Jump to content

Infected With 14 Threats

ggreener

By ggreener
in Resolved Malware Removal Logs

 Share

Recommended Posts

ggreener

ggreener

Posted
Posted

Hi All,

I am running MS essentials and was having issues getting disconnected from the internet. I ran Malwarebytes and it found 14 threats I removed all of them I am still concerned that there is somethings still residing. I attached a copy of the Mbam log, and the DDS log. Any Advice would be greatly appreciated, thanks in advance.

mbam-log-2012-11-20 (23-33-27repaired).txt

dds.txt

Link to post
Share on other sites
ggreener

ggreener

Posted
  • Author
Posted

Sorry I am new to this after reading through some of the forums I should have copy and pasted so here they are.

Malwarebytes Anti-Malware (Trial) 1.65.1.1000

www.malwarebytes.org

Database version: v2012.11.21.03

Windows 7 Service Pack 1 x64 NTFS

Internet Explorer 9.0.8112.16421

User :: DDGREGG [administrator]

Protection: Enabled

11/20/2012 11:33:27 PM

mbam-log-2012-11-20 (23-33-27).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 210652

Time elapsed: 1 minute(s), 29 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 1

HKCU\Software\DC3_FEXEC (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Detected: 3

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run|DirectX For Microsoft® Windows (Backdoor.ProRat) -> Data: C:\Windows\system32\fservice.exe -> Quarantined and deleted successfully.

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run|75AE4VWC5B7T (Backdoor.Agent) -> Data: C:\Users\User\AppData\Roaming\CTHOAQMS.exe -> Quarantined and deleted successfully.

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run|75AE4VWC5B7T (Backdoor.Agent) -> Data: C:\Users\User\AppData\Roaming\CTHOAQMS.exe -> Quarantined and deleted successfully.

Registry Data Items Detected: 2

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon|Shell (Backdoor.ProRat) -> Bad: (C:\Windows\system32\fservice.exe) Good: () -> Quarantined and repaired successfully.

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon|Shell (Hijack.Shell) -> Bad: (Explorer.exe C:\Windows\system32\fservice.exe) Good: (Explorer.exe) -> Quarantined and repaired successfully.

Folders Detected: 1

C:\Users\User\AppData\Roaming\dclogs (Stolen.Data) -> Quarantined and deleted successfully.

Files Detected: 5

C:\Windows\System32\fservice.exe (Backdoor.ProRat) -> Quarantined and deleted successfully.

C:\Windows\SysWOW64\fservice.exe (Backdoor.ProRat) -> Quarantined and deleted successfully.

C:\Windows\services.exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\Users\User\AppData\Roaming\dclogs\2012-03-26-2.dc (Stolen.Data) -> Quarantined and deleted successfully.

C:\Users\User\AppData\Roaming\dclogs\2012-03-29-5.dc (Stolen.Data) -> Quarantined and deleted successfully.

(end)

DDS (Ver_2012-11-20.01) - NTFS_AMD64

Internet Explorer: 9.0.8112.16455 BrowserJavaVersion: 1.6.0_37

Run by User at 0:00:44 on 2012-11-21

Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.5942.3660 [GMT -7:00]

.

AV: GFI Software VIPRE *Disabled/Updated* {E0D97DD4-42BA-B3F2-A5A7-22E9ACE81FC7}

AV: Microsoft Security Essentials *Enabled/Updated* {B140BF4E-23BB-4198-90AB-A51A4C60A69C}

SP: Microsoft Security Essentials *Enabled/Updated* {0A215EAA-0581-4E16-AA1B-9E6837E7EC21}

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

SP: GFI Software VIPRE *Disabled/Updated* {5BB89C30-6480-BC7C-9F17-199BD76F557A}

FW: GFI Software VIPRE *Disabled* {D8E2FCF1-08D5-B2AA-8EF8-8BDC523B58BC}

.

============== Running Processes ===============

.

