
Trojan agent and Trojan banker cannot be removed from Malwarebytes.



Ran a scan and found a Trojan agent and a Trojan banker in my Java folders. Upon clicking Remove Selected, a pop-up appeared saying some items could not be removed. Tried to remove the two viruses, but upon running a scan after a reboot I found that the buggers stuck around. I deleted all the Java folders I could find and ran another scan, only to find the viruses still showing up with their location being the deleted Java folder. I ran a scan in Safe Mode and the mentioned viruses do not show up.

Could this be a false positive?

Anyways here are my logs.

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4070
Windows 6.1.7600
Internet Explorer 8.0.7600.16385

05/05/2010 5:41:28 PM
mbam-log-2010-05-05 (17-41-28).txt

Scan type: Quick scan
Objects scanned: 116671
Time elapsed: 6 minute(s), 5 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Program Files (x86)\Java.exe (Trojan.Banker) -> Delete on reboot.
C:\Program Files (x86)\JavaSDK.exe (Trojan.Agent) -> Delete on reboot.

_____________________________________________________________________

DDS (Ver_10-03-17.01) - NTFSX64

Run by chirps at 18:35:12.47 on 05/05/2010

Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_20

Microsoft Windows 7 Home Premium 6.1.7600.0.1252.2.1033.18.1788.979 [GMT -6:00]

SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}


Thanks!
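A defender's triage for "Delete on reboot" entries like the two in the log above, added here as an example (it is not part of the thread and not Malwarebytes' own tooling). It assumes the MBAM 1.x log line format shown and that delayed deletes are queued through Windows' PendingFileRenameOperations value; the sample lines are constructed from the log.

```powershell
# Added example: triage "-> Delete on reboot" lines from an MBAM 1.x log.
# For each flagged path it reports whether the file exists, its Authenticode
# signature state and SHA-256, and whether a delayed delete for it is queued
# in PendingFileRenameOperations. Written for PowerShell 2.0 (Windows 7 era).

# Constructed sample input: the two "Files Infected" lines from the log.
$mbamLogLines = @(
    "C:\Program Files (x86)\Java.exe (Trojan.Banker) -> Delete on reboot.",
    "C:\Program Files (x86)\JavaSDK.exe (Trojan.Agent) -> Delete on reboot."
)

function Get-Sha256Hex([string]$Path) {
    # Get-FileHash needs PowerShell 4+, so hash through .NET instead.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try     { ($sha.ComputeHash($fs) | ForEach-Object { $_.ToString("x2") }) -join "" }
    finally { $fs.Close() }
}

function Get-PendingDeletes {
    # MoveFileEx(..., MOVEFILE_DELAY_UNTIL_REBOOT) records "\??\C:\path" pairs here;
    # a delete is a source path followed by an empty destination. Assumption: the
    # scanner's "Delete on reboot" action uses this standard mechanism.
    $key = "HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager"
    $val = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).PendingFileRenameOperations
    if (-not $val) { return @() }
    $pending = @()
    for ($i = 0; $i -lt $val.Count; $i += 2) {
        if ($val[$i + 1] -eq "") { $pending += ($val[$i] -replace '^\\\?\?\\', '') }
    }
    return $pending
}

function Test-MbamDetection([string]$LogLine, [string[]]$PendingDeletes) {
    # Log format: <path> (<detection name>) -> <action>.
    if ($LogLine -notmatch '^(?<path>.+?) \((?<name>[^)]+)\) -> (?<action>.+?)\.?$') {
        throw "Unrecognised log line: $LogLine"
    }
    $path   = $Matches.path
    $result = New-Object PSObject -Property @{
        Path         = $path
        Detection    = $Matches.name
        Action       = $Matches.action
        Exists       = (Test-Path -LiteralPath $path)
        Signature    = $null
        Sha256       = $null
        DeleteQueued = ($PendingDeletes -contains $path)
    }
    if ($result.Exists) {
        # A genuine Sun/Oracle java.exe carries a valid Authenticode signature.
        $result.Signature = (Get-AuthenticodeSignature -FilePath $path).Status
        $result.Sha256    = Get-Sha256Hex $path
    }
    return $result
}

$pending = Get-PendingDeletes
$mbamLogLines | ForEach-Object { Test-MbamDetection $_ $pending } |
    Format-Table Path, Detection, Exists, Signature, DeleteQueued -AutoSize
```

A path that no longer exists on disk yet keeps being reported, with no delete queued, points at something interfering with the scanner rather than at the file itself, which is where this thread eventually lands.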



I do not have those files, as I uninstalled Java when I first caught this. I had trouble with the uninstall and, as mentioned in my first post, I deleted all the Java folders I could find. I did a reinstall of Java a few weeks ago and there seems to be no Java folder in Program Files (x86), but there is one in Program Files.


  • Staff

Hi,

Please download SystemLook from one of the links below and save it to your Desktop.

Download Mirror #1

Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :filefind
    Java™.exe
    JavaSDK.exe
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt

-screen317


  • Staff

chirps,

I am consulting with our developers and will be back with you as soon as possible. We appreciate your patience.

In the meantime, could you please update your database and confirm that the latest database is still detecting this?

If so, please reboot to Safe Mode (tap the F8 key just before Windows starts to load and select the Safe Mode option from the menu). Run a scan from Safe Mode and see if the detections still occur.

-screen317


  • Staff

Hi,

Your security software could be interfering here.

To troubleshoot, first please uninstall Avira, restart your computer, and see if the detections are still occurring. If so, uninstall Comodo completely, restart, and try again. If it's still being detected, uninstall SUPERAntiSpyware, restart your computer, and try again.

If the detections persist, let me know and we'll try something else.


  • Staff

Great, we've found the culprit then.

Reinstall Comodo and see if you can add these files to its exclusion list:

* C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

* C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

* C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

* C:\Program Files\Malwarebytes' Anti-Malware\zlib.dll

* C:\Program Files\Malwarebytes' Anti-Malware\mbam.dll

* C:\Program Files\Malwarebytes' Anti-Malware\mbamext.dll

* C:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware\rules.ref

* C:\Windows\System32\drivers\mbam.sys

* C:\Windows\System32\drivers\mbamswissarmy.sys

After that, restart your computer, run a scan with MBAM, and see if the detections persist.


OK, the only files I could not find to add to the trusted application list were:

C:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware\rules.ref

C:\Windows\System32\drivers\mbamswissarmy.sys

Ran a scan without the two applications on the list and Malwarebytes showed no detections.


  • Staff

Glad we could help. ;)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance, please start your own topic in a new thread. Thanks!
