Jump to content

open cloud av virus


Recommended Posts

I have recived this virus on october 2nd and looked at the post on how to deal with it. I have done everything that was asked but was stopped in my tracks when i tried to run the GMER rootkit scanner. Anything else that might work?

I forgot the DDS.txt and attach here they are

.

DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_24

Run by Bcool at 22:03:39 on 2011-10-04

Microsoft® Windows Vista™ Ultimate 6.0.6002.2.1252.1.1033.18.3573.2252 [GMT -4:00]

.

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

============== Running Processes ===============

.

C:\Windows\system32\wininit.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\svchost.exe -k rpcss

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe -k GPSvcGroup

C:\Windows\system32\SLsvc.exe

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\System32\spoolsv.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Windows\4264732371:744082689.exe

C:\Windows\system32\aestsrv.exe

C:\PROGRA~1\MYWEBS~1\bar\4.bin\mwssvc.exe

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted

C:\Windows\system32\PSIService.exe

C:\Windows\system32\STacSV.exe

C:\Windows\system32\svchost.exe -k imgsvc

C:\Windows\System32\svchost.exe -k WerSvcGroup

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

C:\Windows\system32\SearchIndexer.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

C:\Windows\system32\Dwm.exe

C:\Windows\system32\taskeng.exe

\\.\globalroot\Device\HarddiskVolume3\Users\Bcool\AppData\Local\Temp\win2119b744.exe

C:\Windows\system32\taskeng.exe

C:\Windows\Explorer.EXE

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Program Files\MyWebSearch\bar\4.bin\M3SRCHMN.EXE

C:\Windows\System32\hkcmd.exe

C:\Windows\System32\igfxpers.exe

C:\Program Files\Real\RealPlayer\Update\realsched.exe

C:\Program Files\SweetIM\Messenger\SweetIM.exe

C:\Windows\system32\igfxsrvc.exe

C:\Users\Public\Conduit\ConduitHelper\ConduitHelper.exe

C:\Windows\System32\quuuSS1ib.exe

C:\Program Files\Microsoft Security Client\msseces.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

C:\Windows\ehome\ehtray.exe

C:\Program Files\uTorrent\uTorrent.exe

C:\Program Files\Windows Media Player\wmpnscfg.exe

C:\Program Files\Sony\Bloggie Software\BGVolumeWatcher.exe

C:\Users\Bcool\AppData\Local\Temp\win2119b744.exe

C:\Windows\ehome\ehmsas.exe

C:\Program Files\Windows Media Player\wmpnetwk.exe

C:\Windows\system32\consent.exe

C:\Windows\system32\consent.exe

C:\Windows\system32\wbem\unsecapp.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\SearchProtocolHost.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Program Files\Mozilla Firefox\plugin-container.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\SearchFilterHost.exe

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe

.

============== Pseudo HJT Report ===============

.

uSearch Page =

uStart Page = hxxp://www.ask.com/?l=dis&o=14196

uSearch Bar =

mStart Page = hxxp://www.yahoo.com

mDefault_Page_URL = hxxp://www.yahoo.com

mDefault_Search_URL = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com

mSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com

mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html

uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com

mSearchAssistant =

uURLSearchHooks: N/A: {00a6faf6-072e-44cf-8957-5838f569a31d} - c:\program files\mywebsearch\bar\4.bin\MWSSRCAS.DLL

uURLSearchHooks: Vuze Remote Toolbar: {ba14329e-9550-4989-b3f2-9732e92d17cc} - c:\program files\vuze_remote\prxtbVuz0.dll

uURLSearchHooks: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - c:\program files\utorrentbar\prxtbuTor.dll

mURLSearchHooks: Vuze Remote Toolbar: {ba14329e-9550-4989-b3f2-9732e92d17cc} - c:\program files\vuze_remote\prxtbVuz0.dll

mURLSearchHooks: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - c:\program files\utorrentbar\prxtbuTor.dll

BHO: MyWebSearch Search Assistant BHO: {00a6faf1-072e-44cf-8957-5838f569a31d} - c:\program files\mywebsearch\bar\4.bin\MWSSRCAS.DLL

BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File

BHO: mwsBar BHO: {07b18ea1-a523-4961-b6bb-170de4475cca} - c:\program files\mywebsearch\bar\4.bin\MWSBAR.DLL

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\programdata\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll

BHO: Conduit Engine : {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\prxConduitEngine.dll

BHO: IEVkbdBHO Class: {59273ab4-e7d3-40f9-a1a8-6fa9cca1862c} - c:\program files\kaspersky lab\kaspersky internet security 2012\ievkbd.dll

BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: Skype Plug-In: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

BHO: Vuze Remote Toolbar: {ba14329e-9550-4989-b3f2-9732e92d17cc} - c:\program files\vuze_remote\prxtbVuz0.dll

BHO: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - c:\program files\utorrentbar\prxtbuTor.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: FilterBHO Class: {e33cf602-d945-461a-83f0-819f76a199f8} - c:\program files\kaspersky lab\kaspersky internet security 2012\klwtbbho.dll

BHO: Yontoo Layers: {fd72061e-9fde-484d-a58a-0bab4151cad8} - c:\program files\yontoo layers runtime\YontooIEClient.dll

TB: {4E7BD74F-2B8D-469E-85B2-BC27FE9AAE2E} - No File

TB: My Web Search: {07b18ea9-a523-4961-b6bb-170de4475cca} - c:\program files\mywebsearch\bar\4.bin\MWSBAR.DLL

TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File

TB: Vuze Remote Toolbar: {ba14329e-9550-4989-b3f2-9732e92d17cc} - c:\program files\vuze_remote\prxtbVuz0.dll

TB: Conduit Engine : {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\prxConduitEngine.dll

TB: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - c:\program files\utorrentbar\prxtbuTor.dll

TB: {32099AAC-C132-4136-9E9A-4E364A424E17} - No File

TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File

uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe

uRun: [Facebook Update] "c:\users\bcool\appdata\local\facebook\update\FacebookUpdate.exe" /c /nocrashserver

uRun: [uTorrent] "c:\program files\utorrent\uTorrent.exe" /MINIMIZED

uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe

uRun: [win2119b744] \\.\globalroot\Device\HarddiskVolume3\Users\Bcool\AppData\Local\Temp\win2119b744.exe

mRun: [My Web Search Bar Search Scope Monitor] "c:\progra~1\mywebs~1\bar\4.bin\m3SrchMn.exe" /m=2 /w /h

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [Persistence] c:\windows\system32\igfxpers.exe

mRun: [TkBellExe] "c:\program files\real\realplayer\update\realsched.exe" -osboot

mRun: [sweetIM] c:\program files\sweetim\messenger\SweetIM.exe

mRun: [ConduitHelper] "c:\users\public\conduit\conduithelper\ConduitHelper.exe"

mRun: [zG44m66WJ7fE8gZ8234A] c:\windows\system32\quuuSS1ib.exe

mRun: [AVP] "c:\program files\kaspersky lab\kaspersky internet security 2012\avp.exe"

mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey

mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray

StartupFolder: c:\users\bcool\appdata\roaming\micros~1\windows\startm~1\programs\startup\win211~1.lnk - c:\users\bcool\appdata\local\temp\win2119b744.exe

StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\bloggi~1.lnk - c:\program files\sony\bloggie software\BGVolumeWatcher.exe

uPolicies-explorer: NoRealMode = 0 (0x0)

mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

IE: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZKfox000

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll

IE: {4248FE82-7FCB-46AC-B270-339F08212110} - {4248FE82-7FCB-46AC-B270-339F08212110} - c:\program files\kaspersky lab\kaspersky internet security 2012\ievkbd.dll

IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL

IE: {CCF151D8-D089-449F-A5A4-D9909053F20F} - {CCF151D8-D089-449F-A5A4-D9909053F20F} - c:\program files\kaspersky lab\kaspersky internet security 2012\klwtbbho.dll

LSP: mswsock.dll

Trusted Zone: fling.com\www

Trusted Zone: sumob.com\www

DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} - file:///C:/Program%20Files/Jigsaw%20Beach%20Holiday/Images/stg_drm.ocx

DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} -

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab

DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} - file:///C:/Program%20Files/Aloha%20Solitaire/Images/armhelper.ocx

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

TCP: DhcpNameServer = 192.168.1.254

TCP: Interfaces\{6B6D825D-9976-485F-8DB1-824181EB3835} : DhcpNameServer = 192.168.1.254

TCP: Interfaces\{7C80EC1E-71F8-41CB-B1B2-FE31D69ED998} : DhcpNameServer = 192.168.2.1

Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

Notify: igfxcui - igfxdev.dll

Notify: klogon - c:\windows\system32\klogon.dll

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\users\bcool\appdata\roaming\mozilla\firefox\profiles\223i2dah.default\

FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2504091&SearchSource=3&q={searchTerms}

