Jump to content

Malwarebytes picked up a trojan - how can I be sure it's gone?


Recommended Posts

Hello,

 

I have just finished doing my bi-weekly quick scan on Malwarebytes when a trojan popped up - "Trojan.PWS.Zbot" from a file in my recycle bin called "AudioTest.exe." I quarantined it immediately, but now I'm wondering if it's gone completely.

 

I have no clue how I received it. This laptop, a Samsung, is barely two months old and I rarely check my email on my computer. I have only downloaded programs from trusted companies - no music downloads, torrents, attachments from sketchy emails... nothing like that. I use AdBlock and only one pop-up has magically opened since this laptop was purchased. I also don't understand how it ended up in my recycle bin if I didn't even know there was anything on here called AudioTest.exe.

 

Here is the log; I'm not sure if I've posted it properly. It's really late, I'm tired and stressed out due to this trojan, so I apologize if I haven't posted this correctly. I just want to make sure it's gone forever and there aren't any traces left of it on the laptop. Thanks in advance!

 

------------

 

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org
 
Database version: v2013.10.06.01
 
Windows 8 x64 NTFS
Internet Explorer 10.0.9200.16688
Sammy :: SAMMY [limited]
 
10/06/13 1:34:59 AM
mbam-log-2013-10-06 (01-34-59).txt
 
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 223798
Time elapsed: 3 minute(s), 29 second(s)
 
Memory Processes Detected: 0
(No malicious items detected)
 
Memory Modules Detected: 0
(No malicious items detected)
 
Registry Keys Detected: 0
(No malicious items detected)
 
Registry Values Detected: 0
(No malicious items detected)
 
Registry Data Items Detected: 0
(No malicious items detected)
 
Folders Detected: 0
(No malicious items detected)
 
Files Detected: 1
C:\$Recycle.Bin\S-1-5-18\$RKFVFFD\AudioTest.exe (Trojan.PWS.Zbot.AI) -> Quarantined and deleted successfully.
 
(end)
Link to post
Share on other sites

Hello ih8viruses and :welcome:! My name is Borislav and I will be glad to help you solve your malware problem.

Please note:

  • If you are a paying customer, you have the privilege to contact the help desk at Consumer Support. If you choose this option to get help, please let me know.
  • I recommend you to keep the instructions I will be giving you so that they are available to you at any time. You can save them in a text file or print them.
  • Make sure you read all of the instructions and fixes thoroughly before continuing with them.
  • Follow my instructions strictly and don’t hesitate to stop and ask me if you have any questions.
  • Post your log files, don't attach them. Every log file should be copy/pasted in your next reply.
  • Do not perform any kind of scanning and fixing without my instructions. If you want to proceed on your own, please let me know.
Please follow the instructions here and then post the log files in your next reply.

http://forums.malwarebytes.org/index.php?showtopic=9573

Link to post
Share on other sites

Here is DDS.txt

 

