Jump to content

Unsure if I'm clean after spy.qwas infect


Recommended Posts

Hello Malwarebytes,

I recently ( yesterday ) had a problem with spy.qwas.exe and after I am not sure wether it has been successfully removed after reading through a few threads here.

I am using Windows 7 found the infect via Avira and used Malwarebytes quick-scan to remove and then delete all files found. In addition to that, I ran ComboFix. All symptoms seem to be gone but I don't know if all is really safe. A Full Malwarebytes and an Avira scan both showed me 0 infects/warnings.

I am a bit worried if it is really gone since it managed to get to my online banking ( which automatically locked up so nothing happend except for me having to reactivate it ). I am not sure which Logs to post since the Malwarebytes log contains no information except for that there are 0 infects etc..

Should i do any further actions?

Thanks in advance.



Link to post
Share on other sites

  • 2 weeks later...
  • Staff

Certainly. :(

Update MBAM, run a Quick Scan, and post its log.

Next, download DDS by sUBs and save it to your Desktop.

Double-click on the DDS icon and let the scan run. When it has run two logs will be produced, please post DDS.txt directly into your reply.

Let me know how things are running now and what issues remain.

Link to post
Share on other sites

Hello again :)

To start of - im not experiencing any issues/problems at the moment. I only noticed the trojan since it doubled the " ^^ `` " symbols and googled it. I am not sure if you need this information, but I found spy.qwas.exe (Trojan.SpyEyes) with MBAM and then deleted it. A scan with Avira then marked JAVA/OpenConnect.AI as an unwanted virus and removed it. (this all happend a few days ago).

Currently, neither MBAM nor Avira finds any unwanted programs. My main problem is that not finding anything doesnt mean nothing is there.

Here are the logs you requested, i hope the language in the mbam log is no problem since there are no warnings etc. :

Malwarebytes' Anti-Malware


Datenbank Version: 5891

Windows 6.1.7601 Service Pack 1

Internet Explorer 8.0.7601.17514

27.02.2011 12:33:17

mbam-log-2011-02-27 (12-33-17).txt

Art des Suchlaufs: Quick-Scan

Durchsuchte Objekte: 173248

Laufzeit: 1 Minute(n), 47 Sekunde(n)

Infizierte Speicherprozesse: 0

Infizierte Speichermodule: 0

Infizierte Registrierungsschl

Link to post
Share on other sites

  • Staff


It's okay; my German is good enough.. :lol:

Please visit this webpage for instructions for running ComboFix:


  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new DDS log so we may continue cleaning the system.


Link to post
Share on other sites


here are the 2 logs. I just noticed avira reactivated after the combofix reboot and was aktive while dds ran, I hope this didnt cause any problems.

Thank you again for spending your time checking if all is clean or not, it really helps me alot!


DDS (Ver_10-12-12.02) - NTFS_AMD64

Run by Lee Sch at 2:51:10,39 on 02.03.2011

Internet Explorer: 8.0.7601.17514 BrowserJavaVersion: 1.6.0_24

Microsoft Windows 7 Home Premium 6.1.7601.1.1252.49.1031.18.4027.2667 [GMT 1:00]

AV: AntiVir Desktop *Enabled/Updated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

SP: AntiVir Desktop *Enabled/Updated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}

============== Running Processes ===============



C:\windows\system32\svchost.exe -k DcomLaunch


C:\windows\system32\svchost.exe -k RPCSS

C:\windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\windows\system32\svchost.exe -k netsvcs

