Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

TROJAN.EXE


  • This topic is locked This topic is locked
15 replies to this topic

#1 mwalt49

mwalt49

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Local time:03:58 AM

Posted 29 November 2011 - 11:10 AM

I happen to notice in my Intel PROSet/Wireless list of network connections was a network called TROJAN.EXE. Thinking this was suspicious I ran Malewarebytes, SUPERAntiSpyware, and Avast anti-virus (all complete scans). They all returned no infections or problems found. However this just didn't seem right so I searched wireless connections on 3 other devices and none of those found the TROJAN.EXE network. I have to believe that this is not suppose to be present and is waiting to attack.

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_29
Run by Linda at 9:11:56 on 2011-11-29
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1007 [GMT -5:00]
.
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
svchost.exe
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Sling Media\SlingAgent\SlingAgentService.exe
C:\WINDOWS\ehome\ehtray.exe
svchost.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\AVAST Software\Avast\avastUI.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.rr.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
uURLSearchHooks: Road Runner Toolbar: {e4878b45-e2c0-4307-b6e8-734922f92f5b} - c:\program files\road_runner\prxtbRoa0.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: DivX Plus Web Player HTML5 <video>: {326e768d-4182-46fd-9c16-1449a49795f4} - c:\program files\divx\divx plus web player\ie\divxhtml5\DivXHTML5.dll
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5612.1312\swg.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Road Runner Toolbar: {e4878b45-e2c0-4307-b6e8-734922f92f5b} - c:\program files\road_runner\prxtbRoa0.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn1\YTSingleInstance.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
TB: Road Runner Toolbar: {e4878b45-e2c0-4307-b6e8-734922f92f5b} - c:\program files\road_runner\prxtbRoa0.dll
TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
TB: {0123B506-0AD9-43AA-B0CF-916C122AD4C5} - No File
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [ShowLOMControl] 1 (0x1)
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
uPolicies-explorer: NoInstrumentation = 1
IE: &Google Search - c:\program files\google\GoogleToolbar1.dll/cmsearch.html
IE: &Translate English Word - c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
IE: Backward Links - c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar1.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\google\GoogleToolbar1.dll/cmtrans.html
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
Trusted Zone: cnbank.com\cnbsec1
Trusted Zone: musicmatch.com\online
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\yinsthelper.dll
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.5.7.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0008-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_08-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: DhcpNameServer = 209.18.47.61 209.18.47.62
TCP: Interfaces\{52228E85-6CBC-41DF-8BC7-1A246A0FAA7D} : DhcpNameServer = 209.18.47.61 209.18.47.62
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\linda\application data\mozilla\firefox\profiles\o2cdrj41.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.rr.com/
FF - prefs.js: keyword.URL - chrome://browser-region/locale/region.properties
FF - prefs.js: network.proxy.type - 0
FF - component: c:\documents and settings\linda\application data\mozilla\firefox\profiles\o2cdrj41.default\extensions\{e4878b45-e2c0-4307-b6e8-734922f92f5b}\components\RadioWMPCoreGecko19.dll
FF - component: c:\documents and settings\linda\application data\mozilla\firefox\profiles\o2cdrj41.default\extensions\{e4878b45-e2c0-4307-b6e8-734922f92f5b}\components\RadioWMPCoreGecko5.dll
FF - component: c:\documents and settings\linda\application data\mozilla\firefox\profiles\o2cdrj41.default\extensions\{e4878b45-e2c0-4307-b6e8-734922f92f5b}\components\RadioWMPCoreGecko6.dll
FF - component: c:\documents and settings\linda\application data\mozilla\firefox\profiles\o2cdrj41.default\extensions\{e4878b45-e2c0-4307-b6e8-734922f92f5b}\components\RadioWMPCoreGecko7.dll
FF - component: c:\documents and settings\linda\application data\mozilla\firefox\profiles\o2cdrj41.default\extensions\{e4878b45-e2c0-4307-b6e8-734922f92f5b}\components\RadioWMPCoreGecko8.dll
FF - component: c:\program files\searchcore for browsers\searchcore for browsers\firefoxextension\components\DataMngrHlpFF3.dll
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\divx\divx ovs helper\npovshelper.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPcol400.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npMozCouponPrinter.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
.
============= SERVICES / DRIVERS ===============
.
R0 KmxStart;KmxStart;c:\windows\system32\drivers\KmxStart.sys [2011-5-2 123984]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-11-8 435032]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2011-11-8 314456]
