Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


not sure what's infecting my computer

  • This topic is locked This topic is locked
3 replies to this topic

#1 andreeafd


  • Members
  • 4 posts
  • Local time:05:11 PM

Posted 12 September 2011 - 06:34 PM

I have gone through the preparation guide recommended on the "Am I infected?" forum. Since I don't know whether I have a problem with my computer and if I do, what the nature of the problem is, I'm going to paste here my initial message on that forum, along with the DDS and GMER logs (GMER is running right now).

My initial message:
I have had a computer for a while, but have only recently started using it on the internet. I have been using Norton Antivirus since going online, to ensure protection. Everything seemed to be fine. About a month ago, I opened some email forward from my mother, which contained a web link, which I stupidly clicked on. The page stated that I would be redirected, but because of some of the text, I felt it would not be safe to keep it open, so closed the page. I then realized I had received several other messages from my mother and a friend, with nothing in the body of the message but various links, so I figured it's a virus. Ever since opening that message, Norton keeps blocking frequent intrusion attacks on my computer, as evidenced here: https://picasaweb.google.com/andreea1369/September122011 Attached File  norton_log_sample.jpg   76.58KB   3 downloads. Here's a sample of a more detailed description that Norton provides on each attack: https://picasaweb.google.com/andreea1369/September12201102 Attached File  norton_log_details.jpg   70.83KB   3 downloads.

I have run a full scan through Norton and have downloaded and ran a full scan through Malwarebytes. Both scans show no infections. Since svchost.exe is a process mentioned in Norton (I know it's a normal process), I looked up the attack online and found out that I should locate the process (did so through task manager) and see if it's in an unusual folder. I find it unusual that svchost.exe is listed several times, as in this image: https://picasaweb.google.com/andreea1369/September12201103 Attached File  processes.jpg   79.95KB   3 downloads. Is that normal? I checked the properties on each occurrence and the last one is located at C:\Windows\SysWOW64, while the others are located at C:\Windows\System32. I realize that WOW64 is a normal folder if I'm running 64-bit Windows (sorry, cannot figure out if that's the case).

I have also read that sometimes the ISP can be doing something to grant this intrusion message from Norton, but I doubt my ISP has been doing this on a regular, daily basis since a few weeks ago.

Finally, I have downloaded Hijack This and it first alerted me that it didn't have access to write in my Hosts folder (is this normal? seems that it may be a built-in Windows security feature) and then I received a log of some 30-40 problems that I don't know whether to fix or analyze, after ignoring the warning and going on with the scan.

Is my computer infected? Should I be posting in the forums where I can submit logs for analysis? Thank you in advance.

In addition to my initial message, other notifications from Norton that have only shown up today and have made me suspicious are:

My DDS log (the Attach.txt document is attached rather than pasted, per instructionsAttached File  Attach.txt   7.05KB   0 downloads):

DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 8.0.7600.16385
Run by Mike at 1:47:22 on 2011-09-13
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.3895.1871 [GMT 3:00]
AV: Norton AntiVirus *Enabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Norton AntiVirus *Enabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
============== Running Processes ===============
C:\windows\system32\svchost.exe -k DcomLaunch
C:\windows\system32\svchost.exe -k RPCSS
C:\windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\windows\system32\svchost.exe -k netsvcs
C:\windows\system32\svchost.exe -k LocalService
C:\windows\system32\svchost.exe -k NetworkService
C:\windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\windows\SysWOW64\svchost.exe -k Akamai
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files (x86)\Bonjour\mDNSResponder.exe
C:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
C:\Program Files (x86)\Norton AntiVirus\Engine\\ccSvcHst.exe
C:\windows\system32\svchost.exe -k imgsvc
C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
C:\Program Files (x86)\Join Air\AssistantServices.exe
C:\Program Files (x86)\Norton AntiVirus\Engine\\ccSvcHst.exe
C:\Program Files\CONEXANT\cAudioFilterAgent\cAudioFilterAgent64.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe
C:\Program Files\TOSHIBA\SmoothView\SmoothView.exe
C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe
C:\Program Files\TOSHIBA\BulletinBoard\TosNcCore.exe
C:\Program Files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe
C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files (x86)\Join Air\UIExec.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files (x86)\Join Air\UIMain.exe
C:\Program Files (x86)\Join Air\CMUpdater.exe
C:\windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe
C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSENotify.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
============== Pseudo HJT Report ===============
uStart Page = hxxp://www.google.com/ig?hl=en
uDefault_Page_URL = hxxp://www.google.com/ig?brand=TSND&bmod=TSND
mDefault_Page_URL = hxxp://www.google.com/ig/redirectdomain?brand=TSND&bmod=TSND
mStart Page = hxxp://www.google.com/ig/redirectdomain?brand=TSND&bmod=TSND
mWinlogon: Userinit=userinit.exe
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - C:\Program Files (x86)\Norton AntiVirus\Engine\\IPS\IPSBHO.DLL
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.7.6406.1642\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
BHO: TOSHIBA Media Controller Plug-in: {f3c88694-effa-4d78-b409-54b7b2535b14} - C:\Program Files (x86)\TOSHIBA\TOSHIBA Media Controller Plug-in\TOSHIBAMediaControllerIE.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
uRun: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
mRun: [TWebCamera] "C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe" autorun
mRun: [ToshibaServiceStation] "C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe" /hide:60
mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun: [AdobeCS5ServiceManager] "C:\Program Files (x86)\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" -launchedbylogin
mRun: [SwitchBoard] C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
mRun: [UIExec] "C:\Program Files (x86)\Join Air\UIExec.exe"
mRun: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe"
mRun: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
mRunOnce: [Malwarebytes' Anti-Malware] C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Add to Google Photos Screensa&ver - C:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~4\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - C:\Program Files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\PROGRA~2\MICROS~4\Office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~4\Office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
TCP: Interfaces\{0C309225-B3AA-416D-9F92-EACBB034C022} : NameServer =
TCP: Interfaces\{4B78202E-9D63-4CAB-AEEF-97B8C6802A95} : DhcpNameServer =
TCP: Interfaces\{70DB6CA8-D6E3-4ED7-A07A-81A5476A6641} : DhcpNameServer =
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveSystemServices.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO-X64: Symantec Intrusion Prevention: {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files (x86)\Norton AntiVirus\Engine\\IPS\IPSBHO.DLL
BHO-X64: Symantec Intrusion Prevention - No File
BHO-X64: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
BHO-X64: Windows Live Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO-X64: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
BHO-X64: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.7.6406.1642\swg.dll
BHO-X64: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
BHO-X64: TOSHIBA Media Controller Plug-in: {F3C88694-EFFA-4d78-B409-54B7B2535B14} - C:\Program Files (x86)\TOSHIBA\TOSHIBA Media Controller Plug-in\TOSHIBAMediaControllerIE.dll
TB-X64: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