C:\windows\system32\svchost.exe -k LocalService

C:\Program Files (x86)\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe

C:\windows\system32\svchost.exe -k NetworkService




C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe

C:\windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe

C:\Program Files (x86)\Bonjour\mDNSResponder.exe

C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe


C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe



C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe


C:\windows\system32\svchost.exe -k imgsvc




C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe

C:\Program Files\TOSHIBA\TECO\TecoService.exe




C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe



C:\Program Files\Toshiba\Power Saver\TPwrMain.exe

C:\Program Files\Toshiba\SmoothView\SmoothView.exe

C:\Program Files\Toshiba\FlashCards\TCrdMain.exe

C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe

C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe


C:\Program Files\Toshiba\TECO\Teco.exe

C:\Program Files\Toshiba\ReelTime\TosReelTimeMonitor.exe

C:\Program Files\Toshiba\BulletinBoard\TosNcCore.exe

C:\Program Files (x86)\Logitech\SetPoint\SetPoint.exe

C:\Program Files\Synaptics\SynTP\SynTPHelper.exe

C:\Program Files\TOSHIBA\FlashCards\Hotkey\TcrdKBB.exe

C:\Program Files (x86)\TOSHIBA\Utilities\KeNotify.exe

C:\Program Files (x86)\TOSHIBA\TRCMan\TRCMan.exe


C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe

C:\Program Files (x86)\Logitech\SetPoint\x86\SetPoint32.exe

C:\Program Files (x86)\TOSHIBA\ConfigFree\NDSTray.exe

C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe

C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE

C:\Program Files (x86)\TOSHIBA\ConfigFree\CFSwMgr.exe

C:\Program Files (x86)\TOSHIBA\ConfigFree\CFIWmxSvcs64.exe

C:\Program Files (x86)\TOSHIBA\ConfigFree\CFSvcs.exe

C:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe

C:\Program Files\TOSHIBA\TPHM\TPCHSrv.exe

C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSENotify.exe

C:\Program Files\TOSHIBA\TPHM\TPCHWMsg.exe

C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe

C:\windows\System32\svchost.exe -k secsvcs

C:\Program Files\Windows Media Player\wmpnetwk.exe







C:\Users\Lee Sch\Desktop\dds.scr



============== Pseudo HJT Report ===============

uStart Page = hxxp://toshiba.msn.com

uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\PROGRA~2\mcafee\SITEAD~1\mcieplg.dll

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File

BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\PROGRA~2\mcafee\SITEAD~1\mcieplg.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll

BHO: TOSHIBA Media Controller Plug-in: {f3c88694-effa-4d78-b409-54b7b2535b14} - C:\Program Files (x86)\TOSHIBA\TOSHIBA Media Controller Plug-in\TOSHIBAMediaControllerIE.dll

TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\PROGRA~2\mcafee\SITEAD~1\mcieplg.dll

mRun: [sVPWUTIL] C:\Program Files (x86)\TOSHIBA\Utilities\SVPWUTIL.exe SVPwUTIL

mRun: [HWSetup] C:\Program Files\TOSHIBA\Utilities\HWSetup.exe hwSetUP

mRun: [KeNotify] C:\Program Files (x86)\TOSHIBA\Utilities\KeNotify.exe

mRun: [TRCMan] C:\Program Files (x86)\TOSHIBA\TRCMan\TRCMan.exe

mRun: [TWebCamera] "C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe" autorun

mRun: [avgnt] "C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe" /min

mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"

mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

mRun: [sunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"

dRun: [TOSHIBA Online Product Information] C:\Program Files (x86)\TOSHIBA\TOSHIBA Online Product Information\topi.exe

StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\LOGITE~1.LNK - C:\Program Files (x86)\Logitech\SetPoint\SetPoint.exe

mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)

mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

IE: Free YouTube to Mp3 Converter - C:\Users\Lee Sch\AppData\Roaming\DVDVideoSoftIEHelpers\youtubetomp3.htm

IE: Nach Microsoft &Excel exportieren - C:\PROGRA~2\MIF5BA~1\OFFICE11\EXCEL.EXE/3000

IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MIF5BA~1\OFFICE11\REFIEBAR.DLL

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab

DPF: {EF0D1A14-1033-41A2-A589-240C01EDC078} - hxxp://dl.pplive.com/PluginSetup.cab

Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~2\McAfee\SITEAD~1\McIEPlg.dll

Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~2\McAfee\SITEAD~1\McIEPlg.dll

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL




mRun-x64: [NvCplDaemon] RUNDLL32.EXE C:\windows\system32\NvCpl.dll,NvStartup

mRun-x64: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE

mRun-x64: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe

mRun-x64: [smoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe

mRun-x64: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe

mRun-x64: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s

mRun-x64: [RtHDVBg] C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe /FORPCEE3

mRun-x64: [synTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe

mRun-x64: [ThpSrv] C:\windows\system32\thpsrv /logon

mRun-x64: [Teco] "%ProgramFiles%\TOSHIBA\TECO\Teco.exe" /r

mRun-x64: [TosSENotify] C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosWaitSrv.exe

mRun-x64: [TosWaitSrv] %ProgramFiles%\TOSHIBA\TPHM\TosWaitSrv.exe

mRun-x64: [smartFaceVWatcher] %ProgramFiles%\Toshiba\SmartFaceV\SmartFaceVWatcher.exe

mRun-x64: [TosReelTimeMonitor] %ProgramFiles%\TOSHIBA\ReelTime\TosReelTimeMonitor.exe

mRun-x64: [TosNC] %ProgramFiles%\Toshiba\BulletinBoard\TosNcCore.exe

mRun-x64: [TosVolRegulator] C:\Program Files\TOSHIBA\TosVolRegulator\TosVolRegulator.exe

mRun-x64: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE

================= FIREFOX ===================

FF - ProfilePath - C:\Users\LEESCH~1\AppData\Roaming\Mozilla\Firefox\Profiles\fknjbp8e.default\

