BleepingComputer.com: eMuleMorphXT (conime. exe); Shareaza (cftmon); Ares (ctflr)

Jump to content

Forum Guidelines

Posted Image Read the following topic before creating a new topic in this forum. It contains instructions on the what we would like you to post, which will enable us to help you more quickly.

Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help


Posted Image Unfortunately, with the amount of logs we receive per day, the average response time is 5 days. I want to assure you, though, that your topic will be looked at and responded to. So please be patient.


Posted Image DO NOT RUN ComboFix unless requested to.


Posted Image Only members of the Malware Response Team or Moderators are allowed to help people with logs. Anyone else should refrain from posting to another user's log.


Posted Image When posting a log please put the type of infection you have in the topic title. IE: Winfixer, Virtumonde, WinTools, WebSearch, Home Search Assistant, etc.


Posted Image Do not bump your topic. We try to resolve logs on a first come/first served basis. By bumping your log you will be pushed back in line due to the new date of your bump.
Page 1 of 1
  • You cannot start a new topic
  • This topic is locked

eMuleMorphXT (conime. exe); Shareaza (cftmon); Ares (ctflr) malware really hard to remove

#1 User is offline   Vincent_René 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 2
  • Joined: 28-October 11

Posted 28 October 2011 - 04:26 PM

In te title the three programs in the order they appear in the computer (even after a manual cleaning of the keys with reg edit, and after a forced uninstall with Revo Uninstaller Pro, and a shred with McAfee).

I became aware of their presence after an alert of potentially dangerous internet connection from Ares p2p (that i nerver used) given to me by McAfee.

Another hint was in the switching off of the laptop (a Toshiba satellite L750 with windows 7 home premium): after clicking on the "switch off" button suddendly a warning message of forced shutting down of background
applications (in the specific a window like the one of emule appeared on the background).

EmulemoprhXT has a .exe commad: conime.exe (a proccess active in the background detectable only by using the task manager)

Shareaza in the taskmanager has a procces under the name of cftmon

Ares p2p in the task manager appear using the ctflr proccess.

After i found the processes i made a search on my system harddrive and found the paths:

c(windows):\users\public\Appdata\eMuleMorhXT (inside i found the fake conime.exe)
c(windows):\users\public\Appdata\Shareobj (inside i found the fake cftmon)
c(windows):\users\public\Appdata\obj (inside i found the ctflr file)

I tried also to manually clean the registry and found that all of the above mentioned programs had a lot of roots:

HKEY_USERS\S-1-5-21-2572027588-697957937-1008434598-1000_Classes\Wow6432Node\Interface\{B43A9B10-3F72-4A96-BD40-C3B643FDF2F3}
HKEY_USERS\S-1-5-21-2572027588-697957937-1008434598-1000_Classes\shareaza
HKEY_USERS\S-1-5-21-2572027588-697957937-1008434598-1000_Classes\Shareobj.Application
HKEY_USERS\S-1-5-21-2572027588-697957937-1008434598-1000_Classes\Shareobj.Collection (same path but ending with: .DataSource, .IEProtocol, .IEProtocolRequest, .XML, .XMLCollection )
HKEY_CURRENT_USER\Software\Magnet\Handlers\Shareobj

HKEY_CURRENT_USER\Software\Aobj ( a directory with a lot of keys)

HKEY_CURRENT_USER\Software\WinRAR SFX (inside the keys; (Default), Aobj, EmuleMoprhXT, Shareobj)

All three of them are not recognized as malware/virus by McAfee (updated past week), Adaware, Microsoft security essentials, malawarebytes (yes i'd tried hard to erase those three programs).


