
  • This topic is locked
4 replies to this topic

#1 XxNickTxX


  • Members
  • 4 posts
  • Local time:06:42 PM

Posted 26 February 2011 - 04:11 AM

I stupidly opened a .exe file and instantly Avast! popped up and told me there was a trojan but it took care of it, but every 5-10 seconds the trojan re-appears in C:/Windows/SysWOW64/Spynet as service.exe and Avast just keeps throwing it back into the vault.

I'm not too worried about it stealing my information.. I just need to know how to remove it permanently.

DDS (Ver_10-12-12.02) - NTFS_AMD64
Run by Nick at 4:10:07.05 on Sat 02/26/2011
Internet Explorer: 9.0.7930.16406 BrowserJavaVersion: 1.6.0_23
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.4095.1040 [GMT -5:00]

AV: avast! Internet Security *Enabled/Updated* {C37D8F93-0602-E43C-40AA-47DAD597F308}
SP: avast! Internet Security *Enabled/Updated* {781C6E77-2038-EBB2-7A1A-7CA8AE10B9B5}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FW: avast! Internet Security *Enabled* {FB460EB6-4C6D-E564-6BF5-EEEF2B44B473}

============== Running Processes ===============

C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\Program Files\Alwil Software\Avast5\afwServ.exe
C:\Program Files\Logitech\GamePanel Software\LGDevAgt.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe
C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Logitech\GamePanel Software\Applets\LCDClock.exe
C:\Program Files\Logitech\GamePanel Software\Applets\LCDMedia.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files\Alwil Software\Avast5\AvastUI.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\AMD\OverDrive\AODAssist.exe
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files (x86)\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Windows Media Player\WMPSideShowGadget.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Raxco\PerfectDisk\PDAgentS1.exe
C:\Program Files (x86)\Windows Media Player\wmplayer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\iTunes\iTunes.exe
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceHelper.exe
C:\Program Files (x86)\Common Files\Apple\Apple Application Support\distnoted.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\Program Files (x86)\uTorrent\uTorrent.exe
C:\Program Files (x86)\PowerISO\PowerISO.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files (x86)\TeamViewer\Version6\TeamViewer_Service.exe
C:\Program Files (x86)\DivX\DivX Plus Player\DivX Plus Player.exe
C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local
mWinlogon: Userinit=userinit.exe
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
BHO: IeMonitorBho Class: {bf00e119-21a3-4fd1-b178-3b8537e75c92} - C:\Program Files (x86)\Megaupload\Mega Manager\MegaIEMn.dll
BHO: Bing Bar BHO: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files (x86)\MSN Toolbar\Platform\6.3.2317.0\npwinext.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
TB: @C:\Program Files (x86)\MSN Toolbar\Platform\6.3.2317.0\npwinext.dll,-100: {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files (x86)\MSN Toolbar\Platform\6.3.2317.0\npwinext.dll
uRun: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
uRun: [FileHippo.com] "C:\Program Files (x86)\FileHippo.com\UpdateChecker.exe" /background
uRun: [Google Update] "C:\Users\Nick\AppData\Local\Google\Update\GoogleUpdate.exe" /c
uRun: [RegistryMechanic]
uRun: [uTorrent] "C:\Program Files (x86)\uTorrent\uTorrent.exe"
uRun: [AnyDVD] C:\Program Files (x86)\SlySoft\AnyDVD\AnyDVDtray.exe
uRun: [msnmsgr] "C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe" /background
uRun: [SpybotSD TeaTimer] C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
uRun: [HKCU] C:\Windows\system32\spynet\server.exe
mRun: [SwitchBoard] C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
mRun: [<NO NAME>]
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun: [Microsoft Default Manager] "C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" -resume
mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun: [avast5] "C:\Program Files\Alwil Software\Avast5\avastUI.exe" /nogui
mRunOnce: [Malwarebytes' Anti-Malware] C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
uExplorerRun: [Policies] C:\Windows\system32\spynet\server.exe
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: Append Link Target to Existing PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - C:\PROGRA~1\MICROS~2\Office14\ONBttnIE.dll/105
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
AppInit_DLLs: acaptuser32.dll
BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO-X64: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
TB-X64: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
mRun-x64: [Launch LgDeviceAgent] "C:\Program Files\Logitech\GamePanel Software\LgDevAgt.exe"
mRun-x64: [Launch LCDMon] "C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe"
mRun-x64: [Launch LGDCore] "C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe" /SHOWHIDE
mRun-x64: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s
AppInit_DLLs-X64: acaptuser64.dll