R1 KmxAgent;KmxAgent;c:\windows\system32\drivers\KmxAgent.sys [2011-3-23 83536]
R1 KmxFile;KmxFile;c:\windows\system32\drivers\KmxFile.sys [2011-3-23 63056]
R1 KmxFw;KmxFw;c:\windows\system32\drivers\KmxFw.sys [2011-4-24 116304]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]
R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2011-8-11 116608]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2011-11-8 20568]
R2 avast! Antivirus;avast! Antivirus;c:\program files\avast software\avast\AvastSvc.exe [2011-11-8 44768]
R2 KmxCF;KmxCF;c:\windows\system32\drivers\KmxCF.sys [2011-5-6 150608]
R2 KmxSbx;KmxSbx;c:\windows\system32\drivers\KmxSbx.sys [2011-2-24 82000]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-10-23 366152]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;c:\program files\common files\pc tools\smonitor\StartManSvc.exe [2010-10-9 793048]
R2 SlingAgentService;SlingAgentService;c:\program files\sling media\slingagent\SlingAgentService.exe [2009-9-25 93960]
R3 KmxCfg;KmxCfg;c:\windows\system32\drivers\KmxCfg.sys [2011-5-12 331344]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-10-23 22216]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 Secunia Update Agent;Secunia Update Agent;"c:\program files\secunia\psi\sua.exe" --start-service --> c:\program files\secunia\psi\sua.exe [?]
S2 UmxEngine;TM Engine;"c:\program files\ca\sharedcomponents\tmengine\umxengine.exe" --> c:\program files\ca\sharedcomponents\tmengine\UmxEngine.exe [?]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2011-11-27 17:07:16 -------- d-----w- c:\documents and settings\all users\application data\PC Tools
2011-11-27 17:07:15 -------- d-----w- c:\documents and settings\linda\application data\Product_RM
2011-11-19 04:07:23 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2011-11-19 04:07:20 89048 ----a-w- c:\program files\mozilla firefox\libEGL.dll
2011-11-19 04:07:20 801752 ----a-w- c:\program files\mozilla firefox\mozsqlite3.dll
2011-11-19 04:07:20 478168 ----a-w- c:\program files\mozilla firefox\libGLESv2.dll
2011-11-19 04:07:20 2106216 ----a-w- c:\program files\mozilla firefox\D3DCompiler_43.dll
2011-11-19 04:07:20 1998168 ----a-w- c:\program files\mozilla firefox\d3dx9_43.dll
2011-11-19 04:07:20 1989592 ----a-w- c:\program files\mozilla firefox\mozjs.dll
2011-11-19 04:07:20 15832 ----a-w- c:\program files\mozilla firefox\mozalloc.dll
2011-11-19 03:36:35 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-11-19 02:13:41 -------- d-----w- c:\documents and settings\linda\local settings\application data\Secunia PSI
2011-11-19 02:13:21 -------- d-----w- c:\program files\Secunia
2011-11-18 17:15:58 -------- d-----w- c:\program files\iPod
2011-11-18 01:47:46 -------- d-----w- c:\documents and settings\linda\application data\DDMSettings
2011-11-16 04:34:18 -------- d-----w- c:\documents and settings\linda\application data\SUPERAntiSpyware.com
2011-11-16 04:32:56 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-11-16 04:32:56 -------- d-----w- c:\documents and settings\all users\application data\SUPERAntiSpyware.com
2011-11-15 22:48:04 -------- d-----w- c:\documents and settings\linda\application data\uTorrent
2011-11-08 16:32:55 435032 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-11-08 16:32:34 41184 ----a-w- c:\windows\avastSS.scr
2011-11-08 16:32:19 -------- d-----w- c:\program files\AVAST Software
2011-11-08 16:32:19 -------- d-----w- c:\documents and settings\all users\application data\AVAST Software
2011-11-08 16:22:23 -------- d-----w- c:\documents and settings\linda\application data\Sammsoft
2011-11-06 14:26:25 5632 ----a-w- c:\windows\system32\ptpusb.dll
2011-11-06 14:26:21 159232 ----a-w- c:\windows\system32\ptpusd.dll
2011-11-04 02:38:12 -------- d-sha-r- C:\cmdcons
2011-11-02 23:16:31 -------- d-----w- c:\program files\VS Revo Group
.
==================== Find3M ====================
.
2011-11-19 03:36:12 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-11-19 03:26:47 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-10-25 18:44:44 37336 ----a-w- c:\windows\system32\CleanMFT32.exe
2011-10-24 19:29:02 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2011-10-24 19:29:02 69632 ----a-w- c:\windows\system32\QuickTime.qts
2011-10-20 23:26:22 94208 ----a-w- c:\windows\system32\dpl100.dll
2011-10-10 14:22:41 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-10-07 14:48:17 1208320 ----a-w- c:\windows\system32\PTxSCP.ocx
2011-10-07 14:48:15 389120 ----a-w- c:\windows\system32\actskn43.ocx
2011-09-28 07:06:50 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-26 15:41:20 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 15:41:20 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 15:41:14 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2011-09-06 13:20:51 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-09-02 16:15:43 150608 ----a-w- c:\windows\system32\drivers\KmxCF.sys
2011-09-02 16:15:43 116304 ----a-w- c:\windows\system32\drivers\KmxFw.sys
2011-08-31 21:00:50 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
.
============= FINISH: 9:13:13.50 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 HelpBot