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: keyword.URL - hxxp://de.search.yahoo.com/search?fr=mcafee&p=

FF - component: C:\Program Files (x86)\McAfee\SiteAdvisor\components\McFFPlg.dll

FF - plugin: C:\Program Files (x86)\DivX\DivX Plus Web Player\npdivx32.dll

FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npwachk.dll

FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll

FF - plugin: C:\Users\Lee Sch\AppData\Roaming\Mozilla\plugins\npoctoshape.dll

FF - plugin: C:\windows\SysWOW64\Macromed\Flash\NPSWF32.dll

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - C:\Program Files (x86)\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}

FF - Ext: McAfee SiteAdvisor: {B7082FAA-CB62-4872-9106-E42DD88EDE45} - C:\Program Files (x86)\McAfee\SiteAdvisor

FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}

FF - Ext: NoScript: {73a6fe31-595d-460b-a920-fcc0f8843232} - %profile%\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}

============= SERVICES / DRIVERS ===============

R0 Thpdrv;TOSHIBA HDD Protection Driver;C:\Windows\System32\drivers\thpdrv.sys [2009-6-29 34880]

R0 Thpevm;TOSHIBA HDD Protection - Shock Sensor Driver;C:\Windows\System32\drivers\Thpevm.sys [2009-6-29 14784]

R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\System32\drivers\vwififlt.sys [2009-7-14 59904]

R2 AntiVirSchedulerService;Avira AntiVir Planer;C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe [2010-8-13 135336]

R2 AntiVirService;Avira AntiVir Guard;C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe [2010-8-13 267944]

R2 avgntflt;avgntflt;C:\Windows\System32\drivers\avgntflt.sys [2010-8-13 83120]

R2 cfWiMAXService;ConfigFree WiMAX Service;C:\Program Files (x86)\TOSHIBA\ConfigFree\CFIWmxSvcs64.exe [2010-1-28 249200]

R2 ConfigFree Service;ConfigFree Service;C:\Program Files (x86)\TOSHIBA\ConfigFree\CFSvcs.exe [2009-3-10 46448]

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;C:\PROGRA~2\mcafee\SITEAD~1\McSACore.exe [2011-2-8 101048]

R2 TOSHIBA eco Utility Service;TOSHIBA eco Utility Service;C:\Program Files\Toshiba\TECO\TecoService.exe [2010-4-6 258928]

R2 TVALZFL;TOSHIBA ACPI-Based Value Added Logical and General Purpose Device Filter Driver;C:\Windows\System32\drivers\TVALZFL.sys [2009-6-19 14472]

R2 UNS;Intel® Management & Security Application User Notification Service;C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2010-5-14 2320920]

R2 vpnagent;Cisco AnyConnect VPN Agent;C:\Program Files (x86)\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe [2011-1-10 603896]

R3 enecir;ENE CIR Receiver;C:\Windows\System32\drivers\enecir.sys [2009-6-29 70656]

R3 enecirhid;ENE CIR HID Receiver;C:\Windows\System32\drivers\enecirhid.sys [2009-5-19 14848]

R3 enecirhidma;ENE CIR HIDmini Filter;C:\Windows\System32\drivers\enecirhidma.sys [2008-4-24 6656]

R3 HECIx64;Intel® Management Engine Interface;C:\Windows\System32\drivers\HECIx64.sys [2010-5-14 56344]

R3 JMCR;JMCR;C:\Windows\System32\drivers\jmcr.sys [2010-5-26 164464]

R3 NVHDA;Service for NVIDIA High Definition Audio Driver;C:\Windows\System32\drivers\nvhda64v.sys [2010-1-28 86120]

R3 PGEffect;Pangu effect driver;C:\Windows\System32\drivers\PGEffect.sys [2010-5-14 35008]

R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\System32\drivers\Rt64win7.sys [2010-5-14 330856]

R3 TOSHIBA HDD SSD Alert Service;TOSHIBA HDD SSD Alert Service;C:\Program Files\Toshiba\TOSHIBA HDD SSD Alert\TosSmartSrv.exe [2010-2-5 137560]

R3 TPCHSrv;TPCH Service;C:\Program Files\Toshiba\TPHM\TPCHSrv.exe [2010-2-23 835952]

R3 vwifimp;Microsoft Virtual WiFi Miniport Service;C:\Windows\System32\drivers\vwifimp.sys [2009-7-14 17920]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]

S3 acpials;ALS-Sensorfilter;C:\Windows\System32\drivers\acpials.sys [2009-7-14 9728]