DDS (Ver_2012-11-20.01) - NTFS_AMD64 
Internet Explorer: 10.0.9200.16688
Run by Sammy at 10:18:55 on 2013-10-06
Microsoft Windows 8  6.2.9200.0.1252.2.1033.18.7894.6214 [GMT -6:00]
.
AV: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AV: Norton Internet Security *Disabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Norton Internet Security *Disabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
FW: Norton Internet Security *Disabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
.
============== Running Processes ===============
.
C:\windows\system32\svchost.exe -k DcomLaunch
C:\windows\system32\svchost.exe -k RPCSS
C:\windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\windows\system32\svchost.exe -k netsvcs
C:\windows\system32\svchost.exe -k LocalService
C:\windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\windows\system32\svchost.exe -k NetworkService
C:\windows\System32\spoolsv.exe
C:\windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files (x86)\Bluetooth Suite\adminservice.exe
C:\windows\system32\dashost.exe
C:\Program Files (x86)\Samsung\Settings\CmdServer\EasyLauncher.exe
C:\Program Files\Intel\iCLS Client\HeciServer.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe
C:\windows\system32\lxdxcoms.exe
C:\windows\system32\svchost.exe -k imgsvc
C:\Program Files (x86)\Samsung\SW Update\SWMAgent.exe
C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe
C:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\windows\system32\wbem\wmiprvse.exe
C:\windows\system32\SearchIndexer.exe
C:\windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files (x86)\Adobe\Elements 11 Organizer\PhotoshopElementsFileAgent.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\FWService\IntelMeFWService.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
C:\Program Files (x86)\Norton Internet Security\Engine\20.4.0.40\ccSvcHst.exe
C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\windows\system32\wbem\wmiprvse.exe
C:\windows\system32\dwm.exe
C:\windows\system32\msiexec.exe
C:\windows\system32\taskhostex.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files (x86)\Samsung\Settings\CmdServer\EasySettingsCmdServer.exe
C:\windows\system32\taskeng.exe
C:\Program Files (x86)\Norton Internet Security\Engine\20.4.0.40\ccSvcHst.exe
C:\windows\Explorer.EXE
C:\windows\system32\igfxext.exe
C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE
C:\Program Files (x86)\Samsung\Settings\sSettings.exe
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Program Files (x86)\Bluetooth Suite\BtTray.exe
C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe
C:\Program Files (x86)\Bluetooth Suite\ActivateDesktop.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files (x86)\Lexmark 3600-4600 Series\lxdxmon.exe
C:\Program Files (x86)\Lexmark 3600-4600 Series\ezprint.exe
C:\Program Files (x86)\CyberLink\PowerDVD10\PDVD10Serv.exe
C:\Program Files (x86)\CyberLink\Power2Go8\CLMLSvc_P2G8.exe
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files\Samsung\S Agent\CommonAgent.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\windows\system32\taskhost.exe
C:\Program Files\Samsung\Support Center\GuaranaAgent.exe
C:\windows\system32\SearchProtocolHost.exe
C:\windows\system32\SearchFilterHost.exe
C:\windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
mWinlogon: Userinit = userinit.exe,
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Norton Identity Protection: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files (x86)\Norton Internet Security\Engine\20.4.0.40\coieplg.dll
BHO: Norton Vulnerability Protection: {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files (x86)\Norton Internet Security\Engine\20.4.0.40\ips\ipsbho.dll
mRun: [RemoteControl10] "C:\Program Files (x86)\CyberLink\PowerDVD10\PDVD10Serv.exe"