================= FIREFOX ===================

FF - ProfilePath - C:\Users\Nick\AppData\Roaming\Mozilla\Firefox\Profiles\j0dhi3v6.default\
FF - prefs.js: browser.startup.homepage - hxxp://notch.tumblr.com/
FF - plugin: C:\Program Files (x86)\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\np_gp.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npnul32.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\nppdf32.dll
FF - plugin: C:\Program Files (x86)\MSN Toolbar\Platform\6.3.2317.0\npwinext.dll
FF - plugin: C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll
FF - plugin: C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll
FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: C:\ProgramData\NexonUS\NGM\npNxGameUS.dll
FF - plugin: C:\Users\Nick\AppData\Local\Google\Update\\npGoogleOneClick8.dll
FF - plugin: C:\Users\Nick\AppData\Roaming\Mozilla\Firefox\Profiles\j0dhi3v6.default\extensions\{9EB34849-81D3-4841-939D-666D522B889A}\plugins\npSlingPlayer.dll
FF - plugin: C:\Users\Nick\AppData\Roaming\Mozilla\Firefox\Profiles\j0dhi3v6.default\extensions\battlefieldheroespatcher@ea.com\platform\WINNT_x86-msvc\plugins\npBFHUpdater.dll
FF - plugin: C:\Users\Nick\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll
FF - plugin: C:\Users\Nick\AppData\Roaming\Mozilla\plugins\npgtpo3dautoplugin.dll
FF - plugin: C:\Users\Nick\AppData\Roaming\Mozilla\plugins\npoctoshape.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - C:\Program Files (x86)\Mozilla Firefox 4.0 Beta 1\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Ext: Download Statusbar: {D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389} - %profile%\extensions\{D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}
FF - Ext: Personas: personas@christopher.beard - %profile%\extensions\personas@christopher.beard
FF - Ext: Split Browser: {29c4afe1-db19-4298-8785-fcc94d1d6c1d} - %profile%\extensions\{29c4afe1-db19-4298-8785-fcc94d1d6c1d}
FF - Ext: The Camelizer: izer@camelcamelcamel.com - %profile%\extensions\izer@camelcamelcamel.com
FF - Ext: WebSlingPlayer: {9EB34849-81D3-4841-939D-666D522B889A} - %profile%\extensions\{9EB34849-81D3-4841-939D-666D522B889A}
FF - Ext: Xmarks: foxmarks@kei.com - %profile%\extensions\foxmarks@kei.com
FF - Ext: RSS Ticker: {1f91cde0-c040-11da-a94d-0800200c9a66} - %profile%\extensions\{1f91cde0-c040-11da-a94d-0800200c9a66}
FF - Ext: Greasemonkey: {e4a8a97b-f2ed-450b-b12d-ee082ba24781} - %profile%\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}
FF - Ext: Battlefield Heroes Updater: battlefieldheroespatcher@ea.com - %profile%\extensions\battlefieldheroespatcher@ea.com