Following the DDS report:

Quote

.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421
Run by Harold at 22:39:45 on 2011-10-28
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.39.1033.18.6126.4353 [GMT 2:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}
SP: Microsoft Security Essentials *Enabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}
FW: McAfee Firewall *Enabled* {BE0ED752-0A0B-3FFF-80EC-B2269063014C}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\WLANExt.exe
C:\Windows\system32\conhost.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
C:\Windows\system32\mfevtps.exe
C:\Windows\system32\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe
C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe
C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
C:\Windows\system32\TODDSrv.exe
C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe
C:\Program Files\TOSHIBA\TECO\TecoService.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE
C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
C:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe
C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe
C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\TOSHIBA\TECO\Teco.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files (x86)\TOSHIBA\TOSHIBA Online Product Information\TOPI.exe
C:\Program Files\TOSHIBA\TOSHIBA Places Icon Utility\TosDIMonitor.exe
C:\Program Files (x86)\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe
C:\Windows\SysWOW64\rundll32.exe
C:\Program Files (x86)\TOSHIBA\TOSHIBA Sleep Utility\TSleepSrv.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Windows\system32\taskeng.exe
C:\Program Files (x86)\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files (x86)\TOSHIBA\ConfigFree\CFSwMgr.exe
C:\Windows\system32\DllHost.exe
C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe
C:\Program Files (x86)\TOSHIBA\ConfigFree\CFIWmxSvcs64.exe
C:\Program Files (x86)\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
c:\Program Files (x86)\Nero\Update\NASvc.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
C:\Program Files\TOSHIBA\TPHM\TPCHSrv.exe
C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe
C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSENotify.exe
C:\Program Files\TOSHIBA\TPHM\TPCHWMsg.exe
C:\Users\Harold\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Harold\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Harold\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Harold\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Harold\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Harold\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Harold\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Program Files\mcafee.com\agent\mcagent.exe
C:\Windows\SysWOW64\rundll32.exe
C:\Users\Harold\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\SysWOW64\rundll32.exe
C:\Users\Public\AppData\eMuleMorphXT\conime.exe
C:\Windows\SysWOW64\ctfmon.exe
C:\Users\Public\AppData\Shareobj\ctfmon.exe
C:\Users\Public\AppData\Aobj\ctfldr.exe
C:\Program Files (x86)\VideoLAN\VLC\vlc.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.it/
uDefault_Page_URL = hxxp://toshiba.msn.com
uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\PROGRA~2\mcafee\SITEAD~1\mcieplg.dll
uURLSearchHooks: H - No File
mWinlogon: Userinit=c:\windows\syswow64\userinit.exe,
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - C:\Program Files (x86)\Common Files\McAfee\SystemCore\ScriptSn.20111014004427.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Skype Plug-In: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\PROGRA~2\mcafee\SITEAD~1\mcieplg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\PROGRA~2\mcafee\SITEAD~1\mcieplg.dll
