Jump to content

Malware.trace and stolen.data


fifa499

Recommended Posts

Hello Malwarebytes,

Whilst roaming through my folder i found a file called data so i opened it to find a ton of my password's from websites,games etc etc

So i downloaded Malwarebytes, it found Malware.Trace and stolen.data, For my day to day protection i use norton 360 full paid so i'm totally lost as to how this malware got into my computer.

Every time the data file is deleted it remakes itself, inside looks like

Started: 6/09/2011 : 5:53:25 AM

Every time tr{Backspace}he data file is del

I read the pinned topic so here's all the stuff, i don't know how to zip files in vista so there here as is.

Malware scan,

Malwarebytes' Anti-Malware 1.51.1.1800

www.malwarebytes.org

Database version: 7658

Windows 6.0.6002 Service Pack 2

Internet Explorer 9.0.8112.16421

6/09/2011 5:53:10 AM

mbam-log-2011-09-06 (05-53-10).txt

Scan type: Quick scan

Objects scanned: 198909

Time elapsed: 3 minute(s), 40 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 1

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CURRENT_USER\Software\VB and VBA Program Settings\SrvID (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

c:\Users\Tereasa\AppData\Roaming\data.dat (Stolen.Data) -> Quarantined and deleted successfully.

DDS,

.

DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 9.0.8112.16421

Run by Tereasa at 3:07:43 on 2011-09-06

Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.61.1033.18.3071.1702 [GMT 10:00]

.

AV: Norton 360 *Enabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

SP: Norton 360 *Enabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}

FW: Norton 360 *Enabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}

.

============== Running Processes ===============

.

C:\Windows\system32\wininit.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\svchost.exe -k rpcss

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe -k GPSvcGroup

C:\Windows\system32\SLsvc.exe

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\System32\spoolsv.exe

C:\Windows\system32\taskeng.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Windows\system32\taskeng.exe

C:\Windows\system32\taskeng.exe

C:\Program Files\EgisTec Egis Software Update\EgisUpdate.exe

C:\Program Files\EgisTec\MyWinLocker 3\x86\mwlDaemon.exe

C:\Program Files\Acer Arcade Deluxe\Acer Arcade Deluxe\ArcadeDeluxeAgent.exe

C:\Program Files\Acer Arcade Deluxe\PlayMovie\PMVService.exe

C:\Program Files\Acer Arcade Deluxe\Acer Arcade Deluxe\Kernel\CLML\CLMLSvc.exe

C:\Program Files\Roxio 2011\Roxio Burn\RoxioBurnLauncher.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe

C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe

C:\Program Files\DivX\DivX Update\DivXUpdate.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

C:\Windows\ehome\ehtray.exe

C:\Program Files\Pando Networks\Media Booster\PMB.exe

C:\Program Files\Steam\Steam.exe

C:\Program Files\Windows Media Player\wmpnscfg.exe

C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE

C:\Users\Tereasa\AppData\Local\Apps\2.0\9B49BAV0.J9T\WW34804Y.15E\curs..tion_eee711038731a406_0004.0000_0d453ed5fea2fe48\CurseClient.exe

C:\Windows\ehome\ehmsas.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

C:\Program Files\Roxio 2011\Roxio Burn\Roxio Burn.exe

C:\Program Files\Roxio\BackOnTrack\App\SaibSVC.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Roxio\BackOnTrack\App\BService.exe

C:\Windows\system32\svchost.exe -k bthsvcs

C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe

C:\Program Files\Acer Arcade Deluxe\HomeMedia\Kernel\DMP\CLHNService.exe

C:\Program Files\Acer Arcade Deluxe\Acer HomeMedia Connect\Kernel\DMS\CLMSMonitorService.exe

C:\Program Files\Acer Arcade Deluxe\Acer HomeMedia Connect\Kernel\DMS\CLMSServer.exe

C:\Program Files\EgisTec\MyWinLocker 3\x86\MWLService.exe

C:\Program Files\Norton 360\Norton 360\Engine\5.1.0.29\ccSvcHst.exe

C:\Program Files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe

C:\Windows\system32\PnkBstrA.exe

C:\Program Files\CyberLink\Shared files\RichVideo.exe

C:\Program Files\Norton 360\Norton 360\Engine\5.1.0.29\ccSvcHst.exe

C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe

C:\Windows\system32\svchost.exe -k imgsvc

C:\Windows\System32\svchost.exe -k WerSvcGroup

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\ehome\ehsched.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\WUDFHost.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Windows\system32\DllHost.exe

C:\Windows\ehome\ehRecvr.exe

C:\Program Files\Common Files\Steam\SteamService.exe

C:\Windows\System32\mobsync.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe

.