HelpBot

    Bleepin' Binary Bot


  • Bots
  • 9,643 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:04:58 AM

Posted 04 December 2011 - 11:15 AM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

Posted Image In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/429867 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

Posted Image If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS and GMER log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 m0le

m0le

    Can U Dig It?


  • Malware Response Instructor
  • 33,615 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:09:58 AM

Posted 05 December 2011 - 08:40 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.

Please carry out HelpBot's instructions above and we can take it from there.
[If I have helped you fix your PC then please donate. Thanks
jetian6yw.jpg
m0le is a proud member of UNITE

#4 mwalt49

mwalt49
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Local time:03:58 AM

Posted 06 December 2011 - 07:11 AM

I'm out of town until Sunday. Will post new logs when I return, please do not close the case.

#5 m0le

m0le

    Can U Dig It?


  • Malware Response Instructor
  • 33,615 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:09:58 AM

Posted 06 December 2011 - 06:39 PM

No problem, I'll bump the topic next Wednesday if you haven't returned by then :)
[If I have helped you fix your PC then please donate. Thanks
jetian6yw.jpg
m0le is a proud member of UNITE

#6 mwalt49

mwalt49
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Local time:03:58 AM

Posted 10 December 2011 - 10:37 PM

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_29
Run by Linda at 21:25:39 on 2011-12-10
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1063 [GMT -5:00]
.
AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
svchost.exe
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
svchost.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Sling Media\SlingAgent\SlingAgentService.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\AVAST Software\Avast\avastUI.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Documents and Settings\Linda\Desktop\pyh4vk8z.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.rr.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
uURLSearchHooks: Road Runner Toolbar: {e4878b45-e2c0-4307-b6e8-734922f92f5b} - c:\program files\road_runner\prxtbRoa0.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: DivX Plus Web Player HTML5 <video>: {326e768d-4182-46fd-9c16-1449a49795f4} - c:\program files\divx\divx plus web player\ie\divxhtml5\DivXHTML5.dll
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5612.1312\swg.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Road Runner Toolbar: {e4878b45-e2c0-4307-b6e8-734922f92f5b} - c:\program files\road_runner\prxtbRoa0.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn1\YTSingleInstance.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
TB: Road Runner Toolbar: {e4878b45-e2c0-4307-b6e8-734922f92f5b} - c:\program files\road_runner\prxtbRoa0.dll
TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
TB: {0123B506-0AD9-43AA-B0CF-916C122AD4C5} - No File
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [ShowLOMControl] 1 (0x1)
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
uPolicies-explorer: NoInstrumentation = 1
IE: &Google Search - c:\program files\google\GoogleToolbar1.dll/cmsearch.html
IE: &Translate English Word - c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
IE: Backward Links - c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar1.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\google\GoogleToolbar1.dll/cmtrans.html
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
Trusted Zone: cnbank.com\cnbsec1
Trusted Zone: musicmatch.com\online
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\yinsthelper.dll
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.5.7.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0008-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_08-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: DhcpNameServer = 209.18.47.61 209.18.47.62
TCP: Interfaces\{52228E85-6CBC-41DF-8BC7-1A246A0FAA7D} : DhcpNameServer = 209.18.47.61 209.18.47.62
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\linda\application data\mozilla\firefox\profiles\o2cdrj41.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.rr.com/
FF - prefs.js: keyword.URL - chrome://browser-region/locale/region.properties
FF - prefs.js: network.proxy.type - 0
FF - component: c:\documents and settings\linda\application data\mozilla\firefox\profiles\o2cdrj41.default\extensions\{e4878b45-e2c0-4307-b6e8-734922f92f5b}\components\RadioWMPCoreGecko19.dll
FF - component: c:\documents and settings\linda\application data\mozilla\firefox\profiles\o2cdrj41.default\extensions\{e4878b45-e2c0-4307-b6e8-734922f92f5b}\components\RadioWMPCoreGecko5.dll
FF - component: c:\documents and settings\linda\application data\mozilla\firefox\profiles\o2cdrj41.default\extensions\{e4878b45-e2c0-4307-b6e8-734922f92f5b}\components\RadioWMPCoreGecko6.dll
FF - component: c:\documents and settings\linda\application data\mozilla\firefox\profiles\o2cdrj41.default\extensions\{e4878b45-e2c0-4307-b6e8-734922f92f5b}\components\RadioWMPCoreGecko7.dll