FF - prefs.js: browser.search.selectedEngine - Ask.com

FF - prefs.js: browser.startup.homepage - hxxp://www.ask.com/?l=dis&o=14196

FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2504091&q=

FF - component: c:\program files\common files\spigot\wtxpcom\components\WidgiToolbarFF.dll

FF - component: c:\program files\mozilla firefox\extensions\linkfilter@kaspersky.ru\components\KavLinkFilter.dll

FF - component: c:\program files\pricegong\2.0.0\ff\components\PriceLoadFF.dll

FF - component: c:\programdata\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordext.dll

FF - component: c:\programdata\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordlegacyext.dll

FF - component: c:\users\bcool\appdata\roaming\mozilla\extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\textlinks@gamevance.com\components\gvtlf.dll

FF - component: c:\users\bcool\appdata\roaming\mozilla\firefox\profiles\223i2dah.default\extensions\{ba14329e-9550-4989-b3f2-9732e92d17cc}\components\RadioWMPCoreGecko19.dll

FF - component: c:\users\bcool\appdata\roaming\mozilla\firefox\profiles\223i2dah.default\extensions\engine@conduit.com\components\RadioWMPCoreGecko19.dll

FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll

FF - plugin: c:\program files\google\update\1.3.21.69\npGoogleUpdate3.dll

FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\microsoft silverlight\4.0.60531.0\npctrlui.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npRLCT4Player.dll

FF - plugin: c:\program files\mywebsearch\bar\firefox\NPMYWEBS.DLL

FF - plugin: c:\program files\sony\bloggie software\npsome.dll

FF - plugin: c:\programdata\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll

FF - plugin: c:\users\bcool\appdata\local\facebook\video\skype\npFacebookVideoCalling.dll

FF - plugin: c:\users\bcool\appdata\local\yahoo!\browserplus\2.9.8\plugins\npybrowserplus_2.9.8.dll

FF - plugin: c:\users\bcool\appdata\roaming\mozilla\firefox\profiles\223i2dah.default\extensions\{195a3098-0bd5-4e90-ae22-ba1c540afd1e}\plugins\npGarmin.dll

.

---- FIREFOX POLICIES ----

FF - user.js: yahoo.homepage.dontask - true

============= SERVICES / DRIVERS ===============

.

R1 kl2;kl2;c:\windows\system32\drivers\kl2.sys [2011-3-4 11352]

R1 KLIM6;Kaspersky Anti-Virus NDIS 6 Filter;c:\windows\system32\drivers\klim6.sys [2011-3-10 23856]

R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2011-4-18 165648]

R2 AESTFilters;Andrea ST Filters Service;c:\windows\system32\AEstSrv.exe [2009-1-21 73728]

R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]

R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-10-4 366152]

R2 MyWebSearchService;My Web Search Service;c:\progra~1\mywebs~1\bar\4.bin\mwssvc.exe [2010-2-12 28762]

R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [2009-11-2 19984]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-10-4 22216]

S2 AVP;Kaspersky Anti-Virus Service;c:\program files\kaspersky lab\kaspersky internet security 2012\avp.exe [2011-4-24 202296]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-11 135664]

S3 DCamUSBSTK02N;Standard Camera;c:\windows\system32\drivers\STK02NW2.sys [2009-2-1 101520]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-2-11 135664]

S3 MBLAUDRV;Mobiola Audio Service;c:\windows\system32\drivers\BTCamAudioDrv.sys [2009-1-19 13312]

S3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\drivers\MpNWMon.sys [2011-4-18 43392]

S3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2011-4-27 65024]

S3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\antimalware\NisSrv.exe [2011-4-27 208944]

S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2008-5-6 11520]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]

.

=============== Created Last 30 ================

.

2011-10-05 02:00:31 -------- d-----w- c:\users\bcool\appdata\roaming\m55aQH66dK7fL9T

2011-10-05 02:00:30 -------- d-----w- c:\users\bcool\appdata\roaming\XyyAA0uvS2bFp

2011-10-05 01:03:03 22216 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-10-05 01:03:03 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-10-05 00:46:11 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-10-05 00:45:46 -------- d-----w- c:\users\bcool\appdata\roaming\Malwarebytes

2011-10-05 00:45:38 -------- d-----w- c:\programdata\Malwarebytes

2011-10-05 00:36:44 -------- d-----w- c:\users\bcool\appdata\roaming\zrrzzONtxA0uc2b

2011-10-05 00:36:44 -------- d-----w- c:\users\bcool\appdata\roaming\abFF33pnG5aQ6dK