S3 TMachInfo;TMachInfo;C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe [2010-5-14 51512]

S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2011-2-24 59392]

S4 nvUpdatusService;NVIDIA Update Service Daemon;C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [2010-5-14 1800808]

=============== Created Last 30 ================

2011-03-02 01:40:24 -------- d-sh--w- C:\$RECYCLE.BIN

2011-03-02 01:33:37 98816 ----a-w- C:\windows\sed.exe

2011-03-02 01:33:37 89088 ----a-w- C:\windows\MBR.exe

2011-03-02 01:33:37 256512 ----a-w- C:\windows\PEV.exe

2011-03-02 01:33:37 161792 ----a-w- C:\windows\SWREG.exe

2011-02-25 07:41:40 7947600 ----a-w- C:\PROGRA~3\Microsoft\Windows Defender\Definition Updates\{8352A644-7BA7-42EC-AF58-6B0079CC135C}\mpengine.dll

2011-02-24 11:25:07 -------- d-----w- C:\windows\System32\SPReview

2011-02-24 11:24:16 -------- d-----w- C:\windows\System32\EventProviders

2011-02-24 11:20:16 48976 ----a-w- C:\windows\System32\netfxperf.dll

2011-02-24 11:20:16 1942856 ----a-w- C:\windows\System32\dfshim.dll

2011-02-24 11:20:09 1130824 ----a-w- C:\windows\SysWow64\dfshim.dll

2011-02-24 11:20:06 5563776 ----a-w- C:\windows\System32\ntoskrnl.exe

2011-02-24 11:20:04 59392 ----a-w- C:\windows\System32\drivers\TsUsbFlt.sys

2011-02-24 11:20:04 3715584 ----a-w- C:\windows\System32\mstscax.dll

2011-02-24 11:20:04 1838080 ----a-w- C:\windows\System32\d3d10warp.dll

2011-02-24 11:20:04 14967808 ----a-w- C:\Program Files\DVD Maker\OmdBase.dll

2011-02-24 11:20:04 12288 ----a-w- C:\windows\System32\TsUsbRedirectionGroupPolicyExtension.dll

2011-02-24 11:20:02 3215872 ----a-w- C:\windows\SysWow64\mstscax.dll

2011-02-24 11:17:59 94208 ----a-w- C:\windows\SysWow64\eappgnui.dll

2011-02-24 11:16:39 529408 ----a-w- C:\windows\System32\wbemcomn.dll

2011-02-24 11:16:39 524288 ----a-w- C:\windows\System32\wmicmiplugin.dll

2011-02-24 11:16:39 1225216 ----a-w- C:\windows\System32\wbem\wbemcore.dll

2011-02-24 11:16:34 933376 ----a-w- C:\windows\System32\SmiEngine.dll

2011-02-24 11:16:30 199168 ----a-w- C:\windows\System32\PkgMgr.exe

2011-02-24 11:16:14 422912 ----a-w- C:\windows\System32\drvstore.dll

2011-02-24 11:16:14 399872 ----a-w- C:\windows\System32\dpx.dll

2011-02-23 09:08:12 321024 ----a-w- C:\windows\System32\d3d10_1core.dll

2011-02-23 09:08:12 219136 ----a-w- C:\windows\SysWow64\d3d10_1core.dll

2011-02-23 09:08:12 197120 ----a-w- C:\windows\System32\d3d10_1.dll

2011-02-23 09:08:12 161792 ----a-w- C:\windows\SysWow64\d3d10_1.dll

2011-02-23 09:08:11 870912 ----a-w- C:\windows\SysWow64\XpsPrint.dll

2011-02-23 09:08:11 1465344 ----a-w- C:\windows\System32\XpsPrint.dll

2011-02-23 09:08:10 475648 ----a-w- C:\windows\System32\XpsGdiConverter.dll

2011-02-23 09:08:10 288256 ----a-w- C:\windows\SysWow64\XpsGdiConverter.dll

2011-02-18 22:51:46 472808 ----a-w- C:\windows\SysWow64\deployJava1.dll

2011-02-18 22:51:46 472808 ----a-w- C:\Program Files (x86)\Mozilla Firefox\plugins\npdeployJava1.dll

2011-02-18 12:58:51 214016 ----a-w- C:\windows\System32\winsrv.dll

2011-02-16 09:36:19 38224 ----a-w- C:\windows\SysWow64\drivers\mbamswissarmy.sys

2011-02-15 22:44:30 -------- d-----w- C:\Program Files (x86)\SpywareBlaster

2011-02-15 22:39:18 -------- d-----w- C:\Users\Lee Sch\AntivirProgs

2011-02-15 22:15:31 -------- d-----w- C:\Users\LEESCH~1\AppData\Roaming\Malwarebytes