FF - component: c:\documents and settings\linda\application data\mozilla\firefox\profiles\o2cdrj41.default\extensions\{e4878b45-e2c0-4307-b6e8-734922f92f5b}\components\RadioWMPCoreGecko8.dll
FF - component: c:\program files\searchcore for browsers\searchcore for browsers\firefoxextension\components\DataMngrHlpFF3.dll
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\divx\divx ovs helper\npovshelper.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPcol400.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npMozCouponPrinter.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
.
============= SERVICES / DRIVERS ===============
.
R0 KmxStart;KmxStart;c:\windows\system32\drivers\KmxStart.sys [2011-5-2 123984]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-11-8 435032]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2011-11-8 314456]
R1 KmxAgent;KmxAgent;c:\windows\system32\drivers\KmxAgent.sys [2011-3-23 83536]
R1 KmxFile;KmxFile;c:\windows\system32\drivers\KmxFile.sys [2011-3-23 63056]
R1 KmxFw;KmxFw;c:\windows\system32\drivers\KmxFw.sys [2011-4-24 116304]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]
R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2011-8-11 116608]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2011-11-8 20568]
R2 avast! Antivirus;avast! Antivirus;c:\program files\avast software\avast\AvastSvc.exe [2011-11-8 44768]
R2 KmxCF;KmxCF;c:\windows\system32\drivers\KmxCF.sys [2011-5-6 150608]
R2 KmxSbx;KmxSbx;c:\windows\system32\drivers\KmxSbx.sys [2011-2-24 82000]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-10-23 366152]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;c:\program files\common files\pc tools\smonitor\StartManSvc.exe [2010-10-9 793048]
R2 SlingAgentService;SlingAgentService;c:\program files\sling media\slingagent\SlingAgentService.exe [2009-9-25 93960]
R3 KmxCfg;KmxCfg;c:\windows\system32\drivers\KmxCfg.sys [2011-5-12 331344]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-10-23 22216]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 Secunia Update Agent;Secunia Update Agent;"c:\program files\secunia\psi\sua.exe" --start-service --> c:\program files\secunia\psi\sua.exe [?]
S2 UmxEngine;TM Engine;"c:\program files\ca\sharedcomponents\tmengine\umxengine.exe" --> c:\program files\ca\sharedcomponents\tmengine\UmxEngine.exe [?]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2011-11-27 17:07:16 -------- d-----w- c:\documents and settings\all users\application data\PC Tools
2011-11-27 17:07:15 -------- d-----w- c:\documents and settings\linda\application data\Product_RM
2011-11-19 04:07:23 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2011-11-19 04:07:20 89048 ----a-w- c:\program files\mozilla firefox\libEGL.dll
2011-11-19 04:07:20 801752 ----a-w- c:\program files\mozilla firefox\mozsqlite3.dll
2011-11-19 04:07:20 478168 ----a-w- c:\program files\mozilla firefox\libGLESv2.dll
2011-11-19 04:07:20 2106216 ----a-w- c:\program files\mozilla firefox\D3DCompiler_43.dll
2011-11-19 04:07:20 1998168 ----a-w- c:\program files\mozilla firefox\d3dx9_43.dll
2011-11-19 04:07:20 1989592 ----a-w- c:\program files\mozilla firefox\mozjs.dll
2011-11-19 04:07:20 15832 ----a-w- c:\program files\mozilla firefox\mozalloc.dll
2011-11-19 03:36:35 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-11-19 02:13:41 -------- d-----w- c:\documents and settings\linda\local settings\application data\Secunia PSI
2011-11-19 02:13:21 -------- d-----w- c:\program files\Secunia
2011-11-18 17:15:58 -------- d-----w- c:\program files\iPod
2011-11-18 01:47:46 -------- d-----w- c:\documents and settings\linda\application data\DDMSettings
2011-11-16 04:34:18 -------- d-----w- c:\documents and settings\linda\application data\SUPERAntiSpyware.com
2011-11-16 04:32:56 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-11-16 04:32:56 -------- d-----w- c:\documents and settings\all users\application data\SUPERAntiSpyware.com
2011-11-15 22:48:04 -------- d-----w- c:\documents and settings\linda\application data\uTorrent
.
==================== Find3M ====================
.
2011-11-28 18:01:25 41184 ----a-w- c:\windows\avastSS.scr
2011-11-28 17:53:53 435032 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-11-19 03:36:12 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-11-19 03:26:47 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-10-25 18:44:44 37336 ----a-w- c:\windows\system32\CleanMFT32.exe
2011-10-24 19:29:02 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2011-10-24 19:29:02 69632 ----a-w- c:\windows\system32\QuickTime.qts
2011-10-20 23:26:22 94208 ----a-w- c:\windows\system32\dpl100.dll
2011-10-10 14:22:41 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-10-07 14:48:17 1208320 ----a-w- c:\windows\system32\PTxSCP.ocx
2011-10-07 14:48:15 389120 ----a-w- c:\windows\system32\actskn43.ocx
2011-09-28 07:06:50 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-26 15:41:20 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 15:41:20 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 15:41:14 20480 ----a-w- c:\windows\system32\oleaccrc.dll
.
============= FINISH: 21:29:29.93 ===============