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\svchost.exe -k RPCSS

C:\Program Files\Microsoft Security Client\MsMpEng.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Program Files\IDT\WDM\STacSV64.exe

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\Hpservice.exe

C:\Windows\system32\vcsFPService.exe

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\system32\WLANExt.exe

C:\Windows\System32\spoolsv.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe

C:\Program Files\IDT\WDM\AESTSr64.exe

C:\Windows\system32\lxebcoms.exe

C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe

C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe

C:\Program Files (x86)\GFI Software\VIPRE\SBPIMSvc.exe

C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe

C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe

C:\Windows\system32\svchost.exe -k imgsvc

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

C:\Windows\system32\taskhost.exe

C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\IDT\WDM\sttray64.exe

C:\Windows\System32\igfxpers.exe

C:\Program Files\Microsoft Security Client\msseces.exe

C:\Program Files (x86)\Lexmark Pro200-S500 Series\lxebmon.exe

C:\Program Files (x86)\Lexmark Pro200-S500 Series\ezprint.exe

C:\Program Files (x86)\Common Files\InstallShield\UpdateService\ISUSPM.exe

C:\Program Files\Synaptics\SynTP\SynTPHelper.exe

C:\Windows\system32\SearchIndexer.exe

C:\Windows\system32\SearchProtocolHost.exe

c:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe

C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe

C:\Program Files\Windows Media Player\wmpnetwk.exe

C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe

C:\Windows\system32\svchost.exe -k bthsvcs

C:\Program Files\Microsoft Security Client\NisSrv.exe

C:\Windows\System32\svchost.exe -k LocalServicePeerNet

C:\Program Files (x86)\Mozilla Firefox\firefox.exe

C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe

C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_110.exe

C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_110.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\SearchFilterHost.exe

C:\Program Files\Microsoft Security Client\MpCmdRun.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\System32\cscript.exe

.

============== Pseudo HJT Report ===============

.

mWinlogon: Userinit = userinit.exe,

BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL

BHO: Java Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll

BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

BHO: Windows Live Messenger Companion Helper: {9FDDE16B-836F-4806-AB1F-1455CBEFF289} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll

BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL

BHO: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll

uRun: [DAEMON Tools Lite] "C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe" -autorun

uRun: [Google Update] "C:\Users\User\AppData\Local\Google\Update\GoogleUpdate.exe" /c

uRun: [iSUSPM] "C:\Program Files (x86)\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler

mRun: [startCCC] "c:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun

mRun: [sBAMTray] "C:\Program Files (x86)\GFI Software\VIPRE\SBAMTray.exe"

mRun: [synergy] C:/Program Files/Synergy/synergy.exe

uPolicies-Explorer: NoDriveTypeAutoRun = dword:145

mPolicies-Explorer: NoActiveDesktop = dword:1

mPolicies-Explorer: NoActiveDesktopChanges = dword:1

mPolicies-System: ConsentPromptBehaviorUser = dword:3

mPolicies-System: EnableUIADesktopToggle = dword:0

IE: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~4\Office14\EXCEL.EXE/3000

IE: Se&nd to OneNote - C:\PROGRA~1\MICROS~4\Office14\ONBttnIE.dll/105

IE: {0000036B-C524-4050-81A0-243669A86B9F} - {B63DBA5F-523F-4B9C-A43D-65DF1977EAD3} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll

IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll

IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll

DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} - hxxp://h20614.www2.hp.com/ediags/gmd/Install/Cab/hpdetect118.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_37-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0037-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_37-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_37-windows-i586.cab

DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://accessyyc.halliburton.com/dana-cached/sc/JuniperSetupClient.cab

TCP: NameServer = 64.59.184.15 64.59.190.245

TCP: Interfaces\{87AD3D74-7A17-47F5-AF8B-0005E7A60E75} : NameServer = 8.8.8.8,8.8.4.4

TCP: Interfaces\{87AD3D74-7A17-47F5-AF8B-0005E7A60E75} : DHCPNameServer = 64.59.184.15 64.59.190.245

TCP: Interfaces\{87AD3D74-7A17-47F5-AF8B-0005E7A60E75}\1427163686E696469616024497E616D6963616 : NameServer = 8.8.8.8,8.8.4.4

TCP: Interfaces\{87AD3D74-7A17-47F5-AF8B-0005E7A60E75}\1427163686E696469616024497E616D6963616 : DHCPNameServer = 209.91.107.11 209.121.225.11

TCP: Interfaces\{87AD3D74-7A17-47F5-AF8B-0005E7A60E75}\24561627 : NameServer = 8.8.8.8,8.8.4.4

TCP: Interfaces\{87AD3D74-7A17-47F5-AF8B-0005E7A60E75}\46C696E6B6 : NameServer = 8.8.8.8,8.8.4.4

TCP: Interfaces\{87AD3D74-7A17-47F5-AF8B-0005E7A60E75}\46C696E6B6 : DHCPNameServer = 10.10.10.1

