
IP Protection after trojan.download



Hi,

Just want to say thanks in advance and hope you can help me out.

Long story short, my brother was using my PC and decided to download some pirated program with a keygen from uTorrent (I guess you can see where this is going here).

Later, when I got home from work, I noticed that MBAM IP Protection kept blocking IPs even when I was just typing out documents and not surfing nor connected to any P2P programs. When I asked him if he was messing around with my PC, he said the keygen.exe turned out to be a Trojan.Downloader, which was caught by MBAM. According to him it was detected, quarantined and he then deleted it.

Did a full MBAM and SUPERAntiSpyware scan, which came out fine, as well as a Kaspersky 2010 scan, but the problem seems to still persist.

Had an error initially upon opening Trend Micro HijackThis, but managed to proceed with the scan and get the log files.

I'd appreciate it if you could help take a look and let me know if there are any critical problems. I have all my personal/banking info in this PC and after running the tests I've disconnected it from my network until further advice.

Please view the attached log files below:

Malwarebytes' Anti-Malware Log File

protection-log-2010-01-11

09:39:27 Admin MESSAGE Protection started successfully

09:39:30 Admin MESSAGE IP Protection started successfully

12:17:41 Admin IP-BLOCK 85.159.233.233

12:17:41 Admin IP-BLOCK 85.159.233.233

12:17:51 Admin IP-BLOCK 85.159.233.233

12:18:31 Admin IP-BLOCK 81.177.23.68

12:18:31 Admin IP-BLOCK 81.177.23.68

12:18:41 Admin IP-BLOCK 81.177.23.68

12:20:41 Admin IP-BLOCK 67.212.76.141

12:20:51 Admin IP-BLOCK 67.212.76.141

12:20:51 Admin IP-BLOCK 67.212.76.141

12:38:12 Admin IP-BLOCK 58.241.182.30

12:55:23 Admin IP-BLOCK 121.8.21.125

12:57:13 Admin DETECTION I:\[RNL] Sothink SWF Decompiler v5.3 (Build 526)\Keygen.exe Trojan.Downloader QUARANTINE

12:57:13 Admin DETECTION I:\[RNL] Sothink SWF Decompiler v5.3 (Build 526)\Keygen.exe Trojan.Downloader DENY

12:57:13 Admin DETECTION I:\[RNL] Sothink SWF Decompiler v5.3 (Build 526)\Keygen.exe Trojan.Downloader DENY

13:07:34 Admin IP-BLOCK 95.211.12.140

13:07:34 Admin IP-BLOCK 95.211.12.140

13:07:34 Admin IP-BLOCK 95.211.12.140

13:07:34 Admin IP-BLOCK 95.211.12.140

13:07:34 Admin IP-BLOCK 95.211.12.140

13:07:34 Admin IP-BLOCK 95.211.12.140

13:17:05 Admin IP-BLOCK 218.8.50.172

13:24:45 Admin IP-BLOCK 195.161.25.83

13:25:25 Admin IP-BLOCK 221.5.8.115

13:42:57 Admin IP-BLOCK 221.5.8.115

13:55:17 Admin IP-BLOCK 222.76.58.171

13:56:38 Admin IP-BLOCK 89.28.82.81

13:57:28 Admin MESSAGE IP Protection stopped

13:57:30 Admin MESSAGE Database updated successfully

13:57:30 Admin MESSAGE IP Protection started successfully

13:59:30 Admin MESSAGE IP Protection stopped

13:59:30 Admin MESSAGE IP Protection started successfully

13:59:40 Admin MESSAGE IP Protection stopped

13:59:41 Admin MESSAGE IP Protection started successfully

14:10:41 Admin IP-BLOCK 89.28.121.75

14:26:22 Admin IP-BLOCK 195.161.7.66

14:26:53 Admin IP-BLOCK 89.149.244.89

14:41:04 Admin IP-BLOCK 220.248.163.155

14:41:14 Admin IP-BLOCK 218.9.8.11

14:41:35 Admin IP-BLOCK 58.240.247.205

14:41:45 Admin IP-BLOCK 222.71.207.218

14:48:55 Admin IP-BLOCK 222.70.207.223

14:55:16 Admin IP-BLOCK 94.96.23.27

15:13:49 Admin MESSAGE IP Protection stopped

15:13:49 Admin MESSAGE IP Protection started successfully

15:13:59 Admin MESSAGE IP Protection stopped

15:13:59 Admin MESSAGE IP Protection started successfully

15:38:22 Admin IP-BLOCK 69.31.86.66

15:38:22 Admin IP-BLOCK 69.31.86.66

15:38:32 Admin IP-BLOCK 69.31.86.66

15:38:42 Admin IP-BLOCK 204.124.182.119

15:38:42 Admin IP-BLOCK 222.186.88.34

15:38:42 Admin IP-BLOCK 204.124.182.119

15:38:52 Admin IP-BLOCK 204.124.182.119

15:39:03 Admin MESSAGE IP Protection stopped

15:39:04 Admin MESSAGE Added 204.124.182.119 to ignore list

15:39:18 Admin MESSAGE IP Protection started successfully

15:39:38 Admin MESSAGE IP Protection stopped

15:39:38 Admin MESSAGE IP Protection started successfully

15:48:59 Admin IP-BLOCK 58.241.131.199

15:49:19 Admin IP-BLOCK 58.241.131.199

15:49:19 Admin IP-BLOCK 58.241.131.199

15:55:10 Admin IP-BLOCK 220.189.253.38

15:55:10 Admin IP-BLOCK 222.65.130.18

16:04:10 Admin IP-BLOCK 94.96.222.217

16:06:00 Admin IP-BLOCK 221.5.8.115

16:08:20 Admin IP-BLOCK 221.5.8.115

16:10:11 Admin IP-BLOCK 218.10.214.242

16:10:21 Admin IP-BLOCK 194.165.0.74

16:16:21 Admin IP-BLOCK 221.5.8.115

16:26:02 Admin IP-BLOCK 222.69.26.139

16:27:02 Admin IP-BLOCK 203.93.208.44

16:36:23 Admin IP-BLOCK 94.75.209.225

16:36:23 Admin IP-BLOCK 94.75.209.225

16:36:33 Admin IP-BLOCK 94.75.209.225

16:40:53 Admin IP-BLOCK 222.71.151.105

16:41:24 Admin IP-BLOCK 89.28.44.41

16:49:14 Admin IP-BLOCK 94.96.41.148

16:51:05 Admin MESSAGE IP Protection stopped

16:51:05 Admin MESSAGE IP Protection started successfully

16:52:05 Admin MESSAGE IP Protection stopped

16:52:05 Admin MESSAGE IP Protection started successfully

16:55:25 Admin IP-BLOCK 222.70.214.235

16:55:25 Admin IP-BLOCK 121.11.48.23

17:03:36 Admin IP-BLOCK 94.96.196.122

17:09:26 Admin IP-BLOCK 58.240.253.5

17:10:57 Admin IP-BLOCK 94.96.72.40

17:13:47 Admin IP-BLOCK 221.5.8.115

17:39:28 Admin IP-BLOCK 89.28.43.65

17:40:28 Admin IP-BLOCK 67.212.92.224

17:40:38 Admin IP-BLOCK 89.28.8.131

17:54:59 Admin IP-BLOCK 94.96.24.137

18:08:19 Admin IP-BLOCK 222.186.31.228

18:10:30 Admin IP-BLOCK 89.28.113.13

18:24:20 Admin IP-BLOCK 218.10.235.118

18:24:50 Admin IP-BLOCK 218.9.156.210

19:35:54 Admin IP-BLOCK 94.96.72.207

20:37:54 Admin MESSAGE Protection started successfully

20:37:58 Admin MESSAGE IP Protection started successfully

20:58:54 Admin MESSAGE Protection started successfully

20:58:57 Admin MESSAGE IP Protection started successfully

23:21:14 Admin IP-BLOCK 213.174.141.71

23:21:24 Admin IP-BLOCK 213.174.141.71

23:21:24 Admin IP-BLOCK 213.174.141.71

23:27:14 Admin IP-BLOCK 213.174.149.211

23:27:24 Admin IP-BLOCK 213.174.149.211

23:27:24 Admin IP-BLOCK 213.174.149.211

23:27:44 Admin IP-BLOCK 213.174.149.211

23:27:44 Admin IP-BLOCK 213.174.149.211

23:27:54 Admin IP-BLOCK 213.174.149.211

23:28:25 Admin IP-BLOCK 95.211.112.147

23:28:25 Admin IP-BLOCK 95.211.112.147

23:28:35 Admin IP-BLOCK 95.211.112.147

23:29:45 Admin IP-BLOCK 213.174.149.211

23:29:45 Admin IP-BLOCK 213.174.149.211

23:29:52 Admin MESSAGE Added 213.174.149.211 to ignore list

23:29:55 Admin IP-BLOCK 213.174.149.211

23:29:55 Admin MESSAGE IP Protection stopped

23:29:55 Admin MESSAGE IP Protection started successfully

DDS.txt

DDS (Ver_09-12-01.01) - NTFSx86

Run by Admin at 10:46:36.99 on Tue 01/12/2010

Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_17

Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.3063.2027 [GMT 8:00]

============== Running Processes ===============

C:\Windows\system32\wininit.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\nvvsvc.exe

C:\Windows\system32\svchost.exe -k RPCSS

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\nvvsvc.exe

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\System32\spoolsv.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\xampplite\apache\bin\httpd.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Program Files\Input Director\IDWinService.exe

C:\Program Files\Input Director\InputDirectorSessionHelper.exe

C:\xampplite\mysql\bin\mysqld.exe

C:\Program Files\Sandboxie\SbieSvc.exe

C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe

C:\xampplite\apache\bin\httpd.exe

C:\Windows\system32\taskhost.exe

C:\Windows\system32\taskeng.exe

C:\Windows\system32\spool\DRIVERS\W32X86\3\HP1006MC.EXE

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted

C:\Program Files\VIA\VIAudioi\VDeck\VDeck.exe

C:\Program Files\Razer\Lachesis\razerhid.exe

C:\Program Files\Input Director\InputDirector.exe

C:\Program Files\Razer\Lachesis\OSD.exe

C:\Program Files\Input Director\IDVistaService.exe

C:\Program Files\Digsby\lib\digsby-app.exe

C:\Program Files\Razer\Lachesis\razerofa.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

C:\Program Files\Windows Media Player\wmpnetwk.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\klwtblfs.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Windows\system32\sppsvc.exe

C:\Windows\System32\svchost.exe -k secsvcs

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\servicing\TrustedInstaller.exe

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe

C:\Users\Admin\Desktop\dds.scr

C:\Windows\system32\conhost.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://google.com

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: IEVkbdBHO Class: {59273ab4-e7d3-40f9-a1a8-6fa9cca1862c} - c:\program files\kaspersky lab\kaspersky anti-virus 2010\ievkbd.dll

BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File

BHO: RoboForm: {724d43a9-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll

BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: FilterBHO Class: {e33cf602-d945-461a-83f0-819f76a199f8} - c:\program files\kaspersky lab\kaspersky anti-virus 2010\klwtbbho.dll

TB: &RoboForm: {724d43a0-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll

uRun: [inputDirector] "c:\program files\input director\InputDirector.exe" /hide

uRun: [sUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe

uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background

mRun: [HDAudDeck] c:\program files\via\viaudioi\vdeck\VDeck.exe -r

mRun: [JMB36X IDE Setup] c:\windows\raidtool\xInsIDE.exe

mRun: [AVP] "c:\program files\kaspersky lab\kaspersky anti-virus 2010\avp.exe"

mRun: [Lachesis] c:\program files\razer\lachesis\razerhid.exe

StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\digsby.lnk - c:\program files\digsby\digsby.exe

mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)

mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

mPolicies-system: PromptOnSecureDesktop = 0 (0x0)

mPolicies-system: SoftwareSASGeneration = 3 (0x3)

IE: {320AF880-6646-11D3-ABEE-C5DBF3571F46} - c:\program files\siber systems\ai roboform\RoboFormComFillForms.html

IE: {320AF880-6646-11D3-ABEE-C5DBF3571F49} - c:\program files\siber systems\ai roboform\RoboFormComSavePass.html

IE: {724d43aa-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html

IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll

IE: {4248FE82-7FCB-46AC-B270-339F08212110} - {4248FE82-7FCB-46AC-B270-339F08212110} - c:\program files\kaspersky lab\kaspersky anti-virus 2010\klwtbbho.dll

IE: {CCF151D8-D089-449F-A5A4-D9909053F20F} - {CCF151D8-D089-449F-A5A4-D9909053F20F} - c:\program files\kaspersky lab\kaspersky anti-virus 2010\klwtbbho.dll

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll

Notify: klogon - c:\windows\system32\klogon.dll

AppInit_DLLs: c:\progra~1\kasper~1\kasper~1\mzvkbd3.dll

STS: FencesShlExt Class: {1984dd45-52cf-49cd-ab77-18f378fea264} - c:\program files\stardock\fences\FencesMenu.dll

SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\users\admin\appdata\roaming\mozilla\firefox\profiles\o4y52qe6.default\

FF - prefs.js: browser.search.selectedEngine - Thesaurus - Reference.com

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/

FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=

FF - component: c:\program files\mozilla firefox\extensions\linkfilter@kaspersky.ru\components\KavLinkFilter.dll

FF - component: c:\program files\siber systems\ai roboform\firefox\components\rfproxy_31.dll

FF - component: c:\users\admin\appdata\roaming\mozilla\firefox\profiles\o4y52qe6.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\winnt_x86-msvc\components\ipc.dll

FF - plugin: c:\program files\java\jre6\bin\npdeploytk.dll

FF - plugin: c:\program files\java\jre6\bin\npjpi160_17.dll

FF - plugin: c:\program files\java\jre6\bin\npoji610.dll

FF - plugin: c:\users\admin\appdata\local\google\update\1.2.183.13\npGoogleOneClick8.dll

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2008-12-15 33808]

R1 KLIM6;Kaspersky Anti-Virus NDIS 6 Filter;c:\windows\system32\drivers\klim6.sys [2009-5-15 21008]

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-1-5 9968]

R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-1-5 74480]

R2 Apache2.2;Apache2.2;c:\xampplite\apache\bin\httpd.exe [2009-12-31 29416]

R2 AVP;Kaspersky Anti-Virus;c:\program files\kaspersky lab\kaspersky anti-virus 2010\avp.exe [2009-5-25 303376]

R2 cpuz132;cpuz132;c:\windows\system32\drivers\cpuz132_x32.sys [2010-1-9 12672]

R2 InputDirector;Input Director Service;c:\program files\input director\IDWinService.exe [2009-6-19 32768]

R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2010-1-8 236368]

R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\nvidia corporation\3d vision\nvSCPAPISvr.exe [2009-9-27 240232]

R3 IDVistaService;Input Director Vista Service;c:\program files\input director\IDVistaService.exe [2009-2-8 13824]

R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [2009-5-16 19472]

R3 LachesisFltr;Lachesis Mouse Driver;c:\windows\system32\drivers\Lachesis.sys [2009-12-4 12032]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2009-10-23 19160]

R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2009-12-19 249888]

R3 SbieDrv;SbieDrv;c:\program files\sandboxie\SbieDrv.sys [2009-12-1 119296]

R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [2002-1-1 1067008]

S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-14 229888]

S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2009-6-17 12648]

S3 pwdrvio;pwdrvio;c:\windows\system32\pwdrvio.sys [2010-1-11 16456]

S3 pwdspio;pwdspio;c:\windows\system32\pwdspio.sys [2010-1-11 11088]

=============== Created Last 30 ================

2010-01-12 02:39:53 0 ----a-w- c:\users\admin\defogger_reenable

2010-01-11 12:30:53 585 ----a-w- c:\windows\pwnativedev.bak

2010-01-11 12:29:10 1352 ----a-w- c:\windows\pwcmdlist.bak

2010-01-11 12:09:16 461368 ----a-w- c:\windows\system32\pwNative.exe

2010-01-11 12:09:16 16456 ----a-w- c:\windows\system32\pwdrvio.sys

2010-01-11 12:09:16 11088 ----a-w- c:\windows\system32\pwdspio.sys

2010-01-11 11:15:56 0 d-----w- c:\programdata\Spybot - Search & Destroy

2010-01-11 08:27:26 0 d-----w- c:\program files\VirusTotalUploader2

2010-01-11 04:36:09 0 d-----w- c:\program files\uTorrent

2010-01-11 04:24:53 0 d-----w- c:\users\admin\appdata\roaming\uTorrent

2010-01-10 16:23:52 0 d-----w- c:\program files\Input Director

2010-01-10 13:09:09 0 d-----w- c:\users\admin\appdata\roaming\Malwarebytes

2010-01-10 13:00:38 0 d-----w- c:\users\admin\appdata\roaming\OpenOffice.org

2010-01-10 12:51:51 0 d-----r- C:\Sandbox

2010-01-10 08:09:57 0 d-----w- c:\windows\pss

2010-01-10 05:55:56 0 d-----w- c:\program files\SystemRequirementsLab

2010-01-10 05:20:13 0 d-----w- c:\programdata\Innovative Solutions

2010-01-10 03:03:56 0 d-----w- c:\users\admin\appdata\roaming\GlarySoft

2010-01-10 02:57:48 0 d-----w- c:\program files\Glary Utilities

2010-01-10 02:09:55 33 ----a-w- c:\users\admin\.gtkrc-2.0

2010-01-08 19:56:17 773120 ----a-w- c:\windows\system32\NEROINSTAEC43759.DB

2010-01-08 19:56:17 1414440 ----a-w- c:\windows\system32\ShellManager310E2D762.dll

2010-01-08 19:49:06 0 d-----w- c:\users\admin\appdata\roaming\KC Softwares

2010-01-08 19:43:16 0 d-----w- c:\program files\KC Softwares

2010-01-08 19:42:53 1882 ----a-w- c:\windows\Sandboxie.ini

2010-01-08 19:42:45 0 d-----w- c:\program files\Sandboxie

2010-01-08 19:42:07 0 d-----w- c:\program files\Trend Micro

2010-01-08 19:41:55 12672 ----a-w- c:\windows\system32\drivers\cpuz132_x32.sys

2010-01-08 19:41:55 0 d-----w- c:\program files\CPUID

2010-01-08 19:38:56 0 d-----w- c:\programdata\SUPERAntiSpyware.com

2010-01-08 19:38:39 0 d-----w- c:\users\admin\appdata\roaming\SUPERAntiSpyware.com

2010-01-08 19:38:39 0 d-----w- c:\program files\SUPERAntiSpyware

2010-01-08 18:05:12 0 d-----w- c:\program files\Secunia

2010-01-08 17:23:04 0 d-----w- c:\users\admin\appdata\roaming\Digsby

2010-01-08 17:23:04 0 d-----w- c:\programdata\Digsby

2010-01-08 17:21:22 0 d-----w- c:\program files\Digsby

2010-01-08 16:16:50 0 d-----w- c:\users\admin\appdata\roaming\Stardock

2010-01-08 16:16:48 0 dc-h--w- c:\programdata\{A87EB928-0C6C-4071-AEF1-59E32BAEDF1B}

2010-01-08 16:16:47 0 d-----w- c:\program files\Stardock

2010-01-08 15:35:22 0 d-----w- c:\users\admin\appdata\roaming\XnView

2010-01-08 15:31:15 0 d-----w- c:\program files\XnView

2010-01-08 15:31:03 0 d-----w- c:\program files\CCleaner

2010-01-08 15:31:02 0 d-----w- c:\program files\VS Revo Group

2010-01-08 15:02:28 0 d-----w- c:\users\admin\appdata\roaming\GoodSync

2010-01-08 14:48:51 0 d-----w- c:\users\admin\appdata\roaming\Jarte

2010-01-08 14:45:07 2370766 ----a-w- c:\users\admin\Migrated Documents Report.csv

2010-01-08 13:26:00 0 d-----w- c:\users\admin\appdata\roaming\Razer

2010-01-08 02:53:39 0 d-----w- c:\program files\Jarte

2009-12-30 22:54:23 0 d---a-w- C:\xampplite

2009-12-22 04:15:09 0 d-----w- c:\program files\JoseNet

2009-12-21 12:30:01 0 d-----w- c:\program files\Windows Live Writer

2009-12-21 11:06:06 0 d-----w- c:\users\admin\appdata\roaming\Windows Live Writer

2009-12-19 01:11:38 249888 ----a-w- c:\windows\system32\drivers\Rt86win7.sys

2009-12-17 02:08:22 0 d-----w- c:\programdata\McAfee

2009-12-16 02:47:24 0 d-----w- c:\programdata\McAfee Security Scan

==================== Find3M ====================

2010-01-07 08:07:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-01-07 08:07:04 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-12-03 01:27:28 80416 ----a-w- c:\windows\system32\RtNicProp32.dll

2009-12-03 01:27:28 100896 ----a-w- c:\windows\system32\RTNUninst32.dll

2009-11-02 12:42:06 195456 ------w- c:\windows\system32\MpSigStub.exe

2009-10-29 07:22:37 2048 ----a-w- c:\windows\system32\tzres.dll

2009-07-14 04:56:42 31548 ----a-w- c:\windows\inf\perflib\0409\perfd.dat

2009-07-14 04:56:42 31548 ----a-w- c:\windows\inf\perflib\0409\perfc.dat

2009-07-14 04:56:42 291294 ----a-w- c:\windows\inf\perflib\0409\perfi.dat

2009-07-14 04:56:42 291294 ----a-w- c:\windows\inf\perflib\0409\perfh.dat

2009-07-14 04:41:57 174 --sha-w- c:\program files\desktop.ini

2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib\0000\perfi.dat

2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib\0000\perfh.dat

2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib\0000\perfd.dat

2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib\0000\perfc.dat

2009-06-10 21:26:35 9633792 --sha-r- c:\windows\fonts\StaticCache.dat

2002-01-01 11:28:06 245760 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\ietldcache\index.dat

2002-01-01 11:22:57 245760 --sha-w- c:\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\ietldcache\index.dat

2009-07-14 01:14:45 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe

============= FINISH: 10:47:02.48 ===============

DDS/GMER Log Files

Attach.zip

Trend Micro HijackThis v2.0.2

Initial error upon opening the program.

(Just installed and opened it for the first time)

post-29554-1263268818_thumb.png

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 11:55:34 AM, on 1/12/2010

Platform: Unknown Windows (WinNT 6.01.3504)

MSIE: Internet Explorer v8.00 (8.00.7600.16385)

Boot mode: Normal

Running processes:

C:\Windows\system32\taskhost.exe

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Program Files\VIA\VIAudioi\VDeck\VDeck.exe

C:\Program Files\Razer\Lachesis\razerhid.exe

C:\Program Files\Input Director\InputDirector.exe

C:\Program Files\Razer\Lachesis\OSD.exe

C:\Program Files\Razer\Lachesis\razerofa.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\klwtblfs.exe

C:\Program Files\Windows Live\Messenger\msnmsgr.exe

C:\Program Files\Windows Live\Contacts\wlcomm.exe

C:\Program Files\Siber Systems\GoodSync\GoodSync.exe

C:\Program Files\Sandboxie\SbieCtrl.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\ievkbd.dll

O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)

O2 - BHO: RoboForm - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: link filter bho - {E33CF602-D945-461A-83F0-819F76A199F8} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\klwtbbho.dll

O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll

O4 - HKLM\..\Run: [HDAudDeck] C:\Program Files\VIA\VIAudioi\VDeck\VDeck.exe -r

O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\Windows\RaidTool\xInsIDE.exe

O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe"

O4 - HKLM\..\Run: [Lachesis] C:\Program Files\Razer\Lachesis\razerhid.exe

O4 - HKCU\..\Run: [inputDirector] "C:\Program Files\Input Director\InputDirector.exe" /hide

O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background

O4 - HKUS\S-1-5-19\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')

O4 - Global Startup: Digsby.lnk = C:\Program Files\Digsby\digsby.exe

O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll

O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll

O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html

O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html

O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html

O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html

O9 - Extra button: &Virtual keyboard - {4248FE82-7FCB-46AC-B270-339F08212110} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\klwtbbho.dll

O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html

O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html

O9 - Extra button: URLs c&heck - {CCF151D8-D089-449F-A5A4-D9909053F20F} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\klwtbbho.dll

O13 - Gopher Prefix:

O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd3.dll

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O22 - SharedTaskScheduler: FencesShellExt - {1984DD45-52CF-49cd-AB77-18F378FEA264} - C:\Program Files\Stardock\Fences\FencesMenu.dll

O23 - Service: Apache2.2 - Apache Software Foundation - C:\xampplite\apache\bin\httpd.exe

O23 - Service: Kaspersky Anti-Virus (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe

O23 - Service: Input Director Vista Service (IDVistaService) - Unknown owner - C:\Program Files\Input Director\IDVistaService.exe

O23 - Service: Input Director Service (InputDirector) - Unknown owner - C:\Program Files\Input Director\IDWinService.exe

O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

O23 - Service: MySQL - MySQL AB - C:\xampplite\mysql\bin\mysqld.exe

O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe

O23 - Service: Sandboxie Service (SbieSvc) - tzuk - C:\Program Files\Sandboxie\SbieSvc.exe

O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe

O23 - Service: NVIDIA Stereoscopic 3D Driver Service (Stereo Service) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe

--

End of file - 6959 bytes

Please let me know if it looks OK and if there is any other information which you may need.

Again, many thanks.
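The protection log quoted in this post can be triaged mechanically rather than by eye. The script below is an added example, not code from the original post or from Malwarebytes; it parses lines in the `HH:MM:SS user TYPE detail` shape the log uses (a constructed subset of the lines quoted above is embedded as sample input), counts IP-BLOCK events per address and per hour, records which addresses were added to the ignore list, and reports how many blocks happened after the first DETECTION. For the question asked here, the signal to look for is blocks that keep arriving after the quarantine and cluster on a few addresses while the machine is idle: that pattern points to a process still running and making outbound connections, which is what the DDS and HijackThis process lists would then be checked against. Function names and the dictionary layout are my own choices.

```python
import re
from collections import Counter
from datetime import datetime

# One log line looks like: "12:17:41 Admin IP-BLOCK 85.159.233.233"
LINE_RE = re.compile(
    r"^(\d{2}:\d{2}:\d{2})\s+(\S+)\s+(MESSAGE|IP-BLOCK|DETECTION)\s+(.*)$"
)
IGNORE_RE = re.compile(r"^Added (\S+) to ignore list$")

# Constructed sample input: a subset of the protection-log lines quoted in the post.
SAMPLE_LOG = r"""
09:39:27 Admin MESSAGE Protection started successfully
09:39:30 Admin MESSAGE IP Protection started successfully
12:17:41 Admin IP-BLOCK 85.159.233.233
12:17:41 Admin IP-BLOCK 85.159.233.233
12:17:51 Admin IP-BLOCK 85.159.233.233
12:57:13 Admin DETECTION I:\[RNL] Sothink SWF Decompiler v5.3 (Build 526)\Keygen.exe Trojan.Downloader QUARANTINE
12:57:13 Admin DETECTION I:\[RNL] Sothink SWF Decompiler v5.3 (Build 526)\Keygen.exe Trojan.Downloader DENY
13:07:34 Admin IP-BLOCK 95.211.12.140
13:07:34 Admin IP-BLOCK 95.211.12.140
13:07:34 Admin IP-BLOCK 95.211.12.140
15:39:04 Admin MESSAGE Added 204.124.182.119 to ignore list
16:06:00 Admin IP-BLOCK 221.5.8.115
16:08:20 Admin IP-BLOCK 221.5.8.115
17:13:47 Admin IP-BLOCK 221.5.8.115
23:21:14 Admin IP-BLOCK 213.174.141.71
23:21:24 Admin IP-BLOCK 213.174.141.71
"""


def parse_log(text):
    """Turn log text into a list of event dicts; lines that do not match are skipped."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        ts, user, kind, detail = m.groups()
        events.append({
            "time": datetime.strptime(ts, "%H:%M:%S").time(),
            "user": user,
            "kind": kind,
            "detail": detail,
        })
    return events


def summarize(events):
    """Aggregate the events into the figures a triage would want to see."""
    blocks = [e for e in events if e["kind"] == "IP-BLOCK"]
    blocks_by_ip = Counter(e["detail"] for e in blocks)
    blocks_per_hour = Counter(e["time"].hour for e in blocks)

    # DETECTION detail ends with "<threat name> <action>", preceded by the file path.
    detections = []
    for e in events:
        if e["kind"] == "DETECTION":
            _path, threat, action = e["detail"].rsplit(" ", 2)
            detections.append((threat, action))

    first_detection = min((e["time"] for e in events if e["kind"] == "DETECTION"), default=None)
    blocks_after = 0
    if first_detection is not None:
        blocks_after = sum(1 for e in blocks if e["time"] > first_detection)

    ignored = set()
    for e in events:
        if e["kind"] == "MESSAGE":
            m = IGNORE_RE.match(e["detail"])
            if m:
                ignored.add(m.group(1))

    return {
        "total_blocks": len(blocks),
        "blocks_by_ip": blocks_by_ip,
        "blocks_per_hour": blocks_per_hour,
        "detections": detections,
        "first_detection": first_detection,
        "blocks_after_detection": blocks_after,
        "ignored_ips": ignored,
    }


def repeat_offenders(events, min_hits=3):
    """Addresses blocked at least min_hits times, most frequent first, then by address."""
    counts = Counter(e["detail"] for e in events if e["kind"] == "IP-BLOCK")
    return sorted((ip for ip, n in counts.items() if n >= min_hits),
                  key=lambda ip: (-counts[ip], ip))


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    s = summarize(evts)
    print("IP-BLOCK events:", s["total_blocks"], "across", len(s["blocks_by_ip"]), "addresses")
    print("first detection:", s["first_detection"], "blocks after it:", s["blocks_after_detection"])
    print("detections:", s["detections"])
    print("ignored by user:", sorted(s["ignored_ips"]))
    print("blocks per hour:", dict(sorted(s["blocks_per_hour"].items())))
    print("repeat offenders:", repeat_offenders(evts))
```

Run it against the full log by reading the file instead of `SAMPLE_LOG`. Two figures matter most: `blocks_after_detection` (activity that survives the quarantine) and `repeat_offenders` (the same address hit again and again, which a browser session rarely produces while idle). Note that `ignored_ips` records addresses the user whitelisted; once an address is on the ignore list it stops appearing as IP-BLOCK, so a quiet log can also mean the block was silenced rather than the cause removed.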