mRun: [CLMLServer_For_P2G8] "C:\Program Files (x86)\CyberLink\Power2Go8\CLMLSvc_P2G8.exe"
mRun: [CLVirtualDrive] "C:\Program Files (x86)\CyberLink\Power2Go8\VirtualDrive.exe" /R
mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe"
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [intel AppUp(SM) center] "C:\Program Files (x86)\Intel\IntelAppStore\bin\ismagent.exe" --domain-id F0399437-FD0C-4A48-B101-F0314A6172E4
mRun: [Norton Online Backup] C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuClient.exe
mPolicies-System: DisableCAD = dword:1
TCP: NameServer = 64.59.176.15 64.59.177.227
TCP: Interfaces\{F80B304C-FF08-402F-94C4-8B0CE051BC2B} : DHCPNameServer = 64.59.176.15 64.59.177.227
TCP: Interfaces\{F80B304C-FF08-402F-94C4-8B0CE051BC2B}\14D6075646F53525 : DHCPNameServer = 192.168.1.100
TCP: Interfaces\{F80B304C-FF08-402F-94C4-8B0CE051BC2B}\A425F636 : DHCPNameServer = 64.59.176.15 64.59.177.227
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
SSODL: WebCheck - <orphaned>
SSODL: EldosMountNotificator - {5FF49FE8-B332-4CB9-B102-FB6951629E55} - C:\windows\SysWow64\CbFsMntNtf3.dll
STS: Virtual Storage Mount Notification - {5FF49FE8-B332-4CB9-B102-FB6951629E55} - C:\Windows\SysWOW64\CbFsMntNtf3.dll
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "C:\Program Files (x86)\Google\Chrome\Application\30.0.1599.69\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
x64-BHO: CIESpeechBHO Class: {8D10F6C4-0E01-4BD4-8601-11AC1FDF8126} - C:\Program Files (x86)\Bluetooth Suite\IEPlugIn.dll
x64-Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s
x64-Run: [btTray] "C:\Program Files (x86)\Bluetooth Suite\BtTray.exe"
x64-Run: [btvStack] "C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe"
x64-Run: [AdobeAAMUpdater-1.0] "C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe"
x64-Run: [bitcasa] C:\Program Files\Bitcasa\Bitcasa.exe /startup
x64-Run: [igfxTray] C:\windows\System32\igfxtray.exe
x64-Run: [HotKeysCmds] C:\windows\System32\hkcmd.exe
x64-Run: [Persistence] C:\windows\System32\igfxpers.exe
x64-Run: [lxdxmon.exe] "C:\Program Files (x86)\Lexmark 3600-4600 Series\lxdxmon.exe"
x64-Run: [EzPrint] "C:\Program Files (x86)\Lexmark 3600-4600 Series\ezprint.exe"
x64-mPolicies-System: DisableCAD = dword:1
x64-IE: {7815BE26-237D-41A8-A98F-F7BD75F71086} - {8D10F6C4-0E01-4BD4-8601-11AC1FDF8126} - C:\Program Files (x86)\Bluetooth Suite\IEPlugIn.dll
x64-Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - <orphaned>
x64-Notify: igfxcui - igfxdev.dll
x64-SSODL: WebCheck - <orphaned>
x64-SSODL: EldosMountNotificator - {5FF49FE8-B332-4CB9-B102-FB6951629E55} - C:\windows\System32\CbFsMntNtf3.dll
x64-STS: Virtual Storage Mount Notification - {5FF49FE8-B332-4CB9-B102-FB6951629E55} - C:\windows\System32\CbFsMntNtf3.dll
.
============= SERVICES / DRIVERS ===============
.
R0 iaStorA;iaStorA;C:\windows\System32\Drivers\iaStorA.sys [2013-1-9 645952]
R0 PxHlpa64;PxHlpa64;C:\windows\System32\Drivers\PxHlpa64.sys [2013-1-9 56336]
R1 cbfs3;cbfs3;C:\windows\System32\Drivers\cbfs3.sys [2013-1-9 352456]
R1 ccSet_NARA;NARA Settings Manager;C:\windows\System32\Drivers\NARAx64\0401000.00E\ccSetx64.sys [2013-1-9 168608]
R1 CLVirtualDrive;CLVirtualDrive;C:\windows\System32\Drivers\CLVirtualDrive.sys [2013-1-9 92536]
R2 AdobeActiveFileMonitor11.0;Adobe Active File Monitor V11;C:\Program Files (x86)\Adobe\Elements 11 Organizer\PhotoshopElementsFileAgent.exe [2012-11-5 171664]
R2 AtherosSvc;AtherosSvc;C:\Program Files (x86)\Bluetooth Suite\AdminService.exe [2012-10-31 231040]
R2 Easy Launcher;Easy Launcher;C:\Program Files (x86)\Samsung\Settings\CmdServer\EasyLauncher.exe [2012-11-30 1591176]
R2 Intel® Capability Licensing Service Interface;Intel® Capability Licensing Service Interface;C:\Program Files\Intel\iCLS Client\HeciServer.exe [2012-4-19 635104]
