
I followed the "I'm infected--What do I do now?" (at least I think I did). The latest MBAM log is below the DDS log. It started with numerous trojans being found, and now this one keeps popping back up on reboot (I only posted my last MBAM log so it doesn't list the other malware it found at first). I THINK the others are gone. MBAM and Norton aren't finding them any more at least. Thanks for any and all help in advance! This one just won't DIE!!!

.

DDS (Ver_2011-06-23.01) - NTFSx86

Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_22

Run by Kelsey2 at 15:08:55 on 2011-07-28

Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.1982.1201 [GMT -5:00]

.

AV: Norton AntiVirus Online *Enabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

SP: Norton AntiVirus Online *Enabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}

.

============== Running Processes ===============

.

C:\Windows\system32\wininit.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\svchost.exe -k rpcss

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe -k GPSvcGroup

C:\Windows\system32\SLsvc.exe

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\System32\spoolsv.exe

C:\Windows\system32\taskeng.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Windows\system32\taskeng.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\Seagate\SeagateManager\FreeAgent Status\stxmenumgr.exe

C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe

C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe

C:\Program Files\Norton AntiVirus\Engine\18.6.0.29\ccSvcHst.exe

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted

C:\Windows\system32\svchost.exe -k imgsvc

C:\Windows\system32\authz32.exe

C:\Program Files\Norton AntiVirus\Engine\18.6.0.29\ccSvcHst.exe

C:\Windows\System32\svchost.exe -k WerSvcGroup

C:\Windows\system32\SearchIndexer.exe

C:\ProgramData\audiosrv32.exe

C:\Windows\system32\DllHost.exe

C:\Windows\system32\svchost.exe -k SDRSVC

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Windows\system32\SearchProtocolHost.exe

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe

C:\Windows\system32\wbem\wmiprvse.exe

.

============== Pseudo HJT Report ===============

.

uSearch Bar = Preserve

BHO: {0e5f4811-d95f-420a-ad44-2f473c6ffdee} - c:\windows\system32\audiosrv32.dll

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton antivirus\engine\18.6.0.29\ips\IPSBHO.DLL

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [CarboniteSetupLite] "c:\program files\carbonite\CarbonitePreinstaller.exe" /preinstalled /showonfirst /reshowat=900

mRun: [MaxMenuMgr] "c:\program files\seagate\seagatemanager\freeagent status\StxMenuMgr.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab

TCP: DhcpNameServer = 192.168.1.1

TCP: Interfaces\{7CE2C0CB-ACF4-43BA-B8B3-1BF56138D788} : DhcpNameServer = 192.168.1.1

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\users\kelsey2\appdata\roaming\mozilla\firefox\profiles\0p8pyb25.default\

FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll

FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\microsoft silverlight\4.0.60310.0\npctrlui.dll

FF - plugin: c:\program files\mozilla firefox\plugins\NPcol400.dll

FF - plugin: c:\program files\mozilla firefox\plugins\NPcol500.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npMozCouponPrinter.dll

FF - plugin: c:\users\kelsey2\appdata\local\google\update\1.3.21.57\npGoogleUpdate3.dll

FF - plugin: c:\users\kelsey2\appdata\roaming\mozilla\plugins\npgoogletalk.dll

FF - plugin: c:\users\kelsey2\appdata\roaming\mozilla\plugins\npgtpo3dautoplugin.dll

.

============= SERVICES / DRIVERS ===============

.

R0 amacpi;Microsoft Away Mode System;c:\windows\system32\drivers\null.sys [2008-1-20 4608]

R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\nav\1206000.01d\symds.sys [2011-6-13 340088]

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nav\1206000.01d\symefa.sys [2011-6-13 744568]

R1 BHDrvx86;BHDrvx86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_18.1.0.37\definitions\bashdefs\20110723.001\BHDrvx86.sys [2011-7-22 815736]

R1 IDSVix86;IDSVix86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_18.1.0.37\definitions\ipsdefs\20110727.030\IDSvix86.sys [2011-7-27 367736]

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]

R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]

R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\nav\1206000.01d\ironx86.sys [2011-6-13 136312]

R1 SYMTDIv;Symantec Vista Network Dispatch Driver;c:\windows\system32\drivers\nav\1206000.01d\symtdiv.sys [2011-6-13 331384]

R2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\common files\adobe\arm\1.0\armsvc.exe [2011-6-6 64952]

R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]

R2 FreeAgentGoNext Service;Seagate Service;c:\program files\seagate\seagatemanager\sync\FreeAgentService.exe [2009-9-25 189736]

R2 NAV;Norton AntiVirus;c:\program files\norton antivirus\engine\18.6.0.29\ccsvchst.exe [2011-6-13 130008]

R2 TapiSrv32;Telephony ;c:\windows\system32\authz32.exe [2011-7-26 793600]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2011-7-27 105592]

R3 VST_DPV;VST_DPV;c:\windows\system32\drivers\VSTDPV3.SYS [2008-1-20 987648]

R3 VSTHWBS2;VSTHWBS2;c:\windows\system32\drivers\VSTBS23.SYS [2008-1-20 251904]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2011-7-21 41272]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]

.