TB: {4AE0C3D6-F713-4EED-BC65-25DC3FFDAAC1} - No File
uRun: [TOPI.EXE] C:\Program Files (x86)\TOSHIBA\TOSHIBA Online Product Information\topi.exe /STAR
uRun: [{0F618CAE-95D3-4973-981A-B4AE71F486B2}] C:\Windows\system32\rundll32.exe "C:\Users\Public\{0F618CAE-95D3-4973-981A-B4AE71F486B2}.dll",AppStartup UserRun
mRun: [mcui_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
mRun: [ITSecMng] %ProgramFiles%\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe /START
mRun: [TSleepSrv] %ProgramFiles(x86)%\TOSHIBA\TOSHIBA Sleep Utility\TSleepSrv.exe
mRun: [ToshibaServiceStation] C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe /hide:60
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
dRun: [TOPI.EXE] C:\Program Files (x86)\TOSHIBA\TOSHIBA Online Product Information\topi.exe /STARTUP
StartupFolder: C:\Users\Harold\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\TRDCRE~1.LNK - C:\Program Files (x86)\TOSHIBA\TRDCReminder\TRDCReminder.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\TOSHIB~1.LNK - C:\Program Files\TOSHIBA\TOSHIBA Places Icon Utility\TosDIMonitor.exe
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: EnableLinkedConnections = 1 (0x1)
IE: Add to TOSHIBA Bulletin Board - C:\Program Files\TOSHIBA\BulletinBoard\TosBBCom.dll/1000
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
IE: {97F922BD-8563-4184-87EE-8C4ACA438823} - {5D29E593-73A5-400A-B3BD-6B7A1AF05A31} - C:\Program Files\TOSHIBA\BulletinBoard\TosBBCom.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
TCP: DhcpNameServer = 62.101.93.101 83.103.25.250
TCP: Interfaces\{2B303936-9BBE-4F44-B50F-F5EC74EC0BD4} : DhcpNameServer = 62.101.93.101 83.103.25.250
TCP: Interfaces\{2B303936-9BBE-4F44-B50F-F5EC74EC0BD4}\4594353414C494 : DhcpNameServer = 192.168.1.254
TCP: Interfaces\{ED7EB5B1-B2BA-4883-888C-76C0854F341B} : DhcpNameServer = 50.20.0.52
Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\PROGRA~2\McAfee\msc\McSnIePl.dll
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~2\McAfee\SITEAD~1\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~2\McAfee\SITEAD~1\McIEPlg.dll
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: scriptproxy: {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files (x86)\Common Files\McAfee\SystemCore\ScriptSn.20111014004427.dll
BHO-X64: scriptproxy - No File
BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO-X64: Skype Plug-In: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
BHO-X64: SkypeIEPluginBHO - No File
BHO-X64: McAfee SiteAdvisor BHO: {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~2\mcafee\SITEAD~1\mcieplg.dll
BHO-X64: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB-X64: McAfee SiteAdvisor Toolbar: {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~2\mcafee\SITEAD~1\mcieplg.dll
TB-X64: {4AE0C3D6-F713-4EED-BC65-25DC3FFDAAC1} - No File
mRun-x64: [mcui_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
mRun-x64: [ITSecMng] %ProgramFiles%\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe /START
mRun-x64: [TSleepSrv] %ProgramFiles(x86)%\TOSHIBA\TOSHIBA Sleep Utility\TSleepSrv.exe
mRun-x64: [ToshibaServiceStation] C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe /hide:60
mRun-x64: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
.
============= SERVICES / DRIVERS ===============
.
R0 mfehidk;McAfee Inc. mfehidk;C:\Windows\system32\drivers\mfehidk.sys --> C:\Windows\system32\drivers\mfehidk.sys [?]
R0 mfewfpk;McAfee Inc. mfewfpk;C:\Windows\system32\drivers\mfewfpk.sys --> C:\Windows\system32\drivers\mfewfpk.sys [?]
R1 mfenlfk;McAfee NDIS Light Filter;C:\Windows\system32\DRIVERS\mfenlfk.sys --> C:\Windows\system32\DRIVERS\mfenlfk.sys [?]