FF - user.js: general.useragent.extra.brc - BRI/1

============= SERVICES / DRIVERS ===============

R0 aswNdis;avast! Firewall NDIS Filter Service;C:\Windows\System32\drivers\aswNdis.sys [2011-1-26 12368]
R0 aswNdis2;avast! Firewall Core Firewall Service;C:\Windows\System32\drivers\aswNdis2.sys [2011-1-26 250448]
R1 aswFW;avast! TDI Firewall driver;C:\Windows\System32\drivers\aswFW.sys [2011-1-26 125520]
R1 aswSnx;aswSnx;C:\Windows\System32\drivers\aswSnx.sys [2011-1-26 472656]
R1 aswSP;aswSP;C:\Windows\System32\drivers\aswSP.sys [2011-1-26 121936]
R2 AODService;AODService;C:\Program Files (x86)\AMD\OverDrive\AODAssist.exe [2010-7-1 136616]
R2 aswFsBlk;aswFsBlk;C:\Windows\System32\drivers\aswFsBlk.sys [2011-1-26 20048]
R2 aswMonFlt;aswMonFlt;C:\Windows\System32\drivers\aswMonFlt.sys [2011-1-26 61008]
R2 avast! Antivirus;avast! Antivirus;C:\Program Files\Alwil Software\Avast5\AvastSvc.exe [2011-1-26 40384]
R2 avast! Firewall;avast! Firewall;C:\Program Files\Alwil Software\Avast5\afwServ.exe [2011-1-26 119200]
R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2010-7-9 248936]
R2 TeamViewer6;TeamViewer 6;C:\Program Files (x86)\TeamViewer\Version6\TeamViewer_Service.exe [2011-2-14 2253688]
R3 AODDriver2;AODDriver2;C:\Program Files (x86)\AMD\OverDrive\amd64\AODDriver2.sys [2010-7-1 52352]
R3 avast! Mail Scanner;avast! Mail Scanner;C:\Program Files\Alwil Software\Avast5\AvastSvc.exe [2011-1-26 40384]
R3 avast! Web Scanner;avast! Web Scanner;C:\Program Files\Alwil Software\Avast5\AvastSvc.exe [2011-1-26 40384]
R3 LGBusEnum;Logitech GamePanel Virtual Bus Enumerator Driver;C:\Windows\System32\drivers\LGBusEnum.sys [2009-11-23 22408]
R3 LGVirHid;Logitech Gamepanel Virtual HID Device Driver;C:\Windows\System32\drivers\LGVirHid.sys [2009-11-23 16008]
R3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver;C:\Windows\System32\drivers\ManyCam_x64.sys [2008-3-13 27136]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\System32\drivers\Rt64win7.sys [2010-6-23 344680]
S1 AmdTools;AMD Special Tools Driver;C:\Windows\System32\drivers\AmdTools64.sys [2010-6-2 38912]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 SBSDWSCService;SBSD Security Center Service;C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2011-2-26 1153368]
S3 SwitchBoard;Adobe SwitchBoard;C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-2-19 517096]
S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\System32\drivers\usbaapl64.sys [2010-4-19 50688]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2010-11-2 1255736]