TB-X64: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
mRun-x64: [TWebCamera] "C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe" autorun
mRun-x64: [ToshibaServiceStation] "C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe" /hide:60
mRun-x64: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun-x64: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun-x64: [AdobeCS5ServiceManager] "C:\Program Files (x86)\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" -launchedbylogin
mRun-x64: [SwitchBoard] C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
mRun-x64: [UIExec] "C:\Program Files (x86)\Join Air\UIExec.exe"
mRun-x64: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe"
mRun-x64: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
mRunOnce-x64: [Malwarebytes' Anti-Malware] C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
SEH-X64: Groove GFS Stub Execution Hook: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
================= FIREFOX ===================
FF - ProfilePath - C:\Users\Mike\AppData\Roaming\Mozilla\Firefox\Profiles\fyl2ct67.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ncr
FF - plugin: C:\Program Files (x86)\Google\Picasa3\npPicasa3.dll
FF - plugin: C:\Program Files (x86)\Google\Update\\npGoogleUpdate3.dll
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\4.0.60531.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: C:\windows\SysWOW64\Macromed\Flash\NPSWF32.dll
============= SERVICES / DRIVERS ===============
R0 SymDS;Symantec Data Store;C:\windows\system32\drivers\NAVx64\1206000.01D\SYMDS64.SYS --> C:\windows\system32\drivers\NAVx64\1206000.01D\SYMDS64.SYS [?]
R0 SymEFA;Symantec Extended File Attributes;C:\windows\system32\drivers\NAVx64\1206000.01D\SYMEFA64.SYS --> C:\windows\system32\drivers\NAVx64\1206000.01D\SYMEFA64.SYS [?]
R1 BHDrvx64;BHDrvx64;C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_18.6.0.29\Definitions\BASHDefs\20110901.001\BHDrvx64.sys [2011-9-2 1151096]
R1 IDSVia64;IDSVia64;C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_18.6.0.29\Definitions\IPSDefs\20110909.030\IDSviA64.sys [2011-9-12 488568]
R1 SymIRON;Symantec Iron Driver;C:\windows\system32\drivers\NAVx64\1206000.01D\Ironx64.SYS --> C:\windows\system32\drivers\NAVx64\1206000.01D\Ironx64.SYS [?]
R1 SymNetS;Symantec Network Security WFP Driver;C:\windows\system32\drivers\NAVx64\1206000.01D\SYMNETS.SYS --> C:\windows\system32\drivers\NAVx64\1206000.01D\SYMNETS.SYS [?]
R1 vwififlt;Virtual WiFi Filter Driver;C:\windows\system32\DRIVERS\vwififlt.sys --> C:\windows\system32\DRIVERS\vwififlt.sys [?]
R2 Akamai;Akamai NetSession Interface;C:\windows\System32\svchost.exe -k Akamai [2009-7-14 20992]
R2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2011-9-12 366640]
R2 NAV;Norton AntiVirus;C:\Program Files (x86)\Norton AntiVirus\Engine\\ccSvcHst.exe [2011-8-2 130008]
R2 UI Assistant Service;UI Assistant Service;C:\Program Files (x86)\Join Air\AssistantServices.exe [2011-8-21 261456]
R2 UNS;Intel® Management & Security Application User Notification Service;C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2010-10-19 2320920]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2011-8-2 136824]
R3 FwLnk;FwLnk Driver;C:\windows\system32\DRIVERS\FwLnk.sys --> C:\windows\system32\DRIVERS\FwLnk.sys [?]
R3 HECIx64;Intel® Management Engine Interface;C:\windows\system32\DRIVERS\HECIx64.sys --> C:\windows\system32\DRIVERS\HECIx64.sys [?]
R3 Impcd;Impcd;C:\windows\system32\DRIVERS\Impcd.sys --> C:\windows\system32\DRIVERS\Impcd.sys [?]
R3 L1C;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;C:\windows\system32\DRIVERS\L1C62x64.sys --> C:\windows\system32\DRIVERS\L1C62x64.sys [?]
R3 MBAMProtector;MBAMProtector;\??\C:\windows\system32\drivers\mbam.sys --> C:\windows\system32\drivers\mbam.sys [?]
R3 PGEffect;Pangu effect driver;C:\windows\system32\DRIVERS\pgeffect.sys --> C:\windows\system32\DRIVERS\pgeffect.sys [?]
R3 TMachInfo;TMachInfo;C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe [2010-10-19 51512]
R3 TOSHIBA HDD SSD Alert Service;TOSHIBA HDD SSD Alert Service;C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe [2010-2-6 137560]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 gupdate;Google Update Service (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2010-7-19 136176]
S3 bcm;ZTE WiMAX BCM1000;C:\windows\system32\DRIVERS\drxvi314.sys --> C:\windows\system32\DRIVERS\drxvi314.sys [?]
S3 bcmbusctr;ZTE Devices' Enumerator;C:\windows\system32\DRIVERS\BcmBusCtr.sys --> C:\windows\system32\DRIVERS\BcmBusCtr.sys [?]
S3 gupdatem;Google Update Service (gupdatem);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2010-7-19 136176]
S3 hwusbfake;Huawei DataCard USB Fake;C:\windows\system32\DRIVERS\ewusbfake.sys --> C:\windows\system32\DRIVERS\ewusbfake.sys [?]
S3 massfilter;ZTE Mass Storage Filter Driver;C:\windows\system32\drivers\massfilter.sys --> C:\windows\system32\drivers\massfilter.sys [?]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;C:\windows\system32\Drivers\RtsUStor.sys --> C:\windows\system32\Drivers\RtsUStor.sys [?]
