
MBAM removed the trojan (mostly)



I got my first virus/trojan today. MSSE noticed it first, and said its removal was successful, but far from it. I tried ESET NOD32, and that didn't even see the virus. Then I tried AVG's DOS boot CD, which has networking; it started up, downloaded its latest defs, scanned the system ... and found nothing. Useless. SUPERAntiSpyware ... same thing, doesn't even see the malware. Process Explorer doesn't show a recognizable process for it.

So after googling a bit more, I found out about MBAM and gave it a try. Sure enough, the free version found the whole thing, and its variants, on my HD. I forget the name of the trojan, but I know it puts xXx.xXx and uUu.uUu files into my users/me/local/temp directory, and the xXx one cannot be killed.

So I let MBAM do its thing; it reboots and finishes the job. It says the bad stuff is all gone. Now, before I removed it, I noticed very strange behavior in Firefox (3.6.3); sometimes I was prevented from surfing at all. Other times, I'd get a popup saying "Firefox has stopped working", and it also seemed to be trying to intercept my downloads.

Later, after MBAM finishes, I open Firefox again and MBAM pops up and tells me that xxx.xxx is attempting to load and has been stopped. I click Quarantine. So I figure the bloody thing is still hiding somewhere. I disable System Restore, reboot into Safe Mode, and let MBAM scan the HDs. It finds nothing at all.

I reboot again, and all seems well. Odd, random-lettered EXEs are no longer showing in MSConfig's startup area. The xxx.xxx and uuu.uuu files are no longer present in the temp folder. Good so far. Until ...

I start Firefox ... and once again, MBAM intercepts xxx.xxx and keeps it from starting. So clearly, this trojan is somehow hooked into Firefox. So I need some advice about what I should do next. Of course, I'm trying to avoid a full system reinstall. It would take me a solid week to get things back to the way they are now.

Thanks

Reports follow. DDS.txt report: OK; Attach.txt: OK; GMER: would not run (small screenshot in zip).

Here's the DDS.txt report:

DDS (Ver_10-03-17.01) - NTFSX64
Run by Jeff at 15:30:59.71 on Fri 04/16/2010
Internet Explorer: 8.0.7600.16385
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.6142.4705 [GMT -4:00]

============== Running Processes ===============
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Applications\Hardware\nHancer\nHancerService.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Applications\Video\FRAPS\fraps.exe
C:\Program Files (x86)\NVIDIA Corporation\nTune\nTuneService.exe
C:\Applications\Tools\Disk\O&O Defrag\oodag.exe
C:\Program Files\Logitech\GamePanel Software\LGDevAgt.exe
C:\Applications\Tools\Disk\Macrium Reflect\ReflectService.exe
C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe
C:\Applications\Hardware\Logitech Setpoint-64\SetPointP\SetPoint.exe
C:\Users\Jeff\AppData\Roaming\Dropbox\bin\Dropbox.exe
C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE
C:\Applications\Tools\Security\Malwarebytes\mbamgui.exe
C:\Applications\Hardware\MSI Afterburner\MSIAfterburner.exe
C:\Program Files\Logitech\GamePanel Software\Applets\LCDClock.exe
C:\Program Files\Logitech\GamePanel Software\Applets\LCDMedia.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Applications\Video\FRAPS\fraps64.dat
C:\Program Files\Windows Media Player\WMPSideShowGadget.exe
C:\Program Files (x86)\Windows Media Player\wmplayer.exe
C:\Windows\system32\taskhost.exe
C:\Applications\Tools\Security\Malwarebytes\mbamservice.exe
C:\Applications\Internet\Firefox\firefox.exe
C:\Applications\Text\Notepad++\notepad++.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Jeff\Desktop\dds.scr
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Search_URL = hxxp://www.google.com/ie
mLocal Page = c:\windows\syswow64\blank.htm
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files (x86)\common files\microsoft shared\windows live\WindowsLiveLogin.dll
mRun: [MSIAfterburner] "c:\applications\hardware\msi afterburner\MSIAfterburnerWrapper.exe" /s
mRun: [Malwarebytes' Anti-Malware] c:\applications\tools\security\malwarebytes\mbamgui.exe /starttray
StartupFolder: c:\users\jeff\appdata\roaming\micros~1\windows\startm~1\programs\startup\dropbox.lnk - c:\users\jeff\appdata\roaming\dropbox\bin\Dropbox.exe
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: ForceActiveDesktopOn = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files (x86)\windows live\writer\WriterBrowserExtension.dll
DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - hxxp://ccfiles.creative.com/Web/softwareupdate/su2/ocx/15111/CTPID.cab
Notify: !SASWinLogon - c:\applications\tools\security\sas\SASWINLO.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\applications\tools\security\sas\SASSEH.DLL
mASetup: installed components - c:\users\jeff\appdata\local\temp\CQEsV.exe
uASetup: installed components - c:\users\jeff\appdata\local\temp\CQEsV.exe
mRun-x64: [OODefragTray] c:\applications\tools\disk\o&o defrag\oodtray.exe
mRun-x64: [Launch LgDeviceAgent] "c:\program files\logitech\gamepanel software\LgDevAgt.exe"
mRun-x64: [Launch LCDMon] "c:\program files\logitech\gamepanel software\lcd manager\LCDMon.exe"
mRun-x64: [Launch LGDCore] "c:\program files\logitech\gamepanel software\g-series software\LGDCore.exe" /SHOWHIDE
mRun-x64: [EvtMgr6] c:\applications\hardware\logitech setpoint-64\setpointp\SetPoint.exe /launchGaming
STS-X64: FencesShlExt Class: {1984DD45-52CF-49cd-AB77-18F378FEA264} - c:\applications\tools\desktop\fences\FencesMenu64.dll

================= FIREFOX ===================
FF - ProfilePath - c:\users\jeff\appdata\roaming\mozilla\firefox\profiles\moif23al.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig
FF - plugin: c:\applications\photo\picasa3\npPicasa3.dll
FF - plugin: c:\applications\video\win7 codecs\rm\browser\plugins\nppl3260.dll
FF - plugin: c:\applications\video\win7 codecs\rm\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files (x86)\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files (x86)\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files (x86)\nvidia corporation\3d vision\npnv3dv.dll
FF - plugin: c:\program files (x86)\windows live\photo gallery\NPWLPG.dll

---- FIREFOX POLICIES ----
c:\applications\internet\firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\applications\internet\firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\applications\internet\firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\applications\internet\firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\applications\internet\firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\applications\internet\firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\applications\internet\firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\applications\internet\firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\applications\internet\firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\applications\internet\firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\applications\internet\firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\applications\internet\firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\applications\internet\firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\applications\internet\firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\applications\internet\firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\applications\internet\firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\applications\internet\firefox\greprefs\all.js - pref("html5.enable", false);
c:\applications\internet\firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\applications\internet\firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\applications\internet\firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\applications\internet\firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\applications\internet\firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\applications\internet\firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\applications\internet\firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\applications\internet\firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\applications\internet\firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\applications\internet\firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\applications\internet\firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\applications\internet\firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\applications\internet\firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\applications\internet\firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\applications\internet\firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\applications\internet\firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\applications\internet\firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\applications\internet\firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\applications\internet\firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\applications\internet\firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============
R2 MBAMService;MBAMService;c:\applications\tools\security\malwarebytes\mbamservice.exe [2010-4-16 303952]
R2 ReflectService;Macrium Reflect Image Mounting Service;c:\applications\tools\disk\macrium reflect\ReflectService.exe [2010-3-17 301024]
R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\nvidia corporation\3d vision\nvSCPAPISvr.exe [2010-4-3 240232]
R3 CT20XUT.SYS;CT20XUT.SYS;c:\windows\system32\drivers\CT20XUT.sys [2009-6-4 202776]
R3 CTEXFIFX.SYS;CTEXFIFX.SYS;c:\windows\system32\drivers\CTEXFIFX.sys [2009-6-4 1417240]
R3 CTHWIUT.SYS;CTHWIUT.SYS;c:\windows\system32\drivers\CTHWIUT.sys [2009-6-4 94744]
R3 LGBusEnum;Logitech GamePanel Virtual Bus Enumerator Driver;c:\windows\system32\drivers\LGBusEnum.sys [2009-11-23 22408]
R3 LGVirHid;Logitech Gamepanel Virtual HID Device Driver;c:\windows\system32\drivers\LGVirHid.sys [2009-11-23 16008]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010-4-16 24664]
R3 nvoclk64;NVIDIA Enthusiasts Platform KDM;c:\windows\system32\drivers\nvoclk64.sys [2009-9-15 42088]
R3 RTCore64;RTCore64;c:\applications\hardware\msi afterburner\RTCore64.sys [2010-1-31 14648]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt64win7.sys [2009-3-1 187392]
S1 SASDIFSV;SASDIFSV;c:\applications\tools\security\sas\sasdifsv.sys [2010-2-17 12872]
S1 SASKUTIL;SASKUTIL;c:\applications\tools\security\sas\SASKUTIL.SYS [2010-2-17 66632]
S2 gupdate;Google Update Service (gupdate);c:\program files (x86)\google\update\GoogleUpdate.exe [2010-4-13 136176]
S3 Creative ALchemy AL6 Licensing Service;Creative ALchemy AL6 Licensing Service;c:\program files (x86)\common files\creative labs shared\service\AL6Licensing.exe [2010-4-10 79360]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files (x86)\common files\creative labs shared\service\CTAELicensing.exe [2010-4-10 79360]
S3 CT20XUT;CT20XUT;c:\windows\system32\drivers\CT20XUT.sys [2009-6-4 202776]
S3 CTEXFIFX;CTEXFIFX;c:\windows\system32\drivers\CTEXFIFX.sys [2009-6-4 1417240]
S3 CTHWIUT;CTHWIUT;c:\windows\system32\drivers\CTHWIUT.sys [2009-6-4 94744]
S3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;e:\games\rpg\dragon age\bin_ship\daupdatersvc.service.exe [2009-12-15 25832]
S3 PSMounter;Macrium Reflect Image Explorer Service;c:\windows\system32\drivers\psmounter.sys [2010-3-17 39904]
S3 SASENUM;SASENUM;c:\applications\tools\security\sas\SASENUM.SYS [2010-2-17 12872]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-4-10 1255736]

============== File Associations ===============

.txt=Notepad++_file

=============== Created Last 30 ================
2010-04-16 17:35:14 0 d-----w- c:\users\jeff\appdata\roaming\Malwarebytes
2010-04-16 17:35:04 24664 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-16 17:35:04 0 d-----w- c:\programdata\Malwarebytes
2010-04-16 15:50:32 0 d-----w- c:\users\jeff\appdata\roaming\WindowsServices
2010-04-16 15:25:53 612352 ----a-w- c:\windows\system32\vbscript.dll
2010-04-16 15:25:53 427520 ----a-w- c:\windows\syswow64\vbscript.dll
2010-04-16 15:25:52 286720 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-04-16 15:25:52 157696 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-04-16 15:25:52 125952 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2010-04-16 15:25:51 5509008 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-04-16 15:25:51 3899280 ----a-w- c:\windows\syswow64\ntoskrnl.exe
2010-04-16 15:25:50 3954568 ----a-w- c:\windows\syswow64\ntkrnlpa.exe
2010-04-16 15:24:23 220672 ----a-w- c:\windows\system32\wintrust.dll
2010-04-16 15:24:23 172032 ----a-w- c:\windows\syswow64\wintrust.dll
2010-04-16 15:24:23 139264 ----a-w- c:\windows\system32\cabview.dll
2010-04-16 15:24:23 132608 ----a-w- c:\windows\syswow64\cabview.dll
2010-04-16 14:58:30 0 d-----w- c:\users\jeff\appdata\roaming\Foxit Software
2010-04-16 14:58:09 0 d-----w- c:\program files (x86)\WindowsServices
2010-04-15 20:25:05 0 d-----w- c:\programdata\SUPERAntiSpyware.com
2010-04-15 20:24:59 0 d-----w- c:\users\jeff\appdata\roaming\SUPERAntiSpyware.com
2010-04-15 18:15:55 0 d-----w- c:\programdata\BioWare
2010-04-15 17:37:10 0 d-----w- c:\users\jeff\appdata\roaming\InfraRecorder
2010-04-15 16:16:06 0 d-sh--w- c:\programdata\SecuROM
2010-04-15 16:07:50 0 d-----w- c:\program files (x86)\common files\Wise Installation Wizard
2010-04-15 16:07:48 0 d-----w- c:\programdata\Media Center Programs
2010-04-15 15:55:17 0 d-----w- c:\program files (x86)\common files\BioWare
2010-04-15 15:39:29 0 d-----w- c:\users\jeff\Tracing
2010-04-15 15:30:15 0 d-----w- c:\program files (x86)\Microsoft SQL Server Compact Edition
2010-04-15 15:30:01 0 d-----w- c:\program files (x86)\Microsoft
2010-04-15 15:29:48 0 d-----w- c:\program files (x86)\Windows Live SkyDrive
2010-04-15 15:24:19 0 d-----w- c:\program files (x86)\common files\Windows Live
2010-04-15 15:12:35 0 d-----w- c:\users\jeff\appdata\roaming\runic games
2010-04-14 22:53:47 0 d-----w- c:\program files (x86)\common files\Futuremark Shared
2010-04-14 20:03:30 45 ----a-w- c:\windows\syswow64\initdebug.nfo
2010-04-14 15:41:21 390330392 ----a-w- c:\windows\MEMORY.DMP
2010-04-14 12:50:08 0 d-----w- c:\users\jeff\appdata\roaming\foobar2000
2010-04-14 12:31:58 0 d-----w- c:\windows\pss
2010-04-14 12:29:26 18960 ----a-w- c:\windows\system32\drivers\LNonPnP.sys
2010-04-14 12:29:11 0 d-----w- c:\programdata\Logishrd
2010-04-14 12:28:09 0 d-----w- c:\program files\common files\LogiShrd
2010-04-14 12:28:06 0 d-----w- c:\users\jeff\appdata\roaming\Logishrd
2010-04-13 22:49:55 0 d-----w- c:\users\jeff\appdata\roaming\Win7codecs
2010-04-13 22:48:45 0 d-----w- c:\programdata\Win7codecs
2010-04-13 16:17:23 540688 ----a-w- c:\windows\system32\d3dx10_39.dll
2010-04-13 16:17:23 4992520 ----a-w- c:\windows\system32\D3DX9_39.dll
2010-04-13 16:17:23 467984 ----a-w- c:\windows\syswow64\d3dx10_39.dll
2010-04-13 16:17:23 3851784 ----a-w- c:\windows\syswow64\D3DX9_39.dll
2010-04-13 16:17:23 1942552 ----a-w- c:\windows\system32\D3DCompiler_39.dll
2010-04-13 16:17:23 1493528 ----a-w- c:\windows\syswow64\D3DCompiler_39.dll
2010-04-13 16:07:26 0 d-----w- c:\program files (x86)\Eagle Dynamics
2010-04-13 14:46:41 15867 ----a-w- c:\windows\system32\Blank.ico
2010-04-13 12:40:56 0 d-----w- c:\programdata\Skype
2010-04-12 20:30:54 0 d-----w- c:\programdata\Codemasters
2010-04-12 20:11:29 0 d-----w- c:\windows\syswow64\xlive
2010-04-12 20:11:29 0 d-----w- c:\program files (x86)\Microsoft Games for Windows - LIVE
2010-04-12 20:11:10 17686528 ----a-w- c:\windows\syswow64\mkl_blueripple.dll
2010-04-12 20:11:10 1347584 ----a-w- c:\windows\syswow64\rapture3d_oal.dll
2010-04-12 20:11:10 0 d-----w- c:\program files (x86)\BRS
2010-04-12 20:11:06 519000 ----a-w- c:\windows\system32\d3dx10_40.dll
2010-04-12 20:11:06 452440 ----a-w- c:\windows\syswow64\d3dx10_40.dll
2010-04-12 20:11:06 2605920 ----a-w- c:\windows\system32\D3DCompiler_40.dll
2010-04-12 20:11:06 2036576 ----a-w- c:\windows\syswow64\D3DCompiler_40.dll
2010-04-12 20:11:05 5631312 ----a-w- c:\windows\system32\D3DX9_40.dll
2010-04-12 20:11:05 4379984 ----a-w- c:\windows\syswow64\D3DX9_40.dll
2010-04-12 19:39:40 64512 ----a-w- c:\windows\system32\HPPLVS.dll
2010-04-12 19:39:40 398336 ----a-w- c:\windows\system32\HP1006LM.DLL
2010-04-12 19:39:39 0 d-----w- c:\program files\HP
2010-04-12 17:27:48 0 d-----w- c:\programdata\Macrium
2010-04-12 15:49:03 0 d-----w- c:\users\jeff\appdata\roaming\HiFi
2010-04-12 15:46:41 0 d-----w- c:\windows\Downloaded Installations
2010-04-12 14:50:19 0 d-----w- c:\users\jeff\appdata\roaming\EZCA
2010-04-12 13:03:20 0 d-----w- c:\users\jeff\appdata\roaming\Autodesk
2010-04-12 13:03:20 0 d-----w- c:\programdata\TEMP
2010-04-12 13:03:20 0 d-----w- c:\programdata\Alias
2010-04-12 12:34:24 0 d-----w- c:\users\jeff\appdata\roaming\HandBrake
2010-04-12 03:00:25 0 d-----w- c:\program files (x86)\Vstplugins
2010-04-12 02:56:56 0 d-----w- c:\programdata\Sony
2010-04-12 02:56:55 0 d-----w- c:\program files (x86)\Sony
2010-04-12 00:56:19 0 d-----w- c:\users\jeff\appdata\roaming\NVIDIA
2010-04-11 20:56:21 0 dc-h--w- c:\programdata\{A87EB928-0C6C-4071-AEF1-59E32BAEDF1B}
2010-04-11 20:56:21 0 d-----w- c:\users\jeff\appdata\roaming\Stardock
2010-04-11 14:30:25 49120 ----a-w- c:\windows\system32\oodbs.lor
2010-04-11 13:18:18 0 d-----w- c:\programdata\Logitech
2010-04-11 13:18:18 0 d-----w- c:\program files\Logitech
2010-04-11 13:12:42 0 d-----w- c:\windows\system32\oodag
2010-04-11 13:08:48 0 d-----w- c:\program files\OO Software
2010-04-11 12:24:10 0 ---ha-w- c:\windows\system32\drivers\Msft_User_lgSSBW_01_00_00.Wdf
2010-04-11 12:24:01 0 ---ha-w- c:\windows\system32\drivers\Msft_User_lgSSQVGA_01_00_00.Wdf
2010-04-11 12:12:49 0 d-----w- c:\users\jeff\appdata\roaming\Trillian
2010-04-11 11:51:56 0 d-----w- c:\users\jeff\appdata\roaming\Dropbox
2010-04-11 04:31:06 0 d-----w- c:\windows\Panther
2010-04-11 04:08:38 0 d-----w- c:\users\jeff\appdata\roaming\KeePass
2010-04-11 03:55:26 0 d-----w- c:\users\jeff\appdata\roaming\uTorrent
2010-04-11 03:31:59 0 d-----w- c:\users\jeff\appdata\roaming\nHancer
2010-04-11 03:28:47 0 d-----w- c:\programdata\nHancer
2010-04-11 03:13:48 0 d-----w- c:\program files (x86)\MSXML 4.0
2010-04-11 03:13:46 0 d-----w- c:\program files (x86)\common files\Microsoft Games
2010-04-11 03:02:32 0 d-----w- c:\windows\PCHEALTH
2010-04-11 02:51:16 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_09_00.Wdf
2010-04-11 02:49:39 0 d-----w- c:\program files (x86)\common files\Steam
2010-04-11 02:41:09 0 d-----w- c:\windows\syswow64\Macromed
2010-04-11 02:32:45 0 d-----w- c:\windows\syswow64\directx
2010-04-11 02:29:17 0 d-----w- c:\windows\syswow64\Wat
2010-04-11 02:29:17 0 d-----w- c:\windows\system32\Wat
2010-04-11 02:27:03 311808 ----a-w- c:\windows\system32\msv1_0.dll
2010-04-11 02:27:03 257024 ----a-w- c:\windows\syswow64\msv1_0.dll
2010-04-11 02:23:29 464896 ----a-w- c:\windows\system32\drivers\srv.sys
2010-04-11 02:23:29 162304 ----a-w- c:\windows\system32\drivers\srvnet.sys
2010-04-11 01:58:14 0 d-----w- c:\programdata\NVIDIA
2010-04-11 01:57:52 0 d-----w- c:\program files (x86)\NVIDIA Corporation
2010-04-11 01:57:45 0 d-----w- c:\program files\NVIDIA Corporation
2010-04-11 01:56:12 930272 ----a-w- c:\windows\system32\dpinst.exe
2010-04-11 01:56:02 0 d-----w- C:\NVIDIA
2010-04-11 01:50:33 647872 ------w- c:\windows\syswow64\Mscomct2.ocx
2010-04-11 01:50:33 53248 ------w- c:\windows\Ctregrun.exe
2010-04-11 01:35:38 788 ----a-w- c:\windows\system32\DVCState-{00000007-00000000-00000000-00001102-00000005-00211102}.rfx
2010-04-11 01:35:38 61616 ----a-w- c:\windows\system32\BMXStateBkp-{00000007-00000000-00000000-00001102-00000005-00211102}.rfx
2010-04-11 01:35:38 61616 ----a-w- c:\windows\system32\BMXState-{00000007-00000000-00000000-00001102-00000005-00211102}.rfx
2010-04-11 01:34:47 7062 ----a-w- c:\windows\syswow64\audiopid.vxd
2010-04-11 01:34:23 0 d--h--w- c:\program files (x86)\Creative Installation Information
2010-04-11 01:34:23 0 d-----w- c:\program files (x86)\common files\Creative
2010-04-11 01:34:16 0 d-----w- c:\program files (x86)\common files\Creative Labs Shared
2010-04-11 01:34:11 0 d-----w- c:\program files\Creative
2010-04-11 01:34:02 0 d-----w- c:\program files (x86)\Creative
2010-04-11 01:33:57 0 d-----w- c:\programdata\Creative
2010-04-11 01:33:56 107008 ----a-w- c:\windows\system32\cttele64.dll
2010-04-11 01:33:56 102400 ----a-w- c:\windows\syswow64\cttele32.dll
2010-04-11 01:33:32 466520 ----a-w- c:\windows\system32\wrap_oal.dll
2010-04-11 01:33:32 445016 ----a-w- c:\windows\syswow64\wrap_oal.dll
2010-04-11 01:33:32 122904 ----a-w- c:\windows\system32\OpenAL32.dll
2010-04-11 01:33:32 109080 ----a-w- c:\windows\syswow64\OpenAL32.dll
2010-04-11 01:33:32 0 d-----w- c:\program files (x86)\OpenAL
2010-04-11 01:33:31 89088 ----a-w- c:\windows\system32\CmdRtr64.DLL
2010-04-11 01:33:31 73728 ----a-w- c:\windows\syswow64\CmdRtr.DLL
2010-04-11 01:33:31 190976 ----a-w- c:\windows\system32\APOMgr64.DLL
2010-04-11 01:33:31 159 ---ha-r- c:\windows\ctfile.rfc
2010-04-11 01:33:31 148480 ----a-w- c:\windows\syswow64\APOMngr.DLL
2010-04-11 01:32:52 12288 ----a-w- c:\windows\system32\INRES.DLL
2010-04-11 01:32:52 11776 ----a-w- c:\windows\syswow64\INRES.DLL
2010-04-11 01:32:52 0 d-----w- c:\windows\syswow64\Data
2010-04-11 01:32:52 0 d-----w- c:\windows\system32\Data
2010-04-11 01:32:46 22691984 ----a-w- c:\windows\syswow64\AppSetup.exe
2010-04-11 01:29:15 53248 ----a-w- c:\windows\syswow64\CSVer.dll
2010-04-11 01:12:02 169 ----a-w- c:\windows\system32\autopart.opt
2010-04-11 01:12:02 0 d-----w- c:\windows\Acronis
2010-04-11 01:10:47 0 d-----w- c:\programdata\Acronis
2010-04-11 01:10:02 269408 ----a-w- c:\windows\system32\drivers\snapman.sys
2010-04-11 01:08:33 0 d-sh--w- c:\windows\Installer
2010-04-11 01:00:24 212864 ------w- c:\windows\system32\MpSigStub.exe
2010-04-11 00:54:05 0 d-----w- C:\Applications
2010-04-11 00:43:32 0 d-sh--w- C:\Recovery
2010-04-03 22:42:00 61032 ----a-w- c:\windows\system32\nvshext.dll
2010-04-03 22:42:00 159336 ----a-w- c:\windows\system32\nvvsvc.exe
2010-04-03 22:42:00 14828648 ----a-w- c:\windows\system32\nvcpl.dll
2010-04-03 22:42:00 116328 ----a-w- c:\windows\system32\nvmctray.dll
2010-04-03 22:42:00 1067624 ----a-w- c:\windows\system32\nvsvc64.dll
2010-04-03 22:41:38 66714 ----a-w- c:\windows\system32\NvwsApps.xml
2010-04-03 22:41:38 276196 ----a-w- c:\windows\system32\NvApps.xml
2010-04-02 21:57:30 499712 ----a-w- c:\windows\syswow64\msvcp71.dll
2010-04-02 21:57:30 348160 ----a-w- c:\windows\syswow64\msvcr71.dll
2010-03-31 05:15:22 86016 ----a-w- c:\windows\syswow64\frapsvid.dll
2010-03-31 05:15:20 84992 ----a-w- c:\windows\system32\frapsv64.dll
2010-03-22 18:38:00 3600384 ----a-w- c:\windows\syswow64\GPhotos.scr

==================== Find3M ====================
2010-03-17 14:02:54 39904 ----a-w- c:\windows\system32\drivers\psmounter.sys
2010-02-23 08:22:50 1192960 ----a-w- c:\windows\system32\wininet.dll
2010-02-23 07:56:00 977920 ----a-w- c:\windows\syswow64\wininet.dll
2010-02-23 07:55:56 1225216 ----a-w- c:\windows\syswow64\urlmon.dll
2010-02-23 07:55:45 606208 ----a-w- c:\windows\syswow64\mstime.dll
2010-02-23 07:55:43 64512 ----a-w- c:\windows\syswow64\msfeedsbs.dll
2010-02-23 07:55:43 5964800 ----a-w- c:\windows\syswow64\mshtml.dll
2010-02-23 07:55:24 10978816 ----a-w- c:\windows\syswow64\ieframe.dll
2010-02-23 07:55:20 381440 ----a-w- c:\windows\syswow64\iedkcs32.dll
2010-02-21 08:48:22 85504 ----a-w- c:\windows\syswow64\ff_vfw.dll
2010-02-15 17:00:00 185920 ----a-w- c:\windows\syswow64\rmoc3260.dll
2010-02-04 14:01:14 78680 ----a-w- c:\windows\system32\XAPOFX1_4.dll
2010-02-04 14:01:14 74072 ----a-w- c:\windows\syswow64\XAPOFX1_4.dll
2010-02-04 14:01:14 530776 ----a-w- c:\windows\system32\XAudio2_6.dll
2010-02-04 14:01:14 528216 ----a-w- c:\windows\syswow64\XAudio2_6.dll
2010-02-04 14:01:14 24920 ----a-w- c:\windows\system32\X3DAudio1_7.dll
2010-02-04 14:01:14 238936 ----a-w- c:\windows\syswow64\xactengine3_6.dll
2010-02-04 14:01:14 22360 ----a-w- c:\windows\syswow64\X3DAudio1_7.dll
2010-02-04 14:01:14 176984 ----a-w- c:\windows\system32\xactengine3_6.dll
2010-02-02 08:36:47 2048 ----a-w- c:\windows\system32\tzres.dll
2010-02-02 07:45:54 2048 ----a-w- c:\windows\syswow64\tzres.dll
2009-07-14 05:37:38 31548 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2009-07-14 05:37:38 31548 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2009-07-14 05:37:38 291294 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2009-07-14 05:37:38 291294 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2009-07-14 04:54:24 174 --sha-w- c:\program files\desktop.ini
2009-07-14 04:54:24 174 --sha-w- c:\program files (x86)\desktop.ini
2009-07-14 01:00:34 291294 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2009-07-14 01:00:34 291294 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2009-07-14 01:00:32 31548 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2009-07-14 01:00:32 31548 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-06-10 20:44:08 9633792 --sha-r- c:\windows\fonts\StaticCache.dat
2009-07-14 04:55:03 16384 --sha-w- c:\windows\syswow64\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\index.dat
2009-07-14 04:55:03 32768 --sha-w- c:\windows\syswow64\config\systemprofile\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
2009-07-14 04:55:03 16384 --sha-w- c:\windows\syswow64\config\systemprofile\appdata\roaming\microsoft\windows\cookies\index.dat
2009-07-14 01:39:53 398848 --sha-w- c:\windows\winsxs\amd64_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_4d4d1f2f696639a2\WinMail.exe
2009-07-14 01:14:45 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe

============= FINISH: 15:31:15.97 ===============
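Triage of the log above, as an added example that is not part of the original post and not code from DDS or Malwarebytes: a small Python script that parses the Pseudo HJT lines and flags the autostart entries a responder would look at first. The sample input is the HJT lines excerpted from the log, re-joined onto single lines. The flagging rules (an autostart target under a temp directory, an Active Setup entry whose StubPath points outside Windows or Program Files, and UAC switched off via EnableLUA = 0) are this example's own heuristics, not a verdict on any file. On this log they surface the two Active Setup entries pointing at c:\users\jeff\appdata\local\temp\CQEsV.exe and the EnableLUA = 0 policy, and leave the Dropbox and Malwarebytes entries alone.

```python
import re
from dataclasses import dataclass, field

# Pseudo-HJT lines excerpted from the DDS log in the post above, re-joined onto
# single lines (the forum rendering had wrapped them). Used as a constructed
# sample input for this example.
SAMPLE_HJT = r"""
mRun: [MSIAfterburner] "c:\applications\hardware\msi afterburner\MSIAfterburnerWrapper.exe" /s
mRun: [Malwarebytes' Anti-Malware] c:\applications\tools\security\malwarebytes\mbamgui.exe /starttray
StartupFolder: c:\users\jeff\appdata\roaming\micros~1\windows\startm~1\programs\startup\dropbox.lnk - c:\users\jeff\appdata\roaming\dropbox\bin\Dropbox.exe
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mASetup: installed components - c:\users\jeff\appdata\local\temp\CQEsV.exe
uASetup: installed components - c:\users\jeff\appdata\local\temp\CQEsV.exe
mRun-x64: [OODefragTray] c:\applications\tools\disk\o&o defrag\oodtray.exe
""".strip()

# A drive-letter path up to the first executable-ish extension. Quotes and line
# ends bound the match, so paths containing spaces survive intact.
PATH_RE = re.compile(r'([a-z]:\\[^"\r\n]*?\.(?:exe|dll|scr|sys|lnk|cab))\b', re.IGNORECASE)

# Heuristics used by this example (not DDS or MBAM logic).
TEMP_MARKERS = ("\\temp\\", "\\tmp\\")
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


@dataclass
class Entry:
    kind: str                       # e.g. mRun, mASetup, mPolicies-system
    text: str                       # remainder of the line after the kind
    paths: list = field(default_factory=list)


def parse_hjt(text: str) -> list:
    """Split each 'kind: rest' line and pull out every path it names."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        kind, _, rest = line.partition(":")
        entries.append(Entry(kind.strip(), rest.strip(), PATH_RE.findall(rest)))
    return entries


def triage(entries: list) -> list:
    """Return (kind, target, reason) tuples for entries worth a closer look."""
    findings = []
    for e in entries:
        for p in e.paths:
            lp = p.lower()
            if any(m in lp for m in TEMP_MARKERS):
                findings.append((e.kind, p, "autostart target lives in a temp directory"))
            # Active Setup (mASetup/uASetup) runs its StubPath at logon; vendors
            # point it at their own install directories, not at a user profile.
            if e.kind.lower().endswith("asetup") and not lp.startswith(TRUSTED_ROOTS):
                findings.append((e.kind, p, "Active Setup StubPath outside Windows/Program Files"))
        if e.kind == "mPolicies-system" and re.search(r"\bEnableLUA = 0\b", e.text):
            findings.append((e.kind, e.text, "UAC disabled (EnableLUA = 0)"))
    return findings


if __name__ == "__main__":
    for kind, target, reason in triage(parse_hjt(SAMPLE_HJT)):
        print(f"{kind:<18} {reason:<52} {target}")
```

To run it against a full DDS.txt, read the file and pass the block between the "Pseudo HJT Report" header and the next "=====" header to parse_hjt; the path regex is deliberately limited to the extensions DDS prints in that section, so widen it if the log carries other kinds.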


Disregard.

After reading similar posts where the resolution was "you'd better change all your passwords, disconnect from the internet, and format ASAP", I decided to do the same. I know the trojan was still resident and hiding, and I can't risk it. So I went ahead and formatted and reinstalled Windows.

I would very much like to know, though, how a file named xxx.xxx can even run. MBAM even said "xxx.xxx is attempting to open" and let me quarantine it. Since when is .xxx an executable extension?

It also prevented me from deleting it and from Ctrl-A selecting all files in the temp folder, among other powerful behavior.
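On the question in the post above of how a file called xxx.xxx can run at all: Windows does not consult the extension when a process is created directly. CreateProcess, and any autostart entry that names a full path (the Active Setup mASetup/uASetup lines in the DDS log are one such launcher), loads whatever file it is pointed at as long as the bytes carry a valid PE header; the extension only matters to the shell's file-association lookup when something is double-clicked or handed to ShellExecute. The practical consequence for triage is to identify executables by content rather than by name. The following Python script is an added example, not part of the original thread or of any tool mentioned in it: it checks for the MZ/PE signature and walks a directory for files that carry it regardless of extension. The three fixture files (named xXx.xXx, uUu.uUu and readme.exe after the names in the thread) are constructed in a scratch directory for the demonstration; the PE fixture is a header fragment only, not a loadable program.

```python
import os
import struct
import tempfile


def looks_like_pe(data: bytes) -> bool:
    """True if `data` starts with a DOS header whose e_lfanew points at a
    'PE\\0\\0' signature, i.e. the loader would treat it as a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 4 > len(data):
        return False
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def find_pe_files(directory: str) -> list:
    """Names (relative to `directory`) of files carrying a PE header, whatever
    their extension says. Only the first 4 KiB of each file is read."""
    hits = []
    for root, _dirs, files in os.walk(directory):
        for name in files:
            path = os.path.join(root, name)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(4096)
            except OSError:
                continue
            if looks_like_pe(head):
                hits.append(os.path.relpath(path, directory))
    return sorted(hits)


def build_stub_pe() -> bytes:
    """Constructed fixture: an MZ stub whose e_lfanew points at 'PE\\0\\0' with
    Machine = AMD64. A header fragment only, not a loadable program."""
    pe_offset = 0x80
    header = bytearray(pe_offset + 0x18)
    header[0:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, pe_offset)
    header[pe_offset:pe_offset + 4] = b"PE\x00\x00"
    struct.pack_into("<H", header, pe_offset + 4, 0x8664)
    return bytes(header)


def demo() -> list:
    """Drop three misleadingly named files into a scratch folder and report
    which of them the content check identifies as an executable."""
    with tempfile.TemporaryDirectory() as scratch:
        fixtures = {
            "xXx.xXx": build_stub_pe(),                    # PE bytes, bogus extension
            "uUu.uUu": b"\x00" * 64 + b"not an executable",  # no MZ header
            "readme.exe": b"Just text, despite the .exe name\n",
        }
        for name, data in fixtures.items():
            with open(os.path.join(scratch, name), "wb") as fh:
                fh.write(data)
        return find_pe_files(scratch)


if __name__ == "__main__":
    print(demo())  # ['xXx.xXx']
```

Pointed at a real %TEMP% folder (find_pe_files(os.environ["TEMP"]) on Windows), the same walk lists every PE-format file there regardless of name, which is the check to run before trusting a directory listing filtered by extension.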