2011-02-15 22:15:08 -------- d-----w- C:\PROGRA~3\Malwarebytes

2011-02-15 22:15:05 24152 ----a-w- C:\windows\System32\drivers\mbam.sys

2011-02-15 22:15:05 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware

2011-02-11 14:21:52 -------- d-----w- C:\Users\LEESCH~1\AppData\Local\Installer5404

2011-02-11 14:16:01 -------- d-----w- C:\Users\LEESCH~1\AppData\Local\Installer5840

2011-02-10 10:01:17 -------- d-----w- C:\Program Files (x86)\VideoLAN

2011-02-09 08:37:15 1638912 ----a-w- C:\windows\SysWow64\mshtml.tlb

2011-02-09 08:37:15 1638912 ----a-w- C:\windows\System32\mshtml.tlb

2011-02-09 08:37:09 612864 ----a-w- C:\windows\System32\vbscript.dll

2011-02-09 08:37:09 428032 ----a-w- C:\windows\SysWow64\vbscript.dll

2011-02-09 08:37:07 3129344 ----a-w- C:\windows\System32\win32k.sys

2011-02-09 08:37:05 715776 ----a-w- C:\windows\System32\kerberos.dll

2011-02-09 08:37:05 542208 ----a-w- C:\windows\SysWow64\kerberos.dll

2011-02-09 08:36:00 70656 ----a-w- C:\windows\SysWow64\fontsub.dll

2011-02-09 08:36:00 46080 ----a-w- C:\windows\System32\atmlib.dll

2011-02-09 08:36:00 366592 ----a-w- C:\windows\System32\atmfd.dll

2011-02-09 08:36:00 34304 ----a-w- C:\windows\SysWow64\atmlib.dll

2011-02-09 08:36:00 294400 ----a-w- C:\windows\SysWow64\atmfd.dll

2011-02-09 08:36:00 100864 ----a-w- C:\windows\System32\fontsub.dll

==================== Find3M ====================

2011-02-24 11:31:29 175616 ----a-w- C:\windows\System32\msclmd.dll

2011-02-24 11:31:29 152576 ----a-w- C:\windows\SysWow64\msclmd.dll

2011-02-02 16:11:20 270720 ------w- C:\windows\System32\MpSigStub.exe

2011-01-10 19:09:30 8952 ----a-w- C:\windows\SysWow64\vpncategories.dll

2011-01-10 19:09:01 28920 ----a-w- C:\windows\SysWow64\vpnevents.dll

============= FINISH: 2:51:30,56 ===============


Combofix Log

ComboFix 11-02-28.07 - Lee Sch 02.03.2011 2:34.2.8 - x64

Microsoft Windows 7 Home Premium 6.1.7601.1.1252.49.1031.18.4027.2842 [GMT 1:00]


Link to post
Share on other sites

  • Staff


Please go to VirusTotal, and upload the following file for analysis:


Post the results in your reply.

Next, please run a free online scan with the ESET Online Scanner

Note: You will need to use Internet Explorer for this scan.

  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the ActiveX control to install
  4. Click Start
  5. Make sure that the options Remove found threats and the option Scan unwanted applications is checked
  6. Click Scan
    Wait for the scan to finish
  7. Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  8. Copy and paste that log as a reply to this topic

Next, download my Security Check from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Let me know how things are running now and what issues remain.


Link to post
Share on other sites

Hello again,

as I mentioned before, there are currently no noticeable issues. I am just trying to make sure every part of the malware has been removed. Everything is running fine as far as I can tell.