=============== Created Last 30 ================

.

2011-07-28 15:13:36 -------- d-----w- c:\users\kelsey2\appdata\local\Microsoft Games

2011-07-28 04:01:45 363008 ----a-w- c:\windows\system32\audiosrv32.dll

2011-07-28 03:08:39 793600 ----a-w- c:\programdata\audiosrv32.exe

2011-07-28 02:55:49 -------- d-----w- c:\users\kelsey2\appdata\local\temp

2011-07-28 02:55:04 -------- d-----w- c:\users\kelsey2\appdata\local\CrashDumps

2011-07-28 02:51:25 -------- d-sh--w- C:\$RECYCLE.BIN

2011-07-27 20:10:47 98816 ----a-w- c:\windows\sed.exe

2011-07-27 20:10:47 518144 ----a-w- c:\windows\SWREG.exe

2011-07-27 20:10:47 256000 ----a-w- c:\windows\PEV.exe

2011-07-27 20:10:47 208896 ----a-w- c:\windows\MBR.exe

2011-07-27 13:40:48 -------- d-----w- c:\users\kelsey2\appdata\roaming\SUPERAntiSpyware.com

2011-07-27 13:40:48 -------- d-----w- c:\programdata\SUPERAntiSpyware.com

2011-07-27 13:40:34 -------- d-----w- c:\program files\SUPERAntiSpyware

2011-07-27 13:38:18 -------- d-----w- c:\programdata\Spybot - Search & Destroy

2011-07-27 13:38:18 -------- d-----w- c:\program files\Spybot - Search & Destroy

2011-07-27 05:29:20 0 ---ha-w- c:\windows\qjajvlpexc.tmp

2011-07-26 13:06:24 793600 ----a-w- c:\windows\system32\authz32.exe

2011-07-24 18:50:10 0 ---ha-w- c:\windows\system32\qjajvlpexc.tmp

2011-07-21 14:16:58 -------- d-----w- c:\users\kelsey2\appdata\roaming\Malwarebytes

2011-07-21 14:16:43 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-07-21 14:16:42 -------- d-----w- c:\programdata\Malwarebytes

2011-07-21 14:16:38 22712 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-07-21 14:16:38 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-07-20 23:36:03 0 ----a-w- c:\users\kelsey2\appdata\local\Qviseyogomus.bin

2011-07-14 03:15:17 -------- d-----w- c:\users\kelsey2\appdata\local\Google

2011-07-13 12:45:07 2043392 ----a-w- c:\windows\system32\win32k.sys

2011-07-13 12:45:02 49152 ----a-w- c:\windows\system32\csrsrv.dll

2011-07-13 12:45:02 375808 ----a-w- c:\windows\system32\winsrv.dll

2011-06-29 12:53:08 276992 ----a-w- c:\windows\system32\schannel.dll

.

==================== Find3M ====================

.

2011-07-28 02:12:25 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-06-14 02:34:29 126584 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS

2011-05-30 18:26:43 472808 ----a-w- c:\windows\system32\deployJava1.dll

2011-05-25 00:14:10 222080 ------w- c:\windows\system32\MpSigStub.exe

2011-05-02 17:16:14 739328 ----a-w- c:\windows\system32\inetcomm.dll

.

============= FINISH: 15:09:30.54 ===============

Malwarebytes' Anti-Malware 1.51.1.1800

www.malwarebytes.org

Database version: 7309

Windows 6.0.6002 Service Pack 2

Internet Explorer 9.0.8112.16421

7/28/2011 2:51:25 PM

mbam-log-2011-07-28 (14-51-25).txt

Scan type: Full scan (C:\|D:\|)

Objects scanned: 415942

Time elapsed: 2 hour(s), 53 minute(s), 11 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 1

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CLASSES_ROOT\.fsharproj (Trojan.BHO) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Attach.zip

ark.zip


  • Staff

Hi and welcome to Malwarebytes.

Bumping your topic makes it seem like you are already being helped, and as you've noticed, you were overlooked because of it.

Please visit this webpage for instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new DDS log so we may continue cleaning the system.

-screen317


  • Staff

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
