Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

S.M.A.R.T. Check Virus - Possible residual infection


  • This topic is locked This topic is locked
8 replies to this topic

#1 ViralVictim

ViralVictim

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:12:38 AM

Posted 06 June 2012 - 01:05 PM

Hello,

I was infected with the SMART Check virus yesterday. Multiple messages started to pop up stating "SYSTEM MESSAGE- WRITE FAULT ERROR" and upon closing the first one a window showing a psuedo-scan using "S.M.A.R.T. Check" appeared. I immediately forced my computer to shut off, pressing and holding the power button. I then restared, foolishly in Normal Mode to the same immediate results and I again forced a shut down before the "scan" could finish, this time restarting in Safe Mode with Networking. At this point I felt safe enough to do a little Google research online; honestly, feeling I really had no choice but to hopefully find out what was happening.

I went on Microsoft Security Essentials' site, figuring I could trust it. Upon reading their posts on this issue I was able to find out that my blank, black screen was do to hidden files and how to unhide them using KuttusRam's posts on this thread, http://answers.microsoft.com/en-us/protect/forum/protect_scanning/smart-check-suddenly-came-up-on-my-computer-with/3ecb4a14-6193-47a2-9ddc-7a15ec4e4486. His posts also helped me restore my Start Menu program folders and my Microsoft Office program files in the Start Menu apparently hidden in a Temp folder. This encouraged me to go further as I felt progress was being made.

Because my ISO provider is Bell Canada and I have used their security services since 2002 and more than a year on this specific computer for my antivirus, antispyware, firewall, wi-fi security and fraud protection I thought I should try to run their antivirus program first. I could not access this program and ended up on their support website chatting with a rep that I allowed to control my desktop to so he could fix this problem. He did fix it and I was able to run the deep scan. This did nothing, as it found nothing. I turned the computer off for the night, hoping in the morning I would not see the same issues, but deep down knowing the virus was still there.

This morning as I started the computer up it opened in Normal Mode before I could establish a Safe Mode boot and the multiple messages came up immediately, again prompting me to force another shut down. And I now knew for sure the virus was still around. In Safe Mode now, I went to your forum and followed your "Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help" post. After registering I thought I should give Bell Canada another try using their rep and he, Adam, seemed to think he knew exactly what to do and again I was asked for control of my desktop, which I relinquished. Upon taking control he went directly to a website called gur.in and downloaded a program called "SuperAntiSpyware" (SAS) to my computer; which btw, also downloaded Chrome. He was not very good at communicating what he was doing or what his intensions were, yet I still allowed this action trusting Bell Canada. He ran a scan using SAS that found 16 Spyware Threats and 1 Registry Threat, then asked my permission to delete the Threats. Of course, I said yes. He seemed pleased with himself and apparently considered his job well done. Here's where things got a little sticky.

Now, I am telling you all this so you will know my hesitations about Bell Canada's rep, Adam's "job well done". I am still having access issues to Start Menu icons usually on the right hand side of the menu. I brought this up to him and he told me that he got rid of my "maximum threats" but I "still have maximum virus" and I must reinstall my OS and reformat my HD. I have attached the chat below so you can follow our interaction about this drastic measure. Please excuse my snarkiness towards the end, as I was beginging to get a little frustrated with Adam's lack of real communication and dismissal of my concerns. Before I went any further I decided to contact your forum.

So, this pretty well explains where I am and how I got here concerning the issues my with one year old PC. I am looking for reassurance that the virus is completely gone and hopfully some direction on how I might be able to proceed to get my old settings back. I noticed I am also missing my Favourites in IE, but curiously not in FireFox. It is quite possible I will find more things amiss as I use the computer, but I am refraining from most, if not all, use until I hear from someone here. The DDS.txt file is copied below and the Attach.txt file is attached, as requested. Thank you for taking your time to help me and all of us out. It definitely does not go unappreciated.

