
I have tried MBAM, Antispyware, Spybot S&D and Microsoft security essentials, and this will not get detected or be removed. PLEASE HELP!!!!

DDS.TXT

.

DDS (Ver_11-05-19.01) - NTFSx86

Internet Explorer: 8.0.7601.17514

Run by Haddad at 23:06:10 on 2011-05-31

Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.3063.1802 [GMT -4:00]

.

AV: Microsoft Security Essentials *Enabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}

SP: Microsoft Security Essentials *Enabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

============== Running Processes ===============

.

C:\Windows\system32\wininit.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\nvvsvc.exe

C:\Windows\system32\svchost.exe -k RPCSS

c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\system32\nvvsvc.exe

C:\Windows\System32\spoolsv.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Windows\system32\PnkBstrA.exe

C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe

C:\Windows\system32\svchost.exe -k imgsvc

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

c:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe

C:\Windows\system32\Dwm.exe

C:\Windows\system32\taskhost.exe

C:\Windows\Explorer.EXE

C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

C:\Program Files\ScanSoft\OmniPageSE2.0\opwareSE2.exe

C:\Program Files\Microsoft LifeChat\LifeChat.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe

C:\Program Files\ASUS\AI Suite\QFan3\QFanHelp.exe

C:\Program Files\Microsoft Security Client\msseces.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\Program Files\PKWARE\PKZIPM\12.50.0013\PKTray.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Windows\system32\SearchIndexer.exe

C:\Program Files\Windows Media Player\wmpnetwk.exe

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalServicePeerNet

C:\Windows\system32\DllHost.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\NOTEPAD.EXE

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Windows\system32\SearchProtocolHost.exe

C:\Windows\system32\SearchFilterHost.exe

C:\Users\Haddad\Desktop\dds.scr

C:\Windows\system32\DllHost.exe

C:\Windows\system32\WSCRIPT.exe

C:\Windows\system32\wbem\wmiprvse.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = about:blank

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll

BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

uRun: [spybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe

mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"

mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE

mRun: [OpwareSE2] "c:\program files\scansoft\omnipagese2.0\OpwareSE2.exe"

mRun: [LifeChat] "c:\program files\microsoft lifechat\LifeChat.exe"

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [RtHDVCpl] c:\program files\realtek\audio\hda\RtHDVCpl.exe -s

mRun: [QFan Help] "c:\program files\asus\ai suite\qfan3\QFanHelp.exe"

mRun: [Cpu Level Up help] "c:\program files\asus\ai suite\CpuLevelUpHelp.exe"

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey

StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe

StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\quicke~1.lnk - c:\program files\quicken\bagent.exe

StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\secure~1.lnk - c:\program files\pkware\pkzipm\12.50.0013\PKTray.exe

mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)

mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)

mPolicies-system: EnableLUA = 0 (0x0)

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

mPolicies-system: PromptOnSecureDesktop = 0 (0x0)

IE: E&xport to Microsoft Excel - c:\progra~1\micros~1\office11\EXCEL.EXE/3000

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~1\office11\REFIEBAR.DLL

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_05-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll

.

============= SERVICES / DRIVERS ===============

.

R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-10-24 165264]

R1 MpKsl7eff6a83;MpKsl7eff6a83;c:\programdata\microsoft\microsoft antimalware\definition updates\{dfba0397-3668-4976-91ae-0754f56bf134}\MpKsl7eff6a83.sys [2011-5-31 28752]

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]

R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]

R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2010-6-26 1153368]

R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\nvidia corporation\3d vision\nvSCPAPISvr.exe [2010-7-9 248936]

R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\drivers\MpNWMon.sys [2010-10-24 43392]

R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2010-10-24 54144]

R3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\antimalware\NisSrv.exe [2010-11-11 206360]

R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\drivers\yk62x86.sys [2009-9-28 315392]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]

S3 StorSvc;Storage Service;c:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]

S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2011-3-8 52224]

S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-6-27 1343400]

.

=============== Created Last 30 ================

.

2011-06-01 02:09:14 6962000 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll

2011-06-01 02:09:14 28752 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{dfba0397-3668-4976-91ae-0754f56bf134}\MpKsl7eff6a83.sys

2011-06-01 02:09:06 6962000 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{dfba0397-3668-4976-91ae-0754f56bf134}\mpengine.dll

2011-06-01 01:18:21 -------- d-----w- c:\users\haddad\appdata\local\{070E0473-C0BB-4EAB-B4E8-DF4C906F8051}

2011-05-31 11:48:18 -------- d-----w- c:\users\haddad\appdata\local\{DA1B5ACB-3C64-4081-A341-6676018931C9}

2011-05-30 20:32:27 302592 ----a-w- c:\windows\system32\cmd.execf

2011-05-30 18:31:03 439632 ------w- c:\programdata\microsoft\microsoft antimalware\definition updates\{615560b2-c1fc-4a6e-81e0-2fcfc923c106}\gapaengine.dll

2011-05-30 18:23:24 -------- d-----w- c:\program files\Microsoft Security Client

2011-05-30 13:08:16 -------- d-----w- c:\users\haddad\appdata\local\{AEC24F50-44B5-44DB-BA7F-9954CA670562}

2011-05-30 10:50:13 27008 ----a-w- c:\windows\system32\drivers\Diskdump.sys

2011-05-30 00:01:19 -------- d-----w- c:\users\haddad\appdata\local\{CD61FE04-9485-4270-9FE3-0A62D9C08250}

2011-05-29 12:00:57 -------- d-----w- c:\users\haddad\appdata\local\{71B388AF-9F44-4474-8DE0-E76117644FE6}

2011-05-29 00:00:23 -------- d-----w- c:\users\haddad\appdata\local\{7DE259A1-C389-4BA3-987E-C5FCE2A467F1}

2011-05-28 11:59:48 -------- d-----w- c:\users\haddad\appdata\local\{C837DEC9-C3E8-4C6C-8596-3F415C34ABBD}

2011-05-28 02:18:16 6962000 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{36cc329a-6e97-4280-953e-f295df62d7a6}\mpengine.dll

2011-05-27 23:59:13 -------- d-----w- c:\users\haddad\appdata\local\{3ECDCA21-84E7-4FCD-ADBF-231B59C7903B}

2011-05-27 11:59:14 -------- d-----w- c:\users\haddad\appdata\local\{CB50ABA4-0AA8-4B70-9BBA-5C211A80FABA}

2011-05-26 12:35:20 -------- d-----w- c:\users\haddad\appdata\local\{B87BEA78-ED33-4A60-BE37-2089BE7AA420}

2011-05-26 00:34:45 -------- d-----w- c:\users\haddad\appdata\local\{3B23178A-91F6-4DB0-AFA7-9DADC0053DF3}

2011-05-25 12:34:24 -------- d-----w- c:\users\haddad\appdata\local\{4AA0C36E-3FE0-4C6D-9C24-BADE45AC4F71}

2011-05-25 00:08:28 -------- d-----w- c:\users\haddad\appdata\local\{71992081-F865-4EE2-BAD5-D20D69196FA6}

2011-05-24 12:07:02 -------- d-----w- c:\users\haddad\appdata\local\{0B4A8832-184C-4CBA-ACE4-6C80546C699D}

2011-05-24 00:06:29 -------- d-----w- c:\users\haddad\appdata\local\{B7BC9B2C-7981-4186-B6F5-E83B4D656923}

2011-05-23 12:05:54 -------- d-----w- c:\users\haddad\appdata\local\{4C5A55F2-117A-41E4-B865-EEB7CB805826}

2011-05-22 23:15:13 -------- d-----w- c:\users\haddad\appdata\local\{FA7AD549-3FA4-4210-A79E-C689A5C9BCB0}

2011-05-22 10:03:23 -------- d-----w- c:\users\haddad\appdata\local\{9839334A-2E77-4B5B-8198-AFDDBD07852C}

2011-05-21 22:02:48 -------- d-----w- c:\users\haddad\appdata\local\{F9CB9C4D-C165-4E91-A9B9-CF64BA5BB0B1}

2011-05-21 09:10:32 -------- d-----w- c:\users\haddad\appdata\local\{5611E239-9B95-4B5D-B586-00C9FD8BD085}

2011-05-20 13:55:20 -------- d-----w- c:\users\haddad\appdata\local\{99064F43-DCBF-464B-B78D-37BFC8DBC67D}

2011-05-20 00:18:50 -------- d-----w- c:\users\haddad\appdata\local\{65D30D2B-28E3-4EE3-B806-64910281B7D0}

2011-05-19 11:52:57 -------- d-----w- c:\users\haddad\appdata\local\{D445CA83-0B3A-4E3E-938F-3C2333C67AFC}

2011-05-18 22:58:39 -------- d-----w- c:\users\haddad\appdata\local\{F8647273-E663-499A-8DB8-14DD31D12825}

2011-05-18 10:37:40 -------- d-----w- c:\users\haddad\appdata\local\{A83AFBCF-ABCF-41A9-A67C-09A9048DA610}

2011-05-17 22:37:05 -------- d-----w- c:\users\haddad\appdata\local\{2BC430BD-E824-4EC1-870C-9342DE20152D}

2011-05-17 10:36:30 -------- d-----w- c:\users\haddad\appdata\local\{341F4231-77D2-4369-9227-70B3B43FC33E}

2011-05-16 03:32:02 123904 ----a-w- c:\windows\system32\poqexec.exe

2011-05-15 22:21:59 -------- d-----w- c:\users\haddad\appdata\local\{AB91F668-0186-485C-823A-AD341E753D14}

2011-05-15 10:04:22 -------- d-----w- c:\users\haddad\appdata\local\{2E3973A8-8BCD-4BD5-819B-C91977AA3871}

2011-05-14 13:42:09 -------- d-----w- c:\users\haddad\appdata\local\{17E82E7E-F5CE-44F2-B9A9-A10C59D0D715}

2011-05-14 01:03:11 -------- d-----w- c:\users\haddad\appdata\local\{DFF89132-2759-4EFA-AAF6-6CB51F17B035}

2011-05-13 11:40:01 -------- d-----w- c:\users\haddad\appdata\local\{4DCF3A55-FC38-4D6B-9729-3E0C8D6B539E}

2011-05-11 21:21:47 -------- d-----w- c:\users\haddad\appdata\local\{548D02C9-AC99-4CD0-8747-CF1978377C2D}

2011-05-11 09:21:26 -------- d-----w- c:\users\haddad\appdata\local\{681F671D-E855-4289-B9DF-7A535035E631}

2011-05-10 22:05:53 75776 ----a-w- c:\windows\system32\drivers\usbccgp.sys

2011-05-10 22:05:53 5888 ----a-w- c:\windows\system32\drivers\usbd.sys

2011-05-10 22:05:53 43008 ----a-w- c:\windows\system32\drivers\usbehci.sys

2011-05-10 22:05:53 284672 ----a-w- c:\windows\system32\drivers\usbport.sys

2011-05-10 22:05:53 258560 ----a-w- c:\windows\system32\drivers\usbhub.sys

2011-05-10 22:05:53 24064 ----a-w- c:\windows\system32\drivers\usbuhci.sys

2011-05-10 22:05:52 3967872 ----a-w- c:\windows\system32\ntkrnlpa.exe

2011-05-10 22:05:52 3912576 ----a-w- c:\windows\system32\ntoskrnl.exe

2011-05-10 21:19:13 -------- d-----w- c:\users\haddad\appdata\local\{FD7A83F7-B4B7-4E70-9945-0012953246F8}

2011-05-09 16:27:59 -------- d-----w- c:\users\haddad\appdata\local\{1CC34F21-99A5-464E-8916-25C6663DE7F0}

2011-05-09 00:50:46 -------- d-----w- c:\users\haddad\appdata\local\{E7CC526F-EE3F-4C8D-B9E9-3315C7F169D0}

2011-05-08 12:32:27 -------- d-----w- c:\users\haddad\appdata\local\{2B346EA9-BF45-4E89-9B83-AABC181E282D}

2011-05-08 00:31:52 -------- d-----w- c:\users\haddad\appdata\local\{C58BE4CB-CA4A-4D51-A6A2-A23520B225B3}

2011-05-07 09:05:12 -------- d-----w- c:\users\haddad\appdata\local\{1E9148EC-0C94-4A3A-B78C-3F28285139E1}

2011-05-06 12:31:43 -------- d-----w- c:\users\haddad\appdata\local\{FC1051C9-2560-4BBB-A3B5-DD3F800C7DC9}

2011-05-05 16:18:52 -------- d-----w- c:\users\haddad\appdata\local\{805FF1AE-94F6-433A-8FD0-AA4F290B8955}

2011-05-04 23:43:06 -------- d-----w- c:\users\haddad\appdata\local\{288821BB-7982-4C94-A0B2-50BC877CE015}

2011-05-04 11:42:43 -------- d-----w- c:\users\haddad\appdata\local\{9D088A4B-CD5B-4A2C-BA1F-29BDB6D095BD}

2011-05-03 17:43:41 -------- d-----w- c:\users\haddad\appdata\local\{2B92CA8A-E297-4060-8B8D-A67300D03A21}

2011-05-02 15:59:37 -------- d-----w- c:\users\haddad\appdata\local\{3D41C6F1-4A16-43AE-AB7F-60F1E9E61715}

.

==================== Find3M ====================

.

2011-03-12 11:23:45 870912 ----a-w- c:\windows\system32\XpsPrint.dll

2011-03-11 05:39:05 148864 ----a-w- c:\windows\system32\drivers\storport.sys

2011-03-11 05:39:00 143744 ----a-w- c:\windows\system32\drivers\nvstor.sys

2011-03-11 05:39:00 1211264 ----a-w- c:\windows\system32\drivers\ntfs.sys

2011-03-11 05:39:00 117120 ----a-w- c:\windows\system32\drivers\nvraid.sys

2011-03-11 05:38:51 332160 ----a-w- c:\windows\system32\drivers\iaStorV.sys

2011-03-11 05:38:37 80256 ----a-w- c:\windows\system32\drivers\amdsata.sys

2011-03-11 05:38:37 22400 ----a-w- c:\windows\system32\drivers\amdxata.sys

2011-03-11 05:33:59 1164288 ----a-w- c:\windows\system32\mfc42u.dll

2011-03-11 05:33:59 1137664 ----a-w- c:\windows\system32\mfc42.dll

2011-03-11 05:33:09 1699328 ----a-w- c:\windows\system32\esent.dll

2011-03-11 05:31:07 74240 ----a-w- c:\windows\system32\fsutil.exe

2011-03-09 03:38:55 152576 ----a-w- c:\windows\system32\msclmd.dll

2011-03-08 05:28:29 741376 ----a-w- c:\windows\system32\inetcomm.dll

2011-03-07 05:33:13 981504 ----a-w- c:\windows\system32\wininet.dll

2011-03-07 03:52:25 1638912 ----a-w- c:\windows\system32\mshtml.tlb

2011-03-03 05:38:01 132608 ----a-w- c:\windows\system32\dnsrslvr.dll

2011-03-03 05:36:16 28672 ----a-w- c:\windows\system32\dnscacheugc.exe

2011-03-03 03:42:34 2333184 ----a-w- c:\windows\system32\win32k.sys

.

============= FINISH: 23:06:24.76 ===============

and attach.txt

I really need some serious help. I have been searching the forum and it looks like there are a lot of folks having the same issue, but I am afraid of trying any of the fixes as they may not apply to my situation. FYI my MBAM log was clean, even with a full scan, so I didn't bother attaching it.

Please help. I know I've seen similar problems a couple of times in the forums but nothing that was exactly comparable and when I've tried to adapt their solutions nothing has solved my problem.

I am running Windows XP. I had a Trojan that was trying to get me to buy software/disabling me from starting up anti-virus/Malwarebytes etc...

I started it up in safe mode in Admin mode and ran Malwarebytes. That fixed the problem (yay) and put the stuff below in quarantine.

Now however, if I log into admin (in safe mode) everything is fine. If I log into User X however, nothing will load. When I try to open Firefox etc...

I get the "what program do you want to run this with" dialog. Just for the user account, not admin.

I have tried running exeHelper and shell.reg from the admin account. May have done that wrong though if they need to be run on the user account somehow.

Thanks for any suggestions!

Malwarebytes' Anti-Malware 1.51.0.1200

www.malwarebytes.org

Database version: 6767

Windows 5.1.2600 Service Pack 3 (Safe Mode)

Internet Explorer 8.0.6001.18702

6/3/2011 9:26:11 PM

mbam-log-2011-06-03 (21-26-11).txt

Scan type: Quick scan

Objects scanned: 155631

Time elapsed: 1 minute(s), 52 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 6

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\Peter\Local Settings\Application Data\vbi.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe") Good: (firefox.exe) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\Peter\Local Settings\Application Data\vbi.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode) Good: (firefox.exe -safe-mode) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\Peter\Local Settings\Application Data\vbi.exe" -a "C:\Program Files\Internet Explorer\iexplore.exe") Good: (iexplore.exe) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

c:\documents and settings\Peter\local settings\application data\vbi.exe (Trojan.ExeShell.Gen) -> Quarantined and deleted successfully.

Found the solution finally. But since there were so many threads where people said that but never said what it was, I thought I'd post it here:

Please log in to the account where exe files won't run.

Then, make sure extensions are shown, see here how to do this.

Then, navigate to the C:\Program Files\Malwarebytes' Antimalware folder and locate the file mbam.exe in there.

Rename mbam.exe to mbam.com

Then, double-click mbam.com. This will allow Malwarebytes to open. First use the update tab and check if there are updates. Download the updates.

Then, perform a quick scan and let Malwarebytes remove what it found. Reboot afterwards. Malwarebytes should restore the associations for exe files again if run from the affected account.

attach.zip

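As an added defender-side check (my own example, not code from this thread or from Malwarebytes): a read-only PowerShell audit of the two things the logs above show being tampered with, the StartMenuInternet launch commands that MBAM flagged as Hijack.StartMenuInternet and the .exe file association whose breakage produces the "what program do you want to use" prompt on a single account. It assumes an elevated PowerShell 2.0 or later prompt; the expected defaults '"%1" %*' and 'exefile' are Windows' own, while the two heuristics for a suspicious launch command (a second executable acting as a wrapper, a launcher under a profile or temp directory) are mine, derived from the Bad: values in the MBAM log.

```powershell
# Read-only audit of the registry keys abused in this thread. Added example; it changes nothing.

function Get-DefaultValue {
    # Returns the (default) value of a registry key, or $null if the key does not exist.
    param([string]$Key)
    if (-not (Test-Path -LiteralPath $Key)) { return $null }
    return (Get-ItemProperty -LiteralPath $Key).'(default)'
}

function Test-SuspiciousLaunchCommand {
    # Heuristics (mine, not Malwarebytes') for a shell\open\command that should start a browser directly.
    # Returns the reasons it looks wrong; nothing returned means nothing looked wrong.
    param([string]$Command)
    $reasons = @()
    if ([string]::IsNullOrEmpty($Command)) { return @('value is empty or missing') }
    # A clean command names one executable. The hijack in the MBAM log named two:
    # "...\vbi.exe" -a "...\firefox.exe", i.e. a wrapper that runs first.
    $exeCount = ([regex]::Matches($Command, '(?i)\.(exe|com|scr|bat|cmd)\b')).Count
    if ($exeCount -gt 1) { $reasons += "references $exeCount executables (possible wrapper)" }
    # Browsers do not live under a user profile, a temp directory or ProgramData.
    if ($Command -match '(?i)\\(AppData|Local Settings|Temp|ProgramData)\\') {
        $reasons += 'launcher sits in a profile, temp or ProgramData directory'
    }
    return $reasons
}

$findings = @()

# 1. The .exe association. A wrong handler here, or a per-user override that shadows
#    HKCR for one account only, is what makes every .exe ask "what program do you want to use".
$exeCmd = Get-DefaultValue 'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command'
if ($exeCmd -ne '"%1" %*') {
    $findings += "HKCR\exefile\shell\open\command is '$exeCmd' (expected '""%1"" %*')"
}
$exeClass = Get-DefaultValue 'Registry::HKEY_CLASSES_ROOT\.exe'
if ($exeClass -ne 'exefile') {
    $findings += "HKCR\.exe maps to '$exeClass' (expected 'exefile')"
}
$userExe = 'Registry::HKEY_CURRENT_USER\Software\Classes\.exe'
if (Test-Path -LiteralPath $userExe) {
    $findings += "per-user override at HKCU\Software\Classes\.exe maps to '$(Get-DefaultValue $userExe)'"
}
$userChoice = 'Registry::HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe\UserChoice'
if (Test-Path -LiteralPath $userChoice) {
    $findings += 'an Explorer "Open With" choice is stored for .exe under HKCU (FileExts\.exe\UserChoice)'
}

# 2. StartMenuInternet launch commands, the keys MBAM reported as Hijack.StartMenuInternet.
#    Both the open and safemode verbs were rewritten in the log, so both are audited.
foreach ($hive in 'HKEY_LOCAL_MACHINE', 'HKEY_CURRENT_USER') {
    $root = "Registry::$hive\SOFTWARE\Clients\StartMenuInternet"
    if (-not (Test-Path -LiteralPath $root)) { continue }
    foreach ($client in Get-ChildItem -LiteralPath $root) {
        foreach ($verb in 'open', 'safemode') {
            $key = "Registry::$($client.Name)\shell\$verb\command"
            if (-not (Test-Path -LiteralPath $key)) { continue }
            $cmd = Get-DefaultValue $key
            foreach ($why in Test-SuspiciousLaunchCommand $cmd) {
                $findings += "$hive $($client.PSChildName) shell\$verb\command = $cmd -> $why"
            }
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No anomalies found in the audited keys.'
} else {
    Write-Output 'Anomalies (review before changing anything; MBAM restores the defaults when run as described above):'
    $findings | ForEach-Object { Write-Output "  - $_" }
}
```

Because the HKCU checks are per user, run it while logged in as the account that shows the symptom; on an account where .exe files no longer launch at all, it is most useful afterwards, to confirm that the repair restored the defaults.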

  • Staff

Hi and welcome to Malwarebytes.

Please update MBAM, run a Quick Scan, and post its log.

Next, please visit this webpage for instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new DDS log so we may continue cleaning the system.

-screen317


Thank you so much for replying... I am really afraid of what this thing might be doing to my PC every time I have it running....

I have done what you asked and here are the logs. Malwarebytes first, then DDS, and ComboFix. Lastly I have reattached the zipped "attach.txt" file.

Thanks again. I am logging off for the night but will be back in the AM.

Malwarebytes' Anti-Malware 1.51.0.1200

www.malwarebytes.org

Database version: 6773

Windows 6.1.7601 Service Pack 1

Internet Explorer 8.0.7601.17514

6/4/2011 8:02:50 PM

mbam-log-2011-06-04 (20-02-50).txt

Scan type: Quick scan

Objects scanned: 148364

Time elapsed: 1 minute(s), 54 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

__________________________________________________________

.

DDS (Ver_11-05-19.01) - NTFSx86

Internet Explorer: 8.0.7601.17514

Run by Haddad at 20:04:45 on 2011-06-04

Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.3063.2128 [GMT -4:00]

.

AV: Microsoft Security Essentials *Disabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}

SP: Microsoft Security Essentials *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

============== Running Processes ===============

.

C:\Windows\system32\wininit.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\nvvsvc.exe

C:\Windows\system32\svchost.exe -k RPCSS

c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\system32\nvvsvc.exe

C:\Windows\System32\spoolsv.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Windows\system32\PnkBstrA.exe

C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe

C:\Windows\system32\svchost.exe -k imgsvc

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe

C:\Windows\system32\Dwm.exe

C:\Windows\system32\taskhost.exe

C:\Windows\Explorer.EXE

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted

C:\Windows\system32\WUDFHost.exe

C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

C:\Program Files\ScanSoft\OmniPageSE2.0\opwareSE2.exe

C:\Program Files\Microsoft LifeChat\LifeChat.exe

C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe

C:\Program Files\ASUS\AI Suite\QFan3\QFanHelp.exe

C:\Program Files\Microsoft Security Client\msseces.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\Program Files\PKWARE\PKZIPM\12.50.0013\PKTray.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Windows\system32\SearchIndexer.exe

C:\Program Files\Windows Media Player\wmpnetwk.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\System32\svchost.exe -k LocalServicePeerNet

C:\Windows\system32\DllHost.exe

C:\Windows\system32\sppsvc.exe

C:\Windows\system32\wuauclt.exe

C:\Windows\system32\DllHost.exe

C:\Users\Haddad\Desktop\Virus Programs\redirect issue\dds.scr

C:\Windows\system32\WSCRIPT.exe

C:\Windows\system32\wbem\wmiprvse.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = about:blank

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll

BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

uRun: [spybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe

mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"

mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE

mRun: [OpwareSE2] "c:\program files\scansoft\omnipagese2.0\OpwareSE2.exe"

mRun: [LifeChat] "c:\program files\microsoft lifechat\LifeChat.exe"

mRun: [RtHDVCpl] c:\program files\realtek\audio\hda\RtHDVCpl.exe -s

mRun: [QFan Help] "c:\program files\asus\ai suite\qfan3\QFanHelp.exe"

mRun: [Cpu Level Up help] "c:\program files\asus\ai suite\CpuLevelUpHelp.exe"

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey

StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe

StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\quicke~1.lnk - c:\program files\quicken\bagent.exe

StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\secure~1.lnk - c:\program files\pkware\pkzipm\12.50.0013\PKTray.exe

mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)

mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)

mPolicies-system: EnableLUA = 0 (0x0)

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

mPolicies-system: PromptOnSecureDesktop = 0 (0x0)

IE: E&xport to Microsoft Excel - c:\progra~1\micros~1\office11\EXCEL.EXE/3000

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~1\office11\REFIEBAR.DLL

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll

DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos-beta/OnlineScanner.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93}

DPF: {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA}

DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll

.

============= SERVICES / DRIVERS ===============

.

R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-10-24 165264]

R1 MpKsla9bab8fb;MpKsla9bab8fb;c:\programdata\microsoft\microsoft antimalware\definition updates\{381f6c10-dfb2-4061-85cb-65662e1cb751}\MpKsla9bab8fb.sys [2011-6-4 28752]

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]

R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]

R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2010-6-26 1153368]

R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\nvidia corporation\3d vision\nvSCPAPISvr.exe [2010-7-9 248936]

R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\drivers\MpNWMon.sys [2010-10-24 43392]

R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\drivers\yk62x86.sys [2009-9-28 315392]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]

S3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2010-10-24 54144]

S3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\antimalware\NisSrv.exe [2010-11-11 206360]

S3 StorSvc;Storage Service;c:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]

S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2011-3-8 52224]

S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-6-27 1343400]

.

=============== Created Last 30 ================

.

2011-06-04 23:58:58 28752 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{381f6c10-dfb2-4061-85cb-65662e1cb751}\MpKsla9bab8fb.sys

2011-06-04 13:10:17 -------- d-----w- c:\users\haddad\appdata\local\{F2752170-5B06-41EE-BF0E-59E3A6FF2700}

2011-06-04 12:48:24 -------- d-----w- c:\users\haddad\appdata\local\{7193D84C-E506-4EF4-BC70-2FDAD217A1D4}

2011-06-04 12:27:17 6962000 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{381f6c10-dfb2-4061-85cb-65662e1cb751}\mpengine.dll

2011-06-04 12:21:27 -------- d-----w- c:\users\haddad\appdata\local\{F44C6ED1-2EA7-4D9D-8F9E-A398FD6095F3}

2011-06-04 00:07:23 -------- d-sh--w- C:\$RECYCLE.BIN

2011-06-04 00:00:04 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-06-03 23:12:33 -------- d-----w- c:\users\haddad\appdata\local\{D72F6F7F-638F-42F7-B65E-5720420CF98C}

2011-06-03 11:12:09 -------- d-----w- c:\users\haddad\appdata\local\{071D94A0-7CEE-4BD8-970E-743E67DF0339}

2011-06-03 04:08:26 -------- d-----w- c:\program files\ESET

2011-06-03 02:52:38 98816 ----a-w- c:\windows\sed.exe

2011-06-03 02:52:38 518144 ----a-w- c:\windows\SWREG.exe

2011-06-03 02:52:38 256512 ----a-w- c:\windows\PEV.exe

2011-06-03 02:52:38 208896 ----a-w- c:\windows\MBR.exe

2011-06-02 22:53:44 -------- d-----w- c:\users\haddad\appdata\local\{F31E8C7F-32F0-4631-B284-D405A6B139A4}

2011-06-02 10:53:22 -------- d-----w- c:\users\haddad\appdata\local\{260EA1C3-D267-49BC-9D59-085A55B00122}

2011-06-01 17:03:05 -------- d-----w- c:\users\haddad\appdata\local\{F100ED35-64A6-4435-9844-5A2DD41B6BB4}

2011-06-01 02:09:14 6962000 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll

2011-06-01 01:18:21 -------- d-----w- c:\users\haddad\appdata\local\{070E0473-C0BB-4EAB-B4E8-DF4C906F8051}

2011-05-31 11:48:18 -------- d-----w- c:\users\haddad\appdata\local\{DA1B5ACB-3C64-4081-A341-6676018931C9}

2011-05-30 20:32:27 302592 ----a-w- c:\windows\system32\cmd.execf

2011-05-30 18:31:03 439632 ------w- c:\programdata\microsoft\microsoft antimalware\definition updates\{615560b2-c1fc-4a6e-81e0-2fcfc923c106}\gapaengine.dll

2011-05-30 18:23:24 -------- d-----w- c:\program files\Microsoft Security Client

2011-05-30 13:08:16 -------- d-----w- c:\users\haddad\appdata\local\{AEC24F50-44B5-44DB-BA7F-9954CA670562}

2011-05-30 10:50:13 27008 ----a-w- c:\windows\system32\drivers\Diskdump.sys

2011-05-30 00:01:19 -------- d-----w- c:\users\haddad\appdata\local\{CD61FE04-9485-4270-9FE3-0A62D9C08250}

2011-05-29 12:00:57 -------- d-----w- c:\users\haddad\appdata\local\{71B388AF-9F44-4474-8DE0-E76117644FE6}

2011-05-29 00:00:23 -------- d-----w- c:\users\haddad\appdata\local\{7DE259A1-C389-4BA3-987E-C5FCE2A467F1}

2011-05-28 11:59:48 -------- d-----w- c:\users\haddad\appdata\local\{C837DEC9-C3E8-4C6C-8596-3F415C34ABBD}

2011-05-28 02:18:16 6962000 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{36cc329a-6e97-4280-953e-f295df62d7a6}\mpengine.dll

2011-05-27 23:59:13 -------- d-----w- c:\users\haddad\appdata\local\{3ECDCA21-84E7-4FCD-ADBF-231B59C7903B}

2011-05-27 11:59:14 -------- d-----w- c:\users\haddad\appdata\local\{CB50ABA4-0AA8-4B70-9BBA-5C211A80FABA}

2011-05-26 12:35:20 -------- d-----w- c:\users\haddad\appdata\local\{B87BEA78-ED33-4A60-BE37-2089BE7AA420}

2011-05-26 00:34:45 -------- d-----w- c:\users\haddad\appdata\local\{3B23178A-91F6-4DB0-AFA7-9DADC0053DF3}

2011-05-25 12:34:24 -------- d-----w- c:\users\haddad\appdata\local\{4AA0C36E-3FE0-4C6D-9C24-BADE45AC4F71}

2011-05-25 00:08:28 -------- d-----w- c:\users\haddad\appdata\local\{71992081-F865-4EE2-BAD5-D20D69196FA6}

2011-05-24 12:07:02 -------- d-----w- c:\users\haddad\appdata\local\{0B4A8832-184C-4CBA-ACE4-6C80546C699D}

2011-05-24 00:06:29 -------- d-----w- c:\users\haddad\appdata\local\{B7BC9B2C-7981-4186-B6F5-E83B4D656923}

2011-05-23 12:05:54 -------- d-----w- c:\users\haddad\appdata\local\{4C5A55F2-117A-41E4-B865-EEB7CB805826}

2011-05-22 23:15:13 -------- d-----w- c:\users\haddad\appdata\local\{FA7AD549-3FA4-4210-A79E-C689A5C9BCB0}

2011-05-22 10:03:23 -------- d-----w- c:\users\haddad\appdata\local\{9839334A-2E77-4B5B-8198-AFDDBD07852C}

2011-05-21 22:02:48 -------- d-----w- c:\users\haddad\appdata\local\{F9CB9C4D-C165-4E91-A9B9-CF64BA5BB0B1}

2011-05-21 09:10:32 -------- d-----w- c:\users\haddad\appdata\local\{5611E239-9B95-4B5D-B586-00C9FD8BD085}

2011-05-20 13:55:20 -------- d-----w- c:\users\haddad\appdata\local\{99064F43-DCBF-464B-B78D-37BFC8DBC67D}

2011-05-20 00:18:50 -------- d-----w- c:\users\haddad\appdata\local\{65D30D2B-28E3-4EE3-B806-64910281B7D0}

2011-05-19 11:52:57 -------- d-----w- c:\users\haddad\appdata\local\{D445CA83-0B3A-4E3E-938F-3C2333C67AFC}

2011-05-18 22:58:39 -------- d-----w- c:\users\haddad\appdata\local\{F8647273-E663-499A-8DB8-14DD31D12825}

2011-05-18 10:37:40 -------- d-----w- c:\users\haddad\appdata\local\{A83AFBCF-ABCF-41A9-A67C-09A9048DA610}

2011-05-17 22:37:05 -------- d-----w- c:\users\haddad\appdata\local\{2BC430BD-E824-4EC1-870C-9342DE20152D}

2011-05-17 10:36:30 -------- d-----w- c:\users\haddad\appdata\local\{341F4231-77D2-4369-9227-70B3B43FC33E}

2011-05-16 03:32:02 123904 ----a-w- c:\windows\system32\poqexec.exe

2011-05-15 22:21:59 -------- d-----w- c:\users\haddad\appdata\local\{AB91F668-0186-485C-823A-AD341E753D14}

2011-05-15 10:04:22 -------- d-----w- c:\users\haddad\appdata\local\{2E3973A8-8BCD-4BD5-819B-C91977AA3871}

2011-05-14 13:42:09 -------- d-----w- c:\users\haddad\appdata\local\{17E82E7E-F5CE-44F2-B9A9-A10C59D0D715}

2011-05-14 01:03:11 -------- d-----w- c:\users\haddad\appdata\local\{DFF89132-2759-4EFA-AAF6-6CB51F17B035}

2011-05-13 11:40:01 -------- d-----w- c:\users\haddad\appdata\local\{4DCF3A55-FC38-4D6B-9729-3E0C8D6B539E}

2011-05-11 21:21:47 -------- d-----w- c:\users\haddad\appdata\local\{548D02C9-AC99-4CD0-8747-CF1978377C2D}

2011-05-11 09:21:26 -------- d-----w- c:\users\haddad\appdata\local\{681F671D-E855-4289-B9DF-7A535035E631}

2011-05-10 22:05:53 75776 ----a-w- c:\windows\system32\drivers\usbccgp.sys

2011-05-10 22:05:53 5888 ----a-w- c:\windows\system32\drivers\usbd.sys

2011-05-10 22:05:53 43008 ----a-w- c:\windows\system32\drivers\usbehci.sys

2011-05-10 22:05:53 284672 ----a-w- c:\windows\system32\drivers\usbport.sys

2011-05-10 22:05:53 258560 ----a-w- c:\windows\system32\drivers\usbhub.sys

2011-05-10 22:05:53 24064 ----a-w- c:\windows\system32\drivers\usbuhci.sys

2011-05-10 22:05:52 3967872 ----a-w- c:\windows\system32\ntkrnlpa.exe

2011-05-10 22:05:52 3912576 ----a-w- c:\windows\system32\ntoskrnl.exe

2011-05-10 21:19:13 -------- d-----w- c:\users\haddad\appdata\local\{FD7A83F7-B4B7-4E70-9945-0012953246F8}

2011-05-09 16:27:59 -------- d-----w- c:\users\haddad\appdata\local\{1CC34F21-99A5-464E-8916-25C6663DE7F0}

2011-05-09 00:50:46 -------- d-----w- c:\users\haddad\appdata\local\{E7CC526F-EE3F-4C8D-B9E9-3315C7F169D0}

2011-05-08 12:32:27 -------- d-----w- c:\users\haddad\appdata\local\{2B346EA9-BF45-4E89-9B83-AABC181E282D}

2011-05-08 00:31:52 -------- d-----w- c:\users\haddad\appdata\local\{C58BE4CB-CA4A-4D51-A6A2-A23520B225B3}

2011-05-07 09:05:12 -------- d-----w- c:\users\haddad\appdata\local\{1E9148EC-0C94-4A3A-B78C-3F28285139E1}

2011-05-06 12:31:43 -------- d-----w- c:\users\haddad\appdata\local\{FC1051C9-2560-4BBB-A3B5-DD3F800C7DC9}

.

==================== Find3M ====================

.

2011-03-12 11:23:45 870912 ----a-w- c:\windows\system32\XpsPrint.dll

2011-03-11 05:39:05 148864 ----a-w- c:\windows\system32\drivers\storport.sys

2011-03-11 05:39:00 143744 ----a-w- c:\windows\system32\drivers\nvstor.sys

2011-03-11 05:39:00 1211264 ----a-w- c:\windows\system32\drivers\ntfs.sys

2011-03-11 05:39:00 117120 ----a-w- c:\windows\system32\drivers\nvraid.sys

2011-03-11 05:38:51 332160 ----a-w- c:\windows\system32\drivers\iaStorV.sys

2011-03-11 05:38:37 80256 ----a-w- c:\windows\system32\drivers\amdsata.sys

2011-03-11 05:38:37 22400 ----a-w- c:\windows\system32\drivers\amdxata.sys

2011-03-11 05:33:59 1164288 ----a-w- c:\windows\system32\mfc42u.dll

2011-03-11 05:33:59 1137664 ----a-w- c:\windows\system32\mfc42.dll

2011-03-11 05:33:09 1699328 ----a-w- c:\windows\system32\esent.dll

2011-03-11 05:31:07 74240 ----a-w- c:\windows\system32\fsutil.exe

2011-03-09 03:38:55 152576 ----a-w- c:\windows\system32\msclmd.dll

2011-03-08 05:28:29 741376 ----a-w- c:\windows\system32\inetcomm.dll

2011-03-07 05:33:13 981504 ----a-w- c:\windows\system32\wininet.dll

2011-03-07 03:52:25 1638912 ----a-w- c:\windows\system32\mshtml.tlb

.

============= FINISH: 20:05:04.32 ===============

_______________________________________________________________________________

ComboFix 11-06-04.02 - Haddad 06/04/2011 20:19:57.3.8 - x86

Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.3063.1965 [GMT -4:00]

Running from: c:\users\Haddad\Desktop\ComboFix.exe

AV: Microsoft Security Essentials *Disabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}

SP: Microsoft Security Essentials *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\windows\security\Database\tmp.edb

.

.

((((((((((((((((((((((((( Files Created from 2011-05-05 to 2011-06-05 )))))))))))))))))))))))))))))))

.

.

2011-06-05 00:23 . 2011-06-05 00:23 -------- d-----w- c:\users\Haddad\AppData\Local\temp

2011-06-05 00:23 . 2011-06-05 00:23 -------- d-----w- c:\users\Default\AppData\Local\temp

2011-06-04 23:58 . 2011-06-04 23:58 28752 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{381F6C10-DFB2-4061-85CB-65662E1CB751}\MpKsla9bab8fb.sys

2011-06-04 13:10 . 2011-06-04 13:10 -------- d-----w- c:\users\Haddad\AppData\Local\{F2752170-5B06-41EE-BF0E-59E3A6FF2700}

2011-06-04 12:48 . 2011-06-04 12:48 -------- d-----w- c:\users\Haddad\AppData\Local\{7193D84C-E506-4EF4-BC70-2FDAD217A1D4}

2011-06-04 12:27 . 2011-05-09 17:46 6962000 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{381F6C10-DFB2-4061-85CB-65662E1CB751}\mpengine.dll

2011-06-04 12:21 . 2011-06-04 12:21 -------- d-----w- c:\users\Haddad\AppData\Local\{F44C6ED1-2EA7-4D9D-8F9E-A398FD6095F3}

2011-06-04 00:00 . 2011-05-29 13:11 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-06-03 23:12 . 2011-06-03 23:12 -------- d-----w- c:\users\Haddad\AppData\Local\{D72F6F7F-638F-42F7-B65E-5720420CF98C}

2011-06-03 11:12 . 2011-06-03 11:12 -------- d-----w- c:\users\Haddad\AppData\Local\{071D94A0-7CEE-4BD8-970E-743E67DF0339}

2011-06-03 04:08 . 2011-06-03 04:08 -------- d-----w- c:\program files\ESET

2011-06-02 22:53 . 2011-06-02 22:53 -------- d-----w- c:\users\Haddad\AppData\Local\{F31E8C7F-32F0-4631-B284-D405A6B139A4}

2011-06-02 10:53 . 2011-06-02 10:53 -------- d-----w- c:\users\Haddad\AppData\Local\{260EA1C3-D267-49BC-9D59-085A55B00122}

2011-06-01 17:03 . 2011-06-01 17:03 -------- d-----w- c:\users\Haddad\AppData\Local\{F100ED35-64A6-4435-9844-5A2DD41B6BB4}

2011-06-01 02:09 . 2011-05-09 17:46 6962000 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll

2011-06-01 01:18 . 2011-06-01 01:18 -------- d-----w- c:\users\Haddad\AppData\Local\{070E0473-C0BB-4EAB-B4E8-DF4C906F8051}

2011-05-31 11:48 . 2011-05-31 11:48 -------- d-----w- c:\users\Haddad\AppData\Local\{DA1B5ACB-3C64-4081-A341-6676018931C9}

2011-05-30 20:32 . 2011-05-30 20:32 302592 ----a-w- c:\windows\system32\cmd.execf

2011-05-30 18:31 . 2011-05-30 18:30 439632 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{615560B2-C1FC-4A6E-81E0-2FCFC923C106}\gapaengine.dll

2011-05-30 18:23 . 2011-05-30 18:23 -------- d-----w- c:\program files\Microsoft Security Client

2011-05-30 13:08 . 2011-05-30 13:08 -------- d-----w- c:\users\Haddad\AppData\Local\{AEC24F50-44B5-44DB-BA7F-9954CA670562}

2011-05-30 10:50 . 2011-04-22 19:14 27008 ----a-w- c:\windows\system32\drivers\Diskdump.sys

2011-05-30 00:01 . 2011-05-30 00:01 -------- d-----w- c:\users\Haddad\AppData\Local\{CD61FE04-9485-4270-9FE3-0A62D9C08250}

2011-05-29 12:00 . 2011-05-29 12:01 -------- d-----w- c:\users\Haddad\AppData\Local\{71B388AF-9F44-4474-8DE0-E76117644FE6}

2011-05-29 00:00 . 2011-05-29 00:00 -------- d-----w- c:\users\Haddad\AppData\Local\{7DE259A1-C389-4BA3-987E-C5FCE2A467F1}

2011-05-28 11:59 . 2011-05-28 11:59 -------- d-----w- c:\users\Haddad\AppData\Local\{C837DEC9-C3E8-4C6C-8596-3F415C34ABBD}

2011-05-28 02:18 . 2011-05-09 20:46 6962000 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{36CC329A-6E97-4280-953E-F295DF62D7A6}\mpengine.dll

2011-05-27 23:59 . 2011-05-27 23:59 -------- d-----w- c:\users\Haddad\AppData\Local\{3ECDCA21-84E7-4FCD-ADBF-231B59C7903B}

2011-05-27 11:59 . 2011-05-27 11:59 -------- d-----w- c:\users\Haddad\AppData\Local\{CB50ABA4-0AA8-4B70-9BBA-5C211A80FABA}

2011-05-26 12:35 . 2011-05-26 12:35 -------- d-----w- c:\users\Haddad\AppData\Local\{B87BEA78-ED33-4A60-BE37-2089BE7AA420}

2011-05-26 00:34 . 2011-05-26 00:34 -------- d-----w- c:\users\Haddad\AppData\Local\{3B23178A-91F6-4DB0-AFA7-9DADC0053DF3}

2011-05-25 12:34 . 2011-05-25 12:34 -------- d-----w- c:\users\Haddad\AppData\Local\{4AA0C36E-3FE0-4C6D-9C24-BADE45AC4F71}

2011-05-25 00:08 . 2011-05-25 00:08 -------- d-----w- c:\users\Haddad\AppData\Local\{71992081-F865-4EE2-BAD5-D20D69196FA6}

2011-05-24 12:07 . 2011-05-24 12:07 -------- d-----w- c:\users\Haddad\AppData\Local\{0B4A8832-184C-4CBA-ACE4-6C80546C699D}

2011-05-24 00:06 . 2011-05-24 00:06 -------- d-----w- c:\users\Haddad\AppData\Local\{B7BC9B2C-7981-4186-B6F5-E83B4D656923}

2011-05-23 12:05 . 2011-05-23 12:06 -------- d-----w- c:\users\Haddad\AppData\Local\{4C5A55F2-117A-41E4-B865-EEB7CB805826}

2011-05-22 23:15 . 2011-05-22 23:15 -------- d-----w- c:\users\Haddad\AppData\Local\{FA7AD549-3FA4-4210-A79E-C689A5C9BCB0}

2011-05-22 10:03 . 2011-05-22 10:03 -------- d-----w- c:\users\Haddad\AppData\Local\{9839334A-2E77-4B5B-8198-AFDDBD07852C}

2011-05-21 22:02 . 2011-05-21 22:02 -------- d-----w- c:\users\Haddad\AppData\Local\{F9CB9C4D-C165-4E91-A9B9-CF64BA5BB0B1}

2011-05-21 09:10 . 2011-05-21 09:10 -------- d-----w- c:\users\Haddad\AppData\Local\{5611E239-9B95-4B5D-B586-00C9FD8BD085}

2011-05-20 13:55 . 2011-05-20 13:55 -------- d-----w- c:\users\Haddad\AppData\Local\{99064F43-DCBF-464B-B78D-37BFC8DBC67D}

2011-05-20 00:18 . 2011-05-20 00:19 -------- d-----w- c:\users\Haddad\AppData\Local\{65D30D2B-28E3-4EE3-B806-64910281B7D0}

2011-05-19 11:52 . 2011-05-19 11:53 -------- d-----w- c:\users\Haddad\AppData\Local\{D445CA83-0B3A-4E3E-938F-3C2333C67AFC}

2011-05-18 22:58 . 2011-05-18 22:58 -------- d-----w- c:\users\Haddad\AppData\Local\{F8647273-E663-499A-8DB8-14DD31D12825}

2011-05-18 10:37 . 2011-05-18 10:37 -------- d-----w- c:\users\Haddad\AppData\Local\{A83AFBCF-ABCF-41A9-A67C-09A9048DA610}

2011-05-17 22:37 . 2011-05-17 22:37 -------- d-----w- c:\users\Haddad\AppData\Local\{2BC430BD-E824-4EC1-870C-9342DE20152D}

2011-05-17 10:36 . 2011-05-17 10:36 -------- d-----w- c:\users\Haddad\AppData\Local\{341F4231-77D2-4369-9227-70B3B43FC33E}

2011-05-16 03:32 . 2011-04-09 05:56 123904 ----a-w- c:\windows\system32\poqexec.exe

2011-05-15 22:21 . 2011-05-15 22:22 -------- d-----w- c:\users\Haddad\AppData\Local\{AB91F668-0186-485C-823A-AD341E753D14}

2011-05-15 10:04 . 2011-05-15 10:04 -------- d-----w- c:\users\Haddad\AppData\Local\{2E3973A8-8BCD-4BD5-819B-C91977AA3871}

2011-05-14 13:42 . 2011-05-14 13:42 -------- d-----w- c:\users\Haddad\AppData\Local\{17E82E7E-F5CE-44F2-B9A9-A10C59D0D715}

2011-05-14 01:03 . 2011-05-14 01:03 -------- d-----w- c:\users\Haddad\AppData\Local\{DFF89132-2759-4EFA-AAF6-6CB51F17B035}

2011-05-13 11:40 . 2011-05-13 11:40 -------- d-----w- c:\users\Haddad\AppData\Local\{4DCF3A55-FC38-4D6B-9729-3E0C8D6B539E}

2011-05-11 21:21 . 2011-05-11 21:21 -------- d-----w- c:\users\Haddad\AppData\Local\{548D02C9-AC99-4CD0-8747-CF1978377C2D}

2011-05-11 09:21 . 2011-05-11 09:21 -------- d-----w- c:\users\Haddad\AppData\Local\{681F671D-E855-4289-B9DF-7A535035E631}

2011-05-10 22:05 . 2011-03-25 02:58 258560 ----a-w- c:\windows\system32\drivers\usbhub.sys

2011-05-10 22:05 . 2011-03-25 02:58 284672 ----a-w- c:\windows\system32\drivers\usbport.sys

2011-05-10 22:05 . 2011-03-25 02:58 75776 ----a-w- c:\windows\system32\drivers\usbccgp.sys

2011-05-10 22:05 . 2011-03-25 02:57 43008 ----a-w- c:\windows\system32\drivers\usbehci.sys

2011-05-10 22:05 . 2011-03-25 02:57 24064 ----a-w- c:\windows\system32\drivers\usbuhci.sys

2011-05-10 22:05 . 2011-03-25 02:57 5888 ----a-w- c:\windows\system32\drivers\usbd.sys

2011-05-10 22:05 . 2011-04-09 06:02 3967872 ----a-w- c:\windows\system32\ntkrnlpa.exe

2011-05-10 22:05 . 2011-04-09 06:02 3912576 ----a-w- c:\windows\system32\ntoskrnl.exe

2011-05-10 21:19 . 2011-05-10 21:19 -------- d-----w- c:\users\Haddad\AppData\Local\{FD7A83F7-B4B7-4E70-9945-0012953246F8}

2011-05-09 16:27 . 2011-05-09 16:28 -------- d-----w- c:\users\Haddad\AppData\Local\{1CC34F21-99A5-464E-8916-25C6663DE7F0}

2011-05-09 00:50 . 2011-05-09 00:50 -------- d-----w- c:\users\Haddad\AppData\Local\{E7CC526F-EE3F-4C8D-B9E9-3315C7F169D0}

2011-05-08 12:32 . 2011-05-08 12:32 -------- d-----w- c:\users\Haddad\AppData\Local\{2B346EA9-BF45-4E89-9B83-AABC181E282D}

2011-05-08 00:31 . 2011-05-08 00:32 -------- d-----w- c:\users\Haddad\AppData\Local\{C58BE4CB-CA4A-4D51-A6A2-A23520B225B3}

2011-05-07 09:05 . 2011-05-07 09:05 -------- d-----w- c:\users\Haddad\AppData\Local\{1E9148EC-0C94-4A3A-B78C-3F28285139E1}

2011-05-06 12:31 . 2011-05-06 12:31 -------- d-----w- c:\users\Haddad\AppData\Local\{FC1051C9-2560-4BBB-A3B5-DD3F800C7DC9}

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-03-15 13:11 . 2010-06-24 16:33 18328 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll

2011-03-12 11:23 . 2011-04-27 09:06 870912 ----a-w- c:\windows\system32\XpsPrint.dll

2011-03-11 05:39 . 2011-04-27 09:06 148864 ----a-w- c:\windows\system32\drivers\storport.sys

2011-03-11 05:39 . 2011-04-27 09:06 143744 ----a-w- c:\windows\system32\drivers\nvstor.sys

2011-03-11 05:39 . 2011-04-27 09:06 1211264 ----a-w- c:\windows\system32\drivers\ntfs.sys

2011-03-11 05:39 . 2011-04-27 09:06 117120 ----a-w- c:\windows\system32\drivers\nvraid.sys

2011-03-11 05:38 . 2011-04-27 09:06 332160 ----a-w- c:\windows\system32\drivers\iaStorV.sys

2011-03-11 05:38 . 2011-04-27 09:06 80256 ----a-w- c:\windows\system32\drivers\amdsata.sys

2011-03-11 05:38 . 2011-04-27 09:06 22400 ----a-w- c:\windows\system32\drivers\amdxata.sys

2011-03-11 05:33 . 2011-04-14 18:41 1164288 ----a-w- c:\windows\system32\mfc42u.dll

2011-03-11 05:33 . 2011-04-14 18:41 1137664 ----a-w- c:\windows\system32\mfc42.dll

2011-03-11 05:33 . 2011-04-27 09:06 1699328 ----a-w- c:\windows\system32\esent.dll

2011-03-11 05:31 . 2011-04-27 09:06 74240 ----a-w- c:\windows\system32\fsutil.exe

2011-03-09 03:38 . 2009-07-14 02:05 152576 ----a-w- c:\windows\system32\msclmd.dll

2011-03-08 05:28 . 2011-04-14 18:41 741376 ----a-w- c:\windows\system32\inetcomm.dll

2011-03-07 05:33 . 2011-04-14 18:41 981504 ----a-w- c:\windows\system32\wininet.dll

2011-03-07 03:52 . 2011-04-14 18:41 1638912 ----a-w- c:\windows\system32\mshtml.tlb

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-06-29 32768]

"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2009-06-17 55824]

"OpwareSE2"="c:\program files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" [2003-05-08 49152]

"LifeChat"="c:\program files\Microsoft LifeChat\LifeChat.exe" [2009-09-28 264040]

"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2009-11-03 7866912]

"QFan Help"="c:\program files\ASUS\AI Suite\QFan3\QFanHelp.exe" [2009-08-19 603136]

"Cpu Level Up help"="c:\program files\ASUS\AI Suite\CpuLevelUpHelp.exe" [2009-08-21 887936]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]

"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2010-11-30 997408]

.

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\

Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2010-6-25 813584]

Quicken Scheduled Updates.lnk - c:\program files\Quicken\bagent.exe [2003-7-29 57344]

SecureZIP Attachments Status.lnk - c:\program files\PKWARE\PKZIPM\12.50.0013\PKTray.exe [2010-7-7 304464]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"= 0 (0x0)

"ConsentPromptBehaviorUser"= 3 (0x3)

"EnableLUA"= 0 (0x0)

"EnableUIADesktopToggle"= 0 (0x0)

"PromptOnSecureDesktop"= 0 (0x0)

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]

2009-07-20 16:28 72208 ----a-w- c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll

.

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]

@="Service"

.

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]

R2 mrtRate;mrtRate; [x]

R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2011-05-29 39984]

R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [2010-10-25 43392]

R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2010-10-25 54144]

R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\Antimalware\NisSrv.exe [2010-11-11 206360]

R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]

R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-06-26 1343400]

S1 MpKsla9bab8fb;MpKsla9bab8fb;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{381F6C10-DFB2-4061-85CB-65662E1CB751}\MpKsla9bab8fb.sys [2011-06-04 28752]

S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2010-02-17 12872]

S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2010-05-10 67656]

S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]

S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2010-07-09 248936]

S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x86.sys [2009-09-28 315392]

.

.

.

------- Supplementary Scan -------

.

uStart Page = about:blank

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\OFFICE11\EXCEL.EXE/3000

TCP: DhcpNameServer = 192.168.1.1 71.243.0.12

DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

.

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]

@Denied: (Full) (Everyone)

.

Completion time: 2011-06-04 20:24:14

ComboFix-quarantined-files.txt 2011-06-05 00:24

ComboFix2.txt 2011-06-04 00:07

ComboFix3.txt 2011-06-03 02:56

.

Pre-Run: 947,148,382,208 bytes free

Post-Run: 947,131,342,848 bytes free

.

- - End Of File - - CBA097B4433C60A8124741DDABF478AF

______________________________________

End of all logs.

Attach.zip


  • Staff

Hi,

Next, please run a free online scan with the ESET Online Scanner

Note: You will need to use Internet Explorer for this scan.

  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the ActiveX control to install
  4. Click Start
  5. Make sure that the options Remove found threats and Scan unwanted applications are checked
  6. Click Scan
    Wait for the scan to finish
  7. Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  8. Copy and paste that log as a reply to this topic

Next, download my Security Check from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Let me know how things are running now and what issues remain.

-screen317


Hey there... While I was waiting for your response, I looked through some other forum postings and found that many people have been hit by this.... In one of the posts the user used DrWeb CureIt and was able to fix the problem. So I went ahead and did just that. CureIt was able to find a Trojan and a Backdoor.TDSS rootkit. I am not at my home PC now, but I will reply later with the log for your information. I also deleted some files that I knew were suspect.

Long story short, when the problem first occurred I scanned the system for any weird files and found one fitting the date range of when it happened. The file I found was in C:\Users\xxxxx\AppData\Local\Microsoft\Windows\Explorer; it was called ExplorerStartuLog_RunOnce.etl. I placed this file into a directory called test (so I can put it back if it wasn't correct). I then tried to use IE to perform a search and the redirect didn't work; it came up with an error instead. So I scanned my drive for other files fitting the date and time of that file and found 5 other files. I moved all the files to a test directory and rebooted. The file ended up getting recreated. So although I found something, I wasn't able to get rid of the virus.

So when CureIt was done I deleted those files again and reran a full scan of CureIt; everything was clean. I also did a complete scan with Malwarebytes, Spybot and SUPERAntiSpyware, all clean....

I will post later with the Log files.


Here is the DrWeb CureIt log

Process in memory: C:\Program Files\Internet Explorer\iexplore.exe:1680;;BackDoor.Tdss.565;Eradicated.

volsnap.sys;C:\Windows\system32\drivers;Trojan.Tdlbase.1;Cured.

The Malwarebytes log is below.

During my research, I noticed that some moderators used TDSSKiller. I tried that; it didn't run even after I changed the name. Also, something to note: just before getting this nasty bug, I did get the Windows 7 Recovery virus, which hides all the files on the desktop and start menu, but I was able to use a cmd window to remove the virus and restore my system to get all my stuff unhidden. After the restore is when I noticed this virus. My guess is that it piggybacked with the Recovery virus.

I believe these came in on an e-mail, and Outlook is set up to open automatically.... Safe to say, my system is now locked down to prevent this from happening again.

I have two questions though.

1) Is it OK with MBAM for me to post, recommending others that seem to be having a similar issue, to use DrWeb? Not sure if that is a competitor of MBAM or not.

2) I am now running just Windows Security Essentials, but prior I was running Spybot S&D. But none of my scanning tools caught this nasty virus. Is there any software out there that will catch this stuff.... On a previous infection, Spybot S&D didn't find anything but MalwareBytes did, and although the software said it got rid of the virus, it didn't; I had to delete the files myself and that did it. Please advise.

Let me know if you want me to do any more logs so MBAM can put this bug in their database.

Regards

Here is the MBAM log after the TDSS was removed.

Malwarebytes' Anti-Malware 1.51.0.1200

www.malwarebytes.org

Database version: 6773

Windows 6.1.7601 Service Pack 1

Internet Explorer 8.0.7601.17514

6/6/2011 1:32:57 AM

mbam-log-2011-06-06 (01-32-57).txt

Scan type: Quick scan

Objects scanned: 148067

Time elapsed: 2 minute(s), 36 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)


  • 3 weeks later...
  • Staff

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