=============== Created Last 30 ================

2011-02-26 08:26:40 -------- d-----w- C:\Users\Nick\AppData\Roaming\Malwarebytes
2011-02-26 08:26:35 38224 ----a-w- C:\Windows\SysWow64\drivers\mbamswissarmy.sys
2011-02-26 08:26:35 -------- d-----w- C:\PROGRA~3\Malwarebytes
2011-02-26 08:26:32 24152 ----a-w- C:\Windows\System32\drivers\mbam.sys
2011-02-26 08:26:32 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2011-02-26 06:53:38 -------- d-----w- C:\Program Files (x86)\Spybot - Search & Destroy
2011-02-26 06:53:38 -------- d-----w- C:\PROGRA~3\Spybot - Search & Destroy
2011-02-26 03:45:24 -------- d-----w- C:\Program Files (x86)\Rosetta Stone
2011-02-26 03:45:24 -------- d-----w- C:\PROGRA~3\Rosetta Stone
2011-02-24 01:36:47 -------- d-----w- C:\Users\Nick\AppData\Roaming\gamesport
2011-02-24 01:36:45 -------- d-----w- C:\Program Files (x86)\Kubik
2011-02-23 08:00:52 367104 ----a-w- C:\Windows\System32\wcncsvc.dll
2011-02-23 08:00:51 276992 ----a-w- C:\Windows\SysWow64\wcncsvc.dll
2011-02-22 21:09:16 662528 ----a-w- C:\Windows\System32\XpsPrint.dll
2011-02-22 21:09:16 442880 ----a-w- C:\Windows\SysWow64\XpsPrint.dll
2011-02-22 21:09:15 475648 ----a-w- C:\Windows\System32\XpsGdiConverter.dll
2011-02-22 21:09:15 288256 ----a-w- C:\Windows\SysWow64\XpsGdiConverter.dll
2011-02-22 21:08:28 7844688 ----a-w- C:\PROGRA~3\Microsoft\Windows Defender\Definition Updates\{13E8B117-5FBF-4741-9C7E-A750B3036B4A}\mpengine.dll
2011-02-21 02:44:03 -------- d-----w- C:\Users\Nick\AppData\Local\PunkBuster
2011-02-21 02:36:18 270240 ----a-w- C:\Windows\SysWow64\PnkBstrB.exe
2011-02-21 02:36:18 189248 ----a-w- C:\Windows\SysWow64\PnkBstrB.ex0
2011-02-21 02:36:13 75136 ----a-w- C:\Windows\SysWow64\PnkBstrA.exe
2011-02-21 01:31:21 -------- d-----w- C:\Program Files (x86)\EA Games
2011-02-20 06:15:40 -------- d-----w- C:\Users\Nick\AppData\Roaming\Megaupload
2011-02-20 06:14:46 -------- d-----w- C:\Program Files (x86)\Megaupload
2011-02-14 22:20:21 -------- d-----w- C:\Users\Nick\AppData\Roaming\TeamViewer
2011-02-14 22:17:44 -------- d-----w- C:\Program Files (x86)\TeamViewer
2011-02-13 11:38:35 -------- d-----w- C:\Users\Nick\AppData\Local\PassMark
2011-02-13 10:56:06 540688 ----a-w- C:\Windows\System32\d3dx10_39.dll
2011-02-13 10:56:06 1942552 ----a-w- C:\Windows\System32\D3DCompiler_39.dll
2011-02-13 10:56:03 4992520 ----a-w- C:\Windows\System32\D3DX9_39.dll
2011-02-13 10:55:59 3977496 ----a-w- C:\Windows\System32\d3dx9_31.dll
2011-02-13 10:55:23 -------- d-----w- C:\PROGRA~3\Passmark
2011-02-13 10:55:22 -------- d-----w- C:\Program Files\PerformanceTest
2011-02-10 08:00:34 2381824 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2011-02-10 08:00:34 2381824 ----a-w- C:\Windows\System32\mshtml.tlb
2011-02-10 08:00:33 1502208 ----a-w- C:\Windows\System32\inetcpl.cpl
2011-02-10 08:00:33 1448448 ----a-w- C:\Windows\SysWow64\inetcpl.cpl
2011-02-08 21:16:48 -------- d-----w- C:\Program Files (x86)\Cool MP3 Splitter
2011-02-05 19:00:01 -------- d-----w- C:\Program Files (x86)\AMD
2011-02-05 18:59:23 -------- d-----w- C:\Users\Nick\AppData\Local\Downloaded Installations
2011-01-30 20:47:51 -------- d-----w- C:\Users\Nick\VirtualBox VMs
2011-01-30 20:07:59 -------- d-----w- C:\Users\Nick\.VirtualBox
2011-01-30 20:07:09 226448 ----a-w- C:\Windows\System32\drivers\VBoxDrv.sys
2011-01-30 20:06:57 54864 ----a-w- C:\Windows\System32\drivers\VBoxUSBMon.sys
2011-01-30 20:06:49 -------- d-----w- C:\Program Files\Oracle
2011-01-30 07:18:05 -------- d-----w- C:\Users\Nick\AppData\Local\jagexlauncher