Attached Files



#7 m0le

m0le

    Can U Dig It?


  • Malware Response Instructor
  • 33,615 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:09:58 AM

Posted 11 December 2011 - 07:17 PM

The logs look clean so we may be chasing a ghost here.

Disable your security programs and then download QuerySvc to check for a hidden service

Double click to run it.

It will produce a log. Please copy and paste the log to your reply.


Then

Please download TCPView

When the log comes up click Save and save the file to your desktop and attach the file to your next reply
[If I have helped you fix your PC then please donate. Thanks
jetian6yw.jpg
m0le is a proud member of UNITE

#8 mwalt49

mwalt49
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Local time:03:58 AM

Posted 11 December 2011 - 09:34 PM

Hope I did the TCP correct?

------ REGISTRY:

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost]
- HTTPFilter - HTTPFilter
- LocalService - Alerter, WebClient, LmHosts, RemoteRegistry, upnphost, SSDPSRV
- NetworkService - DnsCache
- DcomLaunch - DcomLaunch, TermService
- rpcss - RpcSs
- imgsvc - StiSvc
- termsvcs - TermService
- WudfServiceGroup - WUDFSvc
- eapsvcs - eaphost
- dot3svc - dot3svc
- netsvcs - 6to4, AppMgmt, AudioSrv, Browser, CryptSvc, DMServer, DHCP, ERSvc, EventSystem, FastUserSwitchingCompatibility, HidServ, Ias, Iprip, Irmon, LanmanServer, LanmanWorkstation, Messenger, Netman, Nla, Ntmssvc, NWCWorkstation, Nwsapagent, Rasauto, Rasman, Remoteaccess, Schedule, Seclogon, SENS, Sharedaccess, SRService, Tapisrv, Themes, TrkWks, W32Time, WZCSVC, Wmi, WmdmPmSp, winmgmt, wscsvc, xmlprov, MHN, BITS, wuauserv, ShellHWDetection, helpsvc, WmdmPmSN, napagent, hkmsvc


HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost\DComLaunch
CoInitializeSecurityParam REG_DWORD 1 (0x1)
DefaultRpcStackSize REG_DWORD 8 (0x8)

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost\dot3svc
AuthenticationCapabilities REG_DWORD 12320 (0x3020)
CoInitializeSecurityParam REG_DWORD 1 (0x1)

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost\eapsvcs
AuthenticationCapabilities REG_DWORD 12320 (0x3020)
CoInitializeSecurityParam REG_DWORD 1 (0x1)

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost\HTTPFilter
CoInitializeSecurityParam REG_DWORD 1 (0x1)

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost\LocalService
CoInitializeSecurityParam REG_DWORD 1 (0x1)
AuthenticationCapabilities REG_DWORD 8192 (0x2000)

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost\netsvcs
CoInitializeSecurityParam REG_DWORD 1 (0x1)
AuthenticationCapabilities REG_DWORD 12320 (0x3020)

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost\PCHealth
CoInitializeSecurityParam REG_DWORD 2 (0x2)
AuthenticationCapabilities REG_DWORD 64 (0x40)

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost\termsvcs
CoInitializeSecurityParam REG_DWORD 1 (0x1)
DefaultRpcStackSize REG_DWORD 8 (0x8)


HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Notification Packages REG_MULTI_SZ scecli\0\0

