
Computer infected with Win32/Olmarik.UI trojan (Nod32)


This topic is locked. 2 replies to this topic.

#1 Barilla

  • Members
  • 197 posts
  • Gender:Male

Posted 09 March 2010 - 01:59 AM

Hi all,

I need some help to get rid of a trojan called Win32/Olmarik.UI (not sure of the name).

This is what happens:
A new tab opens in FF and tries to reach different "search sites". I have not found out when or why it opens; it seems to be random. It keeps trying to make a new search from those sites, based on previous searches I have made. I kept three of the domains and I recommend NOT opening those. Here they are:
CODE
http://nurseries.com/
http://215.com/
http://divanetwork.com/

All of them have a search string included in the address (for security reasons I will not print them in the post).


What I've done:
Scanned the computer (total scan) with those programs:
Avast
Nod32
MBAM
Ad-aware
IObit Security 360
Advanced System Protector
Uninstalled unused programs
Uninstalled Avast and now Nod32
Installed F-secure Internet Security (Telia-version)
Updated this post with new information


I have looked through the HijackThis log and I did not find anything strange.

It all started last Friday. Avast reported a virus located in C:\Windows\Temp\*.tmp\svchost.exe (the * is a random 4-letter combination). I do not remember the name, sorry; it could be PSWTool.Win32.MailPassView or HackTool.Win32.MailPassView.
It tried to create a new svchost.exe in the temp directory every 5 minutes.

There is also another file trying to connect to the Internet. It's located in C:\Users\Peter\AppData\Local\temp\ and called Bhl.exe (I have not been able to see the file, because it's removed as soon as it is created).

I would be happy to get your professional help to solve my issues.

Best Regards
Peter

Edit: As I am a little bit paranoid, I tried another AV program while waiting for help. I have updated the files and added some lines to the text, marked in bold and italic.

CODE
DDS (Ver_09-12-01.01) - NTFSx86  
Run by Peter at 16:18:35,60 on 2010-03-09
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_18
Microsoft Windows 7 Professional   6.1.7600.0.1252.46.1033.18.3036.1414 [GMT 1:00]

SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\Hpservice.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\a-squared Free\a2service.exe
C:\Windows\system32\AEADISRV.EXE
C:\Program Files\LSI SoftModem\agrsmsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Intel\AMT\LMS.exe
c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\MSSQL10.MSSQLSERVER\MSSQL\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\MSAS10.MSSQLSERVER\OLAP\bin\msmdsrv.exe
C:\Program Files\Microsoft SQL Server\MSRS10.MSSQLSERVER\Reporting Services\ReportServer\bin\ReportingServicesService.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Intel\Privacy Icon\UNS\UNS.exe
C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe
C:\Windows\system32\vmnat.exe
C:\Windows\system32\vmnetdhcp.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Program Files\VMware\VMware Player\vmware-authd.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskhost.exe
C:\Windows\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Common Files\Intel\Privacy Icon\PRIVACYICONCLIENT.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANOTIF.EXE
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCtrl.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\VMware\VMware Player\hqtray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\VolCtrl.exe
C:\Program Files\Starfield\Desktop Notifier\wben.exe
C:\Program Files\Hewlett-Packard\HP 3D DriveGuard\accelerometerST.exe
C:\Program Files\Personal\bin\Personal.exe
C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Microsoft SQL Server\MSSQL10.MSSQLSERVER\MSSQL\Binn\fdlauncher.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
c:\Program Files\Microsoft SQL Server\MSSQL10.MSSQLSERVER\MSSQL\Binn\fdhost.exe
C:\Windows\system32\conhost.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Program Files\Telia\Telias sakerhetstjanster\Anti-Virus\fsgk32st.exe
C:\Program Files\Telia\Telias sakerhetstjanster\Anti-Virus\FSGK32.EXE
C:\Program Files\Telia\Telias sakerhetstjanster\Anti-Virus\fssm32.exe
C:\Program Files\Telia\Telias sakerhetstjanster\Common\FSMA32.EXE
C:\Program Files\Telia\Telias sakerhetstjanster\Common\FSHDLL32.EXE
C:\Program Files\Telia\Telias sakerhetstjanster\Common\FSM32.EXE
C:\Program Files\Telia\Telias sakerhetstjanster\ORSP Client\fsorsp.exe
C:\Program Files\Telia\Telias sakerhetstjanster\Anti-Virus\fsav32.exe
C:\Program Files\Telia\Telias sakerhetstjanster\FWES\Program\fsdfwd.exe
C:\Program Files\Telia\Telias sakerhetstjanster\FSGUI\fscuif.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\msiexec.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\MWrem\1_dds\dds.scr
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uDefault_Page_URL = hxxp://www.google.com/
uStart Page = hxxp://www.google.com/
mDefault_Search_URL = hxxp://www.google.com
mSearch Page = hxxp://www.google.com
mDefault_Page_URL = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = *.local
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: LastPass Browser Helper Object: {95d9ecf5-2a4d-4550-be49-70d42f71296e} - c:\program files\lastpass\LPBar.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: LastPass Toolbar: {9f6b5cc3-5c7b-4b5c-97af-19dec1e380e5} - c:\program files\lastpass\LPBar.dll
TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
uRun: [wben] "c:\program files\starfield\desktop notifier\wben.exe"
uRun: [AccelerometerSysTrayApplet] "c:\program files\hewlett-packard\hp 3d driveguard\AccelerometerSt.Exe"
mRun: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
mRun: [nwiz] nwiz.exe /install
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [SoundMAX] c:\program files\analog devices\soundmax\soundmax.exe /tray
mRun: [picon] "c:\program files\common files\intel\privacy icon\PrivacyIconClient.exe" -startup
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [QlbCtrl.exe] c:\program files\hewlett-packard\hp quick launch buttons\QlbCtrl.exe /Start
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [VMware hqtray] "c:\program files\vmware\vmware player\hqtray.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [F-Secure Manager] "c:\program files\telia\telias sakerhetstjanster\common\FSM32.EXE" /splash
mRun: [F-Secure TNB] "c:\program files\telia\telias sakerhetstjanster\fsgui\TNBUtil.exe" /CHECKALL /WAITFORSW
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\bankid~1.lnk - c:\program files\personal\bin\Personal.exe
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: E&xport to Microsoft Excel - c:\progra~1\mif5ba~1\office12\EXCEL.EXE/3000
IE: LastPass - file://c:\program files\lastpass\context.html?cmd=lastpass
IE: LastPass Fill Forms - file://c:\program files\lastpass\context.html?cmd=fillforms
IE: {43699cd0-e34f-11de-8a39-0800200c9a66} - {95D9ECF5-2A4D-4550-BE49-70D42F71296E} - c:\program files\lastpass\LPBar.dll
LSP: c:\program files\telia\telias sakerhetstjanster\fsps\program\FSLSP.DLL
LSP: c:\program files\vmware\vmware player\vsocklib.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
AppInit_DLLs:      
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\users\peter\appdata\roaming\mozilla\firefox\profiles\dojpfcez.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - component: c:\users\peter\appdata\roaming\mozilla\firefox\profiles\dojpfcez.default\extensions\support@lastpass.com\platform\winnt_x86-msvc\components\lpxpcom.dll
FF - plugin: c:\program files\personal\bin\np_prsnl.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.visited_color",               "#551A8B");
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency",   1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug",            false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight",       2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize",       1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight",   25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight",     5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.videoFeeds.handler", "ask");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 fsbts;fsbts;c:\windows\system32\drivers\fsbts.sys [2010-3-9 33920]
R1 F-Secure HIPS;F-Secure HIPS Driver;c:\program files\telia\telias sakerhetstjanster\hips\drivers\fshs.sys [2010-3-9 68064]
R1 FSES;F-Secure Email Scanning Driver;c:\windows\system32\drivers\fses.sys [2010-3-9 35680]
R1 FSFW;F-Secure Firewall Driver;c:\windows\system32\drivers\fsdfw.sys [2010-3-9 71040]
R1 fsvista;F-Secure Vista Support Driver;c:\program files\telia\telias sakerhetstjanster\anti-virus\minifilter\fsvista.sys [2010-3-9 12384]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2010-1-5 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-1-5 66632]
R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-14 48128]
R2 a2free;a-squared Free Service;c:\program files\a-squared free\a2service.exe [2010-3-9 1858144]
R2 epfwwfp;epfwwfp;c:\windows\system32\drivers\epfwwfp.sys [2009-12-18 38240]
R2 F-Secure Gatekeeper Handler Starter;FSGKHS;c:\program files\telia\telias sakerhetstjanster\anti-virus\fsgk32st.exe [2010-3-9 215648]
R2 hpsrv;HP Service;c:\windows\system32\hpservice.exe [2010-2-26 26168]
R2 ReportServer;SQL Server Reporting Services (MSSQLSERVER);c:\program files\microsoft sql server\msrs10.mssqlserver\reporting services\reportserver\bin\ReportingServicesService.exe [2009-3-30 1113448]
R2 UNS;Intel(R) Management and Security Application User Notification Service;c:\program files\common files\intel\privacy icon\uns\UNS.EXE [2010-1-17 2058776]
R2 VMUSBArbService;VMware USB Arbitration Service;c:\program files\common files\vmware\usb\vmware-usbarbitrator.exe [2009-10-22 563760]
R3 ATSwpWDF;AuthenTec TruePrint USB WBF WDF Driver;c:\windows\system32\drivers\ATSwpWDF.sys [2009-12-3 625224]
R3 Com4QLBEx;Com4QLBEx;c:\program files\hewlett-packard\hp quick launch buttons\Com4QLBEx.exe [2010-1-17 228408]
R3 e1yexpress;Intel(R) Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y6232.sys [2009-6-13 221912]
R3 F-Secure Gatekeeper;F-Secure Gatekeeper;c:\program files\telia\telias sakerhetstjanster\anti-virus\minifilter\fsgk.sys [2010-3-9 107104]
R3 FSORSPClient;F-Secure ORSP Client;c:\program files\telia\telias sakerhetstjanster\orsp client\fsorsp.exe [2010-3-9 55992]
R3 MSSQLFDLauncher;SQL Full-text Filter Daemon Launcher (MSSQLSERVER);c:\program files\microsoft sql server\mssql10.mssqlserver\mssql\binn\fdlauncher.exe [2008-7-10 31256]
R3 NETw5s32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 32 Bit;c:\windows\system32\drivers\NETw5s32.sys [2009-9-15 6114816]
R3 rismc32;RICOH Smart Card Reader;c:\windows\system32\drivers\rismc32.sys [2010-1-17 49152]
S2 ekrn;ESET Service;"c:\program files\eset\eset nod32 antivirus\ekrn.exe" --> c:\program files\eset\eset nod32 antivirus\ekrn.exe [?]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 netw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\drivers\NETw5v32.sys [2010-1-17 4231680]
S3 RICOH SmartCard Reader;RICOH SmartCard Reader;c:\windows\system32\drivers\rismc32.sys [2010-1-17 49152]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2010-1-5 12872]
S3 StorSvc;Storage Service;c:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-14 20992]
S3 Tdsshbecr;Handelsbanken card reader;c:\windows\system32\drivers\shbecr.sys [2010-1-21 42368]
S4 F-Secure Filter;F-Secure File System Filter;c:\program files\telia\telias sakerhetstjanster\anti-virus\win2k\fsfilter.sys [2010-3-9 39776]
S4 F-Secure Recognizer;F-Secure File System Recognizer;c:\program files\telia\telias sakerhetstjanster\anti-virus\win2k\fsrec.sys [2010-3-9 25184]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\microsoft sql server\100\shared\sqladhlp.exe [2008-7-10 47128]
S4 msvsmon90;Visual Studio 2008 Remote Debugger;c:\program files\microsoft visual studio 9.0\common7\ide\remote debugger\x86\msvsmon.exe [2008-7-29 3201024]
S4 RsFx0103;RsFx0103 Driver;c:\windows\system32\drivers\RsFx0103.sys [2009-3-30 239336]

=============== Created Last 30 ================

2010-03-09 13:49:23    0    d-----w-    c:\users\peter\appdata\roaming\F-Secure
2010-03-09 13:43:03    33920    ----a-w-    c:\windows\system32\drivers\fsbts.sys
2010-03-09 13:42:23    0    d-----w-    c:\program files\Telia
2010-03-09 13:42:10    0    d-----w-    c:\programdata\fssg
2010-03-09 13:41:34    0    d-----w-    c:\programdata\f-secure
2010-03-09 10:58:50    0    d-----w-    c:\program files\a-squared HiJackFree
2010-03-09 10:58:09    0    d-----w-    c:\program files\a-squared Free
2010-03-09 10:48:39    0    d-----w-    c:\program files\LastPass
2010-03-08 18:57:37    0    d-----w-    C:\MWrem
2010-03-08 18:48:51    0    ----a-w-    c:\users\peter\defogger_reenable
2010-03-08 08:59:39    0    d-----w-    c:\users\peter\appdata\roaming\Systweak
2010-03-08 08:59:39    0    d-----w-    c:\programdata\Systweak
2010-03-08 08:02:16    95024    ----a-w-    c:\windows\system32\drivers\SBREDrv.sys
2010-03-08 07:46:03    0    d-----w-    c:\programdata\IObit
2010-03-08 07:45:57    0    d-----w-    c:\program files\IObit
2010-03-07 09:00:57    0    d-----w-    C:\VundoFix Backups
2010-03-06 08:57:57    293376    ----a-w-    c:\windows\system32\browserchoice.exe
2010-03-06 07:40:45    31732    ------w-    c:\windows\system32\SEBRS___.TTF
2010-03-06 07:40:42    109472    ------w-    c:\windows\system32\Sebran3_.ttf
2010-03-06 06:45:57    0    d-----w-    c:\program files\TrendMicro
2010-03-05 17:34:06    0    d-----w-    c:\program files\ESET
2010-03-05 16:50:15    0    d-----w-    c:\users\peter\appdata\roaming\ESET
2010-03-05 16:37:31    0    d-----w-    c:\windows\Internet Logs
2010-03-05 10:41:04    0    d-----w-    c:\programdata\ESET
2010-03-04 21:06:56    0    d-----w-    c:\programdata\COMODO
2010-03-04 20:47:32    641536    ----a-w-    c:\windows\system32\CPFilters.dll
2010-03-04 20:47:32    417792    ----a-w-    c:\windows\system32\msdri.dll
2010-03-04 20:47:32    204288    ----a-w-    c:\windows\system32\MSNP.ax
2010-03-04 20:47:31    465408    ----a-w-    c:\windows\system32\psisdecd.dll
2010-03-04 20:47:25    2048    ----a-w-    c:\windows\system32\tzres.dll
2010-03-04 20:46:08    0    ---ha-w-    c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_09_00.Wdf
2010-03-04 20:38:13    524288    --sha-w-    c:\users\peter\ntuser.dat{07a3c3fa-2783-11df-844f-0027134bc847}.TMContainer00000000000000000002.regtrans-ms
2010-03-04 20:38:12    65536    --sha-w-    c:\users\peter\ntuser.dat{07a3c3fa-2783-11df-844f-0027134bc847}.TM.blf
2010-03-04 20:38:12    524288    --sha-w-    c:\users\peter\ntuser.dat{07a3c3fa-2783-11df-844f-0027134bc847}.TMContainer00000000000000000001.regtrans-ms
2010-03-04 11:46:02    524288    --sha-w-    c:\users\peter\ntuser.dat{b428dccf-276c-11df-8c9e-0027134bc847}.TMContainer00000000000000000002.regtrans-ms
2010-03-04 11:46:01    65536    --sha-w-    c:\users\peter\ntuser.dat{b428dccf-276c-11df-8c9e-0027134bc847}.TM.blf
2010-03-04 11:46:01    524288    --sha-w-    c:\users\peter\ntuser.dat{b428dccf-276c-11df-8c9e-0027134bc847}.TMContainer00000000000000000001.regtrans-ms
2010-03-03 15:41:15    0    d-----w-    c:\users\peter\temp
2010-03-02 14:49:13    0    d-----w-    c:\users\peter\vw
2010-03-02 08:01:10    0    d-----w-    C:\strawberry
2010-02-26 19:34:24    15416    ----a-w-    c:\windows\system32\HPMDPCoInst.dll
2010-02-26 19:34:12    26168    ----a-w-    c:\windows\system32\hpservice.exe
2010-02-26 19:34:02    15416    ----a-w-    c:\windows\system32\accelerometerdll.DLL
2010-02-26 19:33:56    33848    ----a-w-    c:\windows\system32\drivers\Accelerometer.sys
2010-02-21 08:13:53    65536    --sha-w-    c:\users\peter\ntuser.dat{bb6cda3f-1ebf-11df-8e18-0027134bc847}.TM.blf
2010-02-21 08:13:53    524288    --sha-w-    c:\users\peter\ntuser.dat{bb6cda3f-1ebf-11df-8e18-0027134bc847}.TMContainer00000000000000000002.regtrans-ms
2010-02-21 08:13:53    524288    --sha-w-    c:\users\peter\ntuser.dat{bb6cda3f-1ebf-11df-8e18-0027134bc847}.TMContainer00000000000000000001.regtrans-ms
2010-02-18 14:04:07    0    d-----w-    c:\programdata\BVRP Software
2010-02-16 15:16:40    0    d-----w-    c:\program files\MSXML 4.0
2010-02-16 10:23:49    0    d-----w-    C:\Sql
2010-02-16 09:31:49    0    d-----w-    c:\program files\CamStudio
2010-02-10 14:49:57    56    ---ha-w-    c:\windows\system32\ezsidmv.dat
2010-02-10 12:46:39    26600    ----a-w-    c:\windows\system32\drivers\GEARAspiWDM.sys
2010-02-10 12:46:39    107368    ----a-w-    c:\windows\system32\GEARAspi.dll
2010-02-10 12:45:30    0    d-----w-    c:\programdata\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2010-02-10 12:45:30    0    d-----w-    c:\program files\iPod
2010-02-10 12:45:29    0    d-----w-    c:\program files\iTunes
2010-02-10 12:44:45    0    d-----w-    c:\program files\Bonjour
2010-02-10 12:43:57    0    d-----w-    c:\programdata\Apple Computer
2010-02-10 12:42:46    0    d-----w-    c:\programdata\Apple
2010-02-09 21:17:23    0    d-----w-    c:\programdata\Log File Storage
2010-02-09 15:37:42    0    d-----w-    c:\users\peter\appdata\roaming\Web Log Explorer
2010-02-09 13:12:20    0    d-----w-    c:\users\peter\appdata\roaming\Web Log DB
2010-02-09 11:58:36    266552    ----a-w-    c:\windows\system32\HMIPCore.dll
2010-02-09 09:59:50    0    d-----w-    c:\users\peter\appdata\roaming\Web Log Suite
2010-02-09 09:59:48    0    d-----w-    c:\users\peter\appdata\roaming\Obsidium
2010-02-09 08:12:44    92184    ----a-w-    c:\windows\system32\SQSRVRES.DLL
2010-02-09 07:55:07    50200    ----a-w-    c:\windows\system32\perf-ReportServer-rsctr.dll
2010-02-09 07:54:07    50200    ----a-w-    c:\windows\system32\perf-SQLSERVERAGENT-sqlagtctr10.0.1600.22.dll
2010-02-09 07:54:01    79896    ----a-w-    c:\windows\system32\perf-MSSQLSERVER-sqlctr10.0.1600.22.dll
2010-02-09 07:51:13    0    d-----w-    c:\windows\system32\RsFx
2010-02-08 20:41:57    0    d-----w-    c:\users\peter\appdata\roaming\Helios

==================== Find3M  ====================

2010-03-09 15:09:24    411368    ----a-w-    c:\windows\system32\deploytk.dll
2010-02-26 19:34:18    25656    ----a-w-    c:\windows\system32\drivers\hpdskflt.sys
2010-02-24 08:16:06    181632    ------w-    c:\windows\system32\MpSigStub.exe
2010-01-27 13:11:33    57936    ----a-w-    c:\windows\fonts\serife_0.fon
2010-01-27 13:07:45    98992    ----a-w-    c:\windows\fonts\Sserife_0.fon
2010-01-18 23:29:31    85504    ----a-w-    c:\windows\system32\secproc_ssp_isv.dll
2010-01-18 23:29:31    85504    ----a-w-    c:\windows\system32\secproc_ssp.dll
2010-01-18 23:29:31    365568    ----a-w-    c:\windows\system32\secproc_isv.dll
2010-01-18 23:29:30    369152    ----a-w-    c:\windows\system32\secproc.dll
2010-01-18 23:28:33    324608    ----a-w-    c:\windows\system32\RMActivate_isv.exe
2010-01-18 23:28:33    277504    ----a-w-    c:\windows\system32\RMActivate_ssp_isv.exe
2010-01-18 23:28:30    320512    ----a-w-    c:\windows\system32\RMActivate.exe
2010-01-18 23:28:30    280064    ----a-w-    c:\windows\system32\RMActivate_ssp.exe
2010-01-18 08:51:15    94319248    ----a-w-    C:\vm.exe
2010-01-17 09:04:42    0    ---ha-w-    c:\windows\system32\drivers\Msft_Kernel_SynTP_01007.Wdf
2010-01-17 09:02:38    0    --sha-r-    c:\windows\system32\drivers\103C_HP_bNB_EliteBook 8530w_Y5336AN_0U_Q2CE947DVN6_E481385-B71_4A_I30E7_SHP_V90.26_68PDV F.11_T091208_WU48-0_L409_M3037_J320_7Intel_867A_92.80_#100117_N808610F5;80864236_(NU915AW#AK8)_XMOBILE_CN10_Z_2F.11.MRK
2010-01-17 07:59:02    0    ---ha-w-    c:\windows\system32\drivers\Msft_User_WpdFs_01_09_00.Wdf
2010-01-17 07:47:33    0    ---ha-w-    c:\windows\system32\drivers\Msft_Kernel_ATSwpWDF_01009.Wdf
2010-01-17 07:45:23    0    ---ha-w-    c:\windows\system32\drivers\Msft_Kernel_SynTP_01000.Wdf
2010-01-17 07:44:27    368912    ----a-w-    c:\windows\system32\VBAR332.DLL
2010-01-17 07:44:27    252176    ----a-w-    c:\windows\system32\MSRD2X35.DLL
2010-01-17 07:44:27    24848    ----a-w-    c:\windows\system32\MSJTER35.DLL
2010-01-17 07:44:27    123664    ----a-w-    c:\windows\system32\MSJINT35.DLL
2010-01-17 07:44:27    1045776    ----a-w-    c:\windows\system32\MSJET35.DLL
2010-01-17 00:27:24    21796    ----a-w-    c:\windows\system32\emptyregdb.dat
2009-12-19 09:02:55    977920    ----a-w-    c:\windows\system32\wininet.dll
2009-12-19 09:02:52    12288    ----a-w-    c:\windows\system32\tsbyuv.dll
2009-12-19 09:02:48    1328640    ----a-w-    c:\windows\system32\quartz.dll
2009-12-19 09:02:46    22016    ----a-w-    c:\windows\system32\msyuv.dll
2009-12-19 09:02:45    31744    ----a-w-    c:\windows\system32\msvidc32.dll
2009-12-19 09:02:45    13312    ----a-w-    c:\windows\system32\msrle32.dll
2009-12-19 09:02:40    84480    ----a-w-    c:\windows\system32\mciavi32.dll
2009-12-19 09:02:39    50176    ----a-w-    c:\windows\system32\iyuv_32.dll
2009-12-19 09:02:01    91648    ----a-w-    c:\windows\system32\avifil32.dll
2009-12-12 14:15:30    178176    ----a-w-    c:\windows\system32\unrar.dll
2009-07-14 04:56:42    31548    ----a-w-    c:\windows\inf\perflib\0409\perfd.dat
2009-07-14 04:56:42    31548    ----a-w-    c:\windows\inf\perflib\0409\perfc.dat
2009-07-14 04:56:42    291294    ----a-w-    c:\windows\inf\perflib\0409\perfi.dat
2009-07-14 04:56:42    291294    ----a-w-    c:\windows\inf\perflib\0409\perfh.dat
2009-07-14 04:41:57    174    --sha-w-    c:\program files\desktop.ini
2009-07-14 00:34:40    291294    ----a-w-    c:\windows\inf\perflib\0000\perfi.dat
2009-07-14 00:34:40    291294    ----a-w-    c:\windows\inf\perflib\0000\perfh.dat
2009-07-14 00:34:38    31548    ----a-w-    c:\windows\inf\perflib\0000\perfd.dat
2009-07-14 00:34:38    31548    ----a-w-    c:\windows\inf\perflib\0000\perfc.dat
2009-06-10 21:26:35    9633792    --sha-r-    c:\windows\fonts\StaticCache.dat
2009-07-14 01:14:45    396800    --sha-w-    c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe

============= FINISH: 16:19:54,47 ===============

Edited by Barilla, 09 March 2010 - 10:41 AM.
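The symptoms described in the post (svchost.exe spawned from C:\Windows\Temp\*.tmp\, Bhl.exe appearing in AppData\Local\temp) and the mPolicies-system lines in the DDS log (EnableLUA = 0, ConsentPromptBehaviorAdmin = 0, PromptOnSecureDesktop = 0, meaning UAC prompting is switched off) are the first things a responder would pull out of such a log. The following is an added triage example, not part of the original post and not a DDS or BleepingComputer tool; the section names it keys on come from the log above, while the sample lines, the system-binary list and the weak-value table are constructed assumptions.

```python
# Added triage example (not part of the original post, not a DDS or BleepingComputer tool).
# It reads DDS-style output and flags three things a responder looks for first:
#   1. a core Windows binary name (e.g. svchost.exe) running outside system32,
#   2. an executable running from a Temp directory,
#   3. UAC policy values in the "Pseudo HJT Report" that switch prompting off.
# The sample log below is constructed from the patterns described in the post.
import re
from pathlib import PureWindowsPath

SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "wininit.exe", "csrss.exe", "services.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Policy values that disable UAC prompting (assumed mapping for this example)
WEAK_UAC = {"EnableLUA": "0", "ConsentPromptBehaviorAdmin": "0", "PromptOnSecureDesktop": "0"}

# Constructed sample in DDS layout; paths mirror the ones reported in the post.
SAMPLE_LOG = r"""
============== Running Processes ===============

C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\Temp\abcd.tmp\svchost.exe
C:\Users\Peter\AppData\Local\temp\Bhl.exe
C:\Program Files\Mozilla Firefox\firefox.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
"""


def section_lines(log):
    """Yield (section_name, line) pairs; DDS marks sections as '=== Name ==='."""
    section = None
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = re.match(r"^=+\s*(.+?)\s*=+$", line)
        if header:
            section = header.group(1)
            continue
        yield section, line


def check_process(entry):
    """Return findings for one 'Running Processes' line."""
    exe = entry.lower().split(" -k ")[0].strip()  # drop svchost service-group args
    name = PureWindowsPath(exe).name
    findings = []
    if name in SYSTEM_BINARIES and not exe.startswith(SYSTEM_DIRS):
        findings.append(f"system binary name outside system32: {entry}")
    if "\\temp\\" in exe:
        findings.append(f"executable running from a temp directory: {entry}")
    return findings


def check_policy(entry):
    """Return a finding if a UAC policy line carries a value that disables prompting."""
    m = re.match(r"mPolicies-system:\s*(\w+)\s*=\s*(\d+)", entry)
    if m and WEAK_UAC.get(m.group(1)) == m.group(2):
        return [f"UAC weakened: {m.group(1)} = {m.group(2)}"]
    return []


def triage(log):
    """Run the checks over the sections they apply to and collect all findings."""
    findings = []
    for section, line in section_lines(log):
        if section == "Running Processes":
            findings.extend(check_process(line))
        elif section == "Pseudo HJT Report":
            findings.extend(check_policy(line))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

Run against the sample it reports the two temp-directory executables, the svchost.exe copy outside system32 and the three UAC values; a legitimate svchost.exe line with its -k service group is not flagged.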




#2 Barilla

  • Topic Starter
  • Members
  • 197 posts
  • Gender:Male

Posted 11 March 2010 - 01:07 AM

You can close this thread. The problem is gone.

What I did:
Tried several AV programs like Avast, Nod32 and F-secure. None of them was able to find the "infection".
Tried MBAM, found nothing.
Tried a-squared, which found and quarantined Backdoor.Win32.Hupigon, Riskware.Win32.KillApp!A2, Trace.TrackingCookie.fastclick!A2 and Trace.TrackingCookie.doubleclick.A2.
Tried several "best anti-malware/spyware/adware removers in the World" and they found... yes, you are right... NOTHING.

At this moment:
I'm running F-secure Internet Security at its highest security level (except "block all").
TCPView is running "Always on top" just to see if there are any strange things going on.
Scanning the computer several times a day with a-squared Free and MBAM (and of course F-secure AV).
I'm reinstalling the programs I removed earlier, one by one, and waiting some time just to see if something odd happens.
Keeping my eyes on this excellent forum.

You may close this thread

Best regards
Barilla

PS. Keep up the good work, guys!

#3 schrauber

    Mr.Mechanic

  • Malware Response Team
  • 24,794 posts
  • Gender:Male
  • Location:Munich,Germany

Posted 12 March 2010 - 01:56 PM

Since this issue appears to be resolved, this topic has been closed.

If you're the topic starter and need this topic reopened, please contact me via PM with the address of the thread.

Everyone else please begin a New Topic.
regards,
schrauber

If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware.