==================== Find3M ====================

2011-01-26 06:53:10 982912 ----a-w- C:\Windows\System32\drivers\dxgkrnl.sys
2011-01-26 06:53:10 265088 ----a-w- C:\Windows\System32\drivers\dxgmms1.sys
2011-01-26 06:31:20 144384 ----a-w- C:\Windows\System32\cdd.dll
2011-01-18 22:05:48 154256 ----a-w- C:\Windows\System32\drivers\VBoxNetAdp.sys
2011-01-18 22:05:46 318992 ----a-w- C:\Windows\System32\VBoxNetFltNotify.dll
2011-01-18 22:05:46 173840 ----a-w- C:\Windows\System32\drivers\VBoxNetFlt.sys
2011-01-18 03:57:50 40128 ----a-w- C:\Windows\System32\drivers\tap0901.sys
2011-01-07 08:06:50 46080 ----a-w- C:\Windows\System32\atmlib.dll
2011-01-07 07:27:11 34304 ----a-w- C:\Windows\SysWow64\atmlib.dll
2011-01-07 05:49:20 366080 ----a-w- C:\Windows\System32\atmfd.dll
2011-01-07 05:33:11 294400 ----a-w- C:\Windows\SysWow64\atmfd.dll
2011-01-05 04:00:16 3127808 ----a-w- C:\Windows\System32\win32k.sys
2010-12-22 04:41:30 80896 ----a-w- C:\Windows\SysWow64\ff_vfw.dll
2010-12-21 06:16:27 97280 ----a-w- C:\Windows\System32\wscsvc.dll
2010-12-21 06:16:27 62976 ----a-w- C:\Windows\System32\wscapi.dll
2010-12-21 06:16:16 214016 ----a-w- C:\Windows\System32\winsrv.dll
2010-12-21 06:16:14 442880 ----a-w- C:\Windows\System32\winhttp.dll
2010-12-21 06:16:09 258048 ----a-w- C:\Windows\System32\WebClnt.dll
2010-12-21 06:15:55 264192 ----a-w- C:\Windows\System32\upnp.dll
2010-12-21 06:15:31 15360 ----a-w- C:\Windows\System32\slwga.dll
2010-12-21 06:13:03 2003968 ----a-w- C:\Windows\System32\msxml6.dll
2010-12-21 06:13:03 1880576 ----a-w- C:\Windows\System32\msxml3.dll
2010-12-21 06:10:22 100864 ----a-w- C:\Windows\System32\davclnt.dll
2010-12-21 05:38:24 51200 ----a-w- C:\Windows\SysWow64\wscapi.dll
2010-12-21 05:38:22 350720 ----a-w- C:\Windows\SysWow64\winhttp.dll
2010-12-21 05:38:21 204800 ----a-w- C:\Windows\SysWow64\WebClnt.dll
2010-12-21 05:38:19 204288 ----a-w- C:\Windows\SysWow64\upnp.dll
2010-12-21 05:38:16 14336 ----a-w- C:\Windows\SysWow64\slwga.dll
2010-12-21 05:36:17 1389568 ----a-w- C:\Windows\SysWow64\msxml6.dll
2010-12-21 05:36:16 1236992 ----a-w- C:\Windows\SysWow64\msxml3.dll
2010-12-21 05:34:12 80384 ----a-w- C:\Windows\SysWow64\davclnt.dll
2010-12-18 06:11:34 714752 ----a-w- C:\Windows\System32\kerberos.dll
2010-12-18 05:29:31 541184 ----a-w- C:\Windows\SysWow64\kerberos.dll
2010-12-16 22:58:14 40816 ----a-w- C:\Windows\System32\drivers\ElbyCDIO.sys
2010-12-06 13:31:46 265992 ----a-w- C:\Windows\System32\PDBoot.exe
2010-12-01 19:06:31 125512 ----a-w- C:\Windows\System32\drivers\AnyDVD.sys

============= FINISH: 4:10:30.80 ===============

Thanks guys, I appreciate it.

EDIT: Please be patient. There are over 200 unanswered topics in this forum at present and the current average wait time to receive help is 7 days. ~BP


Edited by Budapest, 03 March 2011 - 10:51 PM.



#2 snemelk



  • Malware Response Team
  • 1,468 posts
  • Gender:Male
  • Location:Poland
  • Local time:01:42 AM

Posted 04 March 2011 - 09:55 AM

Hi XxNickTxX, and welcome to Bleeping Computer.

  • Please launch Malwarebytes' Anti-Malware, click the Update tab, and then Check for Updates.
  • Then choose the Scanner tab and select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.

Download OTL.exe by OldTimer to your Desktop.

  • Close all windows and double click OTL.exe.
  • In the "Custom Scans/Fixes" window (under the light green bar) paste the following in bold:

    %systemroot%\*. /mp /s
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs

  • Click Run Scan and let the program run uninterrupted.
  • When the scan completes, it will open two Notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL. Post both logs in this thread.
  • You may need to use two posts to get it all.

snemelk.hekko.pl - my site with a few computer security tips...
Silesia - that's where I live!

"If I had some duct tape, I could fix that." - MacGyver

#3 XxNickTxX

  • Topic Starter

  • Members
  • 4 posts
  • Local time:06:42 PM

Posted 04 March 2011 - 11:04 PM

Hey, thanks for the help.

