
DC3_FEXEC Won't be removed


fv9


Alright guys,

Ran a virus scan since the system was feeling pretty sluggish. Came up with 3 results in MBAM:

Registry Keys Detected: 1

HKCU\Software\DC3_FEXEC (Malware.Trace) -> Quarantined and deleted successfully.

Folders Detected: 1

C:\Users\Dave\AppData\Local\Temp\dclogs (Stolen.Data) -> Quarantined and deleted successfully.

Files Detected: 1

C:\Users\Dave\AppData\Local\Temp\dclogs\2012-09-12-4.dc (Stolen.Data) -> Quarantined and deleted successfully.

Deleted them and rebooted; the files instantly came back. Quite certain I was hit by a Java exploit (had to install Java to view some shady website, which then didn't load after installing Java) as well, so I've removed Java from the system.

Full MBAM/HiJackThis logs:

Malwarebytes Anti-Malware (Trial) 1.65.0.1400

www.malwarebytes.org

Database version: v2012.09.07.13

Windows 7 x64 NTFS

Internet Explorer 8.0.7600.16385

Dave :: DESKTOP [administrator]

Protection: Enabled

12/09/2012 13:30:50

mbam-log-2012-09-12 (13-30-50).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 190820

Time elapsed: 3 minute(s),

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 1

HKCU\Software\DC3_FEXEC (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 1

C:\Users\Dave\AppData\Local\Temp\dclogs (Stolen.Data) -> Quarantined and deleted successfully.

Files Detected: 1

C:\Users\Dave\AppData\Local\Temp\dclogs\2012-09-12-4.dc (Stolen.Data) -> Quarantined and deleted successfully.

(end)

Logfile of Trend Micro HijackThis v2.0.4

Scan saved at 13:41:49, on 12/09/2012

Platform: Windows 7 (WinNT 6.00.3504)

MSIE: Internet Explorer v8.00 (8.00.7600.16385)

Boot mode: Normal

Running processes:

C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe

C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe

C:\Users\Dave\AppData\Roaming\MyFolder\nsCfg.exe

C:\Program Files (x86)\Windows Live\Contacts\wlcomm.exe

C:\Program Files (x86)\Mozilla Firefox\firefox.exe

C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe

C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe

C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe

C:\Program Files (x86)\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

F2 - REG:system.ini: UserInit=userinit.exe,

O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O4 - HKCU\..\Run: [uTorrent] "C:\Program Files (x86)\uTorrent\uTorrent.exe"

O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe" -autorun

O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe" /background

O4 - HKCU\..\Run: [xhost] C:\Users\Dave\AppData\Roaming\MyFolder\xhost.exe

O4 - HKUS\S-1-5-19\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')

O17 - HKLM\System\CCS\Services\Tcpip\..\{4FB483C5-4518-4085-A53F-6354E44AA75B}: NameServer = 8.8.8.8,8.8.4.4

O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)

O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)

O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)

O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)

O23 - Service: MBAMScheduler - Malwarebytes Corporation - C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe

O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe

O23 - Service: Mozilla Maintenance Service (MozillaMaintenance) - Mozilla Foundation - C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)

O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)

O23 - Service: NVIDIA Display Driver Service (nvsvc) - Unknown owner - C:\Windows\system32\nvvsvc.exe (file missing)

O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)

O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)

O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)

O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)

O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)

O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)

O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)

O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)

O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)

O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)

O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)

O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)

O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

--

End of file - 6079 bytes


Welcome to the forum, please start at the link below:

http://forums.malwar...?showtopic=9573

Post back the 2 logs here.....DDS.txt and Attach.txt

<====><====><====><====><====><====><====><====>

Next.......

Please remove any usb or external drives from the computer before you run this scan!

Please download RogueKiller to your desktop and run it.

For Windows XP, double-click to start.

For Vista or Windows 7, right-click the program, select Run as Administrator to start, and when prompted, allow it to run.

Click Scan to scan the system.

When the scan completes > Close out the program > Don't Fix anything!

Don't run any other options; they're not all bad!

Post back the report which should be located on your desktop.

MrC


DDS:

.

DDS (Ver_2011-08-26.01) - NTFSAMD64

Internet Explorer: 8.0.7600.16385

Run by Dave at 13:48:08 on 2012-09-12

Microsoft Windows 7 Home Premium 6.1.7600.0.1252.44.1033.18.1023.108 [GMT 1:00]

.

SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

============== Running Processes ===============

.

C:\Windows\system32\wininit.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\nvvsvc.exe

C:\Windows\system32\svchost.exe -k RPCSS

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe -k LocalService

C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe

C:\Windows\system32\nvvsvc.exe

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\System32\spoolsv.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe

C:\Windows\system32\Dwm.exe

C:\Windows\system32\taskhost.exe

C:\Windows\Explorer.EXE

C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe

C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\system32\SearchIndexer.exe

C:\Users\Dave\AppData\Roaming\MyFolder\nsCfg.exe

C:\Program Files\Windows Media Player\wmpnetwk.exe

C:\Program Files (x86)\Windows Live\Contacts\wlcomm.exe

C:\Windows\System32\svchost.exe -k LocalServicePeerNet

C:\Windows\System32\svchost.exe -k secsvcs

C:\Windows\notepad.exe

C:\Windows\system32\msiexec.exe

C:\Program Files (x86)\Mozilla Firefox\firefox.exe

C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe

C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe

C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe

C:\Windows\notepad.exe

C:\Users\Dave\Downloads\mseinstall.exe

e:\fb6e6667cea029fb2c90715b\epplauncher.exe

e:\fb6e6667cea029fb2c90715b\amd64\Setup.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\vssvc.exe

C:\Windows\System32\svchost.exe -k swprv

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\conhost.exe

C:\Windows\SysWOW64\cscript.exe

.

============== Pseudo HJT Report ===============

.

mWinlogon: Userinit=userinit.exe,

BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File

BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

uRun: [uTorrent] "C:\Program Files (x86)\uTorrent\uTorrent.exe"

uRun: [DAEMON Tools Lite] "C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe" -autorun

uRun: [msnmsgr] "C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe" /background

uRun: [xhost] C:\Users\Dave\AppData\Roaming\MyFolder\xhost.exe

mPolicies-explorer: NoActiveDesktop = 1 (0x1)

mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)

mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)

mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)

mPolicies-system: EnableLUA = 0 (0x0)

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

mPolicies-system: PromptOnSecureDesktop = 0 (0x0)

TCP: DhcpNameServer = 192.168.1.1 192.168.1.1

TCP: Interfaces\{4FB483C5-4518-4085-A53F-6354E44AA75B} : NameServer = 8.8.8.8,8.8.4.4

TCP: Interfaces\{F573C787-02CB-4B80-92A6-B7F8E94D4F58} : DhcpNameServer = 192.168.1.1 192.168.1.1

BHO-X64: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File

BHO-X64: Windows Live Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

.

================= FIREFOX ===================

.

FF - ProfilePath - C:\Users\Dave\AppData\Roaming\Mozilla\Firefox\Profiles\qp3o2ox3.default\

FF - prefs.js: network.proxy.type - 0

FF - plugin: C:\Program Files (x86)\Microsoft Silverlight\5.1.10411.0\npctrlui.dll

FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_3_300_268.dll

FF - plugin: C:\Windows\SysWOW64\npDeployJava1.dll

FF - plugin: C:\Windows\SysWOW64\npmproxy.dll

.

============= SERVICES / DRIVERS ===============

.

R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;C:\Windows\system32\DRIVERS\dtsoftbus01.sys --> C:\Windows\system32\DRIVERS\dtsoftbus01.sys [?]

R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys --> C:\Windows\system32\DRIVERS\vwififlt.sys [?]

R2 MBAMScheduler;MBAMScheduler;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [2012-9-12 399432]

R2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-9-12 676936]

R3 MBAMProtector;MBAMProtector;\??\C:\Windows\system32\drivers\mbam.sys --> C:\Windows\system32\drivers\mbam.sys [?]

R3 rt61x64;RT61 Extensible Wireless Driver;C:\Windows\system32\DRIVERS\netr6164.sys --> C:\Windows\system32\DRIVERS\netr6164.sys [?]

S3 massfilter;ZTE Mass Storage Filter Driver;C:\Windows\system32\drivers\massfilter.sys --> C:\Windows\system32\drivers\massfilter.sys [?]

S3 MozillaMaintenance;Mozilla Maintenance Service;C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-8-13 113120]

S3 netr28x;Ralink 802.11n Wireless Driver for Windows Vista;C:\Windows\system32\DRIVERS\netr28x.sys --> C:\Windows\system32\DRIVERS\netr28x.sys [?]

S3 netr7364;Conceptronic RT73 Wireles Driver for Vista;C:\Windows\system32\DRIVERS\netr7364.sys --> C:\Windows\system32\DRIVERS\netr7364.sys [?]

.

=============== Created Last 30 ================

.

2012-09-12 12:40:06 388096 ----a-r- C:\Users\Dave\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe

2012-09-12 12:40:06 -------- d-----w- C:\Program Files (x86)\Trend Micro

2012-09-12 12:11:33 -------- d-----w- C:\Users\Dave\AppData\Roaming\Malwarebytes

2012-09-12 12:11:25 -------- d-----w- C:\ProgramData\Malwarebytes

2012-09-12 12:11:24 25928 ----a-w- C:\Windows\System32\drivers\mbam.sys

2012-09-12 12:11:24 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware

2012-09-12 11:59:15 696320 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\0701\Intel32\iKernel.dll

2012-09-12 11:59:15 57344 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\0701\Intel32\ctor.dll

2012-09-12 11:59:15 5632 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\0701\Intel32\DotNetInstaller.exe

2012-09-12 11:59:15 237568 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\0701\Intel32\iscript.dll

2012-09-12 11:59:15 155648 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\0701\Intel32\iuser.dll

2012-09-12 11:59:13 282756 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\0701\Intel32\setup.dll

2012-09-12 11:59:13 163972 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\0701\Intel32\iGdi.dll

2012-09-12 09:53:22 -------- d-----w- C:\Users\Dave\AppData\Roaming\MyFolder

2012-09-12 09:53:04 791040 ----a-w- C:\Users\Dave\xhostsvc.exe

2012-09-12 09:52:30 821736 ----a-w- C:\Windows\SysWow64\npDeployJava1.dll

2012-09-12 09:52:30 746984 ----a-w- C:\Windows\SysWow64\deployJava1.dll

2012-09-11 19:52:45 -------- d-----w- C:\Program Files (x86)\Native Instruments

2012-09-08 23:50:15 -------- d-----w- C:\Windows\W7SBC

2012-09-08 23:50:14 2868224 ----a-w- C:\Windows\explorer_edit_w7sbc.exe

2012-09-08 23:50:14 2868224 ----a-w- C:\Windows\explorer_backup_w7sbc.exe

2012-09-08 23:50:14 2385408 ----a-w- C:\Windows\explorer.exe

2012-09-08 23:19:56 -------- d-----w- C:\Program Files\CCleaner

2012-09-08 23:15:27 -------- d-----w- C:\Users\Dave\Space

2012-09-08 23:14:30 -------- d-----w- C:\Program Files (x86)\IMG Tool

2012-09-08 22:58:59 -------- d-----w- C:\Program Files (x86)\TXD Workshop

2012-09-07 16:01:45 98304 ----a-w- C:\Windows\SysWow64\CmdLineExt.dll

2012-09-07 14:15:45 -------- d-----w- C:\Users\Dave\Tracing

2012-09-07 14:14:15 -------- d-----w- C:\Program Files (x86)\Microsoft

2012-09-07 14:13:52 -------- d-----w- C:\Program Files (x86)\Windows Live SkyDrive

2012-09-07 14:13:07 -------- d-----w- C:\Windows\PCHEALTH

2012-09-07 14:10:08 -------- d-----w- C:\Program Files (x86)\Common Files\Windows Live

2012-09-07 11:02:17 438784 ----a-w- C:\Windows\System32\drivers\netr6164.sys

2012-09-07 11:02:17 303616 ----a-w- C:\Windows\System32\RaCoInstx.dll

2012-09-07 11:02:17 -------- d-----w- C:\ProgramData\Ralink Driver

2012-09-06 22:46:18 749568 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\10\50\Intel32\iKernel.dll

2012-09-06 22:46:18 69715 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\10\50\Intel32\ctor.dll

2012-09-06 22:46:18 5632 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\10\50\Intel32\DotNetInstaller.exe

2012-09-06 22:46:18 274432 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\10\50\Intel32\iscript.dll

2012-09-06 22:46:18 180224 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\10\50\Intel32\iuser.dll

2012-09-06 22:46:16 323716 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\10\50\Intel32\setup.dll

2012-09-06 22:46:16 192644 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\10\50\Intel32\iGdi.dll

2012-09-03 11:50:56 -------- d-----w- C:\Program Files (x86)\Rockstar Games

2012-09-03 11:50:47 32768 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\Objectps.dll

2012-09-02 14:17:51 -------- d-----w- C:\ProgramData\Birdstep Technology

2012-09-02 14:17:42 119680 ----a-w- C:\Windows\System32\drivers\ZTEusbser6k.sys

2012-09-02 14:17:42 119680 ----a-w- C:\Windows\System32\drivers\ZTEusbnmea.sys

2012-09-02 14:17:42 119680 ----a-w- C:\Windows\System32\drivers\ZTEusbmdm6k.sys

2012-09-02 14:17:42 11776 ----a-w- C:\Windows\System32\drivers\massfilter.sys

2012-09-01 18:08:00 -------- d-----w- C:\Program Files\CPUID

2012-09-01 14:05:13 -------- d-----w- C:\Windows\pss

2012-08-18 21:02:40 -------- d-----w- C:\Users\Dave\AppData\Local\Sony

2012-08-18 18:53:01 -------- d-----w- C:\Fraps

2012-08-16 22:53:22 -------- d-----w- C:\Users\Dave\AppData\Roaming\foobar2000

2012-08-16 22:52:32 -------- d-----w- C:\Program Files (x86)\foobar2000

2012-08-16 20:16:06 -------- d-----w- C:\Users\Dave\AppData\Local\Adobe

2012-08-16 20:11:13 -------- d-----w- C:\Program Files (x86)\Adobe Photoshop CS3

2012-08-16 18:05:54 283200 ----a-w- C:\Windows\System32\drivers\dtsoftbus01.sys

2012-08-16 18:05:50 -------- d-----w- C:\Users\Dave\AppData\Roaming\DAEMON Tools Lite

2012-08-16 18:05:48 -------- d-----w- C:\Program Files (x86)\DAEMON Tools Lite

2012-08-16 18:02:52 -------- d-----w- C:\ProgramData\DAEMON Tools Lite

2012-08-16 14:30:01 2851328 ----a-w- C:\Windows\System32\themeui.dll.backup

2012-08-16 14:29:59 332288 ----a-w- C:\Windows\System32\uxtheme.dll.backup

2012-08-16 14:29:56 44544 ----a-w- C:\Windows\System32\themeservice.dll.backup

2012-08-15 23:42:34 -------- d-----w- C:\Program Files (x86)\VideoLAN

2012-08-15 19:08:05 -------- d-----w- C:\Users\Dave\AppData\Roaming\NVIDIA

2012-08-15 19:07:08 -------- d-----w- C:\Program Files\Speccy

2012-08-15 01:13:38 69000 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{8466F2E9-B9B1-47D8-B2D4-E00CC248D97E}\offreg.dll

2012-08-14 14:40:14 -------- d-----w- C:\Users\Dave\AppData\Roaming\Image-Line

2012-08-14 14:33:00 348160 ----a-w- C:\Windows\SysWow64\msvcr71.dll

2012-08-14 14:33:00 1700352 ----a-w- C:\Windows\SysWow64\gdiplus.dll

2012-08-14 14:33:00 1060864 ----a-w- C:\Windows\SysWow64\mfc71.dll

2012-08-14 14:20:15 225280 ----a-w- C:\Windows\SysWow64\rewire.dll

2012-08-14 14:19:57 1554944 ----a-w- C:\Windows\SysWow64\vorbis.acm

2012-08-14 14:00:40 -------- d-----w- C:\Program Files (x86)\uTorrent

2012-08-14 14:00:19 -------- d-----w- C:\Users\Dave\AppData\Roaming\uTorrent

2012-08-14 03:03:11 -------- d-----w- C:\Program Files (x86)\VirtualDJ

2012-08-14 03:02:19 -------- d-sh--w- C:\Windows\Installer

2012-08-14 02:38:37 -------- d-----w- C:\Windows\Panther

2012-08-14 00:16:20 -------- d-----w- C:\Users\Dave\Blaze

2012-08-13 21:38:10 63296 ----a-w- C:\Windows\System32\nvshext.dll

2012-08-13 21:38:08 889664 ----a-w- C:\Windows\System32\nvvsvc.exe

2012-08-13 21:38:08 6151488 ----a-w- C:\Windows\System32\nvcpl.dll

2012-08-13 21:38:08 3149632 ----a-w- C:\Windows\System32\nvsvc64.dll

2012-08-13 21:38:08 2561856 ----a-w- C:\Windows\System32\nvsvcr.dll

2012-08-13 21:38:08 118080 ----a-w- C:\Windows\System32\nvmctray.dll

2012-08-13 21:37:37 68928 ----a-w- C:\Windows\System32\OpenCL.dll

2012-08-13 21:37:37 61248 ----a-w- C:\Windows\SysWow64\OpenCL.dll

2012-08-13 21:35:26 -------- d-----w- C:\Program Files\NVIDIA Corporation

2012-08-13 21:34:55 -------- d-----w- C:\NVIDIA

2012-08-13 18:21:47 -------- d-----w- C:\Users\Dave\AppData\Local\Macromedia

2012-08-13 18:21:35 70344 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl

2012-08-13 18:21:35 426184 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe

2012-08-13 18:02:56 9133488 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{8466F2E9-B9B1-47D8-B2D4-E00CC248D97E}\mpengine.dll

2012-08-13 18:02:56 279656 ------w- C:\Windows\System32\MpSigStub.exe

.

==================== Find3M ====================

.

2012-08-16 14:30:01 2851328 ----a-w- C:\Windows\System32\themeui.dll

2012-08-16 14:29:59 332288 ----a-w- C:\Windows\System32\uxtheme.dll

2012-08-16 14:29:56 44544 ----a-w- C:\Windows\System32\themeservice.dll

.

============= FINISH: 13:48:32.68 ===============

Attach:

.

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

.

DDS (Ver_2011-08-26.01)

.

Microsoft Windows 7 Home Premium

Boot Device: \Device\HarddiskVolume1

Install Date: 13/08/2012 18:45:20

System Uptime: 12/09/2012 13:29:46 (0 hours ago)

.

Motherboard: ASUSTeK Computer INC. | | M2N68-AM SE2

Processor: AMD Athlon 7550 Dual-Core Processor | AM2 | 2511/200mhz

.

==== Disk Partitions =========================

.

C: is FIXED (NTFS) - 51 GiB total, 24.584 GiB free.

D: is FIXED (NTFS) - 61 GiB total, 53.824 GiB free.

E: is FIXED (NTFS) - 186 GiB total, 174.509 GiB free.

F: is CDROM (CDFS)

.

==== Disabled Device Manager Items =============

.

Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}

Description: Conceptronic 54Mbps USB adapter

Device ID: ACPI\ATK0110\1010110

Manufacturer: 2L (Conceptronic)

Name: Conceptronic 54Mbps USB adapter

PNP Device ID: ACPI\ATK0110\1010110

Service: netr7364

.

Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}

Description: NVIDIA nForce Networking Controller

Device ID: PCI\VEN_10DE&DEV_03EF&SUBSYS_83A41043&REV_A2\3&267A616A&0&38

Manufacturer: NVIDIA

Name: NVIDIA nForce Networking Controller

PNP Device ID: PCI\VEN_10DE&DEV_03EF&SUBSYS_83A41043&REV_A2\3&267A616A&0&38

Service: NVENETFD

.

==== System Restore Points ===================

.

RP22: 09/09/2012 02:37:04 - Scheduled Checkpoint

RP23: 12/09/2012 10:51:38 - Installed Java 7 Update 7

RP24: 12/09/2012 12:57:25 - Removed Grand Theft Auto Vice City

RP25: 12/09/2012 12:59:27 - Installed Grand Theft Auto Vice City

RP26: 12/09/2012 13:38:44 - Removed Java 7 Update 7

RP27: 12/09/2012 13:39:52 - Installed HiJackThis

.

==== Installed Programs ======================

.

7-Zip 9.20

Adobe Flash Player 11 Plugin

ASIO4ALL

µTorrent

Audacity 2.0

DAEMON Tools Lite

FL Studio 10

foobar2000 v1.1.14a

Fraps (remove only)

Grand Theft Auto Vice City

GTA San Andreas

HiJackThis

IL Download Manager

Malwarebytes Anti-Malware version 1.65.0.1400

Microsoft Choice Guard

Microsoft Visual C++ 2005 Redistributable

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17

Mozilla Firefox 14.0.1 (x86 en-US)

Mozilla Maintenance Service

MSVCRT

Native Instruments Traktor DJ Studio 3

Ralink RT6x Wireless LAN Card

Sony Vegas Pro 8.0

VirtualDJ Home FREE

VLC media player 2.0.3

vLite

Windows Live Call

Windows Live Communications Platform

Windows Live Essentials

Windows Live Messenger

Windows Live Sign-in Assistant

Windows Live Upload Tool

ZTE_1.2059.0.8

.

==== Event Viewer Messages From Past Week ========

.

09/09/2012 02:34:28, Error: volsnap [36] - The shadow copies of volume C: were aborted because the shadow copy storage could not grow due to a user imposed limit.

08/09/2012 20:55:29, Error: Service Control Manager [7000] - The Mobile IP Route Manager service failed to start due to the following error: This driver has been blocked from loading

08/09/2012 20:55:29, Error: Application Popup [1060] - \??\C:\Windows\SysWow64\drivers\mdvrmng.sys has been blocked from loading due to incompatibility with this system. Please contact your software vendor for a compatible version of the driver.

07/09/2012 11:54:21, Error: netr28x [5003] - 802.11n Wireless LAN Card : Could not find a network adapter.

.

==== End Of File ===========================

RogueKiller scan:

RogueKiller V8.0.2 [08/31/2012] by Tigzy

mail: tigzyRK<at>gmail<dot>com

Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/

Blog: http://tigzyrk.blogspot.com

Operating System: Windows 7 (6.1.7600 ) 64 bits version

Started in : Normal mode

User : Dave [Admin rights]

Mode : Scan -- Date : 09/12/2012 14:21:34

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 16 ¤¤¤

[RUN][sUSP PATH] HKCU\[...]\Run : xhost (C:\Users\Dave\AppData\Roaming\MyFolder\xhost.exe) -> FOUND

[RUN][sUSP PATH] HKUS\S-1-5-21-987265246-1392059623-3258156847-1001[...]\Run : xhost (C:\Users\Dave\AppData\Roaming\MyFolder\xhost.exe) -> FOUND

[HJ] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> FOUND

[HJ] HKLM\[...]\Wow6432Node\System : ConsentPromptBehaviorAdmin (0) -> FOUND

[HJ] HKLM\[...]\System : EnableLUA (0) -> FOUND

[HJ] HKLM\[...]\Wow6432Node\System : EnableLUA (0) -> FOUND

[HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyDocs (0) -> FOUND

[HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyPics (0) -> FOUND

[HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> FOUND

[HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyMusic (0) -> FOUND

[HJ SMENU] HKCU\[...]\Advanced : Start_ShowHelp (0) -> FOUND

[HJ SMENU] HKCU\[...]\Advanced : Start_ShowPrinters (0) -> FOUND

[HJ SMENU] HKCU\[...]\Advanced : Start_ShowSetProgramAccessAndDefaults (0) -> FOUND

[HJ SMENU] HKCU\[...]\Advanced : Start_TrackProgs (0) -> FOUND

[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND

[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤

--> C:\Windows\system32\drivers\etc\hosts

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: WDC WD1200JB-00EVA0 ATA Device +++++

--- User ---

[MBR] 8bef83be809ab0097bc0fb4ca6c2ace8

[bSP] 3a1866fc23501cc6b852d03fc1382476 : Windows 7 MBR Code

Partition table:

0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo

1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 51898 Mo

2 - [XXXXXX] EXTEN (0x05) [VISIBLE] Offset (sectors): 106494885 | Size: 62463 Mo

User = LL1 ... OK!

User = LL2 ... OK!

+++++ PhysicalDrive1: WDC WD2000BB-00FTA0 ATA Device +++++

--- User ---

[MBR] b6b90ebae946e78555508e193d9a00db

[bSP] bf7cf0315442c1a824e07a87cfefd646 : Linux MBR Code

Partition table:

0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 190780 Mo

User = LL1 ... OK!

User = LL2 ... OK!

Finished : << RKreport[1].txt >>

RKreport[1].txt


Before we proceed further, please uninstall or disable uTorrent and any other peer-to-peer filesharing app.

Continued use of filesharing or ill-advised downloads will surely re-infect your system.

Risks of File-Sharing Technology.

P2P file sharing: Know the risks

It's also against the forum's policy concerning P2P programs:

http://forums.malwar...showtopic=97700

~~~~~~~~~~~~~~~~~~~

Run RogueKiller again and click Scan

When the scan completes > click on the Registry tab

Put a check next to all of these and uncheck the rest: (if found)

[RUN][sUSP PATH] HKCU\[...]\Run : xhost (C:\Users\Dave\AppData\Roaming\MyFolder\xhost.exe) -> FOUND

[RUN][sUSP PATH] HKUS\S-1-5-21-987265246-1392059623-3258156847-1001[...]\Run : xhost (C:\Users\Dave\AppData\Roaming\MyFolder\xhost.exe) -> FOUND

[HJ] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> FOUND

[HJ] HKLM\[...]\Wow6432Node\System : ConsentPromptBehaviorAdmin (0) -> FOUND

[HJ] HKLM\[...]\System : EnableLUA (0) -> FOUND

[HJ] HKLM\[...]\Wow6432Node\System : EnableLUA (0) -> FOUND

Now click Delete on the right hand column under Options

~~~~~~~~~~~~~~~~~~~~~~

Next.........

Download TFC to your desktop

Close any open windows.

Double click the TFC icon to run the program

TFC will close all open programs itself in order to run.

Click the Start button to begin the process.

Allow TFC to run uninterrupted.

The program should not take long to finish its job.

Once it's finished it should automatically reboot your machine; if it doesn't, manually reboot to ensure a complete clean.

~~~~~~~~~~~~~~~~~~~~~

Last......

Please Update and run a Quick Scan with MBAM, post the report.

Make sure that everything is checked, and click Remove Selected.

Please let me know how the computer is running now, MrC


Malwarebytes Anti-Malware (Trial) 1.65.0.1400

www.malwarebytes.org

Database version: v2012.09.07.13

Windows 7 x64 NTFS

Internet Explorer 8.0.7600.16385

Dave :: DESKTOP [administrator]

Protection: Enabled

12/09/2012 14:55:29

mbam-log-2012-09-12 (14-59-47).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 190147

Time elapsed: 2 minute(s), 51 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 1

HKCU\Software\DC3_FEXEC (Malware.Trace) -> No action taken.

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

(end)

I have now removed the registry key as well; that should be the end of it, right? Thanks!


Malwarebytes Anti-Malware (Trial) 1.65.0.1400

www.malwarebytes.org

Database version: v2012.09.07.13

Windows 7 x64 NTFS

Internet Explorer 8.0.7600.16385

Dave :: DESKTOP [administrator]

Protection: Enabled

12/09/2012 15:03:42

mbam-log-2012-09-12 (15-12-53).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 190162

Time elapsed: 3 minute(s), 41 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 1

HKCU\Software\DC3_FEXEC (Malware.Trace) -> No action taken.

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

(end)

Looks like that one doesn't want to go.
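The three MBAM logs in this thread show the same registry trace reported as "Quarantined and deleted" in one scan and detected again in the next. As an added example (not code from the thread or from Malwarebytes), the Python below parses that log format and reports items that reappear after a scan claimed to remove them; the embedded logs are constructed abbreviations of the ones posted above.

```python
"""Compare Malwarebytes (MBAM) scan logs and flag detections that reappear.

Added example, not part of the forum thread. It parses the detection lines
in the quoted log format (item, category in parentheses, action after '->')
and reports items seen in more than one scan, which is the symptom the
thread describes: a trace that is "deleted" yet comes back after a reboot.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# One detection line: the item runs up to the LAST " (Category) -> action".
# Greedy ".*" on the item keeps paths such as "C:\Program Files (x86)\..." intact.
DETECTION_RE = re.compile(r"^(?P<item>.*) \((?P<category>[^()]+)\) -> (?P<action>.+?)\.?$")
# Section header, e.g. "Registry Keys Detected: 1".
SECTION_RE = re.compile(r"^(?P<kind>[A-Za-z ]+) Detected: (?P<count>\d+)$")
REMOVED_PREFIX = "Quarantined and deleted"


@dataclass(frozen=True)
class Detection:
    kind: str       # section the line sits under, e.g. "Registry Keys"
    item: str       # registry key, folder or file path
    category: str   # MBAM classification, e.g. "Malware.Trace"
    action: str     # what MBAM did, e.g. "No action taken"


def parse_mbam_log(text: str) -> list[Detection]:
    """Return every detection in one MBAM log, tagged with its section."""
    kind = "Unknown"
    found: list[Detection] = []
    for raw in text.splitlines():
        line = raw.strip()
        sec = SECTION_RE.match(line)
        if sec:
            kind = sec.group("kind")
            continue
        det = DETECTION_RE.match(line)
        if det:
            found.append(Detection(kind, det["item"], det["category"], det["action"]))
    return found


def recurring_items(logs: list[str]) -> dict[str, list[str]]:
    """Map each item seen in two or more scans to the actions taken, in scan order.

    Registry keys and NTFS paths are case-insensitive, so items are matched
    case-insensitively but reported with their first-seen spelling.
    """
    history: dict[str, tuple[str, list[str]]] = {}
    for text in logs:
        for d in parse_mbam_log(text):
            entry = history.setdefault(d.item.lower(), (d.item, []))
            entry[1].append(d.action)
    return {orig: acts for orig, acts in history.values() if len(acts) > 1}


def came_back_after_removal(logs: list[str]) -> list[str]:
    """Items MBAM reported as removed in one scan and detected again in a later one."""
    result = []
    for item, actions in recurring_items(logs).items():
        # Any removal that is followed by a further detection counts as "came back".
        if any(act.startswith(REMOVED_PREFIX) for act in actions[:-1]):
            result.append(item)
    return result


# Constructed, abbreviated versions of the three scan logs quoted in the thread.
SCAN_1 = r"""
Registry Keys Detected: 1
HKCU\Software\DC3_FEXEC (Malware.Trace) -> Quarantined and deleted successfully.
Folders Detected: 1
C:\Users\Dave\AppData\Local\Temp\dclogs (Stolen.Data) -> Quarantined and deleted successfully.
Files Detected: 1
C:\Users\Dave\AppData\Local\Temp\dclogs\2012-09-12-4.dc (Stolen.Data) -> Quarantined and deleted successfully.
"""
SCAN_2 = r"""
Registry Keys Detected: 1
HKCU\Software\DC3_FEXEC (Malware.Trace) -> No action taken.
Folders Detected: 0
(No malicious items detected)
"""
SCAN_3 = SCAN_2


def main() -> None:
    logs = [SCAN_1, SCAN_2, SCAN_3]
    for item, actions in recurring_items(logs).items():
        print(f"{item}: seen in {len(actions)} scans -> {actions}")
    print("came back after removal:", came_back_after_removal(logs))


if __name__ == "__main__":
    main()
```

An item that survives a "Quarantined and deleted" result is being recreated by something still running, which is why the helper moved on to the Run-key entry rather than re-scanning.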


Great

Let's check your computer's security before you go, and we have a little cleanup to do also:

Download Security Check by screen317 from HERE or HERE.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

MrC


A little cleanup to do....

Please Uninstall ComboFix: (if you used it)

Press the Windows logo key + R to bring up the "run box"

Copy and paste the next command into the field:

ComboFix /uninstall

Make sure there's a space between ComboFix and /


Then hit enter.

This will uninstall ComboFix, delete its related folders and files, hide file extensions, hide the system/hidden files, clear the System Restore cache and create a new Restore point.

(If that doesn't work.....you can simply rename ComboFix.exe to Uninstall.exe and double click it to complete the uninstall)

---------------------------------

Please download OTL from one of the links below: (you may already have OTL on the system)

http://oldtimer.geekstogo.com/OTL.exe

http://oldtimer.geekstogo.com/OTL.com

http://www.itxassoci...T-Tools/OTL.exe

Save it to your desktop.

Run OTL and hit the CleanUp button. (This will cleanup the tools and logs used including itself)

Any other programs or logs you can manually delete.

i.e. RogueKiller.exe, RKreport.txt, RK_Quarantine folder, C:\FRST, etc....

-------------------------------

Any questions...please post back.

If you think I've helped you, please leave a comment > click on my avatar picture > click Profile Feed.

Take a look at My Preventive Maintenance to avoid being infected again.

Good Luck and Thanks for using the forum, MrC


Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
