I connected a hard drive that came from a laptop to my PC, trying to get pictures for a friend. In doing that I got infected on my PC. Microsoft Essentials found the trojan and fixed it, but I wanted someone to take a look and see if my PC is clean. I installed Windows 7 64-bit on my PC last month and it was clean before this nasty trojan jumped on here. Here are the files I think you need. I formatted the infected drive to be sure this does not happen again. I was able to get his info on it first. Tom
GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-09-05 14:45:30
Windows 6.1.7601 Service Pack 1
Running: gmer.exe
---- Files - GMER 1.0.15 ----
File C:\Users\Tom\AppData\Roaming\Microsoft\Windows\Cookies\Low\E4SPJEDZ.txt 707 bytes
---- EOF - GMER 1.0.15 ----
.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421
Run by Tom at 14:22:37 on 2011-09-05
Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.6142.4804 [GMT -5:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Enabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\SysWOW64\svchost.exe -k hpdevmgmt
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Windows\System32\StikyNot.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
c:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe
C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\WUDFHost.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Windows\system32\svchost.exe -k SDRSVC
C:\Windows\system32\DllHost.exe
C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe
C:\Windows\SysWOW64\Macromed\Flash\FlashUtil10v_ActiveX.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\DllHost.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://yahoo.com/
mWinlogon: Userinit=userinit.exe
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Windows Live Messenger Companion Helper: {9fdde16b-836f-4806-ab1f-1455cbeff289} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
BHO: WOT Helper: {c920e44a-7f78-4e64-bdd7-a57026e7feb7} - C:\Program Files (x86)\WOT\WOT.dll
BHO: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - "C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll"
BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
TB: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - "C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll"
TB: WOT: {71576546-354d-41c9-aae8-31f2ec22bf0d} - C:\Program Files (x86)\WOT\WOT.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_bho.dll
uRun: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
uRun: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
uRun: [RESTART_STICKY_NOTES] C:\Windows\System32\StikyNot.exe
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: &ieSpell Options - C:\Program Files (x86)\ieSpell\iespell.dll/SPELLOPTION.HTM
IE: Check &Spelling - C:\Program Files (x86)\ieSpell\iespell.dll/SPELLCHECK.HTM
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MIF5BA~1\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - C:\Program Files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
IE: Lookup on Merriam Webster - file://C:\Program Files (x86)\ieSpell\Merriam Webster.HTM
IE: Lookup on Wikipedia - file://C:\Program Files (x86)\ieSpell\wikipedia.HTM
IE: {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - res://C:\Program Files (x86)\ieSpell\iespell.dll/SPELLCHECK.HTM
IE: {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - res://C:\Program Files (x86)\ieSpell\iespell.dll/SPELLOPTION.HTM
IE: {0000036B-C524-4050-81A0-243669A86B9F} - {B63DBA5F-523F-4B9C-A43D-65DF1977EAD3} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MIF5BA~1\Office12\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/ractrl.cab?lmi=100
TCP: DhcpNameServer = 208.67.222.222 208.67.220.220 24.177.176.38
TCP: Interfaces\{EAD2F13D-31D0-4ACE-8F2D-87E433977EC3} : DhcpNameServer = 208.67.222.222 208.67.220.220 24.177.176.38
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
Handler: wot - {C2A44D6B-CB9F-4663-88A6-DF2F26E4D952} - C:\Program Files (x86)\WOT\WOT.dll
BHO-X64: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO-X64: 0x1 - No File
BHO-X64: HP Print Enhancer: {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
BHO-X64: HP Print Enhancer - No File
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO-X64: Windows Live Messenger Companion Helper: {9FDDE16B-836F-4806-AB1F-1455CBEFF289} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll
BHO-X64: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
BHO-X64: WOT Helper: {C920E44A-7F78-4E64-BDD7-A57026E7FEB7} - C:\Program Files (x86)\WOT\WOT.dll
BHO-X64: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - "C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll"
BHO-X64: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
BHO-X64: HP Smart BHO Class: {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
BHO-X64: HP Smart BHO Class - No File
TB-X64: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - "C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll"
TB-X64: WOT: {71576546-354D-41c9-AAE8-31F2EC22BF0D} - C:\Program Files (x86)\WOT\WOT.dll
TB-X64: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
EB-X64: {555D4D79-4BD2-4094-A395-CFC534424A05} - No File
mRun-x64: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
IE-X64: {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - res://C:\Program Files (x86)\ieSpell\iespell.dll/SPELLCHECK.HTM
IE-X64: {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - res://C:\Program Files (x86)\ieSpell\iespell.dll/SPELLOPTION.HTM
.
============= SERVICES / DRIVERS ===============
.
R1 MpFilter;Microsoft Malware Protection Driver;C:\Windows\system32\DRIVERS\MpFilter.sys --> C:\Windows\system32\DRIVERS\MpFilter.sys [?]
R1 SASDIFSV;SASDIFSV;C:\Program Files\SUPERAntiSpyware\sasdifsv64.sys [2011-7-22 14928]
R1 SASKUTIL;SASKUTIL;C:\Program Files\SUPERAntiSpyware\saskutil64.sys [2011-7-12 12368]
R2 !SASCORE;SAS Core Service;C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE [2011-7-18 140672]
R2 AdobeARMservice;Adobe Acrobat Update Service;C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2011-6-6 64952]
R2 nvUpdatusService;NVIDIA Update Service Daemon;C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [2011-8-6 2255464]
R3 MpNWMon;Microsoft Malware Protection Network Driver;C:\Windows\system32\DRIVERS\MpNWMon.sys --> C:\Windows\system32\DRIVERS\MpNWMon.sys [?]
R3 NisDrv;Microsoft Network Inspection System;C:\Windows\system32\DRIVERS\NisDrvWFP.sys --> C:\Windows\system32\DRIVERS\NisDrvWFP.sys [?]
R3 NisSrv;Microsoft Network Inspection;C:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe [2011-4-27 288272]
R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;C:\Windows\system32\DRIVERS\yk62x64.sys --> C:\Windows\system32\DRIVERS\yk62x64.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 gupdate;Google Update Service (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2011-8-1 136176]
S3 BBSvc;Bing Bar Update Service;C:\Program Files (x86)\Microsoft\BingBar\BBSvc.EXE [2011-4-1 183560]
S3 dmvsc;dmvsc;C:\Windows\system32\drivers\dmvsc.sys --> C:\Windows\system32\drivers\dmvsc.sys [?]
S3 fssfltr;fssfltr;C:\Windows\system32\DRIVERS\fssfltr.sys --> C:\Windows\system32\DRIVERS\fssfltr.sys [?]
S3 fsssvc;Windows Live Family Safety Service;C:\Program Files (x86)\Windows Live\Family Safety\fsssvc.exe [2011-5-13 1492840]
S3 gupdatem;Google Update Service (gupdatem);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2011-8-1 136176]
S3 StorSvc;Storage Service;C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]
S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\system32\drivers\TsUsbGD.sys --> C:\Windows\system32\drivers\TsUsbGD.sys [?]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]
S4 wlcrasvc;Windows Live Mesh remote connections service;C:\Program Files\Windows Live\Mesh\wlcrasvc.exe [2010-9-22 57184]
.
=============== Created Last 30 ================
.
2011-09-05 15:16:35 -------- d-----w- C:\Users\Tom\AppData\Local\{2A1ECC8F-EDE9-418B-BE48-23FBD306EEAD}
2011-09-05 15:16:25 -------- d-----w- C:\Users\Tom\AppData\Local\{CB78A16E-027F-4573-9935-5BF38FFAB238}
2011-09-04 18:36:11 8862544 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{31A3F174-9A4C-496C-B53B-8C5E21594CF5}\mpengine.dll
2011-08-28 01:01:54 -------- d-----w- C:\cabs
2011-08-23 22:07:17 2048 ----a-w- C:\Windows\SysWow64\tzres.dll
2011-08-23 22:07:17 2048 ----a-w- C:\Windows\System32\tzres.dll
2011-08-19 22:19:08 -------- d-----w- C:\Program Files (x86)\WOT
2011-08-19 22:17:14 -------- d-----w- C:\Windows\System32\appmgmt
2011-08-11 23:41:02 601424 ------w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\NISBackup\gapaengine.dll
2011-08-11 23:41:00 601424 ------w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{7C0991BB-CC53-48BC-806C-1A43446B2BE9}\gapaengine.dll
2011-08-08 10:53:21 -------- d-----w- C:\Users\Tom\AppData\Local\{AF70076C-8316-47D5-BDEE-4B9B550C3155}
2011-08-08 10:53:11 -------- d-----w- C:\Users\Tom\AppData\Local\{D6906165-E5E8-405D-A455-D96BC0950C98}
2011-08-07 20:52:42 -------- d-----w- C:\Users\Tom\AppData\Local\{77769EC4-E87E-4F70-BAC7-F0C6AD419668}
2011-08-07 20:52:31 -------- d-----w- C:\Users\Tom\AppData\Local\{DA2A8ED8-BF42-419C-B6F7-C4A4731F0A6C}
2011-08-07 20:15:00 -------- d-----w- C:\Users\Tom\AppData\Local\{0CB52ECE-17EA-4160-A504-6ECDEFC298F0}
2011-08-07 18:32:34 -------- d-----w- C:\Users\Tom\AppData\Local\{DF335D1D-189E-4669-9DD8-8059A5B68FED}
2011-08-07 18:32:24 -------- d-----w- C:\Users\Tom\AppData\Local\{9E1AEDAC-B098-4F0B-869C-E8C1BBF2D42C}
2011-08-07 03:17:16 -------- d-----w- C:\Program Files (x86)\NVIDIA Corporation
2011-08-07 03:17:08 61544 ----a-w- C:\Windows\System32\nvshext.dll
2011-08-07 03:17:08 3021416 ----a-w- C:\Windows\System32\nvsvc64.dll
2011-08-07 03:17:07 980072 ----a-w- C:\Windows\System32\nvvsvc.exe
2011-08-07 03:17:07 836200 ----a-w- C:\Windows\System32\easyupdatusapiu64.dll
2011-08-07 03:17:07 6136936 ----a-w- C:\Windows\System32\nvcpl.dll
2011-08-07 03:17:07 117864 ----a-w- C:\Windows\System32\nvmctray.dll
2011-08-07 03:16:47 -------- d-----w- C:\ProgramData\NVIDIA Corporation
2011-08-07 03:16:13 2758760 ----a-w- C:\Windows\System32\nvapi64.dll
2011-08-07 03:16:13 2412136 ----a-w- C:\Windows\SysWow64\nvapi.dll
2011-08-07 03:16:13 1496168 ----a-w- C:\Windows\System32\nvdispco6420150.dll
2011-08-07 03:16:13 1427048 ----a-w- C:\Windows\System32\nvgenco642090.dll
2011-08-07 03:16:13 12392 ----a-w- C:\Windows\System32\drivers\nvBridge.kmd
2011-08-07 03:15:57 -------- d-----w- C:\Program Files\NVIDIA Corporation
2011-08-07 03:15:21 -------- d-----w- C:\NVIDIA
2011-08-07 01:46:03 -------- d-----w- C:\Users\Tom\AppData\Local\{2F3755D3-75B5-4CFB-B7B9-1B0C69AD3094}
2011-08-07 01:45:52 -------- d-----w- C:\Users\Tom\AppData\Local\{BCA4FEF2-5219-4E3E-A0EE-E9E68C68915C}
2011-08-07 01:15:37 -------- d-----w- C:\Users\Tom\AppData\Local\{8BC52A44-5BFF-4BF9-A5ED-1F20F8A62D6C}
2011-08-06 20:58:33 -------- d-----w- C:\Users\Tom\AppData\Local\{CBDB8F4D-9C7D-443E-B649-41CD94C473E9}
2011-08-06 20:58:23 -------- d-----w- C:\Users\Tom\AppData\Local\{3D7FC0AC-A794-4E32-B69B-8E4F99C89820}
2011-08-06 19:32:44 -------- d-----w- C:\Users\Tom\AppData\Local\{B0493A38-C99C-42E6-8A36-FC0EAFE7FF8B}
.
==================== Find3M ====================
.
2011-08-15 00:53:46 404640 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2011-08-05 02:30:01 185 ----a-w- C:\Windows\SysWow64\msblcd32.dll
2011-08-05 02:29:52 662288 ----a-w- C:\Windows\SysWow64\MSCOMCT2.OCX
2011-08-05 02:29:52 212240 ----a-w- C:\Windows\SysWow64\RICHTX32.OCX
2011-08-05 02:29:52 124688 ----a-w- C:\Windows\SysWow64\MSWINSCK.OCX
2011-08-05 02:29:51 67376 ----a-w- C:\Windows\SysWow64\SYSINFO.OCX
2011-08-05 02:29:51 152848 ----a-w- C:\Windows\SysWow64\COMDLG32.OCX
2011-08-05 02:29:50 1081616 ----a-w- C:\Windows\SysWow64\MSCOMCTL.OCX
2011-07-29 02:50:57 472808 ----a-w- C:\Windows\SysWow64\deployJava1.dll
2011-07-22 05:42:23 2303488 ----a-w- C:\Windows\System32\jscript9.dll
2011-07-22 05:36:16 1389056 ----a-w- C:\Windows\System32\wininet.dll
2011-07-22 05:32:40 2382848 ----a-w- C:\Windows\System32\mshtml.tlb
2011-07-22 02:54:43 1797632 ----a-w- C:\Windows\SysWow64\jscript9.dll
2011-07-22 02:48:26 1126912 ----a-w- C:\Windows\SysWow64\wininet.dll
2011-07-22 02:44:36 2382848 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2011-07-16 05:41:50 362496 ----a-w- C:\Windows\System32\wow64win.dll
2011-07-16 05:41:49 243200 ----a-w- C:\Windows\System32\wow64.dll
2011-07-16 05:41:49 13312 ----a-w- C:\Windows\System32\wow64cpu.dll
2011-07-16 05:39:10 16384 ----a-w- C:\Windows\System32\ntvdm64.dll
2011-07-16 05:37:12 421888 ----a-w- C:\Windows\System32\KernelBase.dll
2011-07-16 04:29:19 14336 ----a-w- C:\Windows\SysWow64\ntvdm64.dll
2011-07-16 04:26:00 44032 ----a-w- C:\Windows\apppatch\acwow64.dll
2011-07-16 04:25:37 25600 ----a-w- C:\Windows\SysWow64\setup16.exe
2011-07-16 04:24:23 5120 ----a-w- C:\Windows\SysWow64\wow32.dll
2011-07-16 04:24:22 272384 ----a-w- C:\Windows\SysWow64\KernelBase.dll
2011-07-16 02:21:44 7680 ----a-w- C:\Windows\SysWow64\instnm.exe
2011-07-16 02:21:41 2048 ----a-w- C:\Windows\SysWow64\user.exe
2011-07-16 02:17:19 6144 ---ha-w- C:\Windows\SysWow64\api-ms-win-security-base-l1-1-0.dll
2011-07-16 02:17:19 4608 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-threadpool-l1-1-0.dll
2011-07-16 02:17:19 3584 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-xstate-l1-1-0.dll
2011-07-16 02:17:19 3072 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-util-l1-1-0.dll
2011-07-09 02:46:28 288768 ----a-w- C:\Windows\System32\drivers\mrxsmb10.sys
2011-07-07 00:52:42 41272 ----a-w- C:\Windows\SysWow64\drivers\mbamswissarmy.sys
2011-07-07 00:52:42 25912 ----a-w- C:\Windows\System32\drivers\mbam.sys
2011-06-24 05:34:53 214528 ----a-w- C:\Windows\System32\winsrv.dll
2011-06-24 05:25:49 338432 ----a-w- C:\Windows\System32\conhost.exe
2011-06-23 05:43:12 5561216 ----a-w- C:\Windows\System32\ntoskrnl.exe
2011-06-23 04:33:57 3967872 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe
2011-06-23 04:33:57 3912576 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe
2011-06-21 06:34:00 1923968 ----a-w- C:\Windows\System32\drivers\tcpip.sys
2011-06-15 10:02:23 212992 ----a-w- C:\Windows\System32\odbctrac.dll
2011-06-15 10:02:23 163840 ----a-w- C:\Windows\System32\odbccp32.dll
2011-06-15 10:02:23 106496 ----a-w- C:\Windows\System32\odbccu32.dll
2011-06-15 10:02:23 106496 ----a-w- C:\Windows\System32\odbccr32.dll
2011-06-15 08:55:19 86016 ----a-w- C:\Windows\SysWow64\odbccu32.dll
2011-06-15 08:55:19 81920 ----a-w- C:\Windows\SysWow64\odbccr32.dll
2011-06-15 08:55:19 319488 ----a-w- C:\Windows\SysWow64\odbcjt32.dll
2011-06-15 08:55:19 163840 ----a-w- C:\Windows\SysWow64\odbctrac.dll
2011-06-15 08:55:19 122880 ----a-w- C:\Windows\SysWow64\odbccp32.dll
2011-06-11 03:07:25 3137536 ----a-w- C:\Windows\System32\win32k.sys
.
============= FINISH: 14:23:04.49 ===============
.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows 7 Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 7/28/2011 5:36:11 PM
System Uptime: 9/5/2011 11:55:13 AM (3 hours ago)
.
Motherboard: Gigabyte Technology Co., Ltd. | | 965P-DS3
Processor: Intel® Core2 CPU 4300 @ 1.80GHz | Socket 775 | 1800/200mhz
.
==== Disk Partitions =========================
.
A: is Removable
C: is FIXED (NTFS) - 931 GiB total, 895.282 GiB free.
D: is FIXED (NTFS) - 92 GiB total, 91.604 GiB free.
G: is Removable
.
==== Disabled Device Manager Items =============
.
Class GUID: {4d36e96a-e325-11ce-bfc1-08002be10318}
Description: Standard Dual Channel PCI IDE Controller
Device ID: PCI\VEN_197B&DEV_2363&SUBSYS_B0001458&REV_02\4&7AC17DB&0&00E3
Manufacturer: (Standard IDE ATA/ATAPI controllers)
Name: Standard Dual Channel PCI IDE Controller
PNP Device ID: PCI\VEN_197B&DEV_2363&SUBSYS_B0001458&REV_02\4&7AC17DB&0&00E3
Service: pciide
.
==== System Restore Points ===================
.
RP35: 8/15/2011 6:55:21 PM - Installed NVIDIA 3D Vision Controller Driver
RP36: 8/18/2011 5:45:12 AM - Windows Update
RP37: 8/19/2011 5:16:39 PM - Removed WOT for Internet Explorer
RP38: 8/19/2011 5:17:27 PM - Removed WOT for Internet Explorer
RP39: 8/19/2011 5:18:54 PM - Installed WOT for Internet Explorer
RP40: 8/22/2011 3:53:20 PM - Windows Update
RP41: 8/24/2011 3:00:13 AM - Windows Update
RP42: 8/27/2011 7:07:26 PM - Windows Update
RP43: 8/31/2011 5:36:27 PM - Windows Update
RP44: 9/4/2011 2:02:06 AM - Windows Update
.
==== Installed Programs ======================
.
Update for Microsoft Office 2007 (KB2508958)
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader X (10.1.0)
Bing Bar
BufferChm
C4400
Copy
D3DX10
Destinations
DeviceDiscovery
DocProc
Google Chrome
Google Earth
Google Toolbar for Internet Explorer
Google Update Helper
GPBaseService2
HP Update
HPPhotoGadget
HPPhotoSmartDiscLabelContent1
HPPhotosmartEssential
HPProductAssistant
HPSSupply
ieSpell
Java Auto Updater
Java 6 Update 26
Junk Mail filter update
Malwarebytes' Anti-Malware version 1.51.1.1800
MarketResearch
Mesh Runtime
Messenger Companion
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Professional Plus 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Silverlight
Microsoft SQL Server 2005 Compact Edition [ENU]
MSVCRT
MSVCRT_amd64
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
NVIDIA 3D Vision Controller Driver
PS_AIO_03_C4400_Software_Min
Scan
Security Update for 2007 Microsoft Office System (KB2288621)
Security Update for 2007 Microsoft Office System (KB2288931)
Security Update for 2007 Microsoft Office System (KB2345043)
Security Update for 2007 Microsoft Office System (KB2509488)
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB976321)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
Security Update for Microsoft Office 2007 System (KB2541012)
Security Update for Microsoft Office Access 2007 (KB979440)
Security Update for Microsoft Office Excel 2007 (KB2541007)
Security Update for Microsoft Office InfoPath 2007 (KB2510061)
Security Update for Microsoft Office InfoPath 2007 (KB979441)
Security Update for Microsoft Office PowerPoint 2007 (KB2535818)
Security Update for Microsoft Office PowerPoint Viewer 2007 (KB2464623)
Security Update for Microsoft Office Publisher 2007 (KB2284697)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Microsoft Office Word 2007 (KB2344993)
SmartWebPrinting
SolutionCenter
Status
Toolbox
TrayApp
UnloadSupport
Update for 2007 Microsoft Office System (KB2284654)
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office 2007 System (KB2539530)
Update for Microsoft Office Access 2007 Help (KB963663)
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office Infopath 2007 Help (KB963662)
Update for Microsoft Office Outlook 2007 (KB2509470)
Update for Microsoft Office Outlook 2007 Help (KB963677)
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Publisher 2007 Help (KB963667)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Word 2007 Help (KB963665)
Update for Outlook 2007 Junk Email Filter (KB2586924)
WebReg
Windows Live Communications Platform
Windows Live Essentials
Windows Live Installer
Windows Live Mail
Windows Live Mesh
Windows Live Mesh ActiveX Control for Remote Connections
Windows Live Messenger
Windows Live Messenger Companion Core
Windows Live Movie Maker
Windows Live Photo Common
Windows Live Photo Gallery
Windows Live PIMT Platform
Windows Live SOXE
Windows Live SOXE Definitions
Windows Live UX Platform
Windows Live UX Platform Language Pack
Windows Live Writer
Windows Live Writer Resources
WOT for Internet Explorer
.
==== Event Viewer Messages From Past Week ========
.
9/5/2011 12:15:52 PM, Error: volsnap [10] - The shadow copy of volume D: took too long to install.
9/5/2011 11:55:44 AM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: cdrom
9/3/2011 1:31:13 PM, Error: Microsoft Antimalware [3002] - Microsoft Antimalware Real-Time Protection feature has encountered an error and failed. Feature: Behavior Monitoring Error Code: 0x80004005 Error description: Unspecified error Reason: The filter driver requires an up-to-date engine in order to function. You must install the latest definition updates in order to enable real-time protection.
9/1/2011 6:19:54 AM, Error: Microsoft Antimalware [3002] - Microsoft Antimalware Real-Time Protection feature has encountered an error and failed. Feature: Behavior Monitoring Error Code: 0x80004005 Error description: Unspecified error Reason: The filter driver requires an up-to-date engine in order to function. You must install the latest definition updates in order to enable real-time protection.
8/30/2011 5:31:11 PM, Error: Microsoft Antimalware [3002] - Microsoft Antimalware Real-Time Protection feature has encountered an error and failed. Feature: Behavior Monitoring Error Code: 0x80004005 Error description: Unspecified error Reason: The filter driver requires an up-to-date engine in order to function. You must install the latest definition updates in order to enable real-time protection.
.
==== End Of File ===========================
aswMBR version 0.9.8.986 Copyright© 2011 AVAST Software
Run date: 2011-09-05 14:24:12
-----------------------------
14:24:12.872 OS Version: Windows x64 6.1.7601 Service Pack 1
14:24:12.872 Number of processors: 2 586 0xF02
14:24:12.872 ComputerName: TOM-PC UserName: Tom
14:24:15.742 Initialize success
14:24:28.158 Disk 0 \Device\Harddisk0\DR3 -> \Device\Ide\IdeDeviceP1T0L0-1
14:24:28.158 Disk 0 Vendor: FUJITSU_MHW2100BH 00000012 Size: 95396MB BusType: 3
14:24:28.158 Disk 1 (boot) \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP0T0L0-0
14:24:28.158 Disk 1 Vendor: ST31000528AS CC38 Size: 953868MB BusType: 3
14:24:30.202 Disk 1 MBR read successfully
14:24:30.202 Disk 1 MBR scan
14:24:30.202 Disk 1 Windows 7 default MBR code
14:24:30.202 Service scanning
14:24:30.576 Service MpNWMon C:\Windows\system32\DRIVERS\MpNWMon.sys **LOCKED** 32
14:24:31.231 Modules scanning
14:24:31.231 Disk 1 trace - called modules:
14:24:31.231 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys ataport.SYS intelide.sys PCIIDEX.SYS hal.dll atapi.sys
14:24:31.247 1 nt!IofCallDriver -> \Device\Harddisk1\DR1[0xfffffa8005e2f550]
14:24:31.247 3 CLASSPNP.SYS[fffff88001b6b43f] -> nt!IofCallDriver -> [0xfffffa80059822d0]
14:24:31.247 5 ACPI.sys[fffff88000e0b7a1] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0xfffffa8005cb5060]
14:24:31.262 Scan finished successfully
14:24:52.790 Disk 1 MBR has been saved successfully to "C:\Users\Tom\Desktop\MBR.dat"
14:24:52.790 The log file has been saved successfully to "C:\Users\Tom\Desktop\aswMBR.txt"
Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org
Database version: 7658
Windows 6.1.7601 Service Pack 1
Internet Explorer 9.0.8112.16421
9/5/2011 2:17:46 PM
mbam-log-2011-09-05 (14-17-46).txt
Scan type: Quick scan
Objects scanned: 185741
Time elapsed: 1 minute(s), 22 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
[RESOLVED] Trojan after trying to help someone
Started By oldtrig, Sep 05 2011 07:55 PM
#3 Re: [RESOLVED] Trojan after trying to help someone
Posted 05 September 2011 - 08:01 PM
So far looks clean...
Please download ComboFix from Here or Here to your Desktop.
**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
**Note 2 for AVG users: ComboFix will not run until AVG is uninstalled as a protective measure against the anti-virus. This is because AVG "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG first.
Use AppRemover to uninstall it: http://www.appremover.com/
We can reinstall it when we're done with CF.
**Note 3: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.
Make sure, you re-enable your security programs, when you're done with Combofix.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
NOTE.
If, for some reason, Combofix refuses to run, try one of the following:
1. Run Combofix from Safe Mode.
2. Delete the Combofix file, download a fresh one, but rename combofix.exe to yourname.exe BEFORE saving it to your desktop.
Do NOT run it yet.
Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.
There are 4 different versions. If one of them won't run then download and try to run the other one.
Vista and Win7 users need to right click Rkill and choose Run as Administrator
You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.
Rkill.com
Rkill.scr
Rkill.exe
Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.
If normal mode still doesn't work, run BOTH tools from safe mode.
In case #2, please post BOTH logs, rKill and Combofix.
DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
Please download ComboFix from Here or Here to your Desktop.
**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
- Please, never rename Combofix unless instructed.
- Close any open browsers.
- Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
- Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
- Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
NOTE 2. If Combofix asks you to update the program, always do so.
- Close any open browsers.
- WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
- Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
- If there is no internet connection after running Combofix, then restart your computer to restore your connection.
- Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
- Double click on combofix.exe & follow the prompts.
- When finished, it will produce a report for you.
- Please post the "C:\ComboFix.txt"
**Note 2 for AVG users: ComboFix will not run until AVG is uninstalled as a protective measure against the anti-virus. This is because AVG "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG first.
Use AppRemover to uninstall it: http://www.appremover.com/
We can reinstall it when we're done with CF.
**Note 3: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.
Make sure, you re-enable your security programs, when you're done with Combofix.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
NOTE.
If, for some reason, Combofix refuses to run, try one of the following:
1. Run Combofix from Safe Mode.
2. Delete Combofix file, download fresh one, but rename combofix.exe to yourname.exe BEFORE saving it to your desktop.
Do NOT run it yet.
Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.
There are 4 different versions. If one of them won't run then download and try to run the other one.
Vista and Win7 users need to right click Rkill and choose Run as Administrator
You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shut down your antivirus.
Rkill.com
Rkill.scr
Rkill.exe
- Double-click on the Rkill desktop icon to run the tool.
- If using Vista or Windows 7 right-click on it and choose Run As Administrator.
- A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
- If not, delete the file, then download and use the one provided in Link 2.
- If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
- Do not reboot until instructed.
- If the tool does not run from any of the links provided, please let me know.
Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.
If normal mode still doesn't work, run BOTH tools from safe mode.
In case #2, please post BOTH logs, rKill and Combofix.
DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
#4 Re: [RESOLVED] Trojan after trying to help someone
Posted 05 September 2011 - 08:47 PM
I got an error message now when I tried to open Internet Explorer.
Illegal operation attempted on a registry key that has been marked for deletion.
I had to reboot in order to use Google Chrome. Here is the combo log. I sure hope I can get my Internet Explorer back. Google Chrome would not work until I rebooted, but there is no Internet Explorer to be found.
ComboFix 11-09-05.05 - Tom 09/05/2011 15:28:41.1.2 - x64
Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.6142.4683 [GMT -5:00]
Running from: c:\users\Tom\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Enabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Enabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\SysWow64\msblcd32.dll
.
.
((((((((((((((((((((((((( Files Created from 2011-08-05 to 2011-09-05 )))))))))))))))))))))))))))))))
.
.
2011-09-04 18:36 . 2011-08-12 04:10 8862544 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{31A3F174-9A4C-496C-B53B-8C5E21594CF5}\mpengine.dll
2011-08-28 01:01 . 2011-08-28 01:01 -------- d-----w- C:\cabs
2011-08-23 22:07 . 2011-07-09 05:26 2048 ----a-w- c:\windows\system32\tzres.dll
2011-08-23 22:07 . 2011-07-09 04:29 2048 ----a-w- c:\windows\SysWow64\tzres.dll
2011-08-19 22:19 . 2011-08-19 22:19 -------- d-----w- c:\program files (x86)\WOT
2011-08-19 22:17 . 2011-08-19 22:17 -------- d-----w- c:\windows\system32\appmgmt
2011-08-11 23:41 . 2011-07-30 01:22 601424 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\NISBackup\gapaengine.dll
2011-08-11 23:41 . 2011-07-30 01:22 601424 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{7C0991BB-CC53-48BC-806C-1A43446B2BE9}\gapaengine.dll
2011-08-07 03:17 . 2011-08-28 01:18 -------- d--h--w- c:\program files (x86)\InstallShield Installation Information
2011-08-07 03:17 . 2011-08-07 03:17 -------- d-----w- c:\users\UpdatusUser
2011-08-07 03:17 . 2011-08-07 03:17 -------- d-----w- c:\program files (x86)\NVIDIA Corporation
2011-08-07 03:17 . 2011-08-15 23:55 -------- d-----w- c:\programdata\NVIDIA
2011-08-07 03:17 . 2011-08-03 11:50 61544 ----a-w- c:\windows\system32\nvshext.dll
2011-08-07 03:17 . 2011-08-03 11:50 3021416 ----a-w- c:\windows\system32\nvsvc64.dll
2011-08-07 03:17 . 2011-08-03 11:50 980072 ----a-w- c:\windows\system32\nvvsvc.exe
2011-08-07 03:17 . 2011-08-03 11:50 836200 ----a-w- c:\windows\system32\easyupdatusapiu64.dll
2011-08-07 03:17 . 2011-08-03 11:50 6136936 ----a-w- c:\windows\system32\nvcpl.dll
2011-08-07 03:17 . 2011-08-03 11:50 117864 ----a-w- c:\windows\system32\nvmctray.dll
2011-08-07 03:16 . 2011-08-07 03:16 -------- d-----w- c:\programdata\NVIDIA Corporation
2011-08-07 03:16 . 2011-08-03 11:50 2758760 ----a-w- c:\windows\system32\nvapi64.dll
2011-08-07 03:16 . 2011-08-03 11:50 2412136 ----a-w- c:\windows\SysWow64\nvapi.dll
2011-08-07 03:16 . 2011-05-25 06:09 1496168 ----a-w- c:\windows\system32\nvdispco6420150.dll
2011-08-07 03:16 . 2011-05-25 06:09 1427048 ----a-w- c:\windows\system32\nvgenco642090.dll
2011-08-07 03:16 . 2011-05-25 06:09 12392 ----a-w- c:\windows\system32\drivers\nvBridge.kmd
2011-08-07 03:15 . 2011-08-15 23:55 -------- d-----w- c:\program files\NVIDIA Corporation
2011-08-07 03:15 . 2011-08-07 03:15 -------- d-----w- C:\NVIDIA
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-08-15 00:53 . 2011-07-28 23:17 404640 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2011-08-12 04:10 . 2011-07-31 01:50 8862544 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-08-05 02:29 . 2011-08-05 02:29 662288 ----a-w- c:\windows\SysWow64\MSCOMCT2.OCX
2011-08-05 02:29 . 2011-08-05 02:29 212240 ----a-w- c:\windows\SysWow64\RICHTX32.OCX
2011-08-05 02:29 . 2011-08-05 02:29 124688 ----a-w- c:\windows\SysWow64\MSWINSCK.OCX
2011-08-05 02:29 . 2011-08-05 02:29 67376 ----a-w- c:\windows\SysWow64\SYSINFO.OCX
2011-08-05 02:29 . 2011-08-05 02:29 152848 ----a-w- c:\windows\SysWow64\COMDLG32.OCX
2011-08-05 02:29 . 2002-12-20 19:02 1081616 ----a-w- c:\windows\SysWow64\MSCOMCTL.OCX
2011-08-03 11:50 . 2009-07-13 21:59 15064168 ----a-w- c:\windows\system32\nvd3dumx.dll
2011-08-03 11:50 . 2009-06-10 20:37 12636776 ----a-w- c:\windows\SysWow64\nvd3dum.dll
2011-07-29 02:50 . 2011-07-29 02:51 472808 ----a-w- c:\windows\SysWow64\deployJava1.dll
2011-07-29 00:46 . 2011-03-28 23:36 18328 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2011-07-28 22:41 . 2011-07-28 22:41 91648 ----a-w- c:\windows\system32\SetIEInstalledDate.exe
2011-07-28 22:41 . 2011-07-28 22:41 89088 ----a-w- c:\windows\system32\RegisterIEPKEYs.exe
2011-07-28 22:41 . 2011-07-28 22:41 86528 ----a-w- c:\windows\SysWow64\iesysprep.dll
2011-07-28 22:41 . 2011-07-28 22:41 85504 ----a-w- c:\windows\system32\iesetup.dll
2011-07-28 22:41 . 2011-07-28 22:41 76800 ----a-w- c:\windows\SysWow64\SetIEInstalledDate.exe
2011-07-28 22:41 . 2011-07-28 22:41 76800 ----a-w- c:\windows\system32\tdc.ocx
2011-07-28 22:41 . 2011-07-28 22:41 74752 ----a-w- c:\windows\SysWow64\RegisterIEPKEYs.exe
2011-07-28 22:41 . 2011-07-28 22:41 74752 ----a-w- c:\windows\SysWow64\iesetup.dll
2011-07-28 22:41 . 2011-07-28 22:41 63488 ----a-w- c:\windows\SysWow64\tdc.ocx
2011-07-28 22:41 . 2011-07-28 22:41 603648 ----a-w- c:\windows\system32\vbscript.dll
2011-07-28 22:41 . 2011-07-28 22:41 49664 ----a-w- c:\windows\system32\imgutil.dll
2011-07-28 22:41 . 2011-07-28 22:41 48640 ----a-w- c:\windows\SysWow64\mshtmler.dll
2011-07-28 22:41 . 2011-07-28 22:41 48640 ----a-w- c:\windows\system32\mshtmler.dll
2011-07-28 22:41 . 2011-07-28 22:41 448512 ----a-w- c:\windows\system32\html.iec
2011-07-28 22:41 . 2011-07-28 22:41 420864 ----a-w- c:\windows\SysWow64\vbscript.dll
2011-07-28 22:41 . 2011-07-28 22:41 367104 ----a-w- c:\windows\SysWow64\html.iec
2011-07-28 22:41 . 2011-07-28 22:41 35840 ----a-w- c:\windows\SysWow64\imgutil.dll
2011-07-28 22:41 . 2011-07-28 22:41 30720 ----a-w- c:\windows\system32\licmgr10.dll
2011-07-28 22:41 . 2011-07-28 22:41 23552 ----a-w- c:\windows\SysWow64\licmgr10.dll
2011-07-28 22:41 . 2011-07-28 22:41 222208 ----a-w- c:\windows\system32\msls31.dll
2011-07-28 22:41 . 2011-07-28 22:41 173056 ----a-w- c:\windows\system32\ieUnatt.exe
2011-07-28 22:41 . 2011-07-28 22:41 165888 ----a-w- c:\windows\system32\iexpress.exe
2011-07-28 22:41 . 2011-07-28 22:41 161792 ----a-w- c:\windows\SysWow64\msls31.dll
2011-07-28 22:41 . 2011-07-28 22:41 160256 ----a-w- c:\windows\system32\wextract.exe
2011-07-28 22:41 . 2011-07-28 22:41 152064 ----a-w- c:\windows\SysWow64\wextract.exe
2011-07-28 22:41 . 2011-07-28 22:41 150528 ----a-w- c:\windows\SysWow64\iexpress.exe
2011-07-28 22:41 . 2011-07-28 22:41 1492992 ----a-w- c:\windows\system32\inetcpl.cpl
2011-07-28 22:41 . 2011-07-28 22:41 142848 ----a-w- c:\windows\SysWow64\ieUnatt.exe
2011-07-28 22:41 . 2011-07-28 22:41 1427456 ----a-w- c:\windows\SysWow64\inetcpl.cpl
2011-07-28 22:41 . 2011-07-28 22:41 135168 ----a-w- c:\windows\system32\IEAdvpack.dll
2011-07-28 22:41 . 2011-07-28 22:41 12288 ----a-w- c:\windows\system32\mshta.exe
2011-07-28 22:41 . 2011-07-28 22:41 11776 ----a-w- c:\windows\SysWow64\mshta.exe
2011-07-28 22:41 . 2011-07-28 22:41 114176 ----a-w- c:\windows\system32\admparse.dll
2011-07-28 22:41 . 2011-07-28 22:41 111616 ----a-w- c:\windows\system32\iesysprep.dll
2011-07-28 22:41 . 2011-07-28 22:41 110592 ----a-w- c:\windows\SysWow64\IEAdvpack.dll
2011-07-28 22:41 . 2011-07-28 22:41 101888 ----a-w- c:\windows\SysWow64\admparse.dll
2011-07-20 14:44 . 2011-07-29 10:33 8578896 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{CB9ECB54-6696-44FD-B483-1D631D574115}\mpengine.dll
2011-07-16 04:26 . 2011-08-10 00:54 44032 ----a-w- c:\windows\apppatch\acwow64.dll
2011-07-07 00:52 . 2011-07-30 01:36 41272 ----a-w- c:\windows\SysWow64\drivers\mbamswissarmy.sys
2011-07-07 00:52 . 2011-07-30 01:36 25912 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-06-11 03:07 . 2011-07-28 23:14 3137536 ----a-w- c:\windows\system32\win32k.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-21 1475584]
"swg"="c:\program files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2011-08-19 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-08-02 136176]
R2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [2011-08-03 2255464]
R3 BBSvc;Bing Bar Update Service;c:\program files (x86)\Microsoft\BingBar\BBSvc.EXE [2011-04-01 183560]
R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [x]
R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-08-02 136176]
R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [x]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [x]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\Antimalware\NisSrv.exe [2011-04-27 288272]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-22 57184]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS [2011-07-22 14928]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS [2011-07-12 12368]
S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE64.EXE [2011-08-19 140672]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2011-06-06 64952]
S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x64.sys [x]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2011-09-05 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-08-02 00:40]
.
2011-09-05 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-08-02 00:40]
.
2011-09-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2271397114-3413432573-1654361976-1000Core.job
- c:\users\Tom\AppData\Local\Google\Update\GoogleUpdate.exe [2011-07-29 00:54]
.
2011-09-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2271397114-3413432573-1654361976-1000UA.job
- c:\users\Tom\AppData\Local\Google\Update\GoogleUpdate.exe [2011-07-29 00:54]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 1436736]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://yahoo.com/
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: &ieSpell Options - c:\program files (x86)\ieSpell\iespell.dll/SPELLOPTION.HTM
IE: Check &Spelling - c:\program files (x86)\ieSpell\iespell.dll/SPELLCHECK.HTM
IE: E&xport to Microsoft Excel - c:\progra~2\MIF5BA~1\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
IE: Lookup on Merriam Webster - file://c:\program files (x86)\ieSpell\Merriam Webster.HTM
IE: Lookup on Wikipedia - file://c:\program files (x86)\ieSpell\wikipedia.HTM
TCP: DhcpNameServer = 208.67.222.222 208.67.220.220 24.177.176.38
.
- - - - ORPHANS REMOVED - - - -
.
Wow6432Node-HKCU-Run-RESTART_STICKY_NOTES - c:\windows\System32\StikyNot.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-2271397114-3413432573-1654361976-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.eml\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="WindowsLiveMail.Email.1"
.
[HKEY_USERS\S-1-5-21-2271397114-3413432573-1654361976-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vcf\UserChoice]
@Denied: (2) (S-1-5-21-2271397114-3413432573-1654361976-1000)
@Denied: (2) (LocalSystem)
"Progid"="Outlook.File.vcf"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10v_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10v_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10v.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10v.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10v.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10v.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Microsoft\BingBar\SeaPort.EXE
.
**************************************************************************
.
Completion time: 2011-09-05 15:35:55 - machine was rebooted
ComboFix-quarantined-files.txt 2011-09-05 20:35
.
Pre-Run: 961,187,622,912 bytes free
Post-Run: 961,024,376,832 bytes free
.
- - End Of File - - 821908606714D461BBC15D25CA6F7C36
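A small triage helper for the C:\ComboFix.txt report posted above, added here as an example (it is not ComboFix's or the forum's own code). It assumes the report layout seen in the log: "(((( Title ))))" section banners and file entries of the form "created . modified size attrs path"; the SYSTEM_DIRS list is the reviewer's own choice, and the embedded report is a constructed excerpt with one invented line (sample_dropped.dll).

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# ComboFix marks a section with a "(((( Title ))))" banner line.
SECTION_RE = re.compile(r"^\(+\s*(?P<title>.+?)\s*\)+$")
# File entry: "<created> . <modified> <size|--------> <attrs> <path>"; directories show -------- as size.
ENTRY_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-{8}) (?P<attrs>[-dahrsw]{8}) (?P<path>.+)$"
)
# Directories where an unexpected new binary deserves a closer look (reviewer's assumption).
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


@dataclass
class FileEntry:
    section: str
    created: str          # "YYYY-MM-DD HH:MM"; sorts correctly as a plain string
    modified: str
    size: Optional[int]   # None for directories
    attrs: str
    path: str

    @property
    def is_dir(self) -> bool:
        return self.attrs.startswith("d")


def parse_report(text: str) -> Tuple[Dict[str, List[str]], List[FileEntry]]:
    """Return {section title: its non-empty lines} and every parsable file entry."""
    sections: Dict[str, List[str]] = defaultdict(list)
    current = "Header"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":              # ComboFix pads sections with lone dots
            continue
        if line.startswith("- - End Of File"):
            break
        banner = SECTION_RE.match(line)
        if banner:
            current = banner.group("title")
            continue
        sections[current].append(line)
    entries: List[FileEntry] = []
    for title, lines in sections.items():
        for line in lines:
            m = ENTRY_RE.match(line)
            if m is None:
                continue
            size = None if m.group("size").startswith("-") else int(m.group("size"))
            entries.append(FileEntry(title, m.group("created"), m.group("modified"),
                                     size, m.group("attrs"), m.group("path")))
    return dict(sections), entries


def triage(text: str, incident_after: str) -> Dict[str, list]:
    """Deletions ComboFix made, plus system-directory files created on/after incident_after.
    Each flagged file carries the number of files sharing its creation minute: installers
    and Windows updates drop many files at once, a dropped trojan is usually alone."""
    sections, entries = parse_report(text)
    per_minute: Dict[str, int] = defaultdict(int)
    for e in entries:
        if not e.is_dir:
            per_minute[e.created] += 1
    recent = [
        (e.path, e.created, per_minute[e.created])
        for e in entries
        if not e.is_dir and e.created >= incident_after
        and e.path.lower().startswith(SYSTEM_DIRS)
    ]
    return {
        "removed_by_combofix": sections.get("Other Deletions", []),
        "recent_system_files": sorted(recent, key=lambda r: r[1], reverse=True),
    }


# Constructed excerpt in the ComboFix report format; the sample_dropped.dll line is invented.
SAMPLE_REPORT = r"""ComboFix 11-09-05.05 - Tom 09/05/2011 15:28:41.1.2 - x64
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\SysWow64\msblcd32.dll
.
((((((((((((((((((((((((( Files Created from 2011-08-05 to 2011-09-05 )))))))))))))))))))))))))))))))
2011-09-04 18:36 . 2011-08-12 04:10 8862544 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{31A3F174-9A4C-496C-B53B-8C5E21594CF5}\mpengine.dll
2011-09-04 14:02 . 2011-09-04 14:02 53248 ----a-w- c:\windows\SysWow64\sample_dropped.dll
2011-08-28 01:01 . 2011-08-28 01:01 -------- d-----w- C:\cabs
2011-08-23 22:07 . 2011-07-09 05:26 2048 ----a-w- c:\windows\system32\tzres.dll
2011-08-23 22:07 . 2011-07-09 04:29 2048 ----a-w- c:\windows\SysWow64\tzres.dll
2011-08-07 03:17 . 2011-08-03 11:50 61544 ----a-w- c:\windows\system32\nvshext.dll
2011-08-07 03:17 . 2011-08-03 11:50 980072 ----a-w- c:\windows\system32\nvvsvc.exe
.
- - End Of File - -
"""

if __name__ == "__main__":
    for key, rows in triage(SAMPLE_REPORT, incident_after="2011-09-04 00:00").items():
        print(key, *rows, sep="\n  ")
```

The output is a reading list for the reviewer, not a verdict: a definition update or a driver install also creates files after the incident date, so check each flagged path against what was installed that day before treating it as a dropped component.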
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS [2011-07-22 14928]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS [2011-07-12 12368]
S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE64.EXE [2011-08-19 140672]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2011-06-06 64952]
S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x64.sys [x]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2011-09-05 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-08-02 00:40]
.
2011-09-05 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-08-02 00:40]
.
2011-09-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2271397114-3413432573-1654361976-1000Core.job
- c:\users\Tom\AppData\Local\Google\Update\GoogleUpdate.exe [2011-07-29 00:54]
.
2011-09-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2271397114-3413432573-1654361976-1000UA.job
- c:\users\Tom\AppData\Local\Google\Update\GoogleUpdate.exe [2011-07-29 00:54]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 1436736]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://yahoo.com/
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: &ieSpell Options - c:\program files (x86)\ieSpell\iespell.dll/SPELLOPTION.HTM
IE: Check &Spelling - c:\program files (x86)\ieSpell\iespell.dll/SPELLCHECK.HTM
IE: E&xport to Microsoft Excel - c:\progra~2\MIF5BA~1\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
IE: Lookup on Merriam Webster - file://c:\program files (x86)\ieSpell\Merriam Webster.HTM
IE: Lookup on Wikipedia - file://c:\program files (x86)\ieSpell\wikipedia.HTM
TCP: DhcpNameServer = 208.67.222.222 208.67.220.220 24.177.176.38
.
- - - - ORPHANS REMOVED - - - -
.
Wow6432Node-HKCU-Run-RESTART_STICKY_NOTES - c:\windows\System32\StikyNot.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-2271397114-3413432573-1654361976-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.eml\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="WindowsLiveMail.Email.1"
.
[HKEY_USERS\S-1-5-21-2271397114-3413432573-1654361976-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vcf\UserChoice]
@Denied: (2) (S-1-5-21-2271397114-3413432573-1654361976-1000)
@Denied: (2) (LocalSystem)
"Progid"="Outlook.File.vcf"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10v_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10v_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10v.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10v.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10v.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10v.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Microsoft\BingBar\SeaPort.EXE
.
**************************************************************************
.
Completion time: 2011-09-05 15:35:55 - machine was rebooted
ComboFix-quarantined-files.txt 2011-09-05 20:35
.
Pre-Run: 961,187,622,912 bytes free
Post-Run: 961,024,376,832 bytes free
.
- - End Of File - - 821908606714D461BBC15D25CA6F7C36
#5 Re: [RESOLVED] Trojan after trying to help someone
Posted 05 September 2011 - 08:53 PM
Quote
**Note 3: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.
Combofix looks good.
Last scans...
1. Download Security Check from HERE, and save it to your Desktop.
- Double-click SecurityCheck.exe
- Follow the onscreen instructions inside of the black box.
- A Notepad document should open automatically called checkup.txt; please post the contents of that document.
NOTE SecurityCheck may produce some false warning(s), so leave the results reading to me.
2. Download Temp File Cleaner (TFC)
- Double click on TFC.exe to run the program.
- Click on Start button to begin cleaning process.
- TFC will close all running programs, and it may ask you to restart computer.
3. Please run a free online scan with the ESET Online Scanner
- Disable your antivirus program
- Tick the box next to YES, I accept the Terms of Use
- Click Start
- Accept any security warnings from your browser.
- Check Scan archives
- Click Start
- ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
- When the scan completes, push List of found threats
- Click on Export to text file, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
- NOTE. If ESET doesn't find any threats, it won't produce a log.
#6 Re: [RESOLVED] Trojan after trying to help someone
Posted 05 September 2011 - 09:34 PM
ESET No threats found
Results of screen317's Security Check version 0.99.7
Windows 7 (UAC is enabled)
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:
Windows Firewall Enabled!
ESET Online Scanner v3
WMI entry may not exist for antivirus; attempting automatic update.
```````````````````````````````
Anti-malware/Other Utilities Check:
Malwarebytes' Anti-Malware
Java 6 Update 26
Out of date Java installed!
Adobe Flash Player 10.3.183.5
Adobe Reader X (10.1.0)
````````````````````````````````
Process Check:
objlist.exe by Laurent
Windows Defender MSMpEng.exe
Microsoft Security Essentials msseces.exe
Microsoft Security Client Antimalware MsMpEng.exe
``````````End of Log````````````
#7 Re: [RESOLVED] Trojan after trying to help someone
Posted 05 September 2011 - 09:36 PM
Update your Java version here: http://www.java.com/...d/installed.jsp
Note 1: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.
Note 2: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. If you don't want to run another extra service, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and restart your computer.
==================================================================================
Your computer is clean

1. We need to reset system restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll create a fresh, clean restore point, using the following OTL script:
Run OTL
- Under the Custom Scans/Fixes box at the bottom, paste in the following:
:OTL
:Commands
[purity]
[emptytemp]
[EMPTYFLASH]
[CLEARALLRESTOREPOINTS]
[Reboot]
- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
- Post resulting log.
2. Now we'll remove all the tools we used during our cleaning process.
Clean up with OTL:
- Double-click OTL.exe to start the program.
- Close all other programs apart from OTL as this step will require a reboot
- On the OTL main screen, press the CLEANUP button
- Say Yes to the prompt and then allow the program to reboot your computer.
If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.
3. Make sure Windows Updates are current.
4. If any Trojan was listed among your infection(s), make sure you change all of your important online passwords (bank account(s), secured web sites, etc.) immediately!
5. Download and install WOT (Web Of Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.
6. Run Malwarebytes "Quick scan" once in a while to ensure the safety of your computer.
7. Run Temporary File Cleaner (TFC) weekly.
8. Download and install Secunia Personal Software Inspector (PSI): http://secunia.com/v...ning/personal/. The Secunia PSI is a FREE security tool designed to detect vulnerable and outdated programs and plug-ins which expose your PC to attacks. Run it weekly.
9. (optional) If you want to keep all your programs up to date, download and install FileHippo Update Checker.
The Update Checker will scan your computer for installed software, check the versions and then send this information to FileHippo.com to see if there are any newer releases.
10. (Windows XP only) Run defrag at your convenience.
11. When installing/updating ANY program, make sure you always select "Custom" installation, so you can UN-check any possible "drive-by-install" (foistware), like toolbars etc., which may try to install along with the legitimate program. Do NOT click the "Next" button without looking at any given page.
12. Read How did I get infected?, with steps so it does not happen again!: http://www.bleepingc.../topic2520.html
13. Please let me know how your computer is doing.
#8 Re: [RESOLVED] Trojan after trying to help someone
Posted 05 September 2011 - 10:48 PM
Thanks Broni, it is running great again. I will watch it next time I connect someone's drive to mine. Thanks again. Tom