============== Pseudo HJT Report ===============

.

uSearch Bar = Preserve

uStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0c09&s=1&o=vp32&d=0909&m=aspire_x1800

uDefault_Page_URL = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0c09&s=1&o=vp32&d=0909&m=aspire_x1800

mStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0c09&s=1&o=vp32&d=0909&m=aspire_x1800

uInternet Settings,ProxyServer = 63.251.57.112:3120

uInternet Settings,ProxyOverride = *.local

uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s

mURLSearchHooks: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - c:\program files\utorrentbar\tbuTor.dll

BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: Conduit Engine: {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\ConduitEngine.dll

BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton 360\norton 360\engine\5.1.0.29\coIEPlg.dll

BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton 360\norton 360\engine\5.1.0.29\ips\IPSBHO.DLL

BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

BHO: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - c:\program files\utorrentbar\tbuTor.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

TB: Fast Browser Search Toolbar: {1bb22d38-a411-4b13-a746-c2a4f4ec7344} -

TB: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - c:\program files\utorrentbar\tbuTor.dll

TB: Conduit Engine: {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\ConduitEngine.dll

TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton 360\norton 360\engine\5.1.0.29\coIEPlg.dll

TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

TB: {5E5AB302-7F65-44CD-8211-C1D4CAACCEA3} - No File

TB: {FD2FD708-1F6F-4B68-B141-C5778F0C19BB} - No File

TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File

uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe

uRun: [Pando Media Booster] c:\program files\pando networks\media booster\PMB.exe

uRun: [Java Platform SE 6 U16] c:\users\tereasa\appdata\roaming\Java Platform SE 6 U16.exe

uRun: [PowerSuite] "c:\program files\uniblue\powersuite\launcher.exe" delay 20000 -m

uRun: [speedUpMyPC] "c:\program files\uniblue\speedupmypc\launcher.exe" delay 20000

uRun: [steam] "c:\program files\steam\steam.exe" -silent

uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"

uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe

mRun: [EgisTecLiveUpdate] "c:\program files\egistec egis software update\EgisUpdate.exe"

mRun: [mwlDaemon] c:\program files\egistec\mywinlocker 3\x86\mwlDaemon.exe

mRun: [updatePDRShortCut] "c:\program files\cyberlink\powerdirector\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\powerdirector" updatewithcreateonce "software\cyberlink\powerdirector\7.0"

mRun: [ArcadeDeluxeAgent] "c:\program files\acer arcade deluxe\acer arcade deluxe\ArcadeDeluxeAgent.exe"

mRun: [PlayMovie] "c:\program files\acer arcade deluxe\playmovie\PMVService.exe"

mRun: [bigPondWirelessBroadbandCM] "c:\program files\telstra\bigpond wireless broadband 2.13.16\BigPond_CM.exe" -tsr

mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe

mRun: [CLMLServer] "c:\program files\acer arcade deluxe\acer arcade deluxe\kernel\clml\CLMLSvc.exe"

mRun: [<NO NAME>]

mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\13.0\sharedcom\RoxWatchTray13.exe"

mRun: [Desktop Disc Tool] "c:\program files\roxio 2011\roxio burn\RoxioBurnLauncher.exe"

mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe

mRun: [Apoint] c:\program files\apoint\Apoint.exe

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [RTHDVCPL] c:\program files\realtek\audio\hda\RtHDVCpl.exe -s

mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW

mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray

mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript

StartupFolder: c:\users\tereasa\appdata\roaming\microsoft\windows\start menu\programs\startup\CurseClientStartup.ccip

StartupFolder: c:\users\tereasa\appdata\roaming\micros~1\windows\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE

mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

mPolicies-system: SoftwareSASGeneration = 1 (0x1)

IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL

DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} - hxxp://support.asus.com/select/asusTek_sys_ctrl3.cab

DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} - file:///C:/Program%20Files/Pet%20Shop%20Hop/Images/stg_drm.ocx