TCP: Interfaces\{87AD3D74-7A17-47F5-AF8B-0005E7A60E75}\A596070234F6D6D6F202A6F6D61687330226 : NameServer = 8.8.8.8,8.8.4.4

TCP: Interfaces\{87AD3D74-7A17-47F5-AF8B-0005E7A60E75}\A596070234F6D6D6F202A6F6D61687330226 : DHCPNameServer = 192.168.0.9

TCP: Interfaces\{87AD3D74-7A17-47F5-AF8B-0005E7A60E75}\A596070234F6D6D6F2A4F6D6168702330214 : DHCPNameServer = 192.168.3.1

TCP: Interfaces\{C26D38FA-FA96-4353-99C4-8CE2F269933B} : DHCPNameServer = 64.59.184.15 64.59.190.245

Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL

Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll

SSODL: WebCheck - <orphaned>

SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL

x64-BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL

x64-BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

x64-BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL

x64-Run: [synTPEnh] C:\Program Files (x86)\Synaptics\SynTP\SynTPEnh.exe

x64-Run: [sysTrayApp] C:\Program Files\IDT\WDM\sttray64.exe

x64-Run: [igfxTray] C:\Windows\System32\igfxtray.exe

x64-Run: [HotKeysCmds] C:\Windows\System32\hkcmd.exe

x64-Run: [Persistence] C:\Windows\System32\igfxpers.exe

x64-Run: [bCSSync] "C:\Program Files\Microsoft Office\Office14\BCSSync.exe" /DelayServices

x64-Run: [MSC] "C:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey

x64-Run: [lxebmon.exe] "C:\Program Files (x86)\Lexmark Pro200-S500 Series\lxebmon.exe"

x64-Run: [EzPrint] "C:\Program Files (x86)\Lexmark Pro200-S500 Series\ezprint.exe"

x64-Run: [sBRegRebootCleaner] "C:\Program Files (x86)\GFI Software\VIPRE\SBRC.exe"

x64-IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll

x64-IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll

x64-Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL

x64-Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - <orphaned>

x64-Notify: igfxcui - igfxdev.dll

x64-SSODL: WebCheck - <orphaned>

x64-SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL

Hosts: 192.168.11.1 tpc

Hosts: 10.0.0.1 dhc

.

================= FIREFOX ===================

.

FF - ProfilePath - C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\febeprof.MeMe\

FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2504091&SearchSource=3&q={searchTerms}

FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/

FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2504091&q=

FF - component: C:\Program Files (x86)\Google\Google Gears\Firefox\lib\ff36\gears.dll

FF - component: C:\Users\Arachnidia\AppData\Roaming\Mozilla\Firefox\Profiles\febeprof.MeMe\extensions\{0b457cAA-602d-484a-8fe7-c1d894a011ba}\platform\WINNT_x86-msvc\components\SSSLauncher.dll

FF - component: C:\Users\Arachnidia\AppData\Roaming\Mozilla\Firefox\Profiles\febeprof.MeMe\extensions\{340c2bbc-ce74-4362-90b5-7c26312808ef}\platform\WINNT_x86-msvc\components\WeaveCrypto.dll

FF - component: C:\Users\Arachnidia\AppData\Roaming\Mozilla\Firefox\Profiles\febeprof.MeMe\extensions\{6AC85730-7D0F-4de0-B3FA-21142DD85326}\platform\WINNT\components\ColorZilla.dll

FF - component: C:\Users\Arachnidia\AppData\Roaming\Mozilla\Firefox\Profiles\febeprof.MeMe\extensions\{ba14329e-9550-4989-b3f2-9732e92d17cc}\components\RadioWMPCoreGecko19.dll

FF - component: C:\Users\Arachnidia\AppData\Roaming\Mozilla\Firefox\Profiles\febeprof.MeMe\extensions\engine@conduit.com\components\RadioWMPCoreGecko19.dll

FF - component: C:\Users\Arachnidia\AppData\Roaming\Mozilla\Firefox\Profiles\febeprof.MeMe\extensions\firetorrent@radicalsoft.com\components\firetorrent.dll

FF - plugin: C:\PROGRA~2\MICROS~3\Office14\NPAUTHZ.DLL

FF - plugin: C:\PROGRA~2\MICROS~3\Office14\NPSPWRAP.DLL

FF - plugin: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll

FF - plugin: C:\Program Files (x86)\Common Files\Research In Motion\BBWebSLLauncher\NPWebSLLauncher.dll

FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.53\npGoogleUpdate3.dll

FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.65\npGoogleUpdate3.dll

FF - plugin: C:\Program Files (x86)\Java\jre6\bin\plugin2\npjp2.dll

FF - plugin: C:\Program Files (x86)\Microsoft Silverlight\4.1.10329.0\npctrlui.dll

FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll

FF - plugin: C:\Users\User\AppData\Local\Google\Update\1.3.21.123\npGoogleUpdate3.dll

FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_5_502_110.dll

FF - plugin: C:\Windows\SysWOW64\npdeployJava1.dll

FF - plugin: C:\Windows\SysWOW64\npmproxy.dll

FF - ExtSQL: 2012-11-13 21:26; {CAFEEFAC-0016-0000-0037-ABCDEFFEDCBA}; C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0037-ABCDEFFEDCBA}

.

============= SERVICES / DRIVERS ===============

.

R0 Disksnap;Disksnap;C:\Windows\System32\drivers\Disksnap.sys [2012-3-26 358360]

R0 MpFilter;Microsoft Malware Protection Driver;C:\Windows\System32\drivers\MpFilter.sys [2012-8-30 228768]

R0 vbootbus;VMLite VBoot Virtual Storage Service;C:\Windows\System32\drivers\vbootbus.sys [2011-10-6 41944]

R1 SbFw;SbFw;C:\Windows\System32\drivers\SbFw.sys [2012-11-13 258848]

R1 vmlitedrv;vmlitedrv;C:\Windows\System32\drivers\vmlitedrv.sys [2012-3-26 13784]

R1 VMLiteUSBMon;VMLiteUSBMon;C:\Windows\System32\drivers\vmliteusbmon.sys [2012-3-26 128984]

R2 AESTFilters;Andrea ST Filters Service;C:\Program Files\IDT\WDM\AESTSr64.exe [2011-11-13 89600]

R2 hpsrv;HP Service;C:\Windows\System32\hpservice.exe [2011-5-13 30520]

R2 lxeb_device;lxeb_device;C:\Windows\System32\lxebcoms.exe -service --> C:\Windows\System32\lxebcoms.exe -service [?]

R2 MBAMScheduler;MBAMScheduler;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [2012-11-20 399432]

R2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-11-20 676936]

R2 MSSQL$EDM5000;SQL Server (EDM5000);C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2010-12-10 29293408]

R2 NisDrv;Microsoft Network Inspection System;C:\Windows\System32\drivers\NisDrvWFP.sys [2011-4-27 128456]

R2 sbapifs;sbapifs;C:\Windows\System32\drivers\sbapifs.sys [2012-10-24 82872]

R2 SBPIMSvc;SB Recovery Service;C:\Program Files (x86)\GFI Software\VIPRE\SBPIMSvc.exe [2012-10-29 175496]

R2 UNS;Intel® Management & Security Application User Notification Service;C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2011-11-13 2533400]

R2 vcsFPService;Validity VCS Fingerprint Service;C:\Windows\System32\vcsFPService.exe [2010-2-23 2192176]

R3 HECIx64;Intel® Management Engine Interface;C:\Windows\System32\drivers\HECIx64.sys [2010-5-1 56344]

R3 intelkmd;intelkmd;C:\Windows\System32\drivers\igdpmd64.sys [2010-7-28 10610400]

R3 MBAMProtector;MBAMProtector;C:\Windows\System32\drivers\mbam.sys [2012-11-20 25928]

R3 NisSrv;Microsoft Network Inspection;C:\Program Files\Microsoft Security Client\NisSrv.exe [2012-9-12 368896]

R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\System32\drivers\Rt64win7.sys [2011-6-10 539240]

R3 SBFWIMCLMP;GFI Software Firewall NDIS IM Filter Miniport;C:\Windows\System32\drivers\SbFwIm.sys [2012-11-13 120608]

R3 vmlitestor;vmlitestor;C:\Windows\System32\drivers\vmlitestor.sys [2010-8-11 177768]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]

S2 gfi_lanss10_attservice;GFI LanGuard 10 Attendant Service;C:\Program Files (x86)\GFI Software\VIPRE\LanGuard 10 Agent\lnssatt.exe [2012-10-24 115568]

S2 lxebCATSCustConnectService;lxebCATSCustConnectService;C:\Windows\System32\spool\drivers\x64\3\lxebserv.exe [2010-4-14 45736]