R1 MpFilter;Microsoft Malware Protection Driver;C:\Windows\system32\DRIVERS\MpFilter.sys --> C:\Windows\system32\DRIVERS\MpFilter.sys [?]
R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys --> C:\Windows\system32\DRIVERS\vwififlt.sys [?]
R2 AdobeARMservice;Adobe Acrobat Update Service;C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2011-9-5 64952]
R2 cfWiMAXService;ConfigFree WiMAX Service;C:\Program Files (x86)\TOSHIBA\ConfigFree\CFIWmxSvcs64.exe [2010-1-28 249200]
R2 ConfigFree Service;ConfigFree Service;C:\Program Files (x86)\TOSHIBA\ConfigFree\CFSvcs.exe [2009-3-10 46448]
R2 cvhsvc;Client Virtualization Handler;C:\Program Files (x86)\Common Files\microsoft shared\Virtualization Handler\CVHSVC.EXE [2010-10-20 821664]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;C:\Program Files\Common Files\mcafee\mcsvchost\McSvHost.exe [2011-1-27 249936]
R2 McMPFSvc;McAfee Personal Firewall Service;C:\Program Files\Common Files\mcafee\mcsvchost\McSvHost.exe [2011-1-27 249936]
R2 McNaiAnn;McAfee VirusScan Announcer;C:\Program Files\Common Files\mcafee\mcsvchost\McSvHost.exe [2011-1-27 249936]
R2 McProxy;McAfee Proxy Service;C:\Program Files\Common Files\mcafee\mcsvchost\McSvHost.exe [2011-1-27 249936]
R2 McShield;McAfee McShield;C:\Program Files\Common Files\mcafee\systemcore\mcshield.exe [2011-5-5 199008]
R2 mfefire;McAfee Firewall Core Service;C:\Program Files\Common Files\mcafee\systemcore\mfefire.exe [2011-5-5 208272]
R2 mfevtp;McAfee Validation Trust Protection Service;"C:\Windows\system32\mfevtps.exe" --> C:\Windows\system32\mfevtps.exe [?]
R2 NAUpdate;Nero Update;C:\Program Files (x86)\Nero\Update\NASvc.exe [2011-1-14 572712]
R2 sftlist;Application Virtualization Client;C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2010-9-14 508264]
R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2011-1-16 378984]
R2 TOSHIBA eco Utility Service;TOSHIBA eco Utility Service;C:\Program Files\TOSHIBA\TECO\TecoService.exe [2011-3-2 266680]
R2 TVALZFL;TOSHIBA ACPI-Based Value Added Logical and General Purpose Device Filter Driver;C:\Windows\system32\DRIVERS\TVALZFL.sys --> C:\Windows\system32\DRIVERS\TVALZFL.sys [?]
R2 UNS;Intel® Management and Security Application User Notification Service;C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2011-7-9 2656280]
R3 cfwids;McAfee Inc. cfwids;C:\Windows\system32\drivers\cfwids.sys --> C:\Windows\system32\drivers\cfwids.sys [?]
R3 L1C;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;C:\Windows\system32\DRIVERS\L1C62x64.sys --> C:\Windows\system32\DRIVERS\L1C62x64.sys [?]
R3 MEIx64;Intel® Management Engine Interface;C:\Windows\system32\DRIVERS\HECIx64.sys --> C:\Windows\system32\DRIVERS\HECIx64.sys [?]
R3 mfeavfk;McAfee Inc. mfeavfk;C:\Windows\system32\drivers\mfeavfk.sys --> C:\Windows\system32\drivers\mfeavfk.sys [?]
R3 mfefirek;McAfee Inc. mfefirek;C:\Windows\system32\drivers\mfefirek.sys --> C:\Windows\system32\drivers\mfefirek.sys [?]
R3 MpNWMon;Microsoft Malware Protection Network Driver;C:\Windows\system32\DRIVERS\MpNWMon.sys --> C:\Windows\system32\DRIVERS\MpNWMon.sys [?]
R3 NisDrv;Microsoft Network Inspection System;C:\Windows\system32\DRIVERS\NisDrvWFP.sys --> C:\Windows\system32\DRIVERS\NisDrvWFP.sys [?]
R3 NisSrv;Microsoft Network Inspection;C:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe [2011-4-27 288272]
R3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;C:\Windows\system32\DRIVERS\nusb3hub.sys --> C:\Windows\system32\DRIVERS\nusb3hub.sys [?]
R3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;C:\Windows\system32\DRIVERS\nusb3xhc.sys --> C:\Windows\system32\DRIVERS\nusb3xhc.sys [?]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;C:\Windows\system32\drivers\nvhda64v.sys --> C:\Windows\system32\drivers\nvhda64v.sys [?]