I ran MBAM as instructed and came up with 131,000 infected files (That's a lot I'm guessing). I got rid of all of them, restarted and it seemed to get rid of the problem. I don't want it coming back so I continued and ran OTL as instructed and it freezes when scanning my Firefox settings...

I'm not sure if you want me to continue working on this as it SEEMS to be resolved (Not sure, I'd much rather be safe than sorry though.)

I've included a snippet of my log from MBAM, as it is literally the same thing over and over again for 131,000 lines just with slightly different names.

Malwarebytes' Anti-Malware

Database version: 5954

Windows 6.1.7600
Internet Explorer 9.0.7930.16406

3/4/2011 8:13:34 PM
mbam-log-2011-03-04 (20-13-34).txt

Scan type: Quick scan
Objects scanned: 184388
Time elapsed: 57 minute(s), 48 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 2
Files Infected: 131077

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies (Backdoor.Bot) -> Value: Policies -> Delete on reboot.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
c:\Windows\System32\spynet (Trojan.Backdoor) -> Delete on reboot.
c:\Windows\SysWOW64\spynet (Trojan.Backdoor) -> Delete on reboot.

Files Infected:
c:\Users\Nick\AppData\Roaming\logs.dat (Bifrose.Trace) -> Quarantined and deleted successfully.
c:\Windows\System32\spynet\server.exe (Trojan.Backdoor) -> Quarantined and deleted successfully.
c:\Windows\SysWOW64\spynet\server.exe (Trojan.Backdoor) -> Quarantined and deleted successfully.
c:\Users\Nick\AppData\Local\Temp\MSN.abc (Malware.Trace) -> Quarantined and deleted successfully.
c:\Users\Nick\AppData\Local\Temp\UuU.uUu (Malware.Trace) -> Quarantined and deleted successfully.
c:\Users\Nick\AppData\Local\Temp\XxX.xXx (Malware.Trace) -> Quarantined and deleted successfully.
c:\Users\Nick\AppData\Local\Temp\xxxyyyzzz.dat (Malware.Trace) -> Quarantined and deleted successfully.
c:\Windows\System32\spynet\trz1.tmp (Trojan.Backdoor) -> Quarantined and deleted successfully.
c:\Windows\System32\spynet\trz10.tmp (Trojan.Backdoor) -> Quarantined and deleted successfully.
c:\Windows\System32\spynet\trz100.tmp (Trojan.Backdoor) -> Quarantined and deleted successfully.
c:\Windows\System32\spynet\trz1000.tmp (Trojan.Backdoor) -> Quarantined and deleted successfully.
c:\Windows\System32\spynet\trz1001.tmp (Trojan.Backdoor) -> Quarantined and deleted successfully.
c:\Windows\System32\spynet\trz1002.tmp (Trojan.Backdoor) -> Quarantined and deleted successfully.
c:\Windows\System32\spynet\trz1003.tmp (Trojan.Backdoor) -> Quarantined and deleted successfully.
c:\Windows\System32\spynet\trz1004.tmp (Trojan.Backdoor) -> Quarantined and deleted successfully.
c:\Windows\System32\spynet\trz1005.tmp (Trojan.Backdoor) -> Quarantined and deleted successfully.
c:\Windows\System32\spynet\trz1006.tmp (Trojan.Backdoor) -> Quarantined and deleted successfully.
c:\Windows\System32\spynet\trz1007.tmp (Trojan.Backdoor) -> Quarantined and deleted successfully.
c:\Windows\System32\spynet\trz1008.tmp (Trojan.Backdoor) -> Quarantined and deleted successfully.
c:\Windows\System32\spynet\trz1009.tmp (Trojan.Backdoor) -> Quarantined and deleted successfully.
c:\Windows\System32\spynet\trz100A.tmp (Trojan.Backdoor) -> Quarantined and deleted successfully.
c:\Windows\System32\spynet\trz100B.tmp (Trojan.Backdoor) -> Quarantined and deleted successfully.
c:\Windows\System32\spynet\trz100C.tmp (Trojan.Backdoor) -> Quarantined and deleted successfully.
c:\Windows\System32\spynet\trz100D.tmp (Trojan.Backdoor) -> Quarantined and deleted successfully.
c:\Windows\System32\spynet\trz100E.tmp (Trojan.Backdoor) -> Quarantined and deleted successfully.
