Well, I don't know if a quick scan does things a full scan does not, or if you've done some magic upon viewing the logs, but while a full scan this afternoon detected nothing, this quick scan just detected three objects, including my latest arch-nemesis. Roguekiller detected nothing. Dare I hope that I am clean once again?

Malwarebytes Anti-Malware 1.75.0.1300

www.malwarebytes.org

Database version: v2013.04.19.05

Windows 7 Service Pack 1 x64 NTFS

Internet Explorer 10.0.9200.16540

Jack :: JACK-TOSHIBA [administrator]

19/04/2013 17:31:51

mbam-log-2013-04-19 (17-31-51).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 245253

Time elapsed: 9 minute(s), 36 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 2

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Epson Stylus Photo PX730(Network) (Trojan.Agent.ED) -> Data: "C:\Users\Jack\AppData\Roaming\Microsoft\Uggksyja\uggksyja.exe" /c C:\windows\system32\spool\DRIVERS\x64\3\E_IATIHQE.EXE /FU "C:\Users\Jack\AppData\Local\Temp\E_S4B87.tmp" /EF "HKCU" -> Quarantined and deleted successfully.

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|EPSON PX730 Series (Trojan.Agent.ED) -> Data: "C:\Users\Jack\AppData\Roaming\Microsoft\Uggksyja\uggksyja.exe" /c C:\windows\system32\spool\DRIVERS\x64\3\E_IATIHQE.EXE /FU "C:\Users\Jack\AppData\Local\Temp\E_S6E5B.tmp" /EF "HKCU" -> Quarantined and deleted successfully.

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 1

C:\Users\Jack\AppData\Roaming\Microsoft\Uggksyja\uggksyja.exe (Trojan.Agent.ED) -> Quarantined and deleted successfully.

(end)

RogueKiller V8.5.4 _x64_ [Mar 18 2013] by Tigzy

mail : tigzyRK<at>gmail<dot>com

Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/

Website : http://tigzy.geekstogo.com/roguekiller.php

Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version

Started in : Normal mode

User : Jack [Admin rights]

Mode : Scan -- Date : 04/19/2013 17:50:43

| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ HOSTS File: ¤¤¤

--> C:\windows\system32\drivers\etc\hosts

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: TOSHIBA MK6475GSX +++++

--- User ---

[MBR] 3692c52352a1c372fdade76e19671725

[bSP] ec64c0a04f8f2d92eae1f31e05342a8c : Windows Vista MBR Code

Partition table:

0 - [ACTIVE] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 1500 Mo

1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 3074048 | Size: 591890 Mo

2 - [XXXXXX] NTFS (0x17) [HIDDEN!] Offset (sectors): 1215264768 | Size: 17089 Mo

User = LL1 ... OK!

User = LL2 ... OK!

Finished : << RKreport[1]_S_04192013_02d1750.txt >>

RKreport[1]_S_04192013_02d1750.txt

Link to post
Share on other sites
Maniac

Maniac

Posted
Posted

Probably is not due to this type of scan, but due to last updates. It seems in last updates they were added.

Looks good. :)

Please manually delete RogueKiller and DDS.

Some malware prevention tips:

users.telenet.be/bluepatchy/miekiemoes/prevention.html

Safe surfing! :)

Link to post
Share on other sites
JRT723

JRT723

Posted
  • Author
Posted

Many thanks for taking the time to help!

It's typical that I've been fighting this for a week, and yet as soon as I decide to bother somebody and beg for help, an update comes out that solves the problem in approximately 8 minutes!

Thanks again. :D

Link to post
Share on other sites
Maurice Naggar

Maurice Naggar

Posted
Posted

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

Link to post
Share on other sites
Guest
This topic is now closed to further replies.
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.