DPF: {6218F7B5-0D3A-48BA-AE4C-49DCFA63D400} - hxxp://www.myheritage.com/Genoogle/Components/ActiveX/SearchEngineQuery.dll

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab

DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} - file:///C:/Program%20Files/Pet%20Shop%20Hop/Images/armhelper.ocx

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

TCP: DhcpNameServer = 211.29.152.116 198.142.0.51 211.29.132.12

TCP: Interfaces\{78B00B6F-9B63-4446-A380-A52E3CB96C5A} : DhcpNameServer = 61.9.133.193 61.9.226.33

TCP: Interfaces\{88DEC9B9-E573-4634-B668-ED3BB6074735} : DhcpNameServer = 211.29.152.116 198.142.0.51 211.29.132.12

Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll

.

============= SERVICES / DRIVERS ===============

.

R0 SahdIa32;HDD Filter Driver;c:\windows\system32\drivers\SahdIa32.sys [2011-1-20 21488]

R0 SaibIa32;Volume Filter Driver;c:\windows\system32\drivers\SaibIa32.sys [2011-1-20 15856]

R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\n360\0501000.01d\symds.sys [2011-8-2 340088]

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0501000.01d\symefa.sys [2011-8-2 744568]

R1 BHDrvx86;BHDrvx86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.0.0.125\definitions\bashdefs\20110812.001\BHDrvx86.sys [2011-8-16 815736]

R1 IDSVix86;IDSVix86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.0.0.125\definitions\ipsdefs\20110902.030\IDSvix86.sys [2011-9-3 368248]

R1 SaibVd32;Virtual Disk Driver;c:\windows\system32\drivers\SaibVd32.sys [2011-1-20 25584]

R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\n360\0501000.01d\ironx86.sys [2011-8-2 136312]

R1 SYMTDIv;Symantec Vista Network Dispatch Driver;c:\windows\system32\drivers\n360\0501000.01d\symtdiv.sys [2011-8-2 331384]

R2 9734BF6A-2DCD-40f0-BAB0-5AAFEEBE1269;Roxio SAIB Service;c:\program files\roxio\backontrack\app\SaibSVC.exe [2009-6-2 457200]

R2 BOT4Service;BOT4Service;c:\program files\roxio\backontrack\app\BService.exe [2010-8-31 39408]

R2 CLHNService;CLHNService;c:\program files\acer arcade deluxe\homemedia\kernel\dmp\CLHNService.exe [2009-9-24 75048]

R2 CyberLink Media Server Monitor Service;CyberLink Media Server Monitor Service;c:\program files\acer arcade deluxe\acer homemedia connect\kernel\dms\CLMSMonitorService.exe [2009-9-24 58664]

R2 CyberLink Media Server Service;CyberLink Media Server Service;c:\program files\acer arcade deluxe\acer homemedia connect\kernel\dms\CLMSServer.exe [2009-9-24 292256]

R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-21 21504]

R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-9-5 366640]

R2 mwlPSDFilter;mwlPSDFilter;c:\windows\system32\drivers\mwlPSDFilter.sys [2008-10-10 19504]

R2 mwlPSDNServ;mwlPSDNServ;c:\windows\system32\drivers\mwlPSDNserv.sys [2008-10-10 16432]

R2 mwlPSDVDisk;mwlPSDVDisk;c:\windows\system32\drivers\mwlPSDVDisk.sys [2008-10-10 59952]

R2 MWLService;MyWinLocker Service;c:\program files\egistec\mywinlocker 3\x86\MWLService.exe [2008-10-28 306736]

R2 N360;Norton 360;c:\program files\norton 360\norton 360\engine\5.1.0.29\ccsvchst.exe [2011-8-2 130008]

R2 NTISchedulerSvc;NTI Backup Now 5 Scheduler Service;c:\program files\newtech infosystems\nti backup now 5\SchedulerSvc.exe [2008-9-24 144632]

R2 StarWindServiceAE;StarWind AE Service;c:\program files\alcohol soft\alcohol 120\starwind\StarWindServiceAE.exe [2007-5-29 275968]

R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\nvidia corporation\3d vision\nvSCPAPISvr.exe [2010-10-16 369256]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2011-8-2 105592]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-9-5 22712]

R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2011-5-24 139368]