c:\Windows\System32\spynet\trz100F.tmp (Trojan.Backdoor) -> Quarantined and deleted successfully.
c:\Windows\System32\spynet\trz101.tmp (Trojan.Backdoor) -> Quarantined and deleted successfully.
c:\Windows\System32\spynet\trz1010.tmp (Trojan.Backdoor) -> Quarantined and deleted successfully.
c:\Windows\System32\spynet\trz1011.tmp (Trojan.Backdoor) -> Quarantined and deleted successfully.
c:\Windows\System32\spynet\trz1012.tmp (Trojan.Backdoor) -> Quarantined and deleted successfully.
c:\Windows\System32\spynet\trz1013.tmp (Trojan.Backdoor) -> Quarantined and deleted successfully.
c:\Windows\System32\spynet\trz1014.tmp (Trojan.Backdoor) -> Quarantined and deleted successfully.
c:\Windows\System32\spynet\trz1015.tmp (Trojan.Backdoor) -> Quarantined and deleted successfully.
c:\Windows\System32\spynet\trz1016.tmp (Trojan.Backdoor) -> Quarantined and deleted successfully.
c:\Windows\System32\spynet\trz1017.tmp (Trojan.Backdoor) -> Quarantined and deleted successfully.
c:\Windows\System32\spynet\trz1018.tmp (Trojan.Backdoor) -> Quarantined and deleted successfully.
c:\Windows\System32\spynet\trz1019.tmp (Trojan.Backdoor) -> Quarantined and deleted successfully.
c:\Windows\System32\spynet\trz101A.tmp (Trojan.Backdoor) -> Quarantined and deleted successfully.
c:\Windows\System32\spynet\trz101B.tmp (Trojan.Backdoor) -> Quarantined and deleted successfully.
c:\Windows\System32\spynet\trz101C.tmp (Trojan.Backdoor) -> Quarantined and deleted successfully.
c:\Windows\System32\spynet\trz101D.tmp (Trojan.Backdoor) -> Quarantined and deleted successfully.
c:\Windows\System32\spynet\trz101E.tmp (Trojan.Backdoor) -> Quarantined and deleted successfully.
c:\Windows\System32\spynet\trz101F.tmp (Trojan.Backdoor) -> Quarantined and deleted successfully.
c:\Windows\System32\spynet\trz102.tmp (Trojan.Backdoor) -> Quarantined and deleted successfully.
c:\Windows\System32\spynet\trz1020.tmp (Trojan.Backdoor) -> Quarantined and deleted successfully.
c:\Windows\System32\spynet\trz1021.tmp (Trojan.Backdoor) -> Quarantined and deleted successfully.
c:\Windows\System32\spynet\trz1022.tmp (Trojan.Backdoor) -> Quarantined and deleted successfully.
c:\Windows\System32\spynet\trz1023.tmp (Trojan.Backdoor) -> Quarantined and deleted successfully.
c:\Windows\System32\spynet\trz1024.tmp (Trojan.Backdoor) -> Quarantined and deleted successfully.
c:\Windows\System32\spynet\trz1025.tmp (Trojan.Backdoor) -> Quarantined and deleted successfully.
c:\Windows\System32\spynet\trz1026.tmp (Trojan.Backdoor) -> Quarantined and deleted successfully.
c:\Windows\System32\spynet\trz1027.tmp (Trojan.Backdoor) -> Quarantined and deleted successfully.
c:\Windows\System32\spynet\trz1028.tmp (Trojan.Backdoor) -> Quarantined and deleted successfully.
c:\Windows\System32\spynet\trz1029.tmp (Trojan.Backdoor) -> Quarantined and deleted successfully.
c:\Windows\System32\spynet\trz102A.tmp (Trojan.Backdoor) -> Quarantined and deleted successfully.
c:\Windows\System32\spynet\trz102B.tmp (Trojan.Backdoor) -> Quarantined and deleted successfully.
c:\Windows\System32\spynet\trz102C.tmp (Trojan.Backdoor) -> Quarantined and deleted successfully.
c:\Windows\System32\spynet\trz102D.tmp (Trojan.Backdoor) -> Quarantined and deleted successfully.
c:\Windows\System32\spynet\trz102E.tmp (Trojan.Backdoor) -> Quarantined and deleted successfully.
c:\Windows\System32\spynet\trz102F.tmp (Trojan.Backdoor) -> Quarantined and deleted successfully.
c:\Windows\System32\spynet\trz103.tmp (Trojan.Backdoor) -> Quarantined and deleted successfully.
c:\Windows\System32\spynet\trz1030.tmp (Trojan.Backdoor) -> Quarantined and deleted successfully.