------ SVCHOST SERVICES NOT RUNNING

STOPPED: AUTO_START: WZCSVC : Wireless Zero Configuration
STOPPED: DEMAND_START: Alerter : Alerter
STOPPED: DEMAND_START: AppMgmt : Application Management
STOPPED: DEMAND_START: Browser : Computer Browser
STOPPED: DEMAND_START: dmserver : Logical Disk Manager
STOPPED: DEMAND_START: Dot3svc : Wired AutoConfig
STOPPED: DEMAND_START: EapHost : Extensible Authentication Protocol Service
STOPPED: DEMAND_START: FastUserSwitchingCompatibility : Fast User Switching Compatibility
STOPPED: DEMAND_START: hkmsvc : Health Key and Certificate Management Service
STOPPED: DEMAND_START: HTTPFilter : HTTP SSL
STOPPED: DEMAND_START: Messenger : Messenger
STOPPED: DEMAND_START: MHN : MHN
STOPPED: DEMAND_START: napagent : Network Access Protection Agent
STOPPED: DEMAND_START: NtmsSvc : Removable Storage
STOPPED: DEMAND_START: RasAuto : Remote Access Auto Connection Manager
STOPPED: DEMAND_START: RemoteRegistry : Remote Registry
STOPPED: DEMAND_START: upnphost : Universal Plug and Play Device Host
STOPPED: DEMAND_START: WmdmPmSN : Portable Media Serial Number Service
STOPPED: DEMAND_START: Wmi : Windows Management Instrumentation Driver Extensions
STOPPED: DEMAND_START: WudfSvc : Windows Driver Foundation - User-mode Driver Framework
STOPPED: DEMAND_START: xmlprov : Network Provisioning Service
STOPPED: DISABLED: LmHosts : TCP/IP NetBIOS Helper
STOPPED: DISABLED: RemoteAccess : Routing and Remote Access
STOPPED: DISABLED: ShellHWDetection : Shell Hardware Detection
STOPPED: DISABLED: srservice : System Restore Service

------ SVCHOST CURRENTLY RUNNING:

1276- C:\WINDOWS\system32\svchost.exe -k DcomLaunch
- DcomLaunch : DCOM Server Process Launcher
- TermService : Terminal Services

1344- C:\WINDOWS\system32\svchost.exe -k rpcss
- RpcSs : Remote Procedure Call (RPC)

1384- C:\WINDOWS\System32\svchost.exe -k netsvcs
- AudioSrv : Windows Audio
- BITS : Background Intelligent Transfer Service
- CryptSvc : CryptSvc
- Dhcp : DHCP Client
- ERSvc : Error Reporting Service
- EventSystem : COM+ Event System
- helpsvc : Help and Support
- HidServ : HID Input Service
- lanmanserver : Server
- lanmanworkstation : Workstation
- Netman : Network Connections
- Nla : Network Location Awareness (NLA)
- RasMan : Remote Access Connection Manager
- Schedule : Task Scheduler
- seclogon : Secondary Logon
- SENS : System Event Notification
- SharedAccess : Windows Firewall/Internet Connection Sharing (ICS)
- TapiSrv : Telephony
- Themes : Themes
- TrkWks : Distributed Link Tracking Client
- w32time : Windows Time
- winmgmt : Windows Management Instrumentation
- wscsvc : Security Center
- wuauserv : Automatic Updates

1660- C:\WINDOWS\system32\svchost.exe -k NetworkService
- Dnscache : DNS Client

1232- C:\WINDOWS\system32\svchost.exe -k LocalService
- WebClient : WebClient

2400- C:\WINDOWS\system32\svchost.exe -k LocalService
- SSDPSRV : SSDP Discovery Service

2460- C:\WINDOWS\system32\svchost.exe -k imgsvc
- stisvc : Windows Image Acquisition (WIA)

------ SVCHOST SUB-DEPENDENTS

HTTPFilter = 1
STOPPED: WMPNetworkSvc: Windows Media Player Network Sharing Service

upnphost = 1
STOPPED: WMPNetworkSvc: Windows Media Player Network Sharing Service

SSDPSRV = 3
RUNNING: McrdSvc: Media Center Extender Service
STOPPED: upnphost: Universal Plug and Play Device Host
STOPPED: WMPNetworkSvc: Windows Media Player Network Sharing Service

DMServer = 1
STOPPED: dmadmin: Logical Disk Manager Administrative Service

EventSystem = 1
RUNNING: SENS: System Event Notification

LanmanServer = 1
STOPPED: Browser: Computer Browser

LanmanWorkstation = 5
STOPPED: Alerter: Alerter
STOPPED: Browser: Computer Browser
STOPPED: Messenger: Messenger
STOPPED: Netlogon: Net Logon
STOPPED: RpcLocator: Remote Procedure Call (RPC) Locator

Netman = 1
RUNNING: SharedAccess: Windows Firewall/Internet Connection Sharing (ICS)