R3 PGEffect;Pangu effect driver;C:\Windows\system32\DRIVERS\pgeffect.sys --> C:\Windows\system32\DRIVERS\pgeffect.sys [?]
R3 QIOMem;Generic IO & Memory Access;C:\Windows\system32\drivers\QIOMem.sys --> C:\Windows\system32\drivers\QIOMem.sys [?]
R3 Sftfs;Sftfs;C:\Windows\system32\DRIVERS\Sftfslh.sys --> C:\Windows\system32\DRIVERS\Sftfslh.sys [?]
R3 Sftplay;Sftplay;C:\Windows\system32\DRIVERS\Sftplaylh.sys --> C:\Windows\system32\DRIVERS\Sftplaylh.sys [?]
R3 Sftredir;Sftredir;C:\Windows\system32\DRIVERS\Sftredirlh.sys --> C:\Windows\system32\DRIVERS\Sftredirlh.sys [?]
R3 Sftvol;Sftvol;C:\Windows\system32\DRIVERS\Sftvollh.sys --> C:\Windows\system32\DRIVERS\Sftvollh.sys [?]
R3 sftvsa;Application Virtualization Service Agent;C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2010-9-14 219496]
R3 TMachInfo;TMachInfo;C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe [2011-7-9 54136]
R3 TOSHIBA HDD SSD Alert Service;TOSHIBA HDD SSD Alert Service;C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe [2010-12-8 137632]
R3 TPCHSrv;TPCH Service;C:\Program Files\TOSHIBA\TPHM\TPCHSrv.exe [2010-12-20 822704]
R4 MBAMProtector;MBAMProtector;\??\C:\Windows\system32\drivers\mbam.sys --> C:\Windows\system32\drivers\mbam.sys [?]
RUnknown MBAMService;MBAMService; [x]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S3 BtFilter;Bluetooth LowerFilter Class Filter Driver;C:\Windows\system32\DRIVERS\btfilter.sys --> C:\Windows\system32\DRIVERS\btfilter.sys [?]
S3 GamesAppService;GamesAppService;C:\Program Files (x86)\WildTangent Games\App\GamesAppService.exe [2010-10-12 206072]
S3 McAWFwk;McAfee Activation Service;C:\PROGRA~1\mcafee\msc\mcawfwk.exe [2011-5-5 225216]
S3 mferkdet;McAfee Inc. mferkdet;C:\Windows\system32\drivers\mferkdet.sys --> C:\Windows\system32\drivers\mferkdet.sys [?]
S3 osppsvc;Office Software Protection Platform;C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-1-9 4925184]
S3 Revoflt;Revoflt;C:\Windows\system32\DRIVERS\revoflt.sys --> C:\Windows\system32\DRIVERS\revoflt.sys [?]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;C:\Windows\system32\Drivers\RtsUStor.sys --> C:\Windows\system32\Drivers\RtsUStor.sys [?]
S3 RSUSBVSTOR;RTSUVSTOR.Sys Realtek USB Card Reader;C:\Windows\system32\Drivers\RTSUVSTOR.sys --> C:\Windows\system32\Drivers\RTSUVSTOR.sys [?]
S3 TemproMonitoringService;Notebook Performance Tuning Service (TEMPRO);C:\Program Files (x86)\Toshiba TEMPRO\TemproSvc.exe [2011-2-10 112080]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]
S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\system32\drivers\TsUsbGD.sys --> C:\Windows\system32\drivers\TsUsbGD.sys [?]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]
S4 McOobeSv;McAfee OOBE Service;C:\Program Files\Common Files\mcafee\mcsvchost\McSvHost.exe [2011-1-27 249936]
S4 wlcrasvc;Windows Live Mesh remote connections service;C:\Program Files\Windows Live\Mesh\wlcrasvc.exe [2010-9-22 57184]
.
=============== Created Last 30 ================
.
2011-10-28 18:43:32 69000 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{E5485FC1-52DC-42C7-BCD5-EFA62569C418}\offreg.dll
2011-10-28 16:51:08 -------- d-----w- C:\Users\Harold\AppData\Roaming\Malwarebytes
2011-10-28 16:50:51 -------- d-----w- C:\ProgramData\Malwarebytes
2011-10-28 16:50:45 25416 ----a-w- C:\Windows\System32\drivers\mbam.sys
2011-10-28 16:50:44 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2011-10-28 01:01:29 8570192 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{E5485FC1-52DC-42C7-BCD5-EFA62569C418}\mpengine.dll
2011-10-27 13:13:41 -------- d-----w- C:\Users\Harold\AppData\Local\VS Revo Group
2011-10-27 13:13:32 31800 ----a-w- C:\Windows\System32\drivers\revoflt.sys