Edited by XxNickTxX, 04 March 2011 - 11:04 PM.

#4 snemelk



  • Malware Response Team
  • 1,468 posts
  • Gender:Male
  • Location:Poland
  • Local time:01:42 AM

Posted 05 March 2011 - 05:52 AM

Hi again XxNickTxX!!.. :)

I ran MBAM as instructed and came up with 131,000 infected files (That's a lot I'm guessing). I got rid of all of them, restarted and it seemed to get rid of the problem. I don't want it coming back so I continued and ran OTL as instructed and it freezes when scanning my Firefox settings...

Yep, that's indeed a lot!!..
If you were using the latest version of OTL, and no malware problem remains, I guess a fresh DDS scan will do...

So, firstly,
We need to update outdated programs (with security vulnerabilities) on your machine:

- Adobe Acrobat Reader:

You've got a PRO version installed of Adobe Acrobat:
Adobe Acrobat 9 Pro Extended - English, Français, Deutsch
Adobe Acrobat 9.3.4 - CPSID_83708

--> Help --> Check for updates - let it update to the newest version...

You've also got a free version of Adobe Reader 9.3.3 installed... I highly recommend you update it: --> Help --> Check for updates - let it update to the newest version... And, if possible, consider updating it to the tenth version:

Adobe Reader X

Note: I suggest you uncheck an optional, third-party download (e.g. McAfee Security Scan Plus).

After successfully installing Adobe Reader X, see this article on how to make this program more secure: Adobe Reader X secures itself by playing in the sandbox.

- Java

Go to Start -> Control Panel -> Programs and Features, highlight a program to see the available option on the toolbar for it. Choose Uninstall for:
Java™ 6 Update 20
Java™ 6 Update 23

  • Download the latest version of Java Runtime Environment (JRE) 6.
  • Scroll down to where it says Java Platform, Standard Edition / "Java SE 6 Update 24".
  • Click the "Download JRE" button to the right.
  • In the Window that opens, select Windows, your Language, check the "agree" box and click Continue.
  • Click on the link to download Windows Offline Installation and save to your Desktop.
  • Close any programs you may have running - especially your web browser.
  • Then from your desktop double-click on jre-6u24-windows-i586.exe that you downloaded to install the newest version.

- Mozilla Firefox (3.6.13) --> Help --> Check for updates - let it update to the newest version - 3.6.15

- Adobe Flash Player:

To make sure you have the latest version of Adobe Flash Player installed:
1. To uninstall an older version, download this file to your Desktop: uninstall_flash_player.exe
2. Quit ALL running applications, including all Internet Explorer or other browser windows, and messenger applications (like AOL Instant Messenger, Yahoo Messenger, MSN Messenger).
3. Double-click on the file you've downloaded to uninstall Flash.
4. If uninstalled successfully, go to this site: Install Adobe Flash Player, and choose Agree and install now. This will install the newest version of Flash for your browser (note: Flash plugins for IE and Firefox must be installed separately).
Note: I recommend you uncheck an optional install (Free McAfee Security Scan or Free Google Toolbar).

Secondly, run an online scan:
Please run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer (32 bit version - Start --> All programs --> Internet Explorer) for this scan. Internet Explorer must be run as administrator - right click and choose: Run as administrator.
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and Scan unwanted applications are checked
  • Click Scan
  • Wait for the scan to finish
  • Use Notepad to open the logfile located at C:\Program Files (x86)\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic

Run a fresh scan with DDS (as instructed in the FAQ), post the contents of DDS.txt in your reply (no need for Attach.txt)...
snemelk.hekko.pl - my site with a few computer security tips...
Silesia - that's where I live!

"If I had some duct tape, I could fix that." - MacGyver

#5 snemelk




Posted 20 March 2011 - 03:40 PM

Due to the lack of feedback, this topic is now closed. In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.