R2 Intel® ME Service;Intel® ME Service;C:\Program Files (x86)\Intel\Intel® Management Engine Components\FWService\IntelMeFWService.exe [2013-1-9 128896]
R2 jhi_service;Intel® Dynamic Application Loader Host Interface Service;C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\Jhi_service.exe [2013-1-9 165760]
R2 lxdx_device;lxdx_device;C:\windows\System32\lxdxcoms.exe -service --> C:\windows\System32\lxdxcoms.exe -service [?]
R2 NIS;Norton Internet Security;C:\Program Files (x86)\Norton Internet Security\Engine\20.4.0.40\ccsvchst.exe [2013-8-6 144368]
R2 NOBU;Norton Online Backup;C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe [2012-8-14 3943104]
R2 SWUpdateService;SW Update Service;C:\Program Files (x86)\Samsung\SW Update\SWMAgent.exe [2012-12-21 2878152]
R2 UNS;Intel® Management and Security Application User Notification Service;C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2013-1-9 364416]
R2 ZAtheros Bt and Wlan Coex Agent;ZAtheros Bt and Wlan Coex Agent;C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe [2012-10-31 323584]
R3 AthBTPort;Qualcomm Atheros Virtual Bluetooth Class;C:\windows\System32\Drivers\btath_flt.sys [2013-1-9 88728]
R3 BHDrvx64;BHDrvx64;C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_20.1.0.24\Definitions\BASHDefs\20130924.001\BHDrvx64.sys [2013-9-23 1525848]
R3 BTATH_A2DP;Bluetooth A2DP Audio Driver;C:\windows\System32\Drivers\btath_a2dp.sys [2013-1-9 344216]
R3 btath_avdt;Qualcomm Atheros Bluetooth AVDT Service;C:\windows\System32\Drivers\btath_avdt.sys [2013-1-9 114840]
R3 BTATH_BUS;Qualcomm Atheros Bluetooth Bus;C:\windows\System32\Drivers\btath_bus.sys [2013-1-9 33944]
R3 BTATH_HCRP;Bluetooth HCRP Server driver;C:\windows\System32\Drivers\btath_hcrp.sys [2013-1-9 178840]
R3 BTATH_LWFLT;Bluetooth LWFLT Device;C:\windows\System32\Drivers\btath_lwflt.sys [2013-1-9 76952]
R3 BTATH_RCP;Bluetooth AVRCP Device;C:\windows\System32\Drivers\btath_rcp.sys [2013-1-9 135832]
R3 BtFilter;BtFilter;C:\windows\System32\Drivers\btfilter.sys [2013-1-9 576152]
R3 BthLEEnum;Bluetooth Low Energy Driver;C:\windows\System32\Drivers\BthLEEnum.sys [2012-7-25 202752]
R3 ccSet_NIS;Norton Internet Security Settings Manager;C:\windows\System32\Drivers\NISx64\1404000.028\ccsetx64.sys [2013-8-6 169048]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2013-8-27 140376]
R3 IDSVia64;IDSVia64;C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_20.1.0.24\Definitions\IPSDefs\20131004.001\IDSviA64.sys [2013-10-4 520280]
R3 IntcDAud;Intel® Display Audio;C:\windows\System32\Drivers\IntcDAud.sys [2012-6-18 342528]
R3 RadioHIDMini;Radio HID Mini-driver;C:\windows\System32\Drivers\RadioHIDMini.sys [2012-11-13 23408]
R3 RTL8168;Realtek 8168 NT Driver;C:\windows\System32\Drivers\Rt630x64.sys [2013-1-9 719504]
R3 SymDS;Symantec Data Store;C:\windows\System32\Drivers\NISx64\1404000.028\symds64.sys [2013-8-6 493656]
R3 SymEFA;Symantec Extended File Attributes;C:\windows\System32\Drivers\NISx64\1404000.028\symefa64.sys [2013-8-6 1139800]
R3 SymIRON;Symantec Iron Driver;C:\windows\System32\Drivers\NISx64\1404000.028\ironx64.sys [2013-8-6 224416]
R3 SymNetS;Symantec Network Security WFP Driver;C:\windows\System32\Drivers\NISx64\1404000.028\symnets.sys [2013-8-6 433752]
S2 lxdxCATSCustConnectService;lxdxCATSCustConnectService;C:\windows\System32\spool\drivers\x64\3\lxdxserv.exe [2013-8-12 29184]
S4 SymELAM;Symantec ELAM Driver;C:\windows\System32\Drivers\NISx64\1404000.028\symelam.sys [2013-8-6 23448]
.
=============== Created Last 30 ================
.
2013-09-21 23:04:13 -------- d-----w- C:\Users\Sammy\AppData\Roaming\gramps
2013-09-21 23:01:42 -------- d-----w- C:\Program Files\GrampsAIO64
.
==================== Find3M  ====================
.
2013-09-18 23:26:35 78296 ----a-w- C:\windows\SysWow64\FlashPlayerCPLApp.cpl