S3 SwitchBoard;SwitchBoard;C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-2-19 517096]
S3 USBAAPL64;Apple Mobile USB Driver;C:\windows\system32\Drivers\usbaapl64.sys --> C:\windows\system32\Drivers\usbaapl64.sys [?]
S3 usbws320;ZTE USB WiMAX NIC Switch Driver;C:\windows\system32\DRIVERS\usbws320.sys --> C:\windows\system32\DRIVERS\usbws320.sys [?]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\windows\system32\Wat\WatAdminSvc.exe --> C:\windows\system32\Wat\WatAdminSvc.exe [?]
=============== Created Last 30 ================
2011-09-12 15:52:27 -------- d-----w- C:\windows\pss
2011-09-12 15:51:29 388096 ----a-r- C:\Users\Mike\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-09-12 15:51:29 -------- d-----w- C:\Program Files (x86)\Trend Micro
2011-09-12 14:49:34 -------- d-----w- C:\Users\Mike\AppData\Roaming\Malwarebytes
2011-09-12 14:49:24 41272 ----a-w- C:\windows\SysWow64\drivers\mbamswissarmy.sys
2011-09-12 14:49:23 -------- d-----w- C:\ProgramData\Malwarebytes
2011-09-12 14:49:19 25912 ----a-w- C:\windows\System32\drivers\mbam.sys
2011-09-12 14:49:19 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2011-08-24 17:37:26 2048 ----a-w- C:\windows\SysWow64\tzres.dll
2011-08-24 17:37:26 2048 ----a-w- C:\windows\System32\tzres.dll
2011-08-21 19:19:34 135168 ----a-w- C:\windows\System32\drivers\ZTEusbnet.sys
2011-08-21 19:19:34 119680 ----a-w- C:\windows\System32\drivers\ZTEusbser6k.sys
2011-08-21 19:19:34 119680 ----a-w- C:\windows\System32\drivers\ZTEusbnmea.sys
2011-08-21 19:19:34 119680 ----a-w- C:\windows\System32\drivers\ZTEusbmdm6k.sys
2011-08-21 19:19:34 11776 ----a-w- C:\windows\System32\drivers\massfilter.sys
2011-08-21 19:19:23 -------- d-----w- C:\windows\SysWow64\SupportAppCB
2011-08-21 19:19:18 -------- d-----w- C:\Program Files (x86)\Join Air
==================== Find3M ====================
2011-08-02 12:33:17 174200 ----a-w- C:\windows\System32\drivers\SYMEVENT64x86.SYS
2011-07-22 05:35:08 1638912 ----a-w- C:\windows\System32\mshtml.tlb
2011-07-22 04:56:17 1638912 ----a-w- C:\windows\SysWow64\mshtml.tlb
2011-07-16 05:26:54 362496 ----a-w- C:\windows\System32\wow64win.dll
2011-07-16 05:26:53 243200 ----a-w- C:\windows\System32\wow64.dll
2011-07-16 05:26:53 13312 ----a-w- C:\windows\System32\wow64cpu.dll
2011-07-16 05:26:18 214528 ----a-w- C:\windows\System32\winsrv.dll
2011-07-16 05:24:09 16384 ----a-w- C:\windows\System32\ntvdm64.dll
2011-07-16 05:21:32 422400 ----a-w- C:\windows\System32\KernelBase.dll
2011-07-16 05:17:46 338432 ----a-w- C:\windows\System32\conhost.exe
2011-07-16 04:36:09 14336 ----a-w- C:\windows\SysWow64\ntvdm64.dll
2011-07-16 04:32:14 44032 ----a-w- C:\windows\apppatch\acwow64.dll
2011-07-16 04:31:50 25600 ----a-w- C:\windows\SysWow64\setup16.exe
2011-07-16 04:30:29 5120 ----a-w- C:\windows\SysWow64\wow32.dll
2011-07-16 04:30:27 272384 ----a-w- C:\windows\SysWow64\KernelBase.dll
2011-07-16 02:26:12 7680 ----a-w- C:\windows\SysWow64\instnm.exe
2011-07-16 02:26:11 2048 ----a-w- C:\windows\SysWow64\user.exe
2011-07-16 02:21:47 6144 ---ha-w- C:\windows\SysWow64\api-ms-win-security-base-l1-1-0.dll
2011-07-16 02:21:47 4608 ---ha-w- C:\windows\SysWow64\api-ms-win-core-threadpool-l1-1-0.dll
2011-07-16 02:21:47 3584 ---ha-w- C:\windows\SysWow64\api-ms-win-core-xstate-l1-1-0.dll
2011-07-16 02:21:47 3072 ---ha-w- C:\windows\SysWow64\api-ms-win-core-util-l1-1-0.dll
2011-07-09 02:44:55 287744 ----a-w- C:\windows\System32\drivers\mrxsmb10.sys
2011-07-08 14:45:12 386168 ----a-r- C:\windows\System32\drivers\NAVx64\1206000.01D\symnets.sys
2011-06-23 05:29:39 5507968 ----a-w- C:\windows\System32\ntoskrnl.exe
2011-06-23 04:38:05 3957120 ----a-w- C:\windows\SysWow64\ntkrnlpa.exe
2011-06-23 04:38:04 3902336 ----a-w- C:\windows\SysWow64\ntoskrnl.exe
2011-06-21 06:27:14 1896832 ----a-w- C:\windows\System32\drivers\tcpip.sys
2011-06-21 06:20:48 1197056 ----a-w- C:\windows\System32\wininet.dll
2011-06-21 06:20:06 57856 ----a-w- C:\windows\System32\licmgr10.dll
2011-06-21 05:36:36 981504 ----a-w- C:\windows\SysWow64\wininet.dll
2011-06-21 05:35:05 44544 ----a-w- C:\windows\SysWow64\licmgr10.dll
2011-06-21 05:05:13 482816 ----a-w- C:\windows\System32\html.iec
2011-06-21 04:26:02 386048 ----a-w- C:\windows\SysWow64\html.iec
2011-06-15 09:58:31 212992 ----a-w- C:\windows\System32\odbctrac.dll
2011-06-15 09:58:31 163840 ----a-w- C:\windows\System32\odbccp32.dll
2011-06-15 09:58:31 106496 ----a-w- C:\windows\System32\odbccu32.dll
2011-06-15 09:58:31 106496 ----a-w- C:\windows\System32\odbccr32.dll
2011-06-15 09:04:46 86016 ----a-w- C:\windows\SysWow64\odbccu32.dll
2011-06-15 09:04:46 81920 ----a-w- C:\windows\SysWow64\odbccr32.dll
2011-06-15 09:04:46 319488 ----a-w- C:\windows\SysWow64\odbcjt32.dll
2011-06-15 09:04:46 163840 ----a-w- C:\windows\SysWow64\odbctrac.dll
2011-06-15 09:04:46 122880 ----a-w- C:\windows\SysWow64\odbccp32.dll
============= FINISH: 1:48:28.75 ===============