S2 0032011293219348mcinstcleanup;McAfee Application Installer Cleanup (0032011293219348); [x]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-3-5 135664]

S2 RoxWatch12;Roxio Hard Drive Watcher 12;c:\program files\common files\roxio shared\13.0\sharedcom\RoxWatch13.exe [2010-7-16 354288]

S3 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr.sys [2011-5-14 39272]

S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2010-9-23 1493352]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-3-5 135664]

S3 massfilter;ZTE Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter.sys [2009-10-2 7168]

S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2011-9-5 41272]

S3 NTIBackupSvc;NTI Backup Now 5 Backup Service;c:\program files\newtech infosystems\nti backup now 5\BackupSvc.exe [2008-9-24 50424]

S3 RoxMediaDB13;RoxMediaDB13;c:\program files\common files\roxio shared\13.0\sharedcom\RoxMediaDB13.exe [2010-7-16 1099248]

S3 tap0901t;TAP-Win32 Adapter V9 (Tunngle);c:\windows\system32\drivers\tap0901t.sys [2010-7-8 27136]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]

S3 ZTEusbnet;ZTE USB-NDIS miniport;c:\windows\system32\drivers\ZTEusbnet.sys [2009-10-2 110080]

S4 TeamViewer6;TeamViewer 6;c:\program files\teamviewer\version6\TeamViewer_Service.exe [2011-3-2 2296696]

S4 TunngleService;TunngleService;c:\program files\tunngle\TnglCtrl.exe [2011-4-15 718072]

S4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\windows live\mesh\wlcrasvc.exe [2010-9-22 51040]

.

=============== Created Last 30 ================

.

2074-05-07 08:38:48 203576 ------w- c:\program files\microsoft games\age of empires iii\autopatcher2.exe

2011-09-06 10:25:46 -------- d-----w- C:\Boot

2011-09-06 10:21:47 -------- d-----w- C:\$WINDOWS.~BT

2011-09-06 10:03:48 11936984 ----a-w- C:\WIM5488.tmp

2011-09-06 07:58:48 268435456 --sha-w- C:\WinPEpge.sys

2011-09-04 15:01:46 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-09-04 15:01:43 22712 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-09-04 15:01:43 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-08-30 15:57:04 -------- d-----w- c:\users\tereasa\appdata\roaming\VistaCodecs

2011-08-30 15:56:59 -------- d-----w- c:\program files\VistaCodecPack

2011-08-30 15:55:59 -------- d-----w- c:\programdata\VistaCodecs

2011-08-30 14:39:47 -------- d-----w- c:\program files\K-Lite Codec Pack

2011-08-29 17:55:43 -------- d-----w- c:\program files\common files\DivX Shared

2011-08-29 17:53:03 86016 ----a-w- c:\windows\unvise32.exe

2011-08-29 17:53:02 -------- d-----w- c:\windows\system32\QuickTime

2011-08-24 11:23:45 -------- d-----w- c:\users\tereasa\appdata\roaming\Origin

2011-08-24 11:23:43 -------- d-----w- c:\users\tereasa\appdata\local\Origin

2011-08-24 11:23:28 -------- d-----w- c:\programdata\Origin

2011-08-24 11:23:27 -------- d-----w- c:\program files\Origin Games

2011-08-24 11:23:19 -------- d-----w- c:\program files\Origin

2011-08-24 06:36:03 2048 ----a-w- c:\windows\system32\tzres.dll

2011-08-11 06:04:40 375808 ----a-w- c:\windows\system32\winsrv.dll

2011-08-11 06:04:39 3602832 ----a-w- c:\windows\system32\ntkrnlpa.exe

2011-08-11 06:04:39 3550096 ----a-w- c:\windows\system32\ntoskrnl.exe

2011-08-11 06:04:37 2409784 ----a-w- c:\program files\windows mail\OESpamFilter.dat

2011-08-11 06:04:34 214016 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys

2011-08-11 06:04:18 913296 ----a-w- c:\windows\system32\drivers\tcpip.sys

2011-08-11 06:04:18 31232 ----a-w- c:\windows\system32\drivers\tcpipreg.sys

.

==================== Find3M ====================

.