Rasman = 1
STOPPED: RasAuto: Remote Access Auto Connection Manager

Tapisrv = 3
RUNNING: RasMan: Remote Access Connection Manager
STOPPED: Fax: Fax
STOPPED: RasAuto: Remote Access Auto Connection Manager

winmgmt = 2
RUNNING: SharedAccess: Windows Firewall/Internet Connection Sharing (ICS)
RUNNING: wscsvc: Security Center

TermService = 1
STOPPED: FastUserSwitchingCompatibility: Fast User Switching Compatibility

RpcSs = 63
RUNNING: AudioSrv: Windows Audio
RUNNING: avast! Antivirus: avast! Antivirus
RUNNING: BITS: Background Intelligent Transfer Service
RUNNING: COMSysApp: COM+ System Application
RUNNING: CryptSvc: CryptSvc
RUNNING: ehRecvr: Media Center Receiver Service
RUNNING: ehSched: Media Center Scheduler Service
RUNNING: ERSvc: Error Reporting Service
RUNNING: EventSystem: COM+ Event System
RUNNING: EvtEng: Intel® PROSet/Wireless Event Log
RUNNING: helpsvc: Help and Support
RUNNING: HidServ: HID Input Service
RUNNING: iPod Service: iPod Service
RUNNING: LexBceS: LexBce Server
RUNNING: McrdSvc: Media Center Extender Service
RUNNING: Netman: Network Connections
RUNNING: PolicyAgent: IPSEC Services
RUNNING: ProtectedStorage: Protected Storage
RUNNING: RasMan: Remote Access Connection Manager
RUNNING: RegSrvc: Intel® PROSet/Wireless Registry Service
RUNNING: S24EventMonitor: Intel® PROSet/Wireless Service
RUNNING: SamSs: Security Accounts Manager
RUNNING: Schedule: Task Scheduler
RUNNING: SENS: System Event Notification
RUNNING: SharedAccess: Windows Firewall/Internet Connection Sharing (ICS)
RUNNING: Spooler: Print Spooler
RUNNING: stisvc: Windows Image Acquisition (WIA)
RUNNING: TapiSrv: Telephony
RUNNING: TermService: Terminal Services
RUNNING: TrkWks: Distributed Link Tracking Client
RUNNING: winmgmt: Windows Management Instrumentation
RUNNING: WLANKEEPER: Intel® PROSet/Wireless SSO Service
RUNNING: wscsvc: Security Center
RUNNING: YahooAUService: Yahoo! Updater
STOPPED: CiSvc: Indexing Service
STOPPED: dmadmin: Logical Disk Manager Administrative Service
STOPPED: dmserver: Logical Disk Manager
STOPPED: Dot3svc: Wired AutoConfig
STOPPED: EapHost: Extensible Authentication Protocol Service
STOPPED: FastUserSwitchingCompatibility: Fast User Switching Compatibility
STOPPED: Fax: Fax
STOPPED: hkmsvc: Health Key and Certificate Management Service
STOPPED: Messenger: Messenger
STOPPED: MHN: MHN
STOPPED: MSDTC: Distributed Transaction Coordinator
STOPPED: MSIServer: Windows Installer
STOPPED: napagent: Network Access Protection Agent
STOPPED: Nero BackItUp Scheduler 4.0: Nero BackItUp Scheduler 4.0
STOPPED: NtmsSvc: Removable Storage
STOPPED: RasAuto: Remote Access Auto Connection Manager
STOPPED: RDSessMgr: Remote Desktop Help Session Manager
STOPPED: RemoteAccess: Routing and Remote Access
STOPPED: RemoteRegistry: Remote Registry
STOPPED: RSVP: QoS RSVP
STOPPED: ShellHWDetection: Shell Hardware Detection
STOPPED: srservice: System Restore Service
STOPPED: SupportSoft RemoteAssist: SupportSoft RemoteAssist
STOPPED: SwPrv: MS Software Shadow Copy Provider
STOPPED: TlntSvr: Telnet
STOPPED: VSS: Volume Shadow Copy
STOPPED: WmiApSrv: WMI Performance Adapter
STOPPED: WZCSVC: Wireless Zero Configuration
STOPPED: xmlprov: Network Provisioning Service

TermService = 1
STOPPED: FastUserSwitchingCompatibility: Fast User Switching Compatibility

eaphost = 1
STOPPED: Dot3svc: Wired AutoConfig

Attached Files



#9 m0le

m0le

    Can U Dig It?


  • Malware Response Instructor
  • 33,615 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:09:58 AM

Posted 12 December 2011 - 07:25 PM

Yes, both logs were executed perfectly.

They don't show anything untoward either.

Let's see a more straightforward scan next

I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Under scan settings, check Posted Image and check Remove found threats
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • Copy and paste the resulting log in your next reply
If no log is generated that means nothing was found. Please let me know if this happens.
[If I have helped you fix your PC then please donate. Thanks
jetian6yw.jpg
m0le is a proud member of UNITE

#10 mwalt49

mwalt49
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Local time:03:58 AM

Posted 12 December 2011 - 10:19 PM

No log per say was produced however, it did find 1 infected file and I copied that and pasted below.

C:\Documents and Settings\Linda\My Documents\Downloads\cnet_Setup_FreeBurner_exe.exe a variant of Win32/InstallCore.D application cleaned by deleting - quarantined

Is it possible that some clown has labled his network "trojan.exe" (I guess that is one way to keep people from tryig to connect to your WiFi) and the other devices I have tried to find it with do not have enough power to locate it? Just seems odd to me...

#11 m0le

m0le

    Can U Dig It?


  • Malware Response Instructor
  • 33,615 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:09:58 AM

Posted 13 December 2011 - 02:45 PM

Is it possible that some clown has labled his network "trojan.exe"


It's certainly possible. I can't see anything in the machine to suggest anything more than that. Are there any more issues that you are experiencing?
[If I have helped you fix your PC then please donate. Thanks
jetian6yw.jpg
m0le is a proud member of UNITE

#12 mwalt49

mwalt49
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Local time:03:58 AM

Posted 13 December 2011 - 03:30 PM

Everything else seems to be fine (as far as I can tell). I just happen to notice this after I had a malware infection.

#13 m0le

m0le

    Can U Dig It?


  • Malware Response Instructor
  • 33,615 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:09:58 AM

Posted 13 December 2011 - 06:22 PM

I'm inclined to think that this is not a threat to your machine. I will give you the all clear but if in the five days before I close the topic you see anything else then post back (I will still be monitoring the thread)

You're clean. Good stuff! :thumbup2:

Let's do some clearing up

If you used DeFogger now is the time to enable your CD emulation software again.


We Need to Clean Up our Mess
Download and Run OTC

We will now remove the tools we used during this fix using OTC.

  • Download OTC by OldTimer and save it to your desktop.
  • Double click Posted Image icon to start the program. If you are using Vista, please right-click and choose run as administrator
  • Then Click the big Posted Image button.
  • You will get a prompt saying "Being Cleanup Process". Please select Yes.
  • Restart your computer when prompted.
If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.
------------------------------------------------------------------------------------------------------------------------

Here's some advice on how you can keep your PC clean


Use and update your AntiVirus Software

You must have a good antivirus. There are plenty to choose from but I personally recommend the free options of Avast and Avira Antivir - though if you choose Avira you should make sure that you uncheck the box offering to install the Ask toolbar. If you want to purchase a security program then I recommend any of the following: AVG, Norton, McAfee, Kaspersky and ESET Nod32.

It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out. If you use a commercial antivirus program you must make sure you keep renewing your subscription. Otherwise, once your subscription runs out, you may not be able to update the programs virus definitions.


Make sure your applications have all of their updates

Use this next program to check for updates for programs already on your system. Download Security Check by screen317 from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically, make sure that updates on any that are flagged are carried out as soon as possible

It is also possible for other programs on your computer to have security vulnerability that can allow malware to infect you. Therefore, it is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.


Install an AntiSpyware Program

A highly recommended AntiSpyware program is SuperAntiSpyware. You can download the free Home Version. or the Pro version for a 15 day trial period.

Installing this or another recommended program will provide spyware & hijacker protection on your computer alongside your virus protection. You should scan your computer with an AntiSpyware program on a regular basis just as you would an antivirus software.


Finally, here's a treasure trove of antivirus, antimalware and antispyware resources


That's it, happy surfing!

Cheers.

m0le
[If I have helped you fix your PC then please donate. Thanks
jetian6yw.jpg
m0le is a proud member of UNITE

#14 mwalt49

mwalt49
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Local time:03:58 AM

Posted 14 December 2011 - 02:43 PM

mOle,

I thank you for your time and patience while helping me. Without you and your peers, guys like myself would be throwing our computers in the garbage. If I see anything on the computer acting strangly I will be sure to send you note. Again, thank you.

Mike

#15 m0le

m0le

    Can U Dig It?


  • Malware Response Instructor
  • 33,615 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:09:58 AM

Posted 14 December 2011 - 06:45 PM

You're welcome, Mike :thumbup2:
[If I have helped you fix your PC then please donate. Thanks
jetian6yw.jpg
m0le is a proud member of UNITE




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users