At the end of the scan, GMER showed a message stating that "GMER detected no system modifications." It did not create a log. I was unable to perform the GMER scan exactly per the instructions in the preparation guide. More than half of the areas to check were disabled in GMER and the tick boxes were not active, so I couldn't enable them. The only areas that GMER was able to scan were Services, Registry, Files, C and ADS--see attached screen shot: Attached File  GMER screen.jpg   45.01KB   2 downloads. Drives other than C were not even listed as options (let alone enabled), which is strange, because the computer has other drives, obviously. I am using a thumb drive to connect to the internet. If malware/a virus is on the thumbdrive, GMER will not have scanned it. I'm not sure that DDS will have either.

Thanks a lot for considering my question. :blush:

BC AdBot (Login to Remove)


#2 andreeafd

  • Topic Starter

  • Members
  • 4 posts
  • Local time:05:11 PM

Posted 12 September 2011 - 06:49 PM

Don't want to submit too much information, but since I have no idea what's going on, I hope sending out another quick bit is better than not. Looking at my Norton history today I noticed that, among the usual blocked intrusion attempts, Norton was showing two messages I had not seen before, both related to "High Disk Write usage." In one case, the High Disk Write usage was by Windows Search Indexer (sounds pretty innocuous). In the second case, the High Disk Write usage was by uimain.exe. Since this sounded strange, I looked it up on Google and found out it was a normal process that should be located in C:\Windows\System32. I performed a search for "uimain.exe" from the start-up button and it shows as located in C:\Program Files (x86)\Join Air. Join Air is the name of my mobile internet application.

Is this strange? Is it possibly related to the intrusion attempts? Or am I just paranoid? :angry:

#3 nasdaq


  • Malware Response Team
  • 38,940 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:10:11 AM

Posted 19 September 2011 - 10:20 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.

Nothing suspicious was found on your DDS log.

Lets check further.

Please download ComboFix from any of the links below, and save it to your desktop. For information regarding this download, please visit this web page: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop


1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Do not install any other programs until this if fixed.

How to : Disable Anti-virus and Firewall...

Double click on ComboFix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt
Do not mouse click ComboFix's window while it's running. That may cause it to stall

Note: If you have difficulty properly disabling your protective programs, refer to this link --> http://www.bleepingcomputer.com/forums/topic114351.html

Third party programs if not up to date can be the cause infiltration of an infection.

Please run this security check for my review.

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Please post the logs for my review.

#4 nasdaq


  • Malware Response Team
  • 38,940 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:10:11 AM

Posted 26 September 2011 - 07:49 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users