Malware Bytes changed


This topic is locked
2 replies to this topic

#1 stu96art

stu96art

  • Members
  • 2 posts

Posted 03 August 2011 - 10:56 PM

I have multiple problems and I believe they are all coming from the same place. Of course I do not know where that place is, but it has seemed to change my Malwarebytes. Now when I right click on the icon on my desktop, there is a new entry titled 'start'. I haven't clicked on it because I know it is not supposed to be there. I have also noticed that my Malwarebytes now does not have auto protect. Also, when running Malwarebytes there is a blank, white window that opens and closes very quickly. This also occurs when I restart my computer.

Here are the log files:

### DDS.txt ###

.
DDS (Ver_2011-06-23.01) - NTFSx86
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_26
Run by stu96art at 21:56:08 on 2011-08-03
Microsoft Windows 7 Enterprise 6.1.7600.0.1252.1.1033.18.3318.1735 [GMT -5:00]
.
AV: Microsoft Forefront Client Security *Enabled/Outdated* {2E6C4BAB-3371-CD46-62DC-0E0A86B42619}
SP: Microsoft Forefront Client Security *Enabled/Outdated* {950DAA4F-154B-C2C8-586C-3578FD336CA4}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Program Files\Microsoft Forefront\Client Security\Client\Antimalware\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Program Files\IDT\WDM\STacSV.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\WUDFHost.exe
C:\Program Files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\rundll32.exe
C:\Program Files\IDT\WDM\aestsrv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Microsoft Forefront\Client Security\Client\SSA\FcsSas.exe
C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
C:\Windows\system32\svchost.exe -k regsvc
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\CCM\CcmExec.exe
C:\Program Files\Intel\WiFi\bin\EvtEng.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\spool\DRIVERS\W32X86\3\HP1006MC.EXE
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\Program Files\DellTPad\Apoint.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\IDT\WDM\sttray.exe
C:\Program Files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe
C:\Program Files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
C:\Program Files\Intel\Intel® Management Engine Components\IMSS\PIconStartup.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\DellTPad\Apoint .exe
C:\Program Files\IDT\WDM\sttray .exe
C:\Program Files\Common Files\Java\Java Update\jusched .exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor .exe
C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon .exe
C:\Program Files\iTunes\iTunesHelper .exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Windows\system32\conhost.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Intel\Intel® Management Engine Components\LMS\LMS.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Intel\Intel® Management Engine Components\UNS\UNS.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Intel\Intel® Management Engine Components\IMSS\PrivacyIconClient.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.uta.edu/
mSearch Bar = hxxp://www.google.com
uInternet Settings,ProxyOverride = *.local;<local>
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Yontoo Layers: {fd72061e-9fde-484d-a58a-0bab4151cad8} - c:\program files\yontoo layers runtime\YontooIEClient.dll
mRun: [Microsoft Forefront Client Security Antimalware Service] "c:\program files\microsoft forefront\client security\client\antimalware\MSASCui.exe" -hide
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [Apoint] c:\program files\delltpad\Apoint.exe
mRun: [SysTrayApp] c:\program files\idt\wdm\sttray.exe
mRun: [IMSS] "c:\program files\intel\intel® management engine components\imss\PIconStartup.exe"
mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /installquiet
mRun: [NVHotkey] rundll32.exe c:\windows\system32\nvHotkey.dll,Start
mRun: [AdobeAAMUpdater-1.0] "c:\program files\common files\adobe\oobe\pdapp\uwa\UpdaterStartupUtility.exe"
mRun: [AdobeCS5ServiceManager] "c:\program files\common files\adobe\cs5servicemanager\CS5ServiceManager.exe" -launchedbylogin
mRun: [SwitchBoard] c:\program files\common files\adobe\switchboard\SwitchBoard.exe
mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [VirtualCloneDrive] "c:\program files\elaborate bytes\virtualclonedrive\VCDDaemon.exe" /s
mRun: [hpbdfawep] c:\program files\hp\dfawep\bin\hpbdfawep.exe 1
mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam .exe" /runcleanupscript
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
dRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
dRun: [29QhegyX3DVVhzzb] c:\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\oulwsvm.exe
dRun: [8DDYX0ZBPZ] c:\windows\temp\Zzv.exe
dRun: [XMZH42I4GI] c:\windows\temp\Zzw.exe
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: HideFastUserSwitching = 1 (0x1)
dPolicies-explorer: HideSCAHealth = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
Trusted Zone: uta.edu
Trusted Zone: uta.edu\csprd
Trusted Zone: uta.edu\webct
Trusted Zone: uta.edu\www
Trusted Zone: uta.edu\www
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.5.7.logging.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
TCP: DhcpNameServer = 192.168.1.254
TCP: Interfaces\{01164F78-70F1-4C3F-A034-C6D07CADE58C} : DhcpNameServer = 192.168.1.254
TCP: Interfaces\{01164F78-70F1-4C3F-A034-C6D07CADE58C}\55451477962756C6563737023556475707 : DhcpNameServer = 129.107.62.80 129.107.31.80 129.107.45.80
TCP: Interfaces\{59899695-2703-4859-AD72-D620297215A2} : DhcpNameServer = 129.107.31.80 129.107.62.80 129.107.45.80
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: igfxcui - igfxdev.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\stu96art.mavx101228\appdata\roaming\mozilla\firefox\profiles\ge3j6xqd.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://www.queryscan.com/?tmp=nemo_results_removelink&prt=QryscanNN&keywords=
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\3.0.40818.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\users\stu96art.mavx101228\appdata\roaming\mozilla\firefox\profiles\ge3j6xqd.default\extensions\logmeinclient@logmein.com\plugins\npRACtrl.dll
.
============= SERVICES / DRIVERS ===============
.
R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-13 48128]
R2 AESTFilters;Andrea ST Filters Service;c:\program files\idt\wdm\AEstSrv.exe [2010-9-30 81920]
R2 FCSAM;Microsoft Forefront Client Security Antimalware Service;c:\program files\microsoft forefront\client security\client\antimalware\MsMpEng.exe [2009-6-3 16880]
R2 FcsSas;Microsoft Forefront Client Security State Assessment Service;c:\program files\microsoft forefront\client security\client\ssa\FcsSas.exe [2007-4-6 73120]
R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\logmein\x86\LMIGuardianSvc.exe [2010-9-27 374152]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2010-5-31 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2010-10-7 47640]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-7-26 366640]
R2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files\nvidia corporation\nvidia updatus\daemonu.exe [2010-9-30 1612392]
R2 risdpcie;risdpcie;c:\windows\system32\drivers\risdpe86.sys [2010-9-30 59904]
R2 UNS;Intel® Management & Security Application User Notification Service;c:\program files\intel\intel® management engine components\uns\UNS.exe [2010-9-30 2533400]
R2 vpnagent;Cisco AnyConnect VPN Agent;c:\program files\cisco\cisco anyconnect vpn client\vpnagent.exe [2010-8-16 592120]
R3 e1kexpress;Intel® PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\drivers\e1k6232.sys [2010-9-30 224424]
R3 Impcd;Impcd;c:\windows\system32\drivers\Impcd.sys [2010-9-30 125696]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-7-4 22712]
R3 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-8-26 69616]
R3 NETwNs32;___ Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 32 Bit;c:\windows\system32\drivers\NETwNs32.sys [2010-7-14 6814720]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2010-9-30 68200]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 StorSvc;Storage Service;c:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]
S3 SwitchBoard;Adobe SwitchBoard;c:\program files\common files\adobe\switchboard\SwitchBoard.exe [2010-2-19 38916]
.
=============== File Associations ===============
.
exefile="c:\windows\system32\config\systemprofile\appdata\local\lcn.exe" -a "%1" %*
.
=============== Created Last 30 ================
.
2011-08-02 08:34:33 112640 ----a-w- c:\programdata\0S82TW1a.exe
2011-07-30 02:31:01 -------- d-----w- c:\program files\Yontoo Layers Runtime
2011-07-30 02:31:00 -------- d-----w- c:\programdata\Tarma Installer
2011-07-30 01:35:41 -------- d-----w- c:\users\stu96art.mavx101228\appdata\roaming\CattaleGames
2011-07-30 01:31:14 -------- d-----w- c:\program files\Lara Gates - The Lost Talisman
2011-07-30 01:22:22 -------- d-----w- c:\users\stu96art.mavx101228\appdata\roaming\Skunk Studios
2011-07-30 01:20:03 -------- d-----w- C:\Games
2011-07-28 04:11:18 476904 ----a-w- c:\program files\mozilla firefox\plugins\npdeployJava1.dll
2011-07-28 04:11:18 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-07-28 03:25:33 87552 ----a-w- c:\windows\system32\wudriver.dll
2011-07-28 03:25:31 33792 ----a-w- c:\windows\system32\wuapp.exe
2011-07-28 03:25:31 171608 ----a-w- c:\windows\system32\wuwebv.dll
2011-07-28 03:24:48 2421760 ----a-w- c:\windows\system32\wucltux.dll
2011-07-28 03:24:19 -------- d-----w- C:\12bbd23d1806346b0e99da
2011-07-26 14:29:05 -------- d-----w- C:\d204016efdc54b4e61c94e
2011-07-26 05:42:08 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-07-26 01:19:32 388096 ----a-r- c:\users\stu96art.mavx101228\appdata\roaming\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2011-07-26 01:19:31 -------- d-----w- c:\program files\Trend Micro
2011-07-25 23:50:20 -------- d-----w- c:\programdata\jL10513EmBnP10513
2011-07-25 23:41:45 64000 --sha-r- c:\windows\system32\mlang8.dll
2011-07-25 04:41:30 -------- d-----w- c:\programdata\QueryScan
2011-07-25 04:41:30 -------- d-----w- c:\program files\QueryScan
2011-07-25 04:40:38 -------- d-----w- c:\program files\MPAccess
2011-07-25 01:19:01 -------- d-----w- c:\program files\Malwarebytes
2011-07-25 00:59:45 -------- d-----w- C:\40c2789f180ef6c371
2011-07-25 00:34:29 -------- d-----w- c:\users\stu96art.mavx101228\appdata\roaming\PC Tools
2011-07-25 00:34:29 -------- d-----w- c:\programdata\PC Tools
2011-07-25 00:34:29 -------- d-----w- c:\program files\Spyware Doctor
2011-07-25 00:34:29 -------- d-----w- c:\program files\common files\PC Tools
2011-07-21 15:13:03 -------- d-----w- c:\program files\Microsoft Visual Studio .NET
2011-07-19 03:05:40 -------- d-----w- C:\061594e5e2f7e5ce551f51da50a257
2011-07-14 01:02:59 -------- d-----w- c:\program files\EAABot
2011-07-13 04:39:05 -------- d-----w- c:\program files\CityVilleBot
2011-07-07 16:55:34 -------- d-----w- c:\users\stu96art.mavx101228\appdata\roaming\TeamViewer
.
==================== Find3M ====================
.
2011-07-17 03:49:36 83360 ----a-w- c:\windows\system32\LMIRfsClientNP.dll.000.bak
2011-07-17 03:49:36 83360 ----a-w- c:\windows\system32\LMIRfsClientNP.dll
2011-07-17 03:49:36 53632 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\LMIproc.dll
2011-07-17 03:49:36 29568 ----a-w- c:\windows\system32\LMIport.dll
2011-07-17 03:49:35 87424 ----a-w- c:\windows\system32\LMIinit.dll
2011-07-08 12:55:36 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-08 12:55:36 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
.
============= FINISH: 21:57:44.79 ===============


### GMER log (ark.txt) ###

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-08-03 22:43:05
Windows 6.1.7600 Harddisk0\DR0 -> \Device\Ide\iaStor0 WDC_WD25 rev.01.0
Running: gmer.exe; Driver: C:\Users\STU96A~1.MAV\AppData\Local\Temp\kfwdapow.sys


---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwSaveKeyEx + 13AD 83852599 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 83876F52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
? C:\Users\STU96A~1.MAV\AppData\Local\Temp\mbr.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Windows\system32\svchost.exe[1120] ntdll.dll!NtProtectVirtualMemory 77D55380 5 Bytes JMP 0032000A
.text C:\Windows\system32\svchost.exe[1120] ntdll.dll!NtWriteVirtualMemory 77D55F00 5 Bytes JMP 0033000A
.text C:\Windows\system32\svchost.exe[1120] ntdll.dll!KiUserExceptionDispatcher 77D56448 5 Bytes JMP 002D000A
.text C:\Windows\system32\svchost.exe[1120] ole32.dll!CoCreateInstance 768257FC 5 Bytes JMP 0117000A
.text C:\Windows\system32\svchost.exe[1120] USER32.dll!GetCursorPos 761BC198 5 Bytes JMP 011D000A
.text C:\Windows\system32\svchost.exe[1120] USER32.dll!GetForegroundWindow 761C565D 5 Bytes JMP 011F000A
.text C:\Windows\system32\svchost.exe[1120] USER32.dll!WindowFromPoint 761E6D0C 5 Bytes JMP 011E000A
.text C:\Windows\Explorer.EXE[1468] ntdll.dll!NtProtectVirtualMemory 77D55380 5 Bytes JMP 0019000A
.text C:\Windows\Explorer.EXE[1468] ntdll.dll!NtWriteVirtualMemory 77D55F00 5 Bytes JMP 001E000A
.text C:\Windows\Explorer.EXE[1468] ntdll.dll!KiUserExceptionDispatcher 77D56448 5 Bytes JMP 0018000A
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[1848] USER32.dll!SetWindowLongA 761BB1E3 5 Bytes JMP 60E7EDA6 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[1848] USER32.dll!SetWindowLongW 761C6614 5 Bytes JMP 60E7ED38 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[1848] USER32.dll!GetWindowInfo 761C6A82 5 Bytes JMP 60C95451 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[1848] USER32.dll!TrackPopupMenu 761E4B3B 5 Bytes JMP 60C95A99 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[2872] ntdll.dll!NtProtectVirtualMemory 77D55380 5 Bytes JMP 01C8000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[2872] ntdll.dll!NtWriteVirtualMemory 77D55F00 5 Bytes JMP 01C9000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[2872] ntdll.dll!KiUserExceptionDispatcher 77D56448 5 Bytes JMP 01B3000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[2872] USER32.dll!DrawTextExW 761C7BDD 5 Bytes JMP 0091D579
.text C:\Program Files\Mozilla Firefox\firefox.exe[2872] USER32.dll!DrawTextW 761C8220 5 Bytes JMP 0091D3B7
.text C:\Program Files\Mozilla Firefox\firefox.exe[2872] USER32.dll!SetClipboardData 761D4979 5 Bytes JMP 0091D02D
.text C:\Program Files\Mozilla Firefox\firefox.exe[2872] USER32.dll!DrawTextA 761DA482 5 Bytes JMP 0091D2DC
.text C:\Program Files\Mozilla Firefox\firefox.exe[2872] USER32.dll!DrawTextExA 761DA4B9 5 Bytes JMP 0091D492
.text C:\Program Files\Mozilla Firefox\firefox.exe[2872] USER32.dll!DialogBoxParamW 761E564A 5 Bytes JMP 0091C46C
.text C:\Program Files\Mozilla Firefox\firefox.exe[2872] GDI32.dll!ExtTextOutW 777E8053 5 Bytes JMP 0091D744
.text C:\Program Files\Mozilla Firefox\firefox.exe[2872] GDI32.dll!GetGlyphIndicesW 777EB521 5 Bytes JMP 0091DBD1
.text C:\Program Files\Mozilla Firefox\firefox.exe[2872] GDI32.dll!ExtTextOutA 777F0158 5 Bytes JMP 0091D660
.text C:\Program Files\Mozilla Firefox\firefox.exe[2872] GDI32.dll!TextOutA 777F0878 5 Bytes JMP 0091D144
.text C:\Program Files\Mozilla Firefox\firefox.exe[2872] GDI32.dll!TextOutW 778014B9 5 Bytes JMP 0091D210
.text C:\Program Files\Mozilla Firefox\firefox.exe[2872] GDI32.dll!GetGlyphIndicesA 7780BC42 5 Bytes JMP 0091DB04

---- Devices - GMER 1.0.15 ----

Device \Driver\ACPI_HAL \Device\00000054 halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet@5 6848

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 TDL4@MBR code has been found <-- ROOTKIT !!!
Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior

---- Files - GMER 1.0.15 ----

File C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\377719X1\page-1__limit-50__engine-meta__type-web__query-camps+in+the+summer[1].htm 1248 bytes
File C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GK6I8ITQ\checkBrowser[2].htm 2232 bytes
File C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GK6I8ITQ\like[1].htm 4549 bytes
File C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GM7VFL74\Best-Credit-Cards[1].gif 1105 bytes
File C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GM7VFL74\4_300x200[1].png 2353 bytes
File C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GP2ZR86E\companion[1].htm 1833 bytes
File C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GP2ZR86E\sandbox[1].htm 0 bytes
File C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GP2ZR86E\4_sony142[1].png 2167 bytes
File C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JU7ZLGDC\iframe[1].htm 74 bytes
File C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KODRXT3F\preloading[1].gif 0 bytes
File C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KODRXT3F\like[1].htm 7348 bytes
File C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KODRXT3F\FreedomVISA[1].jpg 0 bytes
File C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KODRXT3F\redirect[1].htm 0 bytes
File C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KODRXT3F\iframe[1].htm 0 bytes
File C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KODRXT3F\iframe[1].js 0 bytes
File C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KODRXT3F\channels[1].htm 146707 bytes
File C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KODRXT3F\chateaugay_com[1].htm 0 bytes
File C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KODRXT3F\checkBrowser[1].htm 0 bytes
File C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KODRXT3F\ad[1].htm 0 bytes
File C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KODRXT3F\VentureOnecardimg[1].jpg 0 bytes
File C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KODRXT3F\facebook[1].png 0 bytes
File C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TPWU7FTD\iframe[1].js 0 bytes
File C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TPWU7FTD\ping[1].htm 158 bytes
File C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TPWU7FTD\adholder[1].htm 401 bytes
File C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\YTL0UH0V\champ_banner2[1].jpg 0 bytes
File C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\YTL0UH0V\checkBrowser[1].htm 0 bytes
File C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\YTL0UH0V\interstitial[1].js 0 bytes
File C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\YTL0UH0V\jquery.min[1].js 0 bytes
File C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\YTL0UH0V\jquery[1].js 0 bytes
File C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\YW48A3Y4\iframe[2].js 43 bytes
File C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\YZBVNRMZ\nav_facilities-over[1].gif 0 bytes
File C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\YZBVNRMZ\checkBrowser[1].htm 2842 bytes
File C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\YZBVNRMZ\pnav_indoor[1].jpg 4866 bytes
File C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\YZBVNRMZ\logo[1].gif 0 bytes
File C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\YZBVNRMZ\xd_receiver[1].htm 0 bytes
File C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\YZBVNRMZ\img_3reasons[1].jpg 0 bytes
File C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\YZBVNRMZ\iframe[1].htm 0 bytes
File C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\YZBVNRMZ\iframe[2].htm 74 bytes

---- EOF - GMER 1.0.15 ----


Please let me know if there is anything I can do. Thanks in advance for any help you can give.
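An added triage script (editor's example, not from the original post and not the DDS or GMER tools' own code) that pulls out of a DDS+GMER dump the entry types a malware-removal helper would look at first in the logs above: autoruns pointing into temp or the SYSTEM profile, the hijacked .exe file association, the Firefox keyword.URL override, the GMER MBR hit, and names with a space before ".exe" that duplicate a legitimate process. The drop-zone list, the look-alike rule and the category names are the editor's heuristics, and the sample is a constructed excerpt of the logs above.

```python
"""Triage helper for a DDS + GMER text dump (added example, not DDS/GMER code).

The heuristics below are the editor's assumptions about what is worth pulling
out of such a dump, not part of either tool's output format.
"""
import re
from collections import Counter
from typing import Dict, List, Tuple

Finding = Tuple[str, str]  # (category, offending log line)

# DDS "Pseudo HJT Report" autorun lines: uRun (user hive), mRun (machine
# hive), dRun (Default User hive, which also applies to the SYSTEM profile).
RUN_RE = re.compile(r"^(?P<hive>[umd])Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# Directories a legitimate startup entry almost never points into (heuristic).
DROP_ZONES = ("\\windows\\temp\\", "\\config\\systemprofile\\", "\\appdata\\local\\temp\\")
# The stock exefile association is just "%1" %*; a program placed in front of
# it is run on every .exe launch, so anything else is a hijack.
CLEAN_EXEFILE = re.compile(r'^exefile="%1" %\*$')
# GMER disk-sector findings ("TDL4@MBR code has been found", "rootkit-like").
GMER_DISK_RE = re.compile(r"^Disk .*(MBR|rootkit)", re.IGNORECASE)
# "Apoint .exe" next to "Apoint.exe": a look-alike name, worth checking the
# file on disk (heuristic, not proof of infection by itself).
LOOKALIKE_RE = re.compile(r"\S \.exe\b", re.IGNORECASE)


def first_path(cmd: str) -> str:
    """Executable path from a Run-key command line, quoted or not, lower-cased."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0].lower()
    return cmd.split(" ", 1)[0].lower()


def triage(log: str) -> List[Finding]:
    """Walk the dump line by line and collect (category, line) findings."""
    findings: List[Finding] = []
    for raw in log.splitlines():
        line = raw.strip()
        if LOOKALIKE_RE.search(line):
            findings.append(("lookalike_space_before_exe", line))
        run = RUN_RE.match(line)
        if run:
            if any(zone in first_path(run.group("cmd")) for zone in DROP_ZONES):
                findings.append(("autorun_in_dropzone", line))
        elif line.startswith("exefile=") and not CLEAN_EXEFILE.match(line):
            findings.append(("exefile_hijack", line))
        elif line.startswith("FF - prefs.js: keyword.URL"):
            findings.append(("browser_search_override", line))
        elif GMER_DISK_RE.match(line):
            findings.append(("gmer_disk_rootkit", line))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per category."""
    return dict(Counter(category for category, _ in findings))


# Constructed excerpt modelled on the DDS and GMER logs posted above.
SAMPLE_LOG = r"""
============== Running Processes ===============
C:\Program Files\DellTPad\Apoint.exe
C:\Program Files\DellTPad\Apoint .exe
============== Pseudo HJT Report ===============
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam .exe" /runcleanupscript
dRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
dRun: [29QhegyX3DVVhzzb] c:\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\oulwsvm.exe
dRun: [8DDYX0ZBPZ] c:\windows\temp\Zzv.exe
FF - prefs.js: keyword.URL - hxxp://www.queryscan.com/?tmp=nemo_results_removelink&prt=QryscanNN&keywords=
=============== File Associations ===============
exefile="c:\windows\system32\config\systemprofile\appdata\local\lcn.exe" -a "%1" %*
Disk \Device\Harddisk0\DR0 TDL4@MBR code has been found <-- ROOTKIT !!!
"""

if __name__ == "__main__":
    for category, line in triage(SAMPLE_LOG):
        print(f"{category:28} {line}")
    print(summarize(triage(SAMPLE_LOG)))
```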


#2 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,308 posts
  • Gender:Female
  • Location:Romania

Posted 10 August 2011 - 04:27 AM

Hello, and welcome to the Bleeping Computer Malware Removal Forum. My name is Elise and I'll be glad to help you with your computer problems.


I will be working on your malware issues, this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make are for fixing your computer problems only and by no means should be used on another computer.
  • The cleaning process is not instant. Logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.
  • Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic.
  • The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.
You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.
-----------------------------------------------------------

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.
If you have already posted a log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

-------------------------------------------------------------
In the meantime please do NOT install any new programs or update anything unless told to do so while we are fixing your problem.

If you still need help, please include the following in your next reply
  • A detailed description of your problems
  • A new DDS log (don't forget attach.txt)

Thanks and again sorry for the delay.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

Malware analyst @ Emsisoft


#3 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,308 posts
  • Gender:Female
  • Location:Romania

Posted 24 November 2012 - 05:41 AM

Due to the lack of feedback, this topic is now closed. In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.

regards, Elise