AhnLab-V3 2011.03.06.02 2011.03.06 -

AntiVir 2011.03.04 -

Antiy-AVL 2011.03.06 -

Avast 4.8.1351.0 2011.02.23 -

Avast5 5.0.677.0 2011.03.05 -

AVG 2011.03.05 -

BitDefender 7.2 2011.03.06 -

CAT-QuickHeal 11.00 2011.03.06 -

ClamAV 2011.03.05 -

Commtouch 2011.03.05 -

Comodo 7890 2011.03.06 -

DrWeb 2011.03.06 -

Emsisoft 2011.03.06 -

eSafe 2011.03.03 -

eTrust-Vet 36.1.8198 2011.03.04 -

F-Prot 2011.03.05 -

F-Secure 9.0.16440.0 2011.03.06 -

Fortinet 2011.03.06 -

GData 21 2011.03.06 -

Ikarus T3. 2011.03.06 -

Jiangmin 13.0.900 2011.03.06 -

K7AntiVirus 9.92.4032 2011.03.05 -

Kaspersky 2011.03.06 -

McAfee 5.400.0.1158 2011.03.06 -

McAfee-GW-Edition 2010.1C 2011.03.06 -

Microsoft 1.6603 2011.03.06 -

NOD32 5929 2011.03.06 -

Norman 6.07.03 2011.03.05 -

nProtect 2011-02-10.01 2011.02.15 -

Panda 2011.03.05 -

PCTools 2011.03.06 -

Prevx 3.0 2011.03.06 -

Rising 2011.03.06 -

Sophos 4.63.0 2011.03.06 -

SUPERAntiSpyware 2011.03.05 -

Symantec 20101.3.0.103 2011.03.06 -

TheHacker 2011.03.06 -

TrendMicro 2011.03.06 -

TrendMicro-HouseCall 2011.03.06 -

VBA32 2011.03.04 -

VIPRE 8613 2011.03.06 -

ViRobot 2011.3.6.4343 2011.03.05 -

VirusBuster 2011.03.05 -

Additional information

Show all

MD5 : eb77db354791a5932ca559b6f6374e95

SHA1 : 3b29aa577ea3830aae462b31239db6f7752d5a92

SHA256: 113816d464941c92a952f5593552e889cfda7e0389dc1b64031c3077c3cf7043

ssdeep: 6144:rK2j7VA5sHXPdamGdWY9r3NUrLwsG6Z3xAsuwKN2m/fN7:uoVIqMmGdWY9NUvKsLXm/l7

File size : 442880 bytes

First seen: 2011-02-27 13:28:41

Last seen : 2011-03-06 09:51:31

Magic: PE32 executable for MS Windows (DLL) (GUI) Intel 80386 32-bit


DirectShow filter (77.7%)

Win32 Executable MS Visual C++ (generic) (14.5%)

Win32 Executable Generic (3.2%)

Win32 Dynamic Link Library (generic) (2.9%)

Generic Win/DOS Executable (0.7%)


publisher....: Microsoft Corporation

copyright....: © Microsoft Corporation. All rights reserved.

product......: Microsoft_ Windows_ Operating System

description..: Shell extensions for sharing

original name: ntshrui.dll

internal name: ntshrui

file version.: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

comments.....: n/a

signers......: -

signing date.: -

verified.....: Unsigned

PEiD: -

PEInfo: PE structure information

[[ basic data ]]

entrypointaddress: 0x1F65

timedatestamp....: 0x4CE7B97E (Sat Nov 20 12:05:18 2010)

machinetype......: 0x14C (Intel I386)

[[ 4 section(s) ]]

name, viradd, virsiz, rawdsiz, ntropy, md5

.text, 0x1000, 0x2E44C, 0x2E600, 6.47, d2313ecbd6d9a888e7fb7142eea43679

.data, 0x30000, 0x1004, 0x1000, 2.69, 38a39fcf6a31c357494b86daa6825c6a

.rsrc, 0x32000, 0x3A3F8, 0x3A400, 5.59, 0cf88ab3ad1401d9c44ada312acce3e7

.reloc, 0x6D000, 0x2280, 0x2400, 6.66, cd08d9dc41335fa52b4a9d4e2730b57b

[[ 9 import(s) ]]

api_ms_win_security_base_l1_1_0.dll: GetSidSubAuthority, GetSecurityDescriptorDacl, EqualPrefixSid, InitializeSecurityDescriptor, MakeAbsoluteSD2, AddAce, DeleteAce, GetFileSecurityW, InitializeAcl, AddAccessDeniedAceEx, AccessCheck, DuplicateToken, IsValidSid, GetLengthSid, CopySid, SetFileSecurityW, GetSidSubAuthorityCount, EqualSid, SetSecurityDescriptorDacl, SetSecurityDescriptorOwner, GetAclInformation, GetAce, GetSecurityDescriptorOwner, IsWellKnownSid, CreateWellKnownSid, GetSecurityDescriptorLength, IsValidSecurityDescriptor, MakeSelfRelativeSD, GetTokenInformation, SetSecurityDescriptorControl, AddAccessAllowedAceEx, GetSecurityDescriptorControl, MapGenericMask

gdi32.dll: GetDeviceCaps, GetStockObject, GetLayout, SetBkMode, GetTextExtentPoint32W, GetTextMetricsW, CreateFontW, SelectObject, SetTextColor, DeleteObject