2013-09-18 23:26:35 694232 ----a-w- C:\windows\SysWow64\FlashPlayerApp.exe
2013-08-21 04:12:06 2241024 ----a-w- C:\windows\System32\wininet.dll
2013-08-21 04:11:59 915968 ----a-w- C:\windows\System32\uxtheme.dll
2013-08-21 04:11:59 53760 ----a-w- C:\windows\System32\UXInit.dll
2013-08-21 04:11:07 3959296 ----a-w- C:\windows\System32\jscript9.dll
2013-08-21 04:11:04 67072 ----a-w- C:\windows\System32\iesetup.dll
2013-08-21 04:11:04 136704 ----a-w- C:\windows\System32\iesysprep.dll
2013-08-21 02:34:51 2706432 ----a-w- C:\windows\System32\mshtml.tlb
2013-08-21 02:06:11 1767936 ----a-w- C:\windows\SysWow64\wininet.dll
2013-08-21 02:06:06 44032 ----a-w- C:\windows\SysWow64\UXInit.dll
2013-08-21 02:05:28 2876928 ----a-w- C:\windows\SysWow64\jscript9.dll
2013-08-21 02:05:25 61440 ----a-w- C:\windows\SysWow64\iesetup.dll
2013-08-21 02:05:25 109056 ----a-w- C:\windows\SysWow64\iesysprep.dll
2013-08-21 01:43:54 2706432 ----a-w- C:\windows\SysWow64\mshtml.tlb
2013-08-20 23:52:56 534528 ----a-w- C:\windows\SysWow64\uxtheme.dll
2013-08-16 05:41:13 58200 ----a-w- C:\windows\System32\drivers\dam.sys
2013-08-16 05:39:26 2371728 ----a-w- C:\windows\System32\WSService.dll
2013-08-16 05:32:48 209200 ----a-w- C:\windows\System32\NotificationUI.exe
2013-08-16 05:22:22 40448 ----a-w- C:\windows\System32\wuapp.exe
2013-08-16 05:22:11 4917760 ----a-w- C:\windows\System32\sppsvc.exe
2013-08-16 05:20:30 105984 ----a-w- C:\windows\System32\WinSetupUI.dll
2013-08-15 22:43:21 35328 ----a-w- C:\windows\SysWow64\wuapp.exe
2013-08-15 22:43:07 84992 ----a-w- C:\windows\SysWow64\wudriver.dll
2013-08-15 22:43:07 126976 ----a-w- C:\windows\SysWow64\wuwebv.dll
2013-08-15 22:43:03 562688 ----a-w- C:\windows\SysWow64\WSShared.dll
2013-08-15 22:43:03 159232 ----a-w- C:\windows\SysWow64\WSSync.dll
2013-08-15 22:43:02 83968 ----a-w- C:\windows\SysWow64\OEMLicense.dll
2013-08-15 22:43:02 167424 ----a-w- C:\windows\SysWow64\WSClient.dll
2013-08-15 22:43:02 143872 ----a-w- C:\windows\SysWow64\Windows.ApplicationModel.Store.dll
2013-08-15 22:43:02 124928 ----a-w- C:\windows\SysWow64\Windows.ApplicationModel.Store.TestingFramework.dll
2013-08-15 22:42:52 76800 ----a-w- C:\windows\SysWow64\setupcln.dll
2013-08-15 22:42:47 91648 ----a-w- C:\windows\SysWow64\sppc.dll
2013-08-06 08:22:40 177312 ----a-w- C:\windows\System32\drivers\SYMEVENT64x86.SYS
2013-08-03 04:30:14 4038144 ----a-w- C:\windows\System32\win32k.sys
2013-07-13 06:18:21 337408 ----a-w- C:\windows\System32\wintrust.dll
2013-07-13 06:16:06 68096 ----a-w- C:\windows\System32\cryptsvc.dll
2013-07-13 06:16:06 1889280 ----a-w- C:\windows\System32\crypt32.dll
2013-07-13 06:15:53 98304 ----a-w- C:\windows\System32\apprepsync.dll
2013-07-13 06:15:53 124416 ----a-w- C:\windows\System32\apprepapi.dll
2013-07-13 04:24:58 261120 ----a-w- C:\windows\SysWow64\wintrust.dll
2013-07-13 04:23:11 1568256 ----a-w- C:\windows\SysWow64\crypt32.dll
2013-07-13 04:23:03 87040 ----a-w- C:\windows\SysWow64\apprepapi.dll
2013-07-13 04:23:03 74240 ----a-w- C:\windows\SysWow64\apprepsync.dll
2013-07-09 08:04:07 120144 ----a-w- C:\windows\System32\drivers\msgpioclx.sys
2013-07-09 06:18:21 439488 ----a-w- C:\windows\System32\WerFault.exe
2013-07-09 06:07:17 2233168 ----a-w- C:\windows\System32\drivers\tcpip.sys
2013-07-09 04:25:45 385768 ----a-w- C:\windows\SysWow64\WerFault.exe
2013-07-09 03:57:19 245760 ----a-w- C:\windows\SysWow64\LocationApi.dll
2013-07-08 22:46:00 543744 ----a-w- C:\windows\System32\wwanmm.dll
2013-07-08 22:46:00 414208 ----a-w- C:\windows\System32\wwanconn.dll
2013-07-08 22:46:00 370688 ----a-w- C:\windows\System32\Wwanadvui.dll
2013-07-08 22:45:16 312832 ----a-w- C:\windows\System32\LocationApi.dll
.
============= FINISH: 10:19:31.03 ===============
Link to post
Share on other sites