Be Well,

ViralVictim


________________________________________________________________________________________________________________________



.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_31
Run by Suleman at 11:30:52 on 2012-06-06
Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.8191.5608 [GMT -4:00]
.
AV: Bell Internet Security Services Anti-Virus *Enabled/Updated* {A61154FD-4365-E00F-9A33-13A09AD54B56}
SP: Bell Internet Security Services Anti-Spyware *Enabled/Updated* {1D70B519-655F-EF81-A083-28D2E15201EB}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FW: Bell Internet Security Services Firewall *Enabled* {9E2AD5D8-090A-E157-B16C-BA9564060C2D}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Program Files (x86)\Trusteer\Rapport\bin\RapportMgmtService.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files (x86)\Bell\Bell Internet Security Services\Fws.exe
C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\WLANExt.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\taskhost.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files (x86)\Bell\Bell Internet Security Services\AVG\Identity Protection\agent\Bin\AVGIDSAgent.exe
C:\Program Files (x86)\Bell\Bell Internet Security Services\rps.exe
C:\Program Files (x86)\Trusteer\Rapport\bin\RapportService.exe
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files (x86)\Nokia\Nokia Ovi Suite\NokiaOviSuite.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files (x86)\TRENDnet\Common\RaUI.exe
C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
C:\Program Files (x86)\Bell\Internet Service Advisor\BISA.exe
C:\Program Files (x86)\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files (x86)\Roxio\RoxioNow Player\RNowShell.exe
C:\Program Files (x86)\Common Files\Nokia\MPlatform\NokiaMServer.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files (x86)\Roxio\RoxioNow Player\CNRpc.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\ProgramData\FileOpen\Services\FileOpenManagerSvc64.exe
C:\Program Files (x86)\Bell\Bell Internet Security Services\RpsSecurityAwareR.exe
C:\Program Files (x86)\TRENDnet\Common\RaRegistry.exe
C:\Program Files (x86)\TRENDnet\Common\RaRegistry64.exe
C:\Program Files (x86)\Roxio\RoxioNow Player\RNowSvc.exe
C:\Program Files (x86)\Bell\Internet Service Advisor\ServicepointService.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files (x86)\Personal Vault Backup Manager\VaultClientSRV.exe
C:\Program Files (x86)\Personal Vault Backup Manager\VaultClientUpgrade.exe
C:\Windows\sysWOW64\wbem\wmiprvse.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files (x86)\Bell\Internet Service Advisor\BISAComHandler.exe
C:\Program Files (x86)\PC Connectivity Solution\ServiceLayer.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Logitech\SetPoint\x86\SetPoint32.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files (x86)\Bell\Bell Internet Security Services\AVG\Identity Protection\agent\Bin\AVGIDSMonitor.exe
C:\Windows\system32\conhost.exe
C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\svchost.exe -k SDRSVC
C:\Windows\System32\svchost.exe -k bdx
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\Macromed\Flash\FlashUtil64_11_2_202_235_ActiveX.exe
C:\Program Files (x86)\PC Connectivity Solution\Transports\NclUSBSrv64.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\DllHost.exe
C:\Windows\SysWOW64\timeout.exe
C:\Windows\system32\DllHost.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.ca/webhp?hl=en&tab=lw
mStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - C:\PROGRA~2\MICROS~1\Office14\URLREDIR.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
uRun: [ISUSPM Startup] C:\PROGRA~2\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
uRun: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
uRun: [<NO NAME>]
uRun: [NokiaOviSuite2] C:\Program Files (x86)\Nokia\Nokia Ovi Suite\NokiaOviSuite.exe -tray
uRun: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
mRun: [JMB36X IDE Setup] C:\Windows\RaidTool\xInsIDE.exe
mRun: [BISA.exe] "C:\Program Files (x86)\Bell\Internet Service Advisor\BISA.exe" /AUTORUN
mRun: [ISUSScheduler] "C:\Program Files (x86)\Common Files\InstallShield\UpdateService\issch.exe" -start
mRun: [RoxioNowMediaManagerApp] C:\Program Files (x86)\Roxio\RoxioNow Player\RNowShell.exe -start
mRun: [NokiaMServer] C:\