
StartNow infection



I was infected with re-directs in all my browsers. On my own (sorry, before coming to this forum) I ran a full MS Security Essentials scan, Combofix and MalwareBytes. I found the file that had a "back-door", backdoor:Win32/pasurlts. I removed it with MSSE. I also deleted the folder where it came from. Chrome still tries to open to StartNow but MalwareBytes stops it. I ran GMER Rootkit Scanner; it found no system modifications and did not produce a log. BTW "show-all" was greyed out in settings.

MalwareBytes log

05:30:55 GranPaSmurf MESSAGE Protection started successfully

05:31:02 GranPaSmurf MESSAGE IP Protection started successfully

05:32:11 GranPaSmurf MESSAGE Scheduled update executed successfully

05:35:02 GranPaSmurf MESSAGE IP Protection stopped

05:35:06 GranPaSmurf MESSAGE Database updated successfully

05:35:10 GranPaSmurf MESSAGE IP Protection started successfully

06:14:42 GranPaSmurf IP-BLOCK 64.20.54.67 (Type: outgoing, Port: 49624, Process: chrome.exe)

07:03:06 GranPaSmurf IP-BLOCK 64.20.54.67 (Type: outgoing, Port: 49744, Process: chrome.exe)

13:49:19 GranPaSmurf MESSAGE Protection started successfully

13:49:27 GranPaSmurf MESSAGE IP Protection started successfully

14:07:16 GranPaSmurf IP-BLOCK 64.20.54.67 (Type: outgoing, Port: 49327, Process: chrome.exe)

14:07:16 GranPaSmurf IP-BLOCK 64.20.54.67 (Type: outgoing, Port: 49345, Process: chrome.exe)

.

DDS Txt

DDS (Ver_2011-06-12.02) - NTFSAMD64

Internet Explorer: 9.0.8112.16421

Run by GranPaSmurf at 15:07:32 on 2011-06-17

Microsoft Windows 7 Professional 6.1.7600.0.1252.1.1033.18.3248.1955 [GMT -5:00]

.

AV: Microsoft Security Essentials *Disabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}

SP: Microsoft Security Essentials *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

============== Running Processes ===============

.

C:\Windows\system32\wininit.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe

C:\Windows\system32\svchost.exe -k RPCSS

C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Program Files (x86)\Common Files\logishrd\LVMVFM\UMVPFSrv.exe

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\System32\spoolsv.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Windows\System32\svchost.exe -k NetworkService

C:\Program Files\Soluto\SolutoService.exe

C:\Windows\system32\svchost.exe -k imgsvc

C:\Windows\system32\taskhost.exe

C:\Windows\Explorer.EXE

C:\Program Files\Microsoft Security Client\msseces.exe

C:\Program Files\Logitech\SetPointP\SetPoint.exe

C:\Program Files (x86)\Synergy\synergys.exe

C:\Users\GranPaSmurf\AppData\Local\Google\Chrome SxS\Application\chrome.exe

C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE

C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe

C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe

C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe

C:\Windows\system32\SearchIndexer.exe

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted

C:\Windows\system32\WUDFHost.exe

C:\Program Files (x86)\Logitech\LWS\Webcam Software\CameraHelperShell.exe

C:\Program Files\Windows Media Player\wmpnetwk.exe

C:\Program Files (x86)\Common Files\Logishrd\LQCVFX\COCIManager.exe

C:\Users\GranPaSmurf\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Windows\System32\svchost.exe -k LocalServicePeerNet

C:\Windows\system32\svchost.exe -k SDRSVC

C:\Program Files (x86)\Internet Explorer\IELowutil.exe

C:\Users\GranPaSmurf\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\GranPaSmurf\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\GranPaSmurf\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\GranPaSmurf\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\GranPaSmurf\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\GranPaSmurf\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Windows\SysWOW64\rundll32.exe

C:\Users\GranPaSmurf\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\GranPaSmurf\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\GranPaSmurf\AppData\Local\Google\Google Talk Plugin\googletalkplugin.exe

C:\Users\GranPaSmurf\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\GranPaSmurf\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\GranPaSmurf\Downloads\Defogger (1).exe

C:\Windows\system32\conhost.exe

C:\Users\GranPaSmurf\Desktop\jrh1eeh6.exe

C:\Program Files\Windows Sidebar\sidebar.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\vssvc.exe

C:\Windows\System32\svchost.exe -k swprv

C:\Windows\SysWOW64\NOTEPAD.EXE

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\conhost.exe

C:\Windows\SysWOW64\cscript.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.google.com/ig?refresh=1

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

BHO: LastPass Browser Helper Object: {95d9ecf5-2a4d-4550-be49-70d42f71296e} - C:\Program Files (x86)\LastPass\LPBar.dll

TB: LastPass Toolbar: {9f6b5cc3-5c7b-4b5c-97af-19dec1e380e5} - C:\Program Files (x86)\LastPass\LPBar.dll

uRun: [synergy Server] "C:\Program Files (x86)\Synergy\synergys.exe" --no-daemon --debug WARNING --name joyusvidbeast02 --address :24800

uRun: [C32BAEAE618CA48D7B1C51C41655BDF8D1A4E953._service_run] "C:\Users\GranPaSmurf\AppData\Local\Google\Chrome SxS\Application\chrome.exe" --type=service

uRun: [C1A2E05DCF3CC6D9CF27D6722BF353B7894344A7._service_run] "C:\Users\GranPaSmurf\AppData\Local\Google\Chrome\Application\chrome.exe" --type=service

uRun: [sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun

mRun: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray

mRun: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe" /hide

mRun: [LWS] C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe -hide

StartupFolder: C:\Users\GRANPA~1\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\LOGITE~1.LNK - C:\Program Files (x86)\Logitech\Ereg\eReg.exe

mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)

mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

mPolicies-system: PromptOnSecureDesktop = 0 (0x0)

mPolicies-system: SoftwareSASGeneration = 3 (0x3)

IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~2\Office12\EXCEL.EXE/3000

IE: LastPass - file://C:\Program Files (x86)\LastPass\context.html?cmd=lastpass

IE: LastPass Fill Forms - file://C:\Program Files (x86)\LastPass\context.html?cmd=fillforms

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\PROGRA~2\MICROS~2\Office12\ONBttnIE.dll

IE: {43699cd0-e34f-11de-8a39-0800200c9a66} - {95D9ECF5-2A4D-4550-BE49-70D42F71296E} - C:\Program Files (x86)\LastPass\LPBar.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~2\Office12\REFIEBAR.DLL

DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

TCP: DhcpNameServer = 192.168.15.1

TCP: Interfaces\{02853E13-F875-4E89-8DF2-96E84E6AF4BF} : DhcpNameServer = 192.168.15.1

Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll

BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

BHO-X64: AcroIEHelperStub - No File

BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

BHO-X64: LastPass Browser Helper Object: {95D9ECF5-2A4D-4550-BE49-70D42F71296E} - C:\Program Files (x86)\LastPass\LPBar.dll

BHO-X64: LastPass Browser Helper Object - No File

TB-X64: LastPass Toolbar: {9f6b5cc3-5c7b-4b5c-97af-19dec1e380e5} - C:\Program Files (x86)\LastPass\LPBar.dll

mRun-x64: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray

mRun-x64: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe" /hide

mRun-x64: [LWS] C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe -hide

.

================= FIREFOX ===================

.

FF - ProfilePath - C:\Users\GranPaSmurf\AppData\Roaming\Mozilla\Firefox\Profiles\y0x89ot9.default\

FF - prefs.js: browser.search.selectedEngine - Bing

FF - prefs.js: browser.startup.homepage - hxxps://lastpass.com/index.php?&ac=1&fromwebsite=1|http://mail.google.com/mail/u/0/?shva=1#inbox

FF - prefs.js: keyword.URL - hxxp://stp.startnow.com/s/?src=addrbar&provider=bing&provider_name=bing&provider_code=Z087&partner_id=681&product_id=691&affiliate_id=&channel=&toolbar_id=200&toolbar_version=2.1.0&install_country=US&install_date=20110610&user_guid=54A041E118214C1B8BF5A8C5B2990F34&machine_id=5428c7b70780a4afebd6f3f9a468bae5&browser=FF&os=win&os_version=6.1-x64-SP0&q=

FF - plugin: C:\Program Files (x86)\Microsoft Silverlight\4.0.60310.0\npctrlui.dll

FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll

FF - plugin: C:\Users\GranPaSmurf\AppData\Local\Google\Update\1.3.21.57\npGoogleUpdate3.dll

FF - plugin: C:\Users\GranPaSmurf\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll

FF - plugin: C:\Users\GranPaSmurf\AppData\Roaming\Mozilla\plugins\npgtpo3dautoplugin.dll

FF - plugin: C:\Windows\system32\Wat\npWatWeb.dll

FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll

.

============= SERVICES / DRIVERS ===============

.

R0 SI3112r;SiI-3512 SATARaid Controller;C:\Windows\system32\DRIVERS\SI3112r.sys --> C:\Windows\system32\DRIVERS\SI3112r.sys [?]

R0 SI3114;SiI-3114 SATALink Controller;C:\Windows\system32\DRIVERS\SI3114.sys --> C:\Windows\system32\DRIVERS\SI3114.sys [?]

R0 Soluto;Soluto;C:\Windows\system32\DRIVERS\Soluto.sys --> C:\Windows\system32\DRIVERS\Soluto.sys [?]

R1 MpFilter;Microsoft Malware Protection Driver;C:\Windows\system32\DRIVERS\MpFilter.sys --> C:\Windows\system32\DRIVERS\MpFilter.sys [?]

R2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2010-12-7 366640]

R2 SolutoService;Soluto PCGenome Core Service;C:\Program Files\Soluto\SolutoService.exe [2011-5-24 376352]

R2 UMVPFSrv;UMVPFSrv;C:\Program Files (x86)\Common Files\LogiShrd\LVMVFM\UMVPFSrv.exe [2011-5-25 442656]

R3 LVUVC64;Logitech Webcam 120(UVC);C:\Windows\system32\DRIVERS\lvuvc64.sys --> C:\Windows\system32\DRIVERS\lvuvc64.sys [?]

R3 MBAMProtector;MBAMProtector;\??\C:\Windows\system32\drivers\mbam.sys --> C:\Windows\system32\drivers\mbam.sys [?]

R3 MpNWMon;Microsoft Malware Protection Network Driver;C:\Windows\system32\DRIVERS\MpNWMon.sys --> C:\Windows\system32\DRIVERS\MpNWMon.sys [?]

R3 nvoclk64;NVIDIA Enthusiasts Platform KDM;C:\Windows\system32\DRIVERS\nvoclk64.sys --> C:\Windows\system32\DRIVERS\nvoclk64.sys [?]

S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]

S3 AMDAC97;AMD AC'97 Audio Driver (WDM);C:\Windows\system32\drivers\AMDAC97.sys --> C:\Windows\system32\drivers\AMDAC97.sys [?]

S3 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S3 CrossLoopService;CrossLoop Service;C:\Users\GranPaSmurf\AppData\Local\CrossLoop\CrossLoopService.exe [2011-5-17 560880]

S3 lvpopf64;Logitech POP Suppression Filter;C:\Windows\system32\DRIVERS\lvpopf64.sys --> C:\Windows\system32\DRIVERS\lvpopf64.sys [?]

S3 LVPr2M64;Logitech LVPr2M64 Driver;C:\Windows\system32\DRIVERS\LVPr2M64.sys --> C:\Windows\system32\DRIVERS\LVPr2M64.sys [?]

S3 LVRS64;Logitech RightSound Filter Driver;C:\Windows\system32\DRIVERS\lvrs64.sys --> C:\Windows\system32\DRIVERS\lvrs64.sys [?]

S3 MatSvc;Microsoft Automated Troubleshooting Service;C:\Program Files\Microsoft Fix it Center\Matsvc.exe [2010-11-16 343856]

S3 NisDrv;Microsoft Network Inspection System;C:\Windows\system32\DRIVERS\NisDrvWFP.sys --> C:\Windows\system32\DRIVERS\NisDrvWFP.sys [?]

S3 NisSrv;Microsoft Network Inspection;C:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe [2010-11-11 282616]

S3 StorSvc;Storage Service;C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]

S3 SWDUMon;SWDUMon;C:\Windows\system32\DRIVERS\SWDUMon.sys --> C:\Windows\system32\DRIVERS\SWDUMon.sys [?]

S3 tvnserver;TightVNC Server;C:\Users\GranPaSmurf\AppData\Local\CrossLoop\tvnserver.exe [2011-5-17 814080]

S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]

S4 wlcrasvc;Windows Live Mesh remote connections service;C:\Program Files\Windows Live\Mesh\wlcrasvc.exe [2010-9-22 57184]

.

=============== Created Last 30 ================

.

2011-06-17 18:46:09 -------- d-sh--w- C:\$RECYCLE.BIN

2011-06-17 12:03:52 8718160 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{3AA85AE5-82E4-41A0-8703-FC4033AF529F}\mpengine.dll

2011-06-17 11:25:35 -------- d-----w- C:\myComboFix1661m

2011-06-17 00:15:20 53248 ----a-r- C:\Users\GranPaSmurf\AppData\Roaming\Microsoft\Installer\{3EE9BCAE-E9A9-45E5-9B1C-83A4D357E05C}\ARPPRODUCTICON.exe

2011-06-15 18:04:33 -------- d-----w- C:\Windows\pss

2011-06-15 12:28:35 -------- d-----w- C:\Program Files (x86)\Synergy

2011-06-13 17:05:29 388096 ----a-r- C:\Users\GranPaSmurf\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe

2011-06-13 17:05:28 -------- d-----w- C:\Program Files (x86)\Trend Micro

2011-06-13 00:59:24 -------- d-----w- C:\Users\GranPaSmurf\AppData\Local\temp

2011-06-13 00:47:29 98816 ----a-w- C:\Windows\sed.exe

2011-06-13 00:47:29 518144 ----a-w- C:\Windows\SWREG.exe

2011-06-13 00:47:29 256512 ----a-w- C:\Windows\PEV.exe

2011-06-13 00:47:29 208896 ----a-w- C:\Windows\MBR.exe

2011-06-13 00:47:16 -------- d-----w- C:\myComboFix

2011-06-12 14:34:58 9331400 ----a-w- C:\Program Files (x86)\Common Files\lpuninstall.exe

2011-06-10 22:29:52 -------- d-----w- C:\Program Files (x86)\Common Files\LWS

2011-06-10 21:30:01 18960 ----a-w- C:\Windows\System32\drivers\LNonPnP.sys

2011-06-10 21:23:03 -------- d-----w- C:\Users\GranPaSmurf\AppData\Roaming\Logishrd

2011-06-08 12:17:48 -------- d-----w- C:\Program Files (x86)\SlimCleaner

2011-06-06 21:45:09 475648 ----a-w- C:\Windows\AlcUpd64.exe

2011-06-06 21:45:09 323104 ----a-w- C:\Windows\AlcRmv64.exe

2011-06-06 21:44:59 -------- d-----w- C:\Program Files (x86)\Realtek AC97

2011-06-06 18:41:45 -------- d-----w- C:\Users\GranPaSmurf\AppData\Roaming\IcoFX

2011-06-06 18:41:31 -------- d-----w- C:\Program Files (x86)\IcoFX 1.6

2011-06-05 17:25:51 -------- d-----w- C:\Program Files (x86)\SlimDrivers

2011-06-05 16:32:44 502304 ----a-w- C:\Windows\System32\NVUNINST.EXE

2011-06-01 12:54:29 10975264 ----a-w- C:\Windows\SysWow64\RTLCPL.EXE

2011-06-01 12:54:26 19036704 ----a-w- C:\Windows\SysWow64\ALSNDMGR.CPL

2011-06-01 12:54:23 604704 ----a-w- C:\Windows\SOUNDMAN.EXE

2011-06-01 12:54:23 3491616 ----a-w- C:\Windows\System32\drivers\RTKVAC64.SYS

2011-06-01 12:54:22 154144 ----a-w- C:\Windows\SysWow64\RTLCPAPI.dll

2011-06-01 12:54:20 149536 ----a-w- C:\Windows\System32\RtkCfg64.dll

2011-06-01 12:54:20 141856 ----a-w- C:\Windows\SysWow64\RtkCfg.dll

2011-06-01 12:54:20 1063456 ----a-w- C:\Windows\System32\RtPgEx64.dll

2011-06-01 12:54:19 1519136 ----a-w- C:\Windows\System32\RtkAPO64.dll

2011-06-01 12:54:18 44064 ----a-w- C:\Windows\CPLUtl64.exe

2011-06-01 12:42:17 319488 ----a-w- C:\Windows\HideWin.exe

2011-06-01 12:42:15 524288 ----a-w- C:\Windows\RtlExUpd.dll

2011-06-01 12:42:06 65024 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\ISBEW64.exe

2011-06-01 12:42:04 204800 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\iuser.dll

2011-06-01 12:42:03 69715 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\ctor.dll

2011-06-01 12:42:03 274432 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\iscript.dll

2011-06-01 12:42:02 5632 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\DotNetInstaller.exe

2011-06-01 12:41:59 757760 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\iKernel.dll

2011-06-01 12:41:53 200836 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\iGdi.dll

2011-06-01 12:41:52 331908 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\setup.dll

2011-06-01 12:37:24 93184 ----a-w- C:\Windows\System32\esxcwiad.dll

2011-06-01 12:37:24 -------- d-----w- C:\Program Files (x86)\epson

2011-06-01 12:31:02 15672 ----a-w- C:\Windows\System32\drivers\SWDUMon.sys

2011-06-01 11:10:35 -------- d-----w- C:\Users\GranPaSmurf\AppData\Local\SlimWare Utilities Inc

2011-06-01 11:05:58 -------- d-----w- C:\Program Files (x86)\Downloaded Installers

2011-05-31 14:38:03 -------- d-----w- C:\Program Files\Microsoft IntelliType Pro

2011-05-27 10:34:20 -------- d-----w- C:\Users\GranPaSmurf\AppData\Roaming\Soluto

2011-05-26 22:36:25 54728 ----a-w- C:\Windows\System32\drivers\Soluto.sys

2011-05-26 22:35:47 -------- d-----w- C:\Program Files\Soluto

2011-05-26 22:34:17 -------- d-----w- C:\ProgramData\Soluto

2011-05-26 04:05:26 545056 ----a-w- C:\Windows\SysWow64\LVUI2.dll

2011-05-26 04:05:26 540960 ----a-w- C:\Windows\SysWow64\LVUI2RC.dll

2011-05-26 04:05:14 307488 ----a-w- C:\Windows\SysWow64\lvcodec2.dll

2011-05-26 04:05:00 333336 ----a-w- C:\Windows\SysWow64\DevManagerCore.dll

2011-05-26 04:05:00 333336 ----a-w- C:\Windows\System32\DevManagerCore.dll

2011-05-26 04:05:00 10879000 ----a-w- C:\Windows\SysWow64\LogiDPP.dll

2011-05-26 04:05:00 10879000 ----a-w- C:\Windows\System32\LogiDPP.dll

2011-05-26 04:05:00 104472 ----a-w- C:\Windows\SysWow64\LogiDPPApp.exe

2011-05-26 04:05:00 104472 ----a-w- C:\Windows\System32\LogiDPPApp.exe

2011-05-26 04:02:20 769312 ----a-w- C:\Windows\System32\LVUI64.dll

2011-05-26 04:02:20 561440 ----a-w- C:\Windows\System32\LVUIRC64.dll

2011-05-26 04:02:20 4186528 ----a-w- C:\Windows\System32\drivers\lvuvc64.sys

2011-05-26 04:02:18 263456 ----a-w- C:\Windows\System32\lvco13271018.dll

2011-05-26 04:02:18 176416 ----a-w- C:\Windows\System32\lvcod64.dll

2011-05-25 12:46:14 -------- d-----w- C:\Users\GranPaSmurf\New folder

2011-05-25 11:31:00 27008 ----a-w- C:\Windows\System32\drivers\Diskdump.sys

2011-05-24 04:24:38 142336 ----a-w- C:\Windows\System32\poqexec.exe

2011-05-24 04:24:38 123904 ----a-w- C:\Windows\SysWow64\poqexec.exe

2011-05-20 11:33:29 601424 ------w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\NISBackup\gapaengine.dll

2011-05-20 11:33:08 601424 ------w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{AAFBC583-A041-423A-AB8D-5272524F1D8F}\gapaengine.dll

.

==================== Find3M ====================

.

2011-06-10 18:45:26 404640 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl

2011-05-29 14:11:30 39984 ----a-w- C:\Windows\SysWow64\drivers\mbamswissarmy.sys

2011-05-29 14:11:20 25912 ----a-w- C:\Windows\System32\drivers\mbam.sys

2011-04-29 11:19:09 74752 ----a-w- C:\Windows\SysWow64\RegisterIEPKEYs.exe

2011-04-29 11:19:08 161792 ----a-w- C:\Windows\SysWow64\msls31.dll

2011-04-29 11:19:08 1126912 ----a-w- C:\Windows\SysWow64\wininet.dll

2011-04-29 11:19:07 76800 ----a-w- C:\Windows\SysWow64\SetIEInstalledDate.exe

2011-04-29 11:19:07 1797632 ----a-w- C:\Windows\SysWow64\jscript9.dll

2011-04-29 11:19:07 110592 ----a-w- C:\Windows\SysWow64\IEAdvpack.dll

2011-04-29 11:19:06 86528 ----a-w- C:\Windows\SysWow64\iesysprep.dll

2011-04-29 11:19:06 63488 ----a-w- C:\Windows\SysWow64\tdc.ocx

2011-04-29 11:19:06 48640 ----a-w- C:\Windows\SysWow64\mshtmler.dll

2011-04-29 11:19:06 367104 ----a-w- C:\Windows\SysWow64\html.iec

2011-04-13 20:04:38 45432 ----a-w- C:\Windows\System32\drivers\point64.sys

2011-04-13 20:04:38 23960 ----a-w- C:\Windows\System32\drivers\nuidfltr.sys

2011-04-13 20:04:38 1721576 ----a-w- C:\Windows\System32\wdfcoinstaller01009.dll

2011-04-12 18:01:38 52632 ----a-w- C:\Windows\System32\drivers\dc3d.sys

2011-04-09 06:45:48 5509504 ----a-w- C:\Windows\System32\ntoskrnl.exe

2011-04-09 06:13:06 3957632 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe

2011-04-09 06:13:06 3901824 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe

2011-04-09 04:00:28 464896 ----a-w- C:\Windows\System32\ipcoin815.dll

2011-04-01 10:05:38 261728 ----a-w- C:\Windows\System32\lvco13251014.dll

2011-03-25 03:23:22 343040 ----a-w- C:\Windows\System32\drivers\usbhub.sys

2011-03-25 03:23:03 98816 ----a-w- C:\Windows\System32\drivers\usbccgp.sys

2011-03-25 03:23:03 324608 ----a-w- C:\Windows\System32\drivers\usbport.sys

2011-03-25 03:22:57 52224 ----a-w- C:\Windows\System32\drivers\usbehci.sys

2011-03-25 03:22:56 25600 ----a-w- C:\Windows\System32\drivers\usbohci.sys

2011-03-25 03:22:55 30720 ----a-w- C:\Windows\System32\drivers\usbuhci.sys

2011-03-25 03:22:51 7936 ----a-w- C:\Windows\System32\drivers\usbd.sys

2011-03-23 05:02:22 15192 ----a-w- C:\Windows\System32\drivers\iKeyLFT264.dll

.

============= FINISH: 15:08:01.69 ===============

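As an added triage example (not part of the original post, nor a Malwarebytes or DDS tool), the script below pulls the three findings a helper reads out of the logs above: outgoing connections that Malwarebytes IP Protection blocked, UAC policy values set to 0 in the "mPolicies-system" lines, and Firefox prefs.js entries pointing at the startnow.com domain. The sample input is a constructed subset of the posted log lines; the suspect-domain list is an assumption for illustration.

```python
import re
from collections import Counter

# Constructed sample input: a subset of the lines from the two logs posted above.
MBAM_LOG = """\
05:30:55 GranPaSmurf MESSAGE Protection started successfully
06:14:42 GranPaSmurf IP-BLOCK 64.20.54.67 (Type: outgoing, Port: 49624, Process: chrome.exe)
07:03:06 GranPaSmurf IP-BLOCK 64.20.54.67 (Type: outgoing, Port: 49744, Process: chrome.exe)
14:07:16 GranPaSmurf IP-BLOCK 64.20.54.67 (Type: outgoing, Port: 49327, Process: chrome.exe)
"""

DDS_LOG = """\
uStart Page = hxxp://www.google.com/ig?refresh=1
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
FF - prefs.js: browser.search.selectedEngine - Bing
FF - prefs.js: keyword.URL - hxxp://stp.startnow.com/s/?src=addrbar&provider=bing&q=
"""

# Malwarebytes protection-log line for a blocked connection, as seen in the post.
IP_BLOCK_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d) \S+ IP-BLOCK (?P<ip>[\d.]+) "
    r"\(Type: (?P<dir>\w+), Port: (?P<port>\d+), Process: (?P<proc>[^)]+)\)$")
# DDS "Pseudo HJT Report" policy and Firefox pref lines.
POLICY_RE = re.compile(r"^mPolicies-system: (?P<key>\w+) = (?P<val>\d+)")
FF_PREF_RE = re.compile(r"^FF - prefs\.js: (?P<key>[\w.]+) - (?P<val>.+)$")
# DDS defangs URLs as hxxp://; hosts end at '/', '?' or the '|' that separates homepages.
DEFANGED_HOST_RE = re.compile(r"hxxps?://([^/|?]+)")

# UAC values where 0 is the weakest setting: ConsentPromptBehaviorAdmin = 0 elevates
# administrators without any prompt, PromptOnSecureDesktop = 0 shows prompts on the
# normal desktop where other programs can interact with them.
UAC_KEYS = ("ConsentPromptBehaviorAdmin", "PromptOnSecureDesktop")


def ip_block_summary(log):
    """Count blocked outgoing connections per (process, destination IP)."""
    counts = Counter()
    for line in log.splitlines():
        m = IP_BLOCK_RE.match(line)
        if m and m["dir"] == "outgoing":
            counts[(m["proc"], m["ip"])] += 1
    return dict(counts)


def weakened_uac(log):
    """Return UAC policy keys from the DDS log that are set to 0."""
    found = {}
    for line in log.splitlines():
        m = POLICY_RE.match(line)
        if m and m["key"] in UAC_KEYS and int(m["val"]) == 0:
            found[m["key"]] = 0
    return found


def hijacked_ff_prefs(log, suspect_domains=("startnow.com",)):
    """Return Firefox prefs whose URL host is, or is under, a suspect domain (assumed list)."""
    hits = {}
    for line in log.splitlines():
        m = FF_PREF_RE.match(line)
        if not m:
            continue
        for host in DEFANGED_HOST_RE.findall(m["val"]):
            if any(host == d or host.endswith("." + d) for d in suspect_domains):
                hits[m["key"]] = host
    return hits


def triage(mbam_log, dds_log):
    """Combine the three checks into one report dict."""
    return {
        "blocked_outgoing": ip_block_summary(mbam_log),
        "uac_weakened": weakened_uac(dds_log),
        "ff_prefs_hijacked": hijacked_ff_prefs(dds_log),
    }


if __name__ == "__main__":
    for section, result in triage(MBAM_LOG, DDS_LOG).items():
        print(f"{section}: {result}")
```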

  • Staff

Hi and welcome to Malwarebytes.

I'm afraid I have bad news.

Your logs reveal a backdoor trojan. A backdoor severely compromises system integrity.

A compromised system may allow illicit network connections, disabling of security software, modifying critical system files and collection and transmission of personally identifiable information without your consent.

I recommend that you disconnect this PC from the Internet immediately, and only reconnect to download any tools that are required. If you do any banking or other financial transactions on the PC or if it contains any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the Trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. If it were on my PC I would not hesitate for a moment to do so. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

Should you decide not to follow that advice, we will of course do our best to clean the computer of any infections that we can see but, as I already stated, we can in no way guarantee it to be trustworthy.

Should you have any questions, please feel free to ask.

Let me know what you decide.


Chris,

Thanks for your reply.

I sent a message (with some Cut & Paste from your message) to my bank, and changed the online banking password. I think the bank is the only really critical connection.

I think I will shoot for a middle ground approach.

I have isolated the machine from my internet and network connection and am now using another computer in my home network. These are multi-monitor and sitting alongside so I can read instructions from web-mail and reach over to perform tasks on my infected machine.

So, with your patience and expertise, I would like to try to clean the infected machine. I understand the warnings in your message, but let's give it a shot anyway.

A question first: can Malwarebytes and Microsoft Security Essentials co-exist on a computer, and is this enough security protection? For years I have run MSSE only and recommended it to others as "all you really need." Now this experience. If it seems appropriate I will set up the 3 others in my home network with Malwarebytes and MSSE.

Awaiting your reply and initial instructions,

Don Krebs


  • Staff

Hi Don,

Certainly we can clean what we can see.

I highly recommend the PRO version of MBAM in conjunction with MSE (it's the setup I run on all of my computers). It is a lifetime license for (in my opinion) the best protection available today.

Please update MBAM, run a Quick Scan, and post its log.

Next, please visit this webpage for instructions for running ComboFix:

http://www.bleepingc...to-use-combofix

  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new DDS log so we may continue cleaning the system.

-screen317


  • 1 month later...
  • Staff

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