Attach.txt - the other website said don't pay attention to zipping it, so I'll just post it here:

 

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2012-11-20.01)
.
Microsoft Windows 8
Boot Device: \Device\HarddiskVolume2
Install Date: 8/05/13 3:32:51 PM
System Uptime: 10/06/13 1:39:40 AM (9 hours ago)
.
Motherboard: SAMSUNG ELECTRONICS CO., LTD. |  | NP300E5E-A06CA
Processor: Intel® Core i3-3120M CPU @ 2.50GHz | CPU Socket - U3E1 | 2500/100mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 677 GiB total, 592.728 GiB free.
D: is CDROM ()
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP9: 9/18/13 5:23:32 PM - Scheduled Checkpoint
RP10: 9/25/13 4:11:32 PM - Windows Update
RP11: 10/06/13 1:22:13 AM - Scheduled Checkpoint
.
==== Installed Programs ======================
.
Adobe Photoshop Elements 11
Adobe Reader X (10.1.3) MUI
Bitcasa version 0.9.20.4133
CyberLink Power2Go 8
CyberLink PowerDVD 10
D-Fend Reloaded 1.3.3 (deinstall)
D3DX10
E-POP
Easy File Share
Elements 11 Organizer
FamilySearch Indexing 3.19.3
Galerie de photos
Galería de fotos
Google Chrome
Google Update Helper
GrampsAIO64
Help Desk
Intel AppUp(SM) center
Intel® Manageability Engine Firmware Recovery Agent
Intel® Management Engine Components
Intel® Processor Graphics
Intel® Rapid Storage Technology
Intel® SDK for OpenCL - CPU Only Runtime Package
Intel® Trusted Connect Service Client
Lexmark 3600-4600 Series
Malwarebytes Anti-Malware version 1.75.0.1300
Microsoft Application Error Reporting
Microsoft Office
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219
Movie Maker
MSVCRT
MSVCRT110
MSVCRT110_amd64
Norton Internet Security
Norton Online Backup
Norton Online Backup ARA
Photo Common
Photo Gallery
Plants vs. Zombies
PSE11 STI Installer
Qualcomm Atheros Bluetooth Suite (64)
Qualcomm Atheros Client Installation Program
Realtek Ethernet Controller Driver
Realtek High Definition Audio Driver
Recovery
S Agent
Settings
Stellarium 0.12.2
Support Center
Support Center FAQ
SW Update
Synaptics Pointing Device Driver
Trillian
User Guide
VLC media player 2.0.8
Windows Live
Windows Live Communications Platform
Windows Live Essentials
Windows Live Installer
Windows Live Photo Common
Windows Live PIMT Platform
Windows Live SOXE
Windows Live SOXE Definitions
Windows Live UX Platform
Windows Live UX Platform Language Pack
Zip Motion Block Video codec (Remove Only)
.
==== Event Viewer Messages From Past Week ========
.
10/06/13 1:40:12 AM, Error: Service Control Manager [7009]  - A timeout was reached (30000 milliseconds) while waiting for the lxdxCATSCustConnectService service to connect.
10/06/13 1:40:12 AM, Error: Service Control Manager [7000]  - The lxdxCATSCustConnectService service failed to start due to the following error:  The service did not respond to the start or control request in a timely fashion.
10/04/13 12:27:27 PM, Error: Service Control Manager [7034]  - The lxdx_device service terminated unexpectedly.  It has done this 1 time(s).
10/01/13 8:33:36 PM, Error: Microsoft-Windows-DistributedCOM [10016]  - The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID  {B77C4C36-0154-4C52-AB49-FAA03837E47F}  and APPID  {EA022610-0748-4C24-B229-6C507EBDFDBB}  to the user Sammy\Sammy SID (S-1-5-21-275444049-347170542-1178166326-1001) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
10/01/13 8:33:36 PM, Error: Microsoft-Windows-DistributedCOM [10016]  - The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID  {A188DB29-2ABC-46CB-9A38-40B82CF5D051}  and APPID  {EA022610-0748-4C24-B229-6C507EBDFDBB}  to the user Sammy\Sammy SID (S-1-5-21-275444049-347170542-1178166326-1001) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
.
==== End Of File ===========================
Link to post
Share on other sites