kernel32.dll: GetModuleHandleW, MulDiv, GlobalSize, SetErrorMode, WideCharToMultiByte, LoadResource, LockResource, GetComputerNameExW, SetUnhandledExceptionFilter, TerminateProcess, GetSystemTimeAsFileTime, GetCurrentProcessId, GetCurrentThreadId, GetTickCount, QueryPerformanceCounter, InterlockedExchange, LoadLibraryExA, InterlockedCompareExchange, DelayLoadFailureHook, InitializeCriticalSectionAndSpinCount, GlobalAlloc, GlobalFree, GlobalLock, GlobalUnlock, GetUserDefaultLCID, FindFirstFileW, FindNextFileW, FindClose, CompareStringW, GetFileAttributesW, GetCurrentThread, GetCurrentProcess, GetSystemDirectoryW, GetVolumePathNameW, GetVolumeInformationW, FormatMessageW, CreateMutexW, WaitForSingleObject, ReleaseMutex, CloseHandle, lstrcmpiW, FreeLibrary, GetWindowsDirectoryW, GetDriveTypeW, InitOnceExecuteOnce, DisableThreadLibraryCalls, Sleep, HeapFree, GetProcessHeap, HeapAlloc, CompareStringOrdinal, LocalReAlloc, DeleteCriticalSection, InitializeCriticalSection, LeaveCriticalSection, EnterCriticalSection, GetComputerNameW, GetLastError, lstrlenW, LocalAlloc, SetLastError, LoadLibraryW, GetProcAddress, LocalFree, InterlockedDecrement, InterlockedIncrement, FindResourceExW, CreateActCtxW, ReleaseActCtx, ActivateActCtx, DeactivateActCtx, GetModuleFileNameW, GetLocaleInfoW, UnhandledExceptionFilter, GetUserDefaultUILanguage

msvcrt.dll: memset, wcschr, _wcsnicmp, _vsnwprintf, _wcsicmp, memcpy, towlower, memmove, _XcptFilter, malloc, free, _initterm, _amsg_exit, _unlock, __dllonexit, _lock, iswalpha, _onexit, _except_handler4_common

ntdll.dll: RtlInitUnicodeString, RtlMapGenericMask, RtlDosPathNameToNtPathName_U, NtOpenFile, EtwTraceMessage, EtwGetTraceEnableFlags, EtwGetTraceEnableLevel, EtwGetTraceLoggerHandle, EtwRegisterTraceGuidsW, EtwUnregisterTraceGuids, EtwEventRegister, EtwEventUnregister, EtwEventWrite, WinSqmAddToStream, WinSqmIsOptedIn, RtlFreeUnicodeString, RtlCreateUnicodeString, RtlNtStatusToDosError

propsys.dll: PropVariantToBoolean, PropVariantToUInt32, PropVariantToStringAlloc, PropVariantToGUID, VariantToBuffer

shell32.dll: SHGetFolderPathW, SHCreateShellItemArrayFromDataObject, -, -, SHGetFileInfoW, SHCreateItemWithParent, -, ShellExecuteW, ShellExecuteExW, SHGetIDListFromObject, -, -, -, -, -, SHCreateItemFromParsingName, -, -, -, SHCreateShellItemArrayFromIDLists, SHParseDisplayName, SHChangeNotify, SHCreateShellItemArrayFromShellItem, SHCreateItemFromIDList, SHGetFolderPathEx, SHGetKnownFolderItem

shlwapi.dll: SHSetValueW, -, -, -, -, -, SHGetValueW, PathCombineW, -, PathCanonicalizeW, PathBuildRootW, PathGetDriveNumberW, PathRemoveFileSpecW, StrStrW, -, StrDupW, StrCmpIW, PathAppendW, PathIsDirectoryW, PathFileExistsW, PathStripToRootW, SHStrDupA, -, StrRChrW, -, -, -, -, -, -, -, StrChrW, PathRemoveBackslashW, PathIsUNCW, StrCSpnW, PathRemoveBlanksW, PathFindFileNameW, PathCommonPrefixW, SHStrDupW, -, -, SHRegGetValueW, -, PathIsRootW, PathIsNetworkPathW, -, -, -, -, -

user32.dll: DialogBoxParamW, IsProcessDPIAware, CreatePopupMenu, InsertMenuItemW, InsertMenuW, GetLastActivePopup, SwitchToThisWindow, RegisterClassW, GetCursorPos, UnregisterClassW, DefWindowProcW, FindWindowW, GetClassNameW, CreateWindowExW, GetWindow, DeleteMenu, GetAncestor, FlashWindowEx, OpenClipboard, EmptyClipboard, SetClipboardData, CloseClipboard, MapDialogRect, SetWindowPos, GetKeyState, GetWindowTextLengthW, GetWindowTextW, RegisterClipboardFormatW, ClientToScreen, LoadMenuW, GetSubMenu, GetMenuItemCount, GetMenuItemInfoW, SetMenuItemInfoW, SetForegroundWindow, TrackPopupMenu, DestroyMenu, GetSysColor, LoadIconW, DestroyIcon, GetDC, DrawTextW, ReleaseDC, LoadCursorW, SetCursor, GetSystemMetrics, IsWindowVisible, GetClientRect, BeginDeferWindowPos, DeferWindowPos, EndDeferWindowPos, GetWindowRect, MapWindowPoints, DestroyWindow, PostMessageW, SetWindowTextW, EndDialog, GetDlgItemTextW, CheckRadioButton, SetFocus, IsDlgButtonChecked, SetDlgItemTextW, ShowWindow, SendDlgItemMessageW, GetDlgItem, CheckDlgButton, EnableWindow, GetParent, SetWindowLongW, GetWindowLongW, SendMessageW, LoadStringW