2011-10-04 03:31:42 -------- d-----w- c:\users\bcool\appdata\roaming\PPP00uccS1iD3n

2011-10-04 03:31:42 -------- d-----w- c:\users\bcool\appdata\roaming\OK7f9ggTZqjYwkV

2011-10-04 03:26:01 439632 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{a018a54e-b647-465e-9b18-2dd007a3f73d}\gapaengine.dll

2011-10-04 03:25:15 56200 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{8e60c95a-c398-4217-8795-26f53907652f}\offreg.dll

2011-10-04 03:25:11 7269712 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{8e60c95a-c398-4217-8795-26f53907652f}\mpengine.dll

2011-10-04 03:14:02 -------- d-----w- c:\program files\Microsoft Security Client

2011-10-04 02:18:39 -------- d-----w- c:\users\bcool\appdata\roaming\TONtxP0uc1b3n4m

2011-10-04 02:18:39 -------- d-----w- c:\users\bcool\appdata\roaming\jsWJ7fEL8TqYwUr

2011-10-04 02:10:09 7269712 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{8a4ff427-5461-4bbe-ac53-b8705d2372ea}\mpengine.dll

2011-10-04 02:06:52 -------- d-----w- c:\users\bcool\appdata\roaming\NrrrlOONtxPuS1b

2011-10-04 02:06:51 -------- d-----w- c:\users\bcool\appdata\roaming\j999gTTZqjYwk

2011-10-04 02:05:17 97859 ----a-w- c:\windows\system32\drivers\klick.dat

2011-10-04 02:05:17 115369 ----a-w- c:\windows\system32\drivers\klin.dat

2011-10-04 02:02:46 -------- d-----w- c:\program files\Kaspersky Lab

2011-10-04 01:32:38 -------- d-----w- c:\users\bcool\appdata\roaming\TbFF33pmG5aQ6dK

2011-10-03 01:46:06 -------- d-----w- c:\users\bcool\appdata\roaming\sOONttxP0ucSib3

2011-10-03 01:45:56 2400768 ----a-w- c:\windows\system32\quuuSS1ib.exe

2011-10-03 01:45:40 2400768 ----a-w- c:\users\bcool\appdata\roaming\java.exe

2011-10-03 01:25:39 -------- d-----w- c:\users\bcool\appdata\roaming\YqqjjYCCek

2011-10-03 01:25:39 -------- d-----w- c:\users\bcool\appdata\roaming\waQQHH6dWK7fL9T

2011-10-03 01:25:31 -------- d-----w- c:\users\bcool\appdata\roaming\WccSS1iivD3nFam

2011-10-03 01:25:31 -------- d-----w- c:\users\bcool\appdata\roaming\RJJJ7ffEL8gTqhC

2011-09-27 01:47:06 102439 ----a-w- c:\windows\system32\sipr3260.dll

2011-09-27 01:47:05 65602 ----a-w- c:\windows\system32\cook3260.dll

2011-09-27 01:47:05 626688 ----a-w- c:\windows\system32\vp7vfw.dll

2011-09-27 01:47:05 217127 ----a-w- c:\windows\system32\drv43260.dll

2011-09-27 01:47:05 208935 ----a-w- c:\windows\system32\drv33260.dll

2011-09-27 01:47:05 176165 ----a-w- c:\windows\system32\drv23260.dll

2011-09-27 01:47:05 1184984 ----a-w- c:\windows\system32\wvc1dmod.dll

2011-09-27 01:47:02 -------- d-----w- c:\program files\VSO

2011-09-22 01:59:36 -------- d-----w- c:\program files\uTorrentBar

2011-09-22 01:58:53 -------- d-----w- c:\program files\uTorrent

2011-09-22 01:57:51 -------- d-----w- c:\users\bcool\appdata\local\uTorrent

2011-09-22 01:57:50 -------- d-----w- c:\users\bcool\appdata\roaming\uTorrent

2011-09-16 00:59:30 2409784 ----a-w- c:\program files\windows mail\OESpamFilter.dat

2011-09-07 01:31:03 -------- d-----w- c:\program files\VideoLAN

2011-09-07 01:26:12 0 ----a-w- c:\windows\system32\ConduitEngine.tmp

2011-09-07 01:26:01 -------- d-----w- c:\users\bcool\appdata\local\Conduit

2011-09-07 01:12:57 221568 ----a-w- c:\windows\system32\drivers\netio.sys

.

==================== Find3M ====================

.

