
Roaming\spoolsv.exe



Hi everyone!

Running Win7 Ultimate x64 with Avast 6 and MBAM 1.50.1 and HiJackThis 2.0.4

I noticed a rather odd "8306.exe has stopped working" message the other day and did a quick scan using Avast to find some kinda malware hidden in startup. I immediately booted up safe mode and did a Full avast scan (another dll found) and a Full MBAM scan (with heuristics - lots of stuff found)

But there's still this spoolsv.exe in my Users/Me/AppData/Roaming/ folder as well as an lsm.exe in a spoolsv folder in the same path. Subsequent scans using both Avast and MBAM gave clean results but I still see them running :( And after a few more boots I decided to scan again just to make sure. Avast gave me a green but MBAM said much was going on (log attached)

Please help me get rid of em once and for all!

HiJackThis log:

Logfile of Trend Micro HijackThis v2.0.4

Scan saved at 9:59:36 PM, on 4/5/2011

Platform: Windows 7 SP1 (WinNT 6.00.3505)

MSIE: Internet Explorer v9.00 (9.00.8112.16421)

Boot mode: Normal

Running processes:

C:\Programs\CleanMem\mini_monitor.exe

C:\Programs\DAEMON Tools Lite\DTLite.exe

C:\Programs\Vuze\Azureus.exe

C:\Programs\FeedDemon\FeedDemon.exe

C:\Programs\Free Download Manager\fdm.exe

C:\Programs\uTorrent\uTorrent.exe

C:\Programs\Codebox\BitMeter\BitMeter2.exe

C:\Programs\HP\Digital Imaging\bin\hpqtra08.exe

C:\Users\Admin\AppData\Roaming\spoolsv\lsm.exe

C:\Programs\ASUS\Fan Xpert\QFanHelp.exe

C:\Programs\Alwil Software\Avast5\AvastUI.exe

C:\Programs\HP\HP Software Update\hpwuSchd2.exe

C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe

C:\Programs\Unlocker\UnlockerAssistant.exe

C:\Programs\HP\Digital Imaging\bin\hpqSTE08.exe

C:\Programs\HP\Digital Imaging\bin\hpqbam08.exe

C:\Programs\HP\Digital Imaging\bin\hpqgpc01.exe

C:\Programs\Mozilla Firefox\firefox.exe

C:\Programs\Spybot - Search & Destroy\TeaTimer.exe

C:\Programs\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

F2 - REG:system.ini: UserInit=userinit.exe,

O1 - Hosts: ::1 localhost

O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Programs\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programs\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~2\MICROS~3\Office14\GROOVEEX.DLL

O2 - BHO: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Programs\Alwil Software\Avast5\aswWebRepIE.dll

O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~2\MICROS~3\Office14\URLREDIR.DLL

O2 - BHO: Free Download Manager - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Programs\Free Download Manager\iefdm2.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll

O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Programs\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll

O3 - Toolbar: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Programs\Alwil Software\Avast5\aswWebRepIE.dll

O4 - HKLM\..\Run: [HDAudDeck] C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe -r

O4 - HKLM\..\Run: [QFan Help] "C:\Programs\ASUS\Fan Xpert\QFanHelp.exe"

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programs\Adobe\Reader 10.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

O4 - HKLM\..\Run: [avast5] "C:\Programs\Alwil Software\Avast5\avastUI.exe" /nogui

O4 - HKLM\..\Run: [HP Software Update] C:\Programs\HP\HP Software Update\HPWuSchd2.exe

O4 - HKLM\..\Run: [hpqSRMon] C:\Programs\HP\Digital Imaging\bin\hpqSRMon.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"

O4 - HKLM\..\Run: [startCCC] "c:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun

O4 - HKLM\..\Run: [unlockerAssistant] "C:\Programs\Unlocker\UnlockerAssistant.exe"

O4 - HKLM\..\Run: [Print Spooler] C:\Users\Admin\AppData\Roaming\spoolsv.exe

O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Programs\DAEMON Tools Lite\DTLite.exe" -autorun

O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Programs\SUPERAntiSpyware\SUPERAntiSpyware.exe

O4 - HKCU\..\Run: [Azureus] C:\Programs\Vuze\Azureus.exe

O4 - HKCU\..\Run: [FeedDemon] "C:\Programs\FeedDemon\FeedDemon.exe" /startminimized

O4 - HKCU\..\Run: [Free Download Manager] "C:\Programs\Free Download Manager\fdm.exe" -autorun

O4 - HKCU\..\Run: [sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun

O4 - HKCU\..\Run: [uTorrent] "C:\Programs\uTorrent\uTorrent.exe"

O4 - HKCU\..\Run: [6tg76t76fr65f7yh] C:\Users\Admin\AppData\Roaming\spoolsv\lsm.exe

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Programs\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKLM\..\Policies\Explorer\Run: [Print Spooler] C:\Users\Admin\AppData\Roaming\spoolsv.exe

O4 - HKUS\S-1-5-19\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')

O4 - Global Startup: Bitmeter2.lnk = C:\Programs\Codebox\BitMeter\BitMeter2.exe

O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Programs\HP\Digital Imaging\bin\hpqtra08.exe

O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Programs\Free Download Manager\dlall.htm

O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Programs\Free Download Manager\dlselected.htm

O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Programs\Free Download Manager\dlfvideo.htm

O8 - Extra context menu item: Download with Free Download Manager - file://C:\Programs\Free Download Manager\dllink.htm

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\Programs\MICROS~1\Office14\EXCEL.EXE/3000

O8 - Extra context menu item: Se&nd to OneNote - res://C:\Programs\MICROS~1\Office14\ONBttnIE.dll/105

O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: Se&nd to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll

O9 - Extra button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll

O9 - Extra 'Tools' menuitem: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll

O9 - Extra button: Show or hide HP Smart Web Printing - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Programs\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Programs\Spybot - Search & Destroy\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Programs\Spybot - Search & Destroy\SDHelper.dll

O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll

O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll

O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics

O17 - HKLM\System\CCS\Services\Tcpip\..\{03D3A595-CF69-4716-8807-F604E64839C1}: NameServer = 115.69.240.12 115.69.240.11

O17 - HKLM\System\CS1\Services\Tcpip\..\{03D3A595-CF69-4716-8807-F604E64839C1}: NameServer = 115.69.240.12 115.69.240.11

O18 - Protocol: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll

O18 - Filter hijack: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL

O23 - Service: SAS Core Service (!SASCORE) - SUPERAntiSpyware.com - C:\Programs\SUPERAntiSpyware\SASCORE64.EXE

O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)

O23 - Service: AMD External Events Utility - Unknown owner - C:\Windows\system32\atiesrxx.exe (file missing)

O23 - Service: avast! Antivirus - AVAST Software - C:\Programs\Alwil Software\Avast5\AvastSvc.exe

O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)

O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files (x86)\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)

O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)

O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)

O23 - Service: PretonSaver (PretonClientService) - Unknown owner - C:\Programs\Preton\PretonSaver\PretonClientService.exe

O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)

O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)

O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)

O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Programs\Spybot - Search & Destroy\SDWinSec.exe

O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)

O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)

O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)

O23 - Service: TuneUp Utilities Service (TuneUp.UtilitiesSvc) - TuneUp Software - C:\Programs\TuneUp Utilities 2011\TuneUpUtilitiesService64.exe

O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)

O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)

O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)

O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)

O23 - Service: @%SystemRoot%\system32\Wat\WatUX.exe,-601 (WatAdminSvc) - Unknown owner - C:\Windows\system32\Wat\WatAdminSvc.exe (file missing)

O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)

O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)

O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

--

End of file - 12140 bytes

MBAM log:

Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Database version: 6278

Windows 6.1.7601 Service Pack 1 (Safe Mode)

Internet Explorer 9.0.8112.16421

4/5/2011 8:21:32 PM

mbam-log-2011-04-05 (20-21-32).txt

Scan type: Quick scan

Objects scanned: 166731

Time elapsed: 1 minute(s), 29 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 7

Registry Values Infected: 10

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 5

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CLASSES_ROOT\CLSID\{5AFE4FB1-BC8C-DFDB-A8EC-F12D5FC8AE80} (Heuristics.Shuriken) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{5AFE4FB1-BC8C-DFDB-A8EC-F12D5FC8AE80} (Heuristics.Shuriken) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{5AFE4FB1-BC8C-DFDB-A8EC-F12D5FC8AE80} (Heuristics.Shuriken) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{EEFBE68F-7EAF-B9FC-EAA6-EADCB5DADFD1} (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{EEFBE68F-7EAF-B9FC-EAA6-EADCB5DADFD1} (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{EEFBE68F-7EAF-B9FC-EAA6-EADCB5DADFD1} (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\Software\VB and VBA Program Settings\SrvID (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Macromedia (Heuristics.Shuriken) -> Value: Macromedia -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Macromedia (Heuristics.Shuriken) -> Value: Macromedia -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Macromedia (Heuristics.Shuriken) -> Value: Macromedia -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\32rr32r3tghdrh (Heuristics.Shuriken) -> Value: 32rr32r3tghdrh -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Print Spooler (Trojan.Agent) -> Value: Print Spooler -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Print Spooler (Trojan.Agent) -> Value: Print Spooler -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Print Spooler (Trojan.Agent) -> Value: Print Spooler -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon (Malware.Trace) -> Value: winlogon -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\winlogon (Trojan.Agent) -> Value: winlogon -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon (Malware.Trace) -> Value: winlogon -> Quarantined and deleted successfully.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

c:\Users\Admin\AppData\Roaming\vlc.exe (Heuristics.Shuriken) -> Quarantined and deleted successfully.

c:\Users\Admin\AppData\Roaming\microsoft\spoolvc.exe (Heuristics.Shuriken) -> Quarantined and deleted successfully.

c:\Users\Admin\AppData\Local\Temp\95634.exe (Heuristics.Shuriken) -> Quarantined and deleted successfully.

c:\Users\Admin\AppData\Roaming\spoolsv.exe (Trojan.Agent) -> Quarantined and deleted successfully.

c:\Users\Admin\AppData\Roaming\data.dat (Stolen.Data) -> Quarantined and deleted successfully.

Thanks for any help!


Hello Hangman101! Welcome to Malwarebytes' Anti-Malware Forums!

My name is Borislav and I will be glad to help you solve your problems with malware. Before we begin, please note the following:

  • The process of cleaning your system may take some time, so please be patient.
  • Follow my instructions step by step; if there is a problem somewhere, stop and tell me.
  • Stay with the topic until I tell you that your system is clean. Missing symptoms do not mean that everything is okay.
  • Instructions that I give are for your system only!
  • If you don't know or can't understand something please ask.
  • Do not install or uninstall any software or hardware while we work on it.
  • Keep me informed about any changes.
  • Post all of your log files, don't attach them.

Please use regular mode, not safe mode for now.

Step 1

  • Launch Malwarebytes' Anti-Malware
  • Go to the "Update" tab and select Check for Updates.
  • Go to Scanner tab and select Perform Quick Scan, then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.

Step 2

Download DDS and save it to your desktop from here, here or here

Double click dds to run the tool.

  • When done, DDS will open two (2) logs:
    1. DDS.txt
    2. Attach.txt
  • Save both reports to your desktop. Post them back to your topic.

In your next reply, please post the following logs:

  1. Malwarebytes' Anti-Malware log
  2. DDS log with Attach.txt


Hey thanks Maniac! :)

I had a go with HJT myself and tried to "fix" these entries in safe mode.

O4 - HKLM\..\Run: [Print Spooler] C:\Users\Admin\AppData\Roaming\spoolsv.exe

...

O4 - HKLM\..\Policies\Explorer\Run: [Print Spooler] C:\Users\Admin\AppData\Roaming\spoolsv.exe

Sure enough, next scan didn't have these entries and after those files (spoolsv.exe and lsm.exe) were deleted, I haven't seen them pop up again! :)

I'd still like to know what I was infected with and, more importantly, whether it was possible to resolve it using just MBAM and without HJT's help (messing with the registry always makes me paranoid, but these entries seemed to be the culprit).

Anyway, since you asked, I've followed your instructions and these are my logs (taken AFTER doing the above fix)

MBAM log:

Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Database version: 6286

Windows 6.1.7601 Service Pack 1

Internet Explorer 9.0.8112.16421

4/6/2011 6:02:03 PM

mbam-log-2011-04-06 (18-02-03).txt

Scan type: Quick scan

Objects scanned: 168462

Time elapsed: 1 minute(s), 55 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

DDS.log

.

DDS (Ver_11-03-05.01) - NTFS_AMD64

Run by Admin at 18:04:15.97 on Wed 04/06/2011

Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_24

Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.4095.2219 [GMT 5.5:30]

.

AV: avast! Antivirus *Enabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}

SP: avast! Antivirus *Enabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}

SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

============== Running Processes ===============

.

C:\Windows\system32\wininit.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\svchost.exe -k RPCSS

C:\Windows\system32\atiesrxx.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\svchost.exe -k NetworkService

C:\Programs\Alwil Software\Avast5\AvastSvc.exe

C:\Windows\system32\atieclxx.exe

C:\Windows\System32\spoolsv.exe

C:\Windows\system32\taskhost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Programs\SUPERAntiSpyware\SASCORE64.EXE

C:\Windows\SysWOW64\svchost.exe -k hpdevmgmt

c:\Program Files (x86)\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe

C:\Windows\system32\taskeng.exe

C:\Programs\CleanMem\mini_monitor.exe

C:\Programs\Process Lasso\processlasso.exe

C:\Programs\Process Lasso\processgovernor.exe

C:\Programs\Preton\PretonSaver\PretonClientService.exe

c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe

C:\Programs\TuneUp Utilities 2011\TuneUpUtilitiesService64.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

C:\Programs\Spybot - Search & Destroy\SDWinSec.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Programs\TuneUp Utilities 2011\TuneUpUtilitiesApp64.exe

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Programs\Preton\PretonSaver\PretonClient.exe

C:\Programs\DAEMON Tools Lite\DTLite.exe

C:\Programs\SUPERAntiSpyware\SUPERANTISPYWARE.EXE

C:\Programs\Vuze\Azureus.exe

C:\Programs\FeedDemon\FeedDemon.exe

C:\Programs\Free Download Manager\fdm.exe

C:\Program Files\Windows Sidebar\sidebar.exe

C:\Programs\uTorrent\uTorrent.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Programs\Spybot - Search & Destroy\TeaTimer.exe

C:\Programs\Codebox\BitMeter\BitMeter2.exe

C:\Programs\HP\Digital Imaging\bin\hpqtra08.exe

C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe

C:\Programs\ASUS\Fan Xpert\QFanHelp.exe

C:\Programs\Alwil Software\Avast5\AvastUI.exe

C:\Programs\HP\HP Software Update\hpwuSchd2.exe

C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe

C:\Windows\system32\svchost.exe -k imgsvc

C:\Programs\Unlocker\UnlockerAssistant.exe

c:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe

C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe

C:\Programs\HP\Digital Imaging\bin\hpqSTE08.exe

C:\Programs\HP\Digital Imaging\bin\hpqbam08.exe

C:\Programs\HP\Digital Imaging\bin\hpqgpc01.exe

C:\Windows\System32\svchost.exe -k secsvcs

C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe

C:\Windows\system32\WUDFHost.exe

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

C:\Programs\Mozilla Firefox\firefox.exe

C:\Programs\Mozilla Firefox\plugin-container.exe

C:\Programs\Notepad++\notepad++.exe

C:\Windows\explorer.exe

C:\Users\Admin\Downloads\dds.scr

C:\Windows\system32\conhost.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.google.com/

mWinlogon: Userinit=userinit.exe,

BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - C:\Programs\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - C:\Programs\Spybot - Search & Destroy\SDHelper.dll

BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - C:\PROGRA~2\MICROS~3\Office14\GROOVEEX.DLL

BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - C:\Programs\Alwil Software\Avast5\aswWebRepIE.dll

BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - C:\PROGRA~2\MICROS~3\Office14\URLREDIR.DLL

BHO: Free Download Manager: {cc59e0f9-7e43-44fa-9faa-8377850bf205} - C:\Programs\Free Download Manager\iefdm2.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll

BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - C:\Programs\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll

TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - C:\Programs\Alwil Software\Avast5\aswWebRepIE.dll

EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - C:\Programs\HP\Digital Imaging\Smart Web Printing\hpswp_bho.dll

uRun: [DAEMON Tools Lite] "C:\Programs\DAEMON Tools Lite\DTLite.exe" -autorun

uRun: [sUPERAntiSpyware] C:\Programs\SUPERAntiSpyware\SUPERAntiSpyware.exe

uRun: [Azureus] C:\Programs\Vuze\Azureus.exe

uRun: [FeedDemon] "C:\Programs\FeedDemon\FeedDemon.exe" /startminimized

uRun: [Free Download Manager] "C:\Programs\Free Download Manager\fdm.exe" -autorun

uRun: [sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun

uRun: [uTorrent] "C:\Programs\uTorrent\uTorrent.exe"

uRun: [spybotSD TeaTimer] C:\Programs\Spybot - Search & Destroy\TeaTimer.exe

mRun: [HDAudDeck] C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe -r

mRun: [QFan Help] "C:\Programs\ASUS\Fan Xpert\QFanHelp.exe"

mRun: [Adobe Reader Speed Launcher] "C:\Programs\Adobe\Reader 10.0\Reader\Reader_sl.exe"

mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

mRun: [avast5] "C:\Programs\Alwil Software\Avast5\avastUI.exe" /nogui

mRun: [HP Software Update] C:\Programs\HP\HP Software Update\HPWuSchd2.exe

mRun: [hpqSRMon] C:\Programs\HP\Digital Imaging\bin\hpqSRMon.exe

mRun: [sunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"

mRun: [startCCC] "c:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun

mRun: [unlockerAssistant] "C:\Programs\Unlocker\UnlockerAssistant.exe"

StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\BITMET~1.LNK - C:\Programs\Codebox\BitMeter\BitMeter2.exe

StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\HPDIGI~1.LNK - C:\Programs\HP\Digital Imaging\bin\hpqtra08.exe

mPolicies-explorer: NoActiveDesktop = 1 (0x1)

mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)

mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)

mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)

mPolicies-system: EnableLUA = 0 (0x0)

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

mPolicies-system: PromptOnSecureDesktop = 0 (0x0)

IE: Download all with Free Download Manager - file://C:\Programs\Free Download Manager\dlall.htm

IE: Download selected with Free Download Manager - file://C:\Programs\Free Download Manager\dlselected.htm

IE: Download video with Free Download Manager - file://C:\Programs\Free Download Manager\dlfvideo.htm

IE: Download with Free Download Manager - file://C:\Programs\Free Download Manager\dllink.htm

IE: E&xport to Microsoft Excel - C:\Programs\MICROS~1\Office14\EXCEL.EXE/3000

IE: Se&nd to OneNote - C:\Programs\MICROS~1\Office14\ONBttnIE.dll/105

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll

IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll

IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Programs\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programs\Spybot - Search & Destroy\SDHelper.dll

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab

TCP: {03D3A595-CF69-4716-8807-F604E64839C1} = 115.69.240.12 115.69.240.11

Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLMF.DLL

Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll

SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - C:\PROGRA~2\MICROS~3\Office14\GROOVEEX.DLL

mASetup: {5F6CFB23-CC7F-A0BC-3BC0-EDCDD9EEEA14} - C:\Users\Admin\AppData\Roaming\csrss.exe

mASetup: {CDFEECCD-371A-EECB-CCBB-FDDB6CE4BBED} - C:\Users\Admin\AppData\Roaming\NDVQP54V21.exe

mASetup: {EEFBE68F-7EAF-B9FC-EAA6-EADCB5DADFD1} - C:\Users\Admin\AppData\Roaming\spoolsv.exe

uASetup: {5F6CFB23-CC7F-A0BC-3BC0-EDCDD9EEEA14} - C:\Users\Admin\AppData\Roaming\csrss.exe

uASetup: {CDFEECCD-371A-EECB-CCBB-FDDB6CE4BBED} - C:\Users\Admin\AppData\Roaming\NDVQP54V21.exe

uASetup: {EEFBE68F-7EAF-B9FC-EAA6-EADCB5DADFD1} - C:\Users\Admin\AppData\Roaming\spoolsv.exe

BHO-X64: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Programs\MICROS~1\Office14\GROOVEEX.DLL

BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

BHO-X64: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Programs\MICROS~1\Office14\URLREDIR.DLL

BHO-X64: URLRedirectionBHO - No File

BHO-X64: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

EB-X64: {555D4D79-4BD2-4094-A395-CFC534424A05} - No File

mRun-x64: [bCSSync] "C:\Programs\Microsoft Office\Office14\BCSSync.exe" /DelayServices

mRun-x64: [PretonClient] C:\Programs\Preton\PretonSaver\PretonClient.exe

mRun-x64: [(Default)]

SEH-X64: Groove GFS Stub Execution Hook: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Programs\MICROS~1\Office14\GROOVEEX.DLL

.

================= FIREFOX ===================

.

FF - ProfilePath - C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rz8ocwb5.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ncr

FF - component: C:\Programs\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpClipBook.dll

FF - component: C:\Programs\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpClipBookDB.dll

FF - component: C:\Programs\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpNeoLogger.dll

FF - component: C:\Programs\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpSaturn.dll

FF - component: C:\Programs\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpSeymour.dll

FF - component: C:\Programs\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpSmartSelect.dll

FF - component: C:\Programs\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpSmartWebPrinting.dll

FF - component: C:\Programs\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpSWPOperation.dll

FF - component: C:\Programs\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpXPLogging.dll

FF - component: C:\Programs\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpXPMTC.dll

FF - component: C:\Programs\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpXPMTL.dll

FF - component: C:\Programs\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpXREStub.dll

FF - component: C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rz8ocwb5.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll

FF - component: C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rz8ocwb5.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbar-ff3.dll

FF - component: C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rz8ocwb5.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\FFExternalAlert.dll

FF - component: C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rz8ocwb5.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\RadioWMPCore.dll

FF - component: C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rz8ocwb5.default\extensions\{81BF1D23-5F17-408D-AC6B-BD6DF7CAF670}\components\imtcp_xpcom.dll

FF - component: C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rz8ocwb5.default\extensions\lazarus@interclue.com\platform\WINNT_x86-msvc\components\WeaveCrypto.dll

FF - component: C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rz8ocwb5.default\extensions\support@lastpass.com\platform\WINNT_x86-msvc\components\lpxpcom.dll

FF - plugin: C:\PROGRA~2\MICROS~3\Office14\NPAUTHZ.DLL

FF - plugin: C:\PROGRA~2\MICROS~3\Office14\NPSPWRAP.DLL

FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\4.0.60129.0\npctrlui.dll

FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll

FF - plugin: C:\Programs\Adobe\Reader 10.0\Reader\browser\nppdf32.dll

FF - plugin: C:\Programs\Mozilla Firefox\plugins\npdeployJava1.dll

FF - plugin: C:\Programs\Mozilla Firefox\plugins\npwachk.dll

FF - plugin: C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rz8ocwb5.default\extensions\ietab@ip.cn\plugins\npCoralIETab.dll

FF - plugin: C:\Windows\system32\Wat\npWatWeb.dll

FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll

.

---- FIREFOX POLICIES ----

FF - user.js: network.http.max-persistent-connections-per-server - 4

FF - user.js: nglayout.initialpaint.delay - 600

FF - user.js: content.notify.interval - 600000

FF - user.js: content.max.tokenizing.time - 1800000

FF - user.js: content.switch.threshold - 600000

FF - user.js: network.http.max-connections-per-server - 8

.

============= SERVICES / DRIVERS ===============

.

R1 aswSnx;aswSnx;C:\Windows\System32\drivers\aswSnx.sys [2011-2-23 505176]

R1 aswSP;aswSP;C:\Windows\System32\drivers\aswSP.sys [2011-1-23 280408]

R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;C:\Windows\System32\drivers\dtsoftbus01.sys [2011-1-24 254528]

R1 SASDIFSV;SASDIFSV;C:\Programs\SUPERAntiSpyware\sasdifsv64.sys [2010-2-17 14920]

R1 SASKUTIL;SASKUTIL;C:\Programs\SUPERAntiSpyware\saskutil64.sys [2010-2-17 12360]

R2 !SASCORE;SAS Core Service;C:\Programs\SUPERAntiSpyware\SASCore64.exe [2010-6-29 128752]

R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\System32\atiesrxx.exe [2011-3-9 203776]

R2 aswFsBlk;aswFsBlk;C:\Windows\System32\drivers\aswFsBlk.sys [2011-1-23 22360]

R2 aswMonFlt;aswMonFlt;C:\Windows\System32\drivers\aswMonFlt.sys [2011-1-23 64344]

R2 avast! Antivirus;avast! Antivirus;C:\Programs\Alwil Software\Avast5\AvastSvc.exe [2011-2-23 42184]

R2 PretonClientService;PretonSaver;C:\Programs\Preton\PretonSaver\PretonClientService.exe [2010-10-26 91136]

R2 SBSDWSCService;SBSD Security Center Service;C:\Programs\Spybot - Search & Destroy\SDWinSec.exe [2011-4-5 1153368]

R2 TuneUp.UtilitiesSvc;TuneUp Utilities Service;C:\Programs\TuneUp Utilities 2011\TuneUpUtilitiesService64.exe [2010-12-14 2019648]

R3 amdkmdag;amdkmdag;C:\Windows\System32\drivers\atikmdag.sys [2011-3-9 9258496]

R3 amdkmdap;amdkmdap;C:\Windows\System32\drivers\atikmpag.sys [2011-3-9 300544]

R3 AtiHDAudioService;ATI Function Driver for HD Audio Service;C:\Windows\System32\drivers\AtihdW76.sys [2010-11-17 115216]

R3 osppsvc;Office Software Protection Platform;C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-1-9 4925184]

R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\System32\drivers\Rt64win7.sys [2011-1-21 413800]

R3 TuneUpUtilitiesDrv;TuneUpUtilitiesDrv;C:\Programs\TuneUp Utilities 2011\TuneUpUtilitiesDriver64.sys [2010-11-29 11856]

R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;C:\Windows\System32\drivers\viahduaa.sys [2011-2-17 1342064]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]

S3 BTCFilterService;USB Networking Driver Filter Service;C:\Windows\System32\drivers\motfilt.sys [2009-1-29 6144]

S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;C:\Programs\Microsoft Office\Office14\GROOVE.EXE [2010-1-21 51445112]

S3 motccgp;Motorola USB Composite Device Driver;C:\Windows\System32\drivers\motccgp.sys [2010-12-3 21504]

S3 motccgpfl;MotCcgpFlService;C:\Windows\System32\drivers\motccgpfl.sys [2009-1-29 9216]

S3 Motousbnet;Motorola USB Networking Driver Service;C:\Windows\System32\drivers\Motousbnet.sys [2010-4-1 26624]

S3 ose64;Office 64 Source Engine;C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2010-1-9 174440]

S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\Windows\System32\drivers\rdpvideominiport.sys [2011-2-23 20992]

S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2011-2-23 59392]

S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2011-3-20 1255736]

S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;C:\Program Files (x86)\Microsoft SQL Server\100\Shared\sqladhlp.exe [2008-7-10 47128]

S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);C:\Program Files (x86)\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [2010-9-17 370008]

.

=============== Created Last 30 ================

.

2011-04-06 12:16:01 8424784 ----a-w- C:\PROGRA~3\Microsoft\Windows Defender\Definition Updates\{C43B6834-488C-4323-8F79-9B993CBE7EAB}\mpengine.dll

2011-04-05 17:29:10 -------- d-----w- C:\PROGRA~3\Paradox Interactive

2011-04-05 16:18:27 -------- d-----w- C:\PROGRA~3\Spybot - Search & Destroy

2011-04-05 16:13:29 388096 ----a-r- C:\Users\Admin\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe

2011-04-05 14:40:12 -------- d-----w- C:\Downloads

2011-04-04 13:00:04 -------- d-----w- C:\Users\Admin\AppData\Local\Ironclad Games

2011-04-04 06:10:42 -------- d-----w- C:\Windows\pss

2011-04-03 06:41:50 -------- d-----w- C:\Users\Admin\AppData\Local\Rockstar Games

2011-04-03 06:41:49 -------- d-sh--w- C:\PROGRA~3\SecuROM

2011-04-03 06:12:34 -------- d-----w- C:\Windows\SysWow64\xlive

2011-04-03 06:12:34 -------- d-----w- C:\Program Files (x86)\Microsoft Games for Windows - LIVE

2011-04-02 07:00:46 -------- d-----w- C:\PROGRA~3\Age of Empires 3

2011-04-01 11:23:22 404640 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl

2011-03-31 14:08:18 -------- d-----w- C:\Program Files (x86)\AMD APP

2011-03-23 16:24:52 -------- d-----w- C:\OpenCV2.0

2011-03-21 14:26:26 61952 ----a-w- C:\Windows\System32\OVDecode64.dll

2011-03-21 14:26:22 59904 ----a-w- C:\Windows\SysWow64\OVDecode.dll

2011-03-21 14:26:10 53760 ----a-w- C:\Windows\System32\OpenCL.dll

2011-03-21 14:26:06 51712 ----a-w- C:\Windows\SysWow64\OpenCL.dll

2011-03-21 14:25:58 16115712 ----a-w- C:\Windows\System32\amdocl64.dll

2011-03-21 14:25:46 12385792 ----a-w- C:\Windows\SysWow64\amdocl.dll

2011-03-21 13:17:35 -------- d-----w- C:\Users\Admin\.ssh

2011-03-20 11:46:22 -------- d-----w- C:\Windows\SysWow64\Wat

2011-03-20 11:46:22 -------- d-----w- C:\Windows\System32\Wat

2011-03-11 14:43:49 -------- d-----w- C:\Users\Admin\AppData\Roaming\DVD Flick

2011-03-09 09:22:42 9258496 ----a-w- C:\Windows\System32\drivers\atikmdag.sys

2011-03-09 05:41:52 22518272 ----a-w- C:\Windows\System32\atio6axx.dll

2011-03-09 05:19:22 17397248 ----a-w- C:\Windows\SysWow64\atioglxx.dll

2011-03-09 04:57:04 143360 ----a-w- C:\Windows\System32\atiapfxx.exe

2011-03-09 04:56:54 679424 ----a-w- C:\Windows\SysWow64\aticfx32.dll

2011-03-09 04:55:52 795136 ----a-w- C:\Windows\System32\aticfx64.dll

2011-03-09 04:53:44 462848 ----a-w- C:\Windows\System32\ATIDEMGX.dll

2011-03-09 04:53:34 480256 ----a-w- C:\Windows\System32\atieclxx.exe

2011-03-09 04:53:04 203776 ----a-w- C:\Windows\System32\atiesrxx.exe

2011-03-09 04:52:04 120320 ----a-w- C:\Windows\System32\atitmm64.dll

2011-03-09 04:51:48 423424 ----a-w- C:\Windows\System32\atipdl64.dll

2011-03-09 04:51:42 356352 ----a-w- C:\Windows\SysWow64\atipdlxx.dll

2011-03-09 04:51:34 278528 ----a-w- C:\Windows\SysWow64\Oemdspif.dll

2011-03-09 04:51:28 16384 ----a-w- C:\Windows\System32\atimuixx.dll

2011-03-09 04:51:26 59392 ----a-w- C:\Windows\System32\atiedu64.dll

2011-03-09 04:51:22 43520 ----a-w- C:\Windows\SysWow64\ati2edxx.dll

2011-03-09 04:48:46 4277760 ----a-w- C:\Windows\SysWow64\atidxx32.dll

2011-03-09 04:40:22 5044224 ----a-w- C:\Windows\System32\atidxx64.dll

2011-03-09 04:34:36 51200 ----a-w- C:\Windows\System32\aticalrt64.dll

2011-03-09 04:34:34 46080 ----a-w- C:\Windows\SysWow64\aticalrt.dll

2011-03-09 04:34:24 44544 ----a-w- C:\Windows\System32\aticalcl64.dll

2011-03-09 04:34:22 44032 ----a-w- C:\Windows\SysWow64\aticalcl.dll

2011-03-09 04:34:12 7025152 ----a-w- C:\Windows\System32\aticaldd64.dll

2011-03-09 04:32:32 5618688 ----a-w- C:\Windows\SysWow64\aticaldd.dll

2011-03-09 04:30:30 4294656 ----a-w- C:\Windows\SysWow64\atiumdag.dll

2011-03-09 04:24:48 5438976 ----a-w- C:\Windows\System32\atiumd64.dll

2011-03-09 04:18:10 258048 ----a-w- C:\Windows\SysWow64\atiadlxy.dll

2011-03-09 04:18:00 14848 ----a-w- C:\Windows\System32\atig6pxx.dll

2011-03-09 04:17:56 12800 ----a-w- C:\Windows\SysWow64\atiglpxx.dll

2011-03-09 04:17:56 12800 ----a-w- C:\Windows\System32\atiglpxx.dll

2011-03-09 04:17:54 39936 ----a-w- C:\Windows\System32\atig6txx.dll

2011-03-09 04:17:48 32768 ----a-w- C:\Windows\SysWow64\atigktxx.dll

2011-03-09 04:17:42 300544 ----a-w- C:\Windows\System32\drivers\atikmpag.sys

2011-03-09 04:17:04 39936 ----a-w- C:\Windows\System32\atiuxp64.dll

2011-03-09 04:17:00 31232 ----a-w- C:\Windows\SysWow64\atiuxpag.dll

2011-03-09 04:16:54 38400 ----a-w- C:\Windows\System32\atiu9p64.dll

2011-03-09 04:16:48 28672 ----a-w- C:\Windows\SysWow64\atiu9pag.dll

2011-03-09 04:16:14 53248 ----a-w- C:\Windows\System32\drivers\ati2erec.dll

2011-03-09 03:42:40 1208320 ----a-w- C:\Windows\System32\atiumd6v.dll

2011-03-09 03:42:06 1912832 ----a-w- C:\Windows\SysWow64\atiumdmv.dll

2011-03-09 03:41:52 3239936 ----a-w- C:\Windows\System32\atiumd6a.dll

2011-03-09 03:34:12 3471872 ----a-w- C:\Windows\SysWow64\atiumdva.dll

2011-03-09 03:18:58 53760 ----a-w- C:\Windows\System32\atimpc64.dll

2011-03-09 03:18:58 53760 ----a-w- C:\Windows\System32\amdpcom64.dll

2011-03-09 03:18:52 52736 ----a-w- C:\Windows\SysWow64\atimpc32.dll

2011-03-09 03:18:52 52736 ----a-w- C:\Windows\SysWow64\amdpcom32.dll

2011-03-09 01:57:32 902656 ----a-w- C:\Windows\System32\d2d1.dll

2011-03-09 01:57:32 739840 ----a-w- C:\Windows\SysWow64\d2d1.dll

2011-03-09 01:57:32 1544192 ----a-w- C:\Windows\System32\DWrite.dll

2011-03-09 01:57:32 1139200 ----a-w- C:\Windows\System32\FntCache.dll

2011-03-09 01:57:32 1076736 ----a-w- C:\Windows\SysWow64\DWrite.dll

2011-03-09 01:56:36 961024 ----a-w- C:\Windows\System32\CPFilters.dll

2011-03-09 01:56:36 723968 ----a-w- C:\Windows\System32\EncDec.dll

2011-03-09 01:56:35 850944 ----a-w- C:\Windows\SysWow64\sbe.dll

2011-03-09 01:56:35 642048 ----a-w- C:\Windows\SysWow64\CPFilters.dll

2011-03-09 01:56:35 534528 ----a-w- C:\Windows\SysWow64\EncDec.dll

2011-03-09 01:56:35 259072 ----a-w- C:\Windows\System32\mpg2splt.ax

2011-03-09 01:56:35 199680 ----a-w- C:\Windows\SysWow64\mpg2splt.ax

2011-03-09 01:56:35 1118720 ----a-w- C:\Windows\System32\sbe.dll

.

==================== Find3M ====================

.

2011-03-29 18:00:00 92672 ----a-w- C:\Windows\System32\ff_vfw.dll

2011-03-29 08:00:00 80896 ----a-w- C:\Windows\SysWow64\ff_vfw.dll

2011-03-24 19:35:18 243200 ----a-w- C:\Windows\SysWow64\xvidvfw.dll

2011-03-24 19:28:12 631808 ----a-w- C:\Windows\SysWow64\xvidcore.dll

2011-03-23 03:28:00 61440 ----a-w- C:\Windows\SysWow64\CleanMem.exe

2011-03-19 19:00:38 151552 ----a-w- C:\Windows\SysWow64\ac3acm.acm

2011-03-09 04:18:16 360448 ----a-w- C:\Windows\System32\atiadlxx.dll

2011-03-09 04:11:06 58880 ----a-w- C:\Windows\System32\coinst.dll

2011-03-05 10:47:44 123392 ----a-w- C:\Windows\System32\lagarith.dll

2011-03-05 10:47:16 122368 ----a-w- C:\Windows\SysWow64\lagarith.dll

2011-03-03 18:29:52 2712064 ----a-w- C:\Windows\SysWow64\x264vfw.dll

2011-03-02 10:43:46 175616 ----a-w- C:\Windows\SysWow64\unrar.dll

2011-03-02 10:43:38 203264 ----a-w- C:\Windows\System32\unrar.dll

2011-02-28 08:39:50 21840 ----atw- C:\Windows\SysWow64\SIntfNT.dll

2011-02-28 08:39:50 17212 ----atw- C:\Windows\SysWow64\SIntf32.dll

2011-02-28 08:39:50 12067 ----atw- C:\Windows\SysWow64\SIntf16.dll

2011-02-28 08:18:30 2829 ----a-w- C:\Windows\DIIUnin.pif

2011-02-28 08:18:29 94208 ----a-w- C:\Windows\DIIUnin.exe

2011-02-28 02:39:40 53248 ----a-w- C:\Windows\SysWow64\CSVer.dll

2011-02-23 15:04:21 40648 ----a-w- C:\Windows\avastSS.scr

2011-02-23 14:57:01 505176 ----a-w- C:\Windows\System32\drivers\aswSnx.sys

2011-02-23 14:55:05 64344 ----a-w- C:\Windows\System32\drivers\aswMonFlt.sys

2011-02-23 01:18:43 152576 ----a-w- C:\Windows\SysWow64\msclmd.dll

2011-02-23 01:18:42 175616 ----a-w- C:\Windows\System32\msclmd.dll

2011-02-17 17:52:15 521448 ----a-w- C:\Windows\System32\deployJava1.dll

2011-02-17 17:50:38 472808 ----a-w- C:\Windows\SysWow64\deployJava1.dll

2011-02-02 12:41:20 270720 ------w- C:\Windows\System32\MpSigStub.exe

2011-01-24 05:22:22 254528 ----a-w- C:\Windows\System32\drivers\dtsoftbus01.sys

2011-01-22 19:33:28 178800 ----a-w- C:\Windows\SysWow64\CmdLineExt_x64.dll

2011-01-22 18:47:02 0 ----a-w- C:\Windows\ativpsrm.bin

2011-01-21 02:06:02 74272 ----a-w- C:\Windows\System32\RtNicProp64.dll

2011-01-21 02:06:02 413800 ----a-w- C:\Windows\System32\drivers\Rt64win7.sys

2011-01-17 11:09:14 197120 ----a-w- C:\Windows\System32\d3d10_1.dll

2011-01-17 05:47:13 161792 ----a-w- C:\Windows\SysWow64\d3d10_1.dll

2011-01-07 12:17:52 475648 ----a-w- C:\Windows\System32\XpsGdiConverter.dll

2011-01-07 12:17:52 1465344 ----a-w- C:\Windows\System32\XpsPrint.dll

2011-01-07 12:14:11 46080 ----a-w- C:\Windows\System32\atmlib.dll

2011-01-07 09:20:44 366592 ----a-w- C:\Windows\System32\atmfd.dll

2011-01-07 07:46:34 870912 ----a-w- C:\Windows\SysWow64\XpsPrint.dll

2011-01-07 07:46:34 288256 ----a-w- C:\Windows\SysWow64\XpsGdiConverter.dll

2011-01-07 07:45:57 34304 ----a-w- C:\Windows\SysWow64\atmlib.dll

2011-01-07 05:43:36 294400 ----a-w- C:\Windows\SysWow64\atmfd.dll

.

============= FINISH: 18:07:07.80 ===============

Attach.txt

.

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

.

DDS (Ver_11-03-05.01)

.

Microsoft Windows 7 Ultimate

Boot Device: \Device\HarddiskVolume1

Install Date: 1/22/2011 11:45:12 PM

System Uptime: 4/6/2011 3:35:11 PM (3 hours ago)

.

Motherboard: ASUSTeK Computer INC. | | P5G41C-M LX

Processor: Intel® Core2 Duo CPU E4600 @ 2.40GHz | LGA775 | 2400/200mhz

.

==== Disk Partitions =========================

.

C: is FIXED (NTFS) - 100 GiB total, 57.368 GiB free.

D: is FIXED (NTFS) - 50 GiB total, 32.665 GiB free.

E: is FIXED (NTFS) - 50 GiB total, 21.559 GiB free.

F: is FIXED (NTFS) - 100 GiB total, 12.254 GiB free.

G: is FIXED (NTFS) - 100 GiB total, 43.287 GiB free.

H: is FIXED (NTFS) - 66 GiB total, 41.918 GiB free.

I: is CDROM (CDFS)

J: is CDROM (CDFS)

K: is CDROM ()

L: is Removable

M: is Removable

.

==== Disabled Device Manager Items =============

.

==== System Restore Points ===================

.

RP145: 3/31/2011 1:20:24 AM - Windows Update

RP146: 4/2/2011 12:01:45 PM - Installed Age of Empires III

RP147: 4/3/2011 10:05:55 AM - Installed Rockstar Games Social Club

RP148: 4/3/2011 10:06:54 AM - Installed Grand Theft Auto IV

RP149: 4/3/2011 11:27:56 AM - Installed Grand Theft Auto IV

RP150: 4/3/2011 12:06:52 PM - Installed Grand Theft Auto IV

RP151: 4/4/2011 12:02:17 AM - Windows Update

RP152: 4/4/2011 10:06:12 AM - Removed Joulemeter

RP153: 4/5/2011 9:43:10 PM - Installed HiJackThis

RP154: 4/5/2011 10:52:43 PM - Removed The Settlers 7 - Paths to a Kingdom

RP155: 4/5/2011 10:54:22 PM - Installed Microsoft Visual C++ 2005 Redistributable

RP156: 4/5/2011 10:55:15 PM - Installed DirectX

.

==== Installed Programs ======================

.

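As an added example (not part of this thread and not code from DDS or Malwarebytes), here is a small Python triage script that reads DDS-style autostart lines such as the mASetup/uASetup entries in the log above and flags executables that borrow a Windows system binary name outside System32 or run from a user-writable profile directory. The sample lines are copied from the posted log; the list of system binary names, the directory markers and the function names are my own assumptions.

```python
import re
from pathlib import PureWindowsPath

# Core Windows binaries whose names malware commonly borrows. Each of them
# legitimately lives only under %SystemRoot%\System32 (or SysWOW64).
# (Assumed list for this example, not an official one.)
SYSTEM_BINARY_NAMES = {
    "csrss.exe", "spoolsv.exe", "lsm.exe", "lsass.exe", "svchost.exe",
    "winlogon.exe", "services.exe", "smss.exe", "wininit.exe", "explorer.exe",
}
LEGIT_SYSTEM_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64")
USER_WRITABLE_MARKERS = ("\\appdata\\roaming\\", "\\appdata\\local\\",
                         "\\temp\\", "\\users\\public\\")

# DDS autostart lines look like:   mASetup: {GUID} - C:\path\file.exe
#                                  mRun-x64: [Name] "C:\path\file.exe" /args
# mASetup/uASetup are DDS's labels for the HKLM/HKCU Active Setup
# "Installed Components" keys (my understanding of the DDS output format).
LINE_RE = re.compile(r"^(?P<key>[A-Za-z0-9-]+):\s*(?P<rest>.+)$")
PATH_RE = re.compile(r"([A-Za-z]:\\.+?\.(?:exe|dll|sys|scr))\b", re.IGNORECASE)


def parse_autostart(line):
    """Return (key, path) for a DDS autostart line, or None if it carries no file path."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    p = PATH_RE.search(m.group("rest"))
    if not p:
        return None  # e.g. "BHO-X64: URLRedirectionBHO - No File"
    return m.group("key"), p.group(1)


def assess(path):
    """Return the reasons a path looks suspicious (empty list means nothing flagged)."""
    low = path.lower()
    name = PureWindowsPath(low).name
    reasons = []
    if name in SYSTEM_BINARY_NAMES and not low.startswith(LEGIT_SYSTEM_DIRS):
        reasons.append(f"{name} is a Windows system binary name but is not under System32")
    if any(marker in low for marker in USER_WRITABLE_MARKERS):
        reasons.append("executes from a user-writable profile directory")
    return reasons


def triage(lines):
    """Return [(key, path, reasons)] for every autostart entry with at least one reason."""
    findings = []
    for line in lines:
        parsed = parse_autostart(line)
        if parsed is None:
            continue
        key, path = parsed
        reasons = assess(path)
        if reasons:
            findings.append((key, path, reasons))
    return findings


# Constructed sample: lines copied from the DDS log posted in this thread.
SAMPLE_DDS_LINES = [
    r"mASetup: {5F6CFB23-CC7F-A0BC-3BC0-EDCDD9EEEA14} - C:\Users\Admin\AppData\Roaming\csrss.exe",
    r"mASetup: {CDFEECCD-371A-EECB-CCBB-FDDB6CE4BBED} - C:\Users\Admin\AppData\Roaming\NDVQP54V21.exe",
    r"uASetup: {EEFBE68F-7EAF-B9FC-EAA6-EADCB5DADFD1} - C:\Users\Admin\AppData\Roaming\spoolsv.exe",
    r"BHO-X64: URLRedirectionBHO - No File",
    r'mRun-x64: [bCSSync] "C:\Programs\Microsoft Office\Office14\BCSSync.exe" /DelayServices',
    r"mRun-x64: [PretonClient] C:\Programs\Preton\PretonSaver\PretonClient.exe",
    r"SEH-X64: Groove GFS Stub Execution Hook: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Programs\MICROS~1\Office14\GROOVEEX.DLL",
]

if __name__ == "__main__":
    for key, path, reasons in triage(SAMPLE_DDS_LINES):
        print(f"[{key}] {path}\n    " + "\n    ".join(reasons))
```

Run against the sample, it reports the three Roaming entries (csrss.exe, NDVQP54V21.exe, spoolsv.exe) and stays silent on the Office and Preton entries.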

Glad you did it yourself, but I do not recommend it for the future. Often this leads to additional problems. As you can see, Malwarebytes' Anti-Malware successfully detected and can remove the infection. What prevents it is a module of SpyBot - Search & Destroy: TeaTimer. TeaTimer detects when something wants to change some critical registry keys and stops it. If it had been off, Malwarebytes' Anti-Malware would have succeeded without additional help.

You can manually delete DDS and uninstall HiJackThis.

To prevent such mistakes, keep your software up-to-date:

http://www.bleepingcomputer.com/tutorials/tutorial174.html

Some malware preventions here:

http://forums.malwarebytes.org/index.php?showtopic=9365

Safe surfing! :)


Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