S2 SBAMSvc;VIPRE Internet Security;C:\Program Files (x86)\GFI Software\VIPRE\SBAMSvc.exe [2012-10-29 3677000]

S3 GFI LanGuard Patch Agent;GFI LanGuard Patch Agent;C:\Windows\Patches\PatchAgent.exe [2012-11-13 365424]

S3 gfiark;gfiark;C:\Windows\System32\drivers\gfiark.sys [2012-11-13 35456]

S3 LGC EDM Historian;LGC EDM Historian;C:\Landmark\Historian\bin\wrapper-windows-x86-32.exe -s C:\Landmark\Historian\config\wrapper.conf --> C:\Landmark\Historian\bin\wrapper-windows-x86-32.exe -s C:\Landmark\Historian\config\wrapper.conf [?]

S3 ose64;Office 64 Source Engine;C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2010-1-9 174440]

S3 SBFWIMCL;GFI Software Firewall NDIS IM Filter Service;C:\Windows\System32\drivers\SbFwIm.sys [2012-11-13 120608]

S3 sbhips;sbhips;C:\Windows\System32\drivers\sbhips.sys [2012-11-13 61216]

S3 sbwtis;sbwtis;C:\Windows\System32\drivers\sbwtis.sys [2012-10-24 86816]

S3 StorSvc;Storage Service;C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 27136]

S3 teamviewervpn;TeamViewer VPN Adapter;C:\Windows\System32\drivers\teamviewervpn.sys [2012-3-25 35112]

S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2010-11-20 59392]

S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\System32\drivers\TsUsbGD.sys [2010-11-20 31232]

S3 vbootfs;vbootfs;C:\Windows\System32\drivers\vbootfs.sys [2012-3-26 61400]

S3 vbootmp;vbootmp;C:\Windows\System32\drivers\vbootmp.sys [2011-10-7 854488]

S3 VMLiteService;VMLiteService;C:\Program Files\VMLite\VMLite Workstation\VMLiteService.exe [2011-10-17 426456]

S3 VMLiteUSB;VMLite USB;C:\Windows\System32\drivers\VMLiteUSB.sys [2011-10-15 115672]

S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2011-11-13 1255736]

S3 WDC_SAM;WD SCSI Pass Thru driver;C:\Windows\System32\drivers\wdcsam64.sys [2008-5-6 14464]

S4 AMD External Events Utility;AMD External Events Utility;C:\Windows\System32\atiesrxx.exe [2010-9-9 203264]

S4 wlcrasvc;Windows Live Mesh remote connections service;C:\Program Files\Windows Live\Mesh\wlcrasvc.exe [2010-9-22 57184]

.

=============== Created Last 30 ================

.

2012-11-21 06:55:15 9125352 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{80DBB8EE-968B-4D63-80BB-BF8BAEEA6E5A}\mpengine.dll

2012-11-21 06:11:04 -------- d-----w- C:\Users\User\AppData\Roaming\Malwarebytes

2012-11-21 06:10:51 -------- d-----w- C:\ProgramData\Malwarebytes

2012-11-21 06:10:50 25928 ----a-w- C:\Windows\System32\drivers\mbam.sys

2012-11-21 06:10:50 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware

2012-11-19 21:45:52 9125352 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll

2012-11-17 10:06:15 9728 ----a-w- C:\Windows\System32\Wdfres.dll

2012-11-17 10:06:15 785512 ----a-w- C:\Windows\System32\drivers\Wdf01000.sys

2012-11-17 10:06:15 54376 ----a-w- C:\Windows\System32\drivers\WdfLdr.sys

2012-11-17 10:06:15 2560 ----a-w- C:\Windows\System32\drivers\en-US\wdf01000.sys.mui

2012-11-17 10:01:12 87040 ----a-w- C:\Windows\System32\drivers\WUDFPf.sys

2012-11-17 10:01:12 198656 ----a-w- C:\Windows\System32\drivers\WUDFRd.sys

2012-11-17 10:01:11 84992 ----a-w- C:\Windows\System32\WUDFSvc.dll

2012-11-17 10:01:11 45056 ----a-w- C:\Windows\System32\WUDFCoinstaller.dll

2012-11-17 10:01:11 229888 ----a-w- C:\Windows\System32\WUDFHost.exe

2012-11-17 10:01:11 194048 ----a-w- C:\Windows\System32\WUDFPlatform.dll

2012-11-17 10:01:10 744448 ----a-w- C:\Windows\System32\WUDFx.dll

2012-11-16 08:14:03 -------- d-----w- C:\Users\User\AppData\Roaming\GFI Software

2012-11-16 08:00:56 -------- d-----w- C:\Users\User\AppData\Local\{7F925EE9-936E-4D0D-958C-4B41FCC24422}