2011-09-05 16:28:31 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-08-30 10:51:09 140496 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys

2011-08-30 10:51:00 280736 ----a-w- c:\windows\system32\PnkBstrB.xtr

2011-08-30 10:51:00 280736 ----a-w- c:\windows\system32\PnkBstrB.exe

2011-08-30 10:48:35 215128 ----a-w- c:\windows\system32\PnkBstrB.ex0

2011-08-01 15:12:43 126584 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS

2011-07-30 01:57:46 3999744 ----a-w- c:\windows\system32\x264vfw.dll

2011-07-25 07:57:18 75136 ----a-w- c:\windows\system32\PnkBstrA.exe

2011-07-25 06:37:32 138056 ----a-w- c:\users\tereasa\appdata\roaming\PnkBstrK.sys

2011-07-25 06:37:16 2434856 ----a-w- c:\windows\system32\pbsvc_bc2.exe

2011-07-22 20:51:50 94208 ----a-w- c:\windows\system32\dpl100.dll

2011-07-22 02:54:43 1797632 ----a-w- c:\windows\system32\jscript9.dll

2011-07-22 02:48:26 1126912 ----a-w- c:\windows\system32\wininet.dll

2011-07-22 02:44:36 2382848 ----a-w- c:\windows\system32\mshtml.tlb

2011-07-21 18:00:00 1264128 ----a-w- c:\windows\system32\VSFilter.dll

2011-07-12 09:56:50 74752 ----a-w- c:\windows\system32\ff_vfw.dll

2011-07-07 07:37:39 319456 ----a-w- c:\windows\DIFxAPI.dll

2011-06-14 09:38:12 3520168 ----a-w- c:\windows\system32\drivers\RTKVHDA.sys

2011-06-14 03:40:48 1483264 ----a-w- c:\windows\system32\RCoRes.dat

2011-06-13 09:04:16 1497704 ----a-w- c:\windows\system32\RTSndMgr.cpl

2011-06-10 07:35:28 357200 ----a-w- c:\windows\system32\KAAPORT.dll

.

============= FINISH: 3:08:23.00 ===============

Can Anyone Help Me please?

Link to post
Share on other sites

  • Staff

Hi and welcome to Malwarebytes.

After we remove the malware, you'll have to change all of those passwords. Everything you saw in that text file has been stolen.

Please update MBAM, run a Quick Scan, and post its log.

Next, please visit this webpage for instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new DDS log so we may continue cleaning the system.

-screen317

Link to post
Share on other sites

Hello Screen317,

thanks for looking over my thread, After alot of contemplating i decided to just install Win 7 Ultimate since i had the disk just sitting there from my other computer.

So now i have installed win7 I have had nothing but clean scans, However there appears to be a windows.old folder on ACER (C:) i had a quick look through it and seen all my old folders from when i had vista.

Will the virus spread via that folder?, IF so is it safe to remove/How can i do so.

Thanks for your help

Link to post
Share on other sites

  • Staff

Hi,

What you did is an "over the top" reinstallation of Windows. Through this, the infected files still exist, but the infection may or may not necessarily be active.

I highly recommend that you instead format your entire hard drive then reinstall Windows 7. This was, the infections are all cleared and you can start with a truly clean slate.

Feel free to backup your data beforehand though.

Link to post
Share on other sites

Well, I didnt see any other options when installing win 7 for formatting.

Through some googling i found that using Windows disk cleanup and selecting previous windows installations it's deleted all that data for me.

Should we run some scans anyway just to be sure?.

My MBAM scans have all come up clean so far.

Link to post
Share on other sites

  • Staff

Great!

I highly recommend the PRO version of MBAM; with it, it's likely that this issue would have been prevented in the first place.

Now that your computer seems to be in proper working order, please take the following steps to help prevent reinfection:

1) Download and install Javacool's SpywareBlaster, which will prevent malware from being installed on your computer. A tutorial on it can be found here.

2) Go to Windows Update frequently to get all of the latest updates (security or otherwise) for Windows.

3) Make sure your programs are up to date! Older versions may contain security risks. To find out what programs need to be updated, please run Secunia's Software Inspector.

4) WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:

  • Green to go
  • Yellow for caution
  • Red to stop

WOT has an addon available for both Firefox and IE.

5) Be sure to update your Antivirus and Antispyware programs often!

Finally, please also take the time to read Tony Klein's excellent article on: So How Did I Get Infected in the First Place?

Safe surfing,

-screen317

Link to post
Share on other sites

  • 3 weeks later...
  • Staff

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.