[[ 15 export(s) ]]

CanShareFolder, DllCanUnloadNow, DllGetClassObject, GetLocalPathFromNetResource, GetLocalPathFromNetResourceA, GetLocalPathFromNetResourceW, GetNetResourceFromLocalPath, GetNetResourceFromLocalPathA, GetNetResourceFromLocalPathW, IsFolderPrivateForUser, IsPathShared, IsPathSharedA, IsPathSharedW, SetFolderPermissionsForSharing, ShowShareFolderUI


file metadata

CharacterSet: Unicode

CodeSize: 189952

CompanyName: Microsoft Corporation

EntryPoint: 0x1f65

FileDescription: Shell extensions for sharing

FileFlagsMask: 0x003f

FileOS: Windows NT 32-bit

FileSize: 432 kB

FileSubtype: 0

FileType: Win32 DLL

FileVersion: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

FileVersionNumber: 6.1.7601.17514

ImageVersion: 6.1

InitializedDataSize: 252416

InternalName: ntshrui

LanguageCode: English (U.S.)

LegalCopyright: Microsoft Corporation. All rights reserved.

LinkerVersion: 9.0

MIMEType: application/octet-stream

MachineType: Intel 386 or later, and compatibles

OSVersion: 6.1

ObjectFileType: Executable application

OriginalFilename: ntshrui.dll

PEType: PE32

ProductName: Microsoft Windows Operating System

ProductVersion: 6.1.7601.17514

ProductVersionNumber: 6.1.7601.17514

Subsystem: Windows GUI

SubsystemVersion: 6.1

TimeStamp: 2010:11:20 13:05:18+01:00

UninitializedDataSize: 0

VT Community


This file has never been reviewed by any VT Community member. Be the first one to comment on it!

ESET found no infects - log file :

ESETSmartInstaller@High as CAB hook log:

OnlineScanner64.ocx - registred OK

OnlineScanner.ocx - registred OK

Securitycheck Log

Results of screen317's Security Check version 0.99.9

Windows 7 (UAC is enabled)

Internet Explorer 8


Antivirus/Firewall Check:

Avira AntiVir Personal - Free Antivirus

WMI entry may not exist for antivirus; attempting automatic update.

Avira successfully updated!


Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware

Java 6 Update 24

Adobe Flash Player

Adobe Reader 9.4.2 - Deutsch

Out of date Adobe Reader installed!

Mozilla Firefox (3.6.15)


Process Check:

objlist.exe by Laurent

Avira Antivir avgnt.exe

Avira Antivir avguard.exe

``````````End of Log````````````

I really hope there is nothing to find and I can safely go back to using the comp. for private purposes.



Link to post
Share on other sites

  • Staff


Navigate to Start --> Run, and type Combofix /uninstall in the box that appears. Click OK afterward. Notice the space between the X and the /uninstall

This uninstalls all of ComboFix's components.

Delete SecurityCheck.

Now that your computer seems to be in proper working order, please take the following steps to help prevent reinfection:

1) Download and install Javacool's SpywareBlaster, which will prevent malware from being installed on your computer. A tutorial on it can be found here.

2) Download and install IE-Spyad, which will place over 5000 'bad' sites on your Internet Explorer Restricted List. A tutorial on it can be found here.

3) Go to Windows Update frequently to get all of the latest updates (security or otherwise) for Windows.

4) Make sure your programs are up to date! Older versions may contain security risks. To find out what programs need to be updated, please run Secunia's Software Inspector.

5) WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:

  • Green to go
  • Yellow for caution
  • Red to stop

WOT has an addon available for both Firefox and IE.

6) Be sure to update your Antivirus and Antispyware programs often!

Finally, please also take the time to read Tony Klein's excellent article on: So How Did I Get Infected in the First Place?

Safe surfing,


Link to post
Share on other sites

  • 3 weeks later...
  • Staff

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

Link to post
Share on other sites

This topic is now closed to further replies.

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.