2012-11-16 07:59:37 -------- d-----w- C:\Users\User\AppData\Local\{7AECCCF1-FAFB-4CD0-B37E-4F2A19423610}

2012-11-16 07:57:02 -------- d-----w- C:\Users\User\AppData\Local\{F586A507-D8BA-495B-A729-5CE56DD75700}

2012-11-16 07:35:33 -------- d-----w- C:\Users\User\AppData\Local\{2F23A104-AC86-4E89-A76D-1D5AD261155C}

2012-11-16 01:09:08 78336 ----a-w- C:\Windows\SysWow64\synceng.dll

2012-11-14 04:26:43 477168 ----a-w- C:\Windows\SysWow64\npdeployJava1.dll

2012-11-14 04:25:43 -------- d-----w- C:\Windows\Patches

2012-11-13 22:05:33 35456 ----a-w- C:\Windows\System32\drivers\gfiark.sys

2012-11-13 21:45:10 61216 ----a-w- C:\Windows\System32\drivers\sbhips.sys

2012-11-13 21:45:07 120608 ----a-w- C:\Windows\System32\drivers\SbFwIm.sys

2012-11-13 21:45:06 47496 ----a-w- C:\Windows\System32\sbbd.exe

2012-11-13 21:45:06 258848 ----a-w- C:\Windows\System32\drivers\SbFw.sys

2012-11-13 21:45:04 -------- d-----w- C:\ProgramData\GFI Software

2012-11-13 21:44:53 -------- d-----w- C:\ProgramData\Downloaded Installations

2012-11-13 21:43:52 -------- d-----w- C:\Program Files (x86)\GFI Software

2012-11-12 06:35:23 -------- d-----w- C:\Users\User\AppData\Local\Research In Motion

2012-11-12 06:25:08 44032 ----a-w- C:\Windows\System32\drivers\RimSerial_AMD64.sys

2012-11-12 06:24:54 -------- d-----w- C:\ProgramData\Research In Motion

2012-11-12 06:24:23 -------- d-----w- C:\Program Files (x86)\Common Files\XCPCSync.OEM

2012-11-12 05:59:28 -------- d-----w- C:\Users\User\AppData\Roaming\Research In Motion

2012-11-12 05:56:33 -------- d-----w- C:\Users\User\AppData\Local\Programs

2012-11-12 05:52:14 -------- d-----w- C:\Program Files (x86)\Common Files\Research In Motion

2012-11-12 05:52:06 -------- d-----w- C:\Program Files (x86)\Research In Motion

2012-11-11 06:36:21 -------- d-----w- C:\ProgramData\Ezprint

2012-11-11 06:22:38 -------- d-----w- C:\Lexmark

2012-11-07 03:39:58 -------- d-----w- C:\Users\User\AppData\Roaming\FireShot

2012-10-30 05:33:16 47496 ----a-w- C:\Windows\SysWow64\sbbd.exe

2012-10-29 05:22:10 972192 ------w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{F05A30D4-0C2E-4397-9B52-6B484DED2DE4}\gapaengine.dll

2012-10-24 21:39:24 86816 ----a-w- C:\Windows\System32\drivers\sbwtis.sys

2012-10-24 21:39:04 634560 ----a-w- C:\Windows\SysWow64\XceedZip.dll

2012-10-24 21:39:02 82872 ----a-w- C:\Windows\System32\drivers\sbapifs.sys

2012-10-23 20:28:20 1659760 ----a-w- C:\Windows\System32\drivers\ntfs.sys

2012-10-23 20:26:54 715776 ----a-w- C:\Windows\System32\kerberos.dll

2012-10-23 20:26:54 245760 ----a-w- C:\Windows\System32\OxpsConverter.exe

2012-10-23 20:26:53 542208 ----a-w- C:\Windows\SysWow64\kerberos.dll

2012-10-23 20:26:52 1464320 ----a-w- C:\Windows\System32\crypt32.dll

2012-10-23 20:26:52 1159680 ----a-w- C:\Windows\SysWow64\crypt32.dll

2012-10-23 20:26:51 184320 ----a-w- C:\Windows\System32\cryptsvc.dll

2012-10-23 20:26:51 140288 ----a-w- C:\Windows\SysWow64\cryptsvc.dll

2012-10-23 20:26:51 140288 ----a-w- C:\Windows\System32\cryptnet.dll

2012-10-23 20:26:51 103936 ----a-w- C:\Windows\SysWow64\cryptnet.dll

.