2011-09-25 03:58:00 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-09-07 01:43:39 87608 ----a-w- c:\users\bcool\appdata\roaming\inst.exe

2011-09-07 01:43:39 47360 ----a-w- c:\users\bcool\appdata\roaming\pcouffin.sys

2011-08-15 04:11:55 107888 ----a-w- c:\windows\system32\CmdLineExt.dll

2011-07-22 02:54:43 1797632 ----a-w- c:\windows\system32\jscript9.dll

2011-07-22 02:48:26 1126912 ----a-w- c:\windows\system32\wininet.dll

2011-07-22 02:44:36 2382848 ----a-w- c:\windows\system32\mshtml.tlb

2011-07-11 13:25:35 2048 ----a-w- c:\windows\system32\tzres.dll

.

============= FINISH: 22:04:51.77 ===============

Any help would be greatly appreciated.

Malwarebytes did not detect anything.

Thanks!

Logfile of Trend Micro HijackThis v2.0.4

Scan saved at 11:23:37 PM, on 10/4/2011

Platform: Windows Vista SP1 (WinNT 6.00.1905)

MSIE: Internet Explorer v8.00 (8.00.6001.18904)

Boot mode: Normal

Running processes:

C:\Windows\system32\Dwm.exe

C:\Windows\system32\taskeng.exe

C:\Windows\Explorer.EXE

C:\Windows\System32\igfxtray.exe

C:\Windows\System32\hkcmd.exe

C:\Windows\System32\igfxpers.exe

C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\McAfee.com\Agent\mcagent.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

C:\Program Files\Windows Sidebar\sidebar.exe

C:\Windows\ehome\ehtray.exe

C:\Windows\System32\rundll32.exe

C:\Program Files\Dell\QuickSet\quickset.exe

C:\Windows\system32\igfxsrvc.exe

C:\Windows\ehome\ehmsas.exe

C:\Windows\system32\wuauclt.exe

C:\Windows\system32\SearchProtocolHost.exe

C:\Windows\system32\SearchFilterHost.exe

C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = Preserve

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://idm.east.cox.net/coxlogin/ui/webmail?TARGET=-SM-https%3A%2F%2Fwebmail.east.cox.net

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\Common Files\McAfee\SystemCore\ScriptSn.20110509190908.dll

O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide

O4 - HKLM\..\Run: [igfxTray] C:\Windows\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe

O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [mcui_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey

O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray

O4 - HKCU\..\Run: [sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun

O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe

O4 - HKCU\..\Run: [Lahvwjkcn] rundll32 "C:\Users\Stacey\AppData\Roaming\12520850Q.dll",imojerox

O4 - HKUS\S-1-5-19\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')

O4 - Global Startup: QuickSet.lnk = ?

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll

O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.2) - http://javadl-esd.sun.com/update/1.4.2/jinstall-1_4_2-windows-i586.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

O18 - Protocol: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

O23 - Service: McAfee SiteAdvisor Service - McAfee, Inc. - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe

O23 - Service: McAfee Personal Firewall Service (McMPFSvc) - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe

O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe

O23 - Service: McAfee VirusScan Announcer (McNaiAnn) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe

O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe

O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\mcods.exe

O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe

O23 - Service: McShield - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe

O23 - Service: McAfee Firewall Core Service (mfefire) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe

O23 - Service: McAfee Validation Trust Protection Service (mfevtp) - McAfee, Inc. - C:\Windows\system32\mfevtps.exe

--

End of file - 7261 bytes

ReRan a full MalwareBytes scan and a McAfee Virus scan and still comes up clean.

Link to post
Share on other sites

:welcome:

Whether you wish to continue with cleaning or not, you should be aware that you may have been infected by a backdoor trojan. This type of program has the ability to steal passwords and other information from your system. If you are using your computer for sensitive purposes such as internet banking then I recommend you take the following steps immediately:

  • Use another, uninfected computer to change all your internet passwords, especially ones with financial implications such as banks, paypal, ebay, etc. You should also change the passwords for any other site you use.
  • Call your bank(s), credit card company or any other institution which may be affected and advise them that your login/password or credit card information may have been stolen and ask what steps to take with regard to your account.
  • Consider what other private information could possibly have been taken from your computer and take appropriate steps
  • Removing this infection can also disable the ability to connect to the internet.

This infection can almost certainly be cleaned, but as the malware could be configured to run any program a remote attacker requires, it will be impossible to be 100% sure that the machine is clean, if this is unacceptable to you then you should consider reformatting the system partition and reinstalling Windows as this is the only 100% sure answer.

Please post back to let me know how you wish to proceed.

Link to post
Share on other sites

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.