Step 1

  • Launch Malwarebytes' Anti-Malware
  • Go to Update tab and select Check for Updates. If an update is found, it will download and install the latest version.
  • Go to Scanner tab and select Perform Quick Scan, then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer,please do so immediately.

Step 2

  • Download on the desktop RogueKiller
  • Quit all programs
  • Start RogueKiller.exe
  • Wait until Prescan has finished ...
  • Click on Scan. Click on Report and copy/paste the content of the notepad in your next reply.
Note: Don't fix anything without my instructions

In your next reply, post the following log files:

  • Malwarebytes' Anti-Malware log
  • RogueKiller log
Link to post
Share on other sites

Malwarebytes Anti-Malware 1.75.0.1300

www.malwarebytes.org

 

Database version: v2013.10.06.03

 

Windows 8 x64 NTFS

Internet Explorer 10.0.9200.16688

Sammy :: SAMMY [limited]

 

10/06/13 10:34:16 AM

mbam-log-2013-10-06 (10-34-16).txt

 

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 223947

Time elapsed: 2 minute(s), 53 second(s)

 

Memory Processes Detected: 0

(No malicious items detected)

 

Memory Modules Detected: 0

(No malicious items detected)

 

Registry Keys Detected: 0

(No malicious items detected)

 

Registry Values Detected: 0

(No malicious items detected)

 

Registry Data Items Detected: 0

(No malicious items detected)

 

Folders Detected: 0

(No malicious items detected)

 

Files Detected: 0

(No malicious items detected)

 

(end)

 

----------------------------------------------------------------

 


RogueKiller V8.7.1 [Oct  3 2013] by Tigzy

mail : tigzyRK<at>gmail<dot>com




 

Operating System : Windows 8 (6.2.9200 ) 64 bits version

Started in : Normal mode

User : Sammy [Admin rights]

Mode : Remove -- Date : 10/06/2013 10:43:11

| ARK || FAK || MBR |

 

¤¤¤ Bad processes : 0 ¤¤¤

 

¤¤¤ Registry Entries : 2 ¤¤¤

[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)