==================== Find3M ====================

.

2012-11-14 04:26:39 473072 ----a-w- C:\Windows\SysWow64\deployJava1.dll

2012-11-14 04:25:59 73656 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl

2012-11-14 04:25:59 697272 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe

2012-10-18 18:25:58 3149824 ----a-w- C:\Windows\System32\win32k.sys

2012-10-09 18:17:13 55296 ----a-w- C:\Windows\System32\dhcpcsvc6.dll

2012-10-09 18:17:13 226816 ----a-w- C:\Windows\System32\dhcpcore6.dll

2012-10-09 17:40:31 44032 ----a-w- C:\Windows\SysWow64\dhcpcsvc6.dll

2012-10-09 17:40:31 193536 ----a-w- C:\Windows\SysWow64\dhcpcore6.dll

2012-10-08 11:31:03 2312704 ----a-w- C:\Windows\System32\jscript9.dll

2012-10-08 11:23:52 1392128 ----a-w- C:\Windows\System32\wininet.dll

2012-10-08 11:22:55 1494528 ----a-w- C:\Windows\System32\inetcpl.cpl

2012-10-08 11:18:22 173056 ----a-w- C:\Windows\System32\ieUnatt.exe

2012-10-08 11:17:35 599040 ----a-w- C:\Windows\System32\vbscript.dll

2012-10-08 11:13:33 2382848 ----a-w- C:\Windows\System32\mshtml.tlb

2012-10-08 07:56:24 1800704 ----a-w- C:\Windows\SysWow64\jscript9.dll

2012-10-08 07:48:03 1129472 ----a-w- C:\Windows\SysWow64\wininet.dll

2012-10-08 07:47:44 1427968 ----a-w- C:\Windows\SysWow64\inetcpl.cpl

2012-10-08 07:44:05 142848 ----a-w- C:\Windows\SysWow64\ieUnatt.exe

2012-10-08 07:43:21 420864 ----a-w- C:\Windows\SysWow64\vbscript.dll

2012-10-08 07:40:56 2382848 ----a-w- C:\Windows\SysWow64\mshtml.tlb

2012-10-03 17:56:54 1914248 ----a-w- C:\Windows\System32\drivers\tcpip.sys

2012-10-03 17:44:21 70656 ----a-w- C:\Windows\System32\nlaapi.dll

2012-10-03 17:44:21 303104 ----a-w- C:\Windows\System32\nlasvc.dll

2012-10-03 17:44:17 246272 ----a-w- C:\Windows\System32\netcorehc.dll

2012-10-03 17:44:17 18944 ----a-w- C:\Windows\System32\netevent.dll

2012-10-03 17:44:16 216576 ----a-w- C:\Windows\System32\ncsi.dll

2012-10-03 17:42:16 569344 ----a-w- C:\Windows\System32\iphlpsvc.dll

2012-10-03 16:42:24 18944 ----a-w- C:\Windows\SysWow64\netevent.dll

2012-10-03 16:42:24 175104 ----a-w- C:\Windows\SysWow64\netcorehc.dll

2012-10-03 16:42:23 156672 ----a-w- C:\Windows\SysWow64\ncsi.dll

2012-10-03 16:07:26 45568 ----a-w- C:\Windows\System32\drivers\tcpipreg.sys

2012-09-25 22:46:17 95744 ----a-w- C:\Windows\System32\synceng.dll

2012-09-14 19:19:29 2048 ----a-w- C:\Windows\System32\tzres.dll

2012-09-14 18:28:53 2048 ----a-w- C:\Windows\SysWow64\tzres.dll

2012-08-31 04:03:48 228768 ----a-w- C:\Windows\System32\drivers\MpFilter.sys

2012-08-31 04:03:48 128456 ----a-w- C:\Windows\System32\drivers\NisDrvWFP.sys

2012-08-30 18:03:45 5559664 ----a-w- C:\Windows\System32\ntoskrnl.exe

2012-08-30 17:12:02 3968880 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe

2012-08-30 17:12:02 3914096 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe

2012-08-24 18:05:07 220160 ----a-w- C:\Windows\System32\wintrust.dll

2012-08-24 16:57:48 172544 ----a-w- C:\Windows\SysWow64\wintrust.dll

.

