Hi guys,
Thank you for reading this and hope we get somewhere.
I was initially infected with this trojan approximately one week ago. Symptoms are URL redirects to 'licosearch', amongst others.
I formatted, re-installed windows 7 and up it popped again.
I did a complete format (even tried a low-level one, or as close as possible to it) and re-installed, only to have it pop up again.
A Malwarebytes scan reveals two infections:
Malwarebytes' Anti-Malware 1.50
www.malwarebytes.org
Database version: 5347
Windows 6.1.7600
Internet Explorer 8.0.7600.16385
18/12/2010 11:51:08
mbam-log-2010-12-18 (11-51-08).txt
Scan type: Full scan (C:\|)
Objects scanned: 167090
Time elapsed: 11 minute(s), 44 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
c:\Users\WILL\qwers\setup2.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\Users\WILL\qwert\oops1.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
----------------------------------
DDS (Ver_10-12-12.02) - NTFSx86
Run by WILL at 11:51:30.63 on 18/12/2010
Internet Explorer: 8.0.7600.16385
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.44.1033.18.1023.352 [GMT 0:00]
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
============== Running Processes ===============
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\sppsvc.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\WILL\Downloads\dds.scr
C:\Windows\system32\conhost.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
============== Pseudo HJT Report ===============
mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
StartupFolder: c:\users\will\appdata\roaming\microsoft\windows\start menu\programs\startup\sjwgpsqe.exe
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
================= FIREFOX ===================
FF - ProfilePath - c:\users\will\appdata\roaming\mozilla\firefox\profiles\2fdoly1e.default\
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
============= SERVICES / DRIVERS ===============
R3 NETw2v32;Intel® PRO/Wireless 2200BG Network Connection Driver for Windows Vista;c:\windows\system32\drivers\NETw2v32.sys [2007-2-14 2593792]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
=============== Created Last 30 ================
2010-12-18 11:51:12 54016 ----a-w- c:\windows\system32\drivers\bpnnhm.sys
2010-12-18 11:04:00 -------- d-----w- c:\users\will\appdata\roaming\Process Hacker 2
2010-12-18 10:58:51 -------- d-----w- c:\users\will\appdata\roaming\Malwarebytes
2010-12-18 10:56:40 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-18 10:56:39 -------- d-----w- c:\progra~2\Malwarebytes
2010-12-18 10:56:36 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-18 10:56:36 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-12-18 10:46:01 -------- d-----w- c:\users\will\qwert
2010-12-18 10:45:51 -------- d-----w- c:\users\will\qwers
2010-12-18 03:21:02 -------- d-----w- c:\windows\Panther
2010-12-17 19:45:13 6273872 ----a-w- c:\progra~2\microsoft\windows defender\definition updates\{d36ba9cc-d19e-4a45-9064-9ea6bbc861bf}\mpengine.dll
2010-12-17 19:45:12 222080 ------w- c:\windows\system32\MpSigStub.exe
2010-12-17 19:32:14 -------- d-----w- c:\windows\system32\wbem\Performance
==================== Find3M ====================
============= FINISH: 11:51:58.37 ===============
Hope this is the correct information, having read the 'what to do first' section here; apologies if not.
Any help would be most appreciated. I am guessing the MBR must be infected but surely that would have been formatted when I did a low level (sic) one?