[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

 

¤¤¤ Scheduled tasks : 0 ¤¤¤

 

¤¤¤ Startup Entries : 0 ¤¤¤

 

¤¤¤ Web browsers : 0 ¤¤¤

 

¤¤¤ Particular Files / Folders: ¤¤¤

 

¤¤¤ Driver : [NOT LOADED 0x0] ¤¤¤

 

¤¤¤ External Hives: ¤¤¤

 

¤¤¤ Infection :  ¤¤¤

 

¤¤¤ HOSTS File: ¤¤¤

--> %SystemRoot%\System32\drivers\etc\hosts

 

 

 

 

¤¤¤ MBR Check: ¤¤¤

 

+++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ IDE) (Standard disk drives) - ST750LM022 HN-M750MBB +++++

--- User ---

[MBR] 84c715495513ceb40e77ef002daedf3d

[bSP] 53236564fceea3158d55668e62010107 : Empty MBR Code

Partition table:

0 - [XXXXXX] UNKNOWN (0x00) [VISIBLE] Offset (sectors): 1 | Size: 2097151 Mo

User = LL1 ... OK!

User = LL2 ... OK!

 

Finished : << RKreport[0]_D_10062013_104311.txt >>

RKreport[0]_S_10062013_104223.txt

Link to post
Share on other sites

ismyvirusgone - interesting! I've done two quick scans and a full scan since the initial detection, and like you, nothing has popped up since then. Do you use AdBlock too?

 

I guess I was wrong in my initial post - my last scan was on September 26, so this AudioTest thing must've happened between then and this morning. The only things I have downloaded since the 26th and today were some photos from a very well-known website. I really hope it's a false positive...

Link to post
Share on other sites

Okay, it gets even weirder: I have RES and am a regular Redditor. I hope it's not against the rules here to brainstorm with other people who have viruses, but I have heard of people getting viruses through Imgur links (though I have no clue if it was through the ads), so I wonder if that's a possibility, or a false positive related to new Samsungs, or just a really strange coincidence. I should also add that I updated Malwarebytes right before it picked up the trojan during my quick scan.

Link to post
Share on other sites

It's a Samsung Series 3 NP300E5E-A05CA. The internet likes to randomly disconnect whenever I'm on it (and it has done that since it was nearly brand new), so if that was a symptom of this virus, I wouldn't have noticed it. Other than that, everything else has been acting completely normal.

 

I just went through my Chrome history and found something that could be the culprit. In my first post, I mentioned that only one pop-up has appeared since I bought this computer. Someone sent me a link to one of those free tv viewing websites (they live overseas and wanted to show me a new tv show). I'm normally very cautious about what links I click, but I did click on it, and a pop-up appeared, despite having AdBlock. I closed it before it even loaded properly so I don't know what it said. The thing is, that was on September 27 - the day after my last Malwarebytes scan. Just thinking out loud here!

Link to post
Share on other sites

Hello, sorry for the delay in responding. I have done a few more scans with Malwarebytes after it removed the trojan and it still says my computer is clean. I didn't think it would be that easy to remove a trojan, but I hope Malwarebytes is right and that it really was removed completely from my computer.

Link to post
Share on other sites

Note: Please do not run this tool without special supervision and instructions of someone authorized to do so. Otherwise, you could end up with serious problems. For more details, read this article: ComboFix usage, Questions, Help? - Look here

Please visit this webpage and read the ComboFix User's Guide:

  • Once you've read the article and are ready to use the program you can download it directly from the link below.
  • Important! - Please make sure you save combofix to your desktop and do not run it from your browser
  • Direct download link for: ComboFix.exe
  • Please make sure you disable your security applications before running ComboFix.
  • Once Combofix has completed it will produce and open a log file. Please be patient as it can take some time to load.
  • Please copy/paste the contents or attach that log file to your next reply.
  • If needed the file can be located here: C:\combofix.txt
  • NOTE: If you receive the message "illegal operation has been attempted on a registry key that has been marked for deletion", just reboot the computer.
Link to post
Share on other sites

  • Root Admin

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.