============= FINISH: 0:00:58.70 ===============

Link to post
Share on other sites
MrCharlie

MrCharlie

Posted
Posted

Welcome to the forum.

BACKDOOR WARNING

------------------------------

One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advice you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

http://www.dslreports.com/faq/10451

When Should I Format, How Should I Reinstall

http://www.dslreports.com/faq/10063

I will try my best to clean this machine but I can't guarantee that it will be 100% secure afterwards.

Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.

-----------------------------------------

Please remove any usb or external drives from the computer before you run this scan!

Please download and run RogueKiller to your desktop.

Quit all running programs.

For Windows XP, double-click to start.

For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

Click Scan to scan the system.

When the scan completes > Close out the program > Don't Fix anything!

Don't run any other options, they're not all bad!!!!!!!

Post back the report which should be located on your desktop.

MrC

------->Your topic will be closed if you haven't replied within 3 days!<--------

(If I don't respond within 48 hours, please send me a PM)

Link to post
Share on other sites
ggreener

ggreener

Posted
  • Author
Posted

Hi Mr Charlie,

Here is the Rogue Killer report as requested.

RogueKiller V8.3.1 [Nov 22 2012] by Tigzy

mail : tigzyRK<at>gmail<dot>com

Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/

Website : http://tigzy.geekstogo.com/roguekiller.php

Blog : http://tigzyrk.blogspot.com/

Operating System: Windows 7 (6.1.7601 Service Pack 1) 64 bits version

Started in : Normal mode

User : User [Admin rights]

Mode : Scan -- Date : 11/22/2012 13:58:48

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 9 ¤¤¤

[services][ROGUE ST] HKLM\[...]\ControlSet001\Services\GFI LanGuard Patch Agent ("C:\Windows\Patches\PatchAgent.exe" -StartService 192.168.1.100 1170 212542809_2543549) -> FOUND

[services][ROGUE ST] HKLM\[...]\ControlSet002\Services\GFI LanGuard Patch Agent ("C:\Windows\Patches\PatchAgent.exe" -StartService 192.168.1.100 1170 212542809_2543549) -> FOUND

[HJ SMENU] HKCU\[...]\Advanced : Start_ShowUser (0) -> FOUND

[HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyPics (0) -> FOUND

[HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> FOUND

[HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyMusic (0) -> FOUND

[HJ SMENU] HKCU\[...]\Advanced : Start_ShowHelp (0) -> FOUND

[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND

[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ HOSTS File: ¤¤¤

--> C:\Windows\system32\drivers\etc\hosts

192.168.11.1 tpc

10.0.0.1 dhc

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: WDC WD5000BEKT-22KA9T0 ATA Device +++++

--- User ---

[MBR] 3b58dde21185bf76c45ea0e491f0a0cc

[bSP] 46364c0343a9641c4485752a03dce1fa : Windows 7/8 MBR Code

Partition table:

0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 476937 Mo

User = LL1 ... OK!

User = LL2 ... OK!

+++++ PhysicalDrive1: OCZ-VERTEX2 ATA Device +++++

--- User ---

[MBR] 9004b628b5b29abe0fb3760ad9dc72ca

[bSP] 28eeeb11b42eabf408507b8518cd2053 : Windows 7/8 MBR Code

Partition table:

0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo

1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 57139 Mo

User = LL1 ... OK!

User = LL2 ... OK!

Finished : << RKreport[1]_S_11222012_02d1358.txt >>

RKreport[1]_S_11222012_02d1358.txt

Link to post
Share on other sites
MrCharlie

MrCharlie

Posted
Posted

Please create a new system restore point before running Malwarebytes Anti-Rootkit.

MBAR tutorial

Download Malwarebytes Anti-Rootkit from HERE

  • Unzip the contents to a folder in a convenient location.
  • Open the folder where the contents were unzipped and run mbar.exe
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
  • Wait while the system shuts down and the cleanup process is performed.
  • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  • When done, please post the two logs produced they will be in the MBAR folder..... mbar-log.txt and system-log.txt

To attach a log if needed:

Bottom right corner of this page.

more-reply-options.jpg

New window that comes up.

choose-files1.jpg

MrC

Link to post
Share on other sites
Maurice Naggar

Maurice Naggar

Posted
Posted

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

Link to post
Share on other sites
Guest
This topic is now closed to further replies.
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.