2011-10-27 13:13:29 -------- d-----w- C:\Program Files\VS Revo Group
2011-10-26 19:56:52 88 ---ha-w- C:\aaw7boot.cmd
2011-10-26 14:13:19 -------- d-----w- C:\ProgramData\STOPzilla!
2011-10-26 11:50:00 8570192 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-10-24 17:34:44 -------- d-----w- C:\Users\Harold\AppData\Local\Diagnostics
2011-10-24 17:24:35 917840 ------w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{82031134-333B-4D7E-B247-A6DD4D515518}\gapaengine.dll
2011-10-24 17:23:57 388096 ----a-r- C:\Users\Harold\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-10-24 17:23:55 -------- d-----w- C:\Program Files (x86)\Trend Micro
2011-10-24 17:12:35 -------- d-----w- C:\Program Files (x86)\Microsoft Security Client
2011-10-24 17:12:27 -------- d-----w- C:\Program Files\Microsoft Security Client
2011-10-24 15:34:35 -------- d-----w- C:\ProgramData\Wild Tangent
2011-10-23 10:08:30 414368 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2011-10-22 12:43:05 -------- d-----w- C:\Users\Harold\AppData\Local\{5F229E76-F493-4FBB-99BC-5F2477C545DD}
2011-10-22 12:42:52 -------- d-----w- C:\Users\Harold\AppData\Local\{B3C55369-AB71-4142-9F32-0A6F8F7110FD}
2011-10-21 13:36:08 8570192 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{117EDAA2-B3A4-4D88-A13D-89D5C33A0EA3}\mpengine.dll
2011-10-21 13:32:43 -------- d-----w- C:\Users\Harold\AppData\Local\{57910329-1CB6-412E-9A0F-98BC57A7CDEB}
2011-10-21 13:32:21 -------- d-----w- C:\Users\Harold\AppData\Local\{15D36CE8-57B9-4AA2-8D71-E32E4D18F036}
2011-10-20 23:30:37 -------- d-----w- C:\Users\Harold\AppData\Local\Wild Tangent
2011-10-20 21:46:53 -------- d-----w- C:\Users\Harold\AppData\Local\{F3715CA7-3747-4ED8-8236-BFAD59776024}
2011-10-20 12:37:50 -------- d-----w- C:\Users\Harold\AppData\Local\Windows Live
2011-10-20 12:37:29 -------- d-----w- C:\Users\Harold\AppData\Local\{DB217A6F-9D49-4C61-AAFB-5C79CA15BE33}
2011-10-20 12:37:29 -------- d-----w- C:\Users\Harold\AppData\Local\{05D7FEEC-BB18-4DBE-BDD1-3CFB481B5A55}
2011-10-20 12:37:15 -------- d-----w- C:\Users\Harold\Tracing
2011-10-19 22:05:34 -------- d-----w- C:\ProgramData\VirtualizedApplications
2011-10-19 19:47:33 -------- d-----w- C:\Users\Harold\AppData\Roaming\SoftGrid Client
2011-10-19 19:47:33 -------- d-----w- C:\Users\Harold\AppData\Local\SoftGrid Client
2011-10-19 19:46:43 -------- d-----w- C:\Program Files (x86)\Microsoft Application Virtualization Client
2011-10-19 19:46:25 -------- d-----w- C:\Users\Harold\AppData\Roaming\TP
2011-10-18 22:43:37 -------- d-----w- C:\Program Files (x86)\CDisplay
2011-10-16 11:33:55 -------- d-----w- C:\Windows\pss
2011-10-15 20:16:37 -------- d-----w- C:\Windows\SysWow64\Wat
2011-10-15 20:16:37 -------- d-----w- C:\Windows\System32\Wat
2011-10-15 18:31:28 -------- d-----w- C:\Program Files (x86)\MSXML 4.0
2011-10-15 09:51:27 2048 ----a-w- C:\Windows\SysWow64\tzres.dll
2011-10-15 09:50:55 142336 ----a-w- C:\Windows\System32\poqexec.exe
2011-10-15 09:49:28 421888 ----a-w- C:\Windows\System32\KernelBase.dll
2011-10-15 09:47:19 9049936 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll
2011-10-14 12:08:51 -------- d-----w- C:\Users\Harold\AppData\Roaming\OpenOffice.org
2011-10-14 11:15:01 -------- d-----w- C:\Users\Harold\AppData\Local\eMule AdunanzA
2011-10-14 11:15:01 -------- d-----w- C:\ProgramData\eMule AdunanzA
2011-10-14 11:14:53 -------- d-----w- C:\Program Files (x86)\eMule AdunanzA
2011-10-14 11:13:31 -------- d-----w- C:\Users\Harold\AppData\Roaming\eMule AdunanzA
2011-10-14 10:36:37 -------- d-----w- C:\Users\Harold\AppData\Local\Adobe
2011-10-13 21:47:07 -------- d-----w- C:\Program Files (x86)\VideoLAN
2011-10-13 21:41:52 -------- d-----w- C:\extensions
2011-10-13 21:41:51 -------- d-----w- C:\Program Files (x86)\Conduit
2011-10-13 21:41:49 -------- d-----w- C:\Users\Harold\AppData\Local\Conduit
2011-10-13 21:41:43 -------- d-----w- C:\Program Files (x86)\uTorrent
2011-10-13 21:40:12 -------- d-----w- C:\Users\Harold\AppData\Roaming\uTorrent
2011-10-13 21:40:12 -------- d-----w- C:\Users\Harold\AppData\Local\uTorrent
2011-10-13 19:06:36 -------- d-----w- C:\Program Files\Microsoft IntelliPoint
2011-10-13 18:57:33 -------- d-----w- C:\Users\Harold\.gimp-2.6
2011-10-13 18:56:28 -------- d-----w- C:\Program Files (x86)\GIMP-2.0
2011-10-13 18:40:37 -------- d-----w- C:\Program Files (x86)\OpenOffice.org 3
2011-10-13 17:21:04 -------- d-----w- C:\Users\Harold\AppData\Roaming\runic games
2011-10-13 17:14:31 65024 ----a-r- C:\Users\Harold\AppData\Roaming\Microsoft\Installer\{4F64A46D-67F7-4497-AEA2-313D4305A5F6}\Icon4F64A46D.exe
2011-10-13 17:14:31 35328 ----a-r- C:\Users\Harold\AppData\Roaming\Microsoft\Installer\{4F64A46D-67F7-4497-AEA2-313D4305A5F6}\Icon4F64A46D1.exe
2011-10-13 17:12:21 -------- d-----w- C:\Program Files (x86)\JoWooD
2011-10-13 16:44:21 -------- d-----w- C:\Users\Harold\AppData\Local\Google
2011-10-13 16:34:18 -------- d-----w- C:\Users\Harold\AppData\Roaming\TOSHIBA Online Product Information
2011-10-13 16:19:43 -------- d--h--w- C:\Windows\msdownld.tmp
2011-10-13 16:19:37 114688 ----a-w- C:\Program Files\Windows Sidebar\Shared Gadgets\eBay.gadget\Bin\eBayGadget.dll
2011-10-13 16:19:33 -------- d-----w- C:\Program Files (x86)\eBay
2011-10-13 16:19:22 -------- d-----w- C:\Program Files\Amazon
2011-10-13 16:14:55 -------- d-----w- C:\Users\Harold\AppData\Local\VirtualStore
2011-10-13 16:11:11 -------- d-----w- C:\Users\Harold\AppData\Local\Toshiba
.
==================== Find3M ====================
.
2011-10-06 14:44:20 158832 ----a-w- C:\Windows\System32\mfevtps.exe
2011-09-06 03:03:17 3138048 ----a-w- C:\Windows\System32\win32k.sys
2011-09-01 05:24:07 2309120 ----a-w- C:\Windows\System32\jscript9.dll
2011-09-01 05:17:57 1389056 ----a-w- C:\Windows\System32\wininet.dll
2011-09-01 05:12:04 2382848 ----a-w- C:\Windows\System32\mshtml.tlb
2011-09-01 02:35:59 1798144 ----a-w- C:\Windows\SysWow64\jscript9.dll
2011-09-01 02:28:15 1126912 ----a-w- C:\Windows\SysWow64\wininet.dll
2011-09-01 02:22:54 2382848 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2011-08-27 05:37:49 861696 ----a-w- C:\Windows\System32\oleaut32.dll
2011-08-27 05:37:48 331776 ----a-w- C:\Windows\System32\oleacc.dll
2011-08-27 04:26:27 571904 ----a-w- C:\Windows\SysWow64\oleaut32.dll
2011-08-27 04:26:27 233472 ----a-w- C:\Windows\SysWow64\oleacc.dll
2011-08-17 05:26:46 613888 ----a-w- C:\Windows\System32\psisdecd.dll
2011-08-17 05:25:08 108032 ----a-w- C:\Windows\System32\psisrndr.ax
2011-08-17 04:24:12 465408 ----a-w- C:\Windows\SysWow64\psisdecd.dll
2011-08-17 04:19:27 75776 ----a-w- C:\Windows\SysWow64\psisrndr.ax
2011-08-15 08:00:06 9984 ----a-w- C:\Windows\System32\drivers\mfeclnk.sys
2011-08-15 08:00:06 75672 ----a-w- C:\Windows\System32\drivers\mfenlfk.sys
2011-08-15 08:00:06 65128 ----a-w- C:\Windows\System32\drivers\cfwids.sys
2011-08-15 08:00:06 642824 ----a-w- C:\Windows\System32\drivers\mfehidk.sys
2011-08-15 08:00:06 481504 ----a-w- C:\Windows\System32\drivers\mfefirek.sys
2011-08-15 08:00:06 283744 ----a-w- C:\Windows\System32\drivers\mfewfpk.sys
2011-08-15 08:00:06 228752 ----a-w- C:\Windows\System32\drivers\mfeavfk.sys
2011-08-15 08:00:06 158584 ----a-w- C:\Windows\System32\drivers\mfeapfk.sys
2011-08-15 08:00:06 100904 ----a-w- C:\Windows\System32\drivers\mferkdet.sys
2011-08-01 13:59:06 45416 ----a-w- C:\Windows\System32\drivers\point64.sys
.
============= FINISH: 22:40:37,25 ===============



Attached the Attach file (renamed 1 because i made two different scans with DSS one just after a cleaning of the laptop and the other one after the reappearing of the three programs i'm trying to fight )

Thank you in advance for your help (and i beg your perdon for my english, i'm an italian user so i apologize for any grammatical error)

Attached File(s)


#2 User is offline   HelpBot 

  • Bleepin' Binary Bot
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Bots
  • Posts: 5,607
  • Joined: 05-October 07
  • Gender:Male

Posted 02 November 2011 - 04:30 PM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

Posted Image In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/425468 <<< CLICK THIS LINK

If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

Posted Image If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS and GMER log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.

  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.


Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 User is offline   HelpBot 

  • Bleepin' Binary Bot
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Bots
  • Posts: 5,607
  • Joined: 05-October 07
  • Gender:Male

Posted 07 November 2011 - 05:35 PM

Hello again!

I haven't heard from you in 5 days. Therefore, I am going to assume that you no longer need our help, and close this topic.

If you do still need help, please send a Private Message to any Moderator within the next five days. Be sure to include a link to your topic in your Private Message.

Thank you for using Bleeping Computer, and have a great day!

Share this topic:


Page 1 of 1
  • You cannot start a new topic
  • This topic is locked

1 User(s) are reading this topic
0 members, 1 guests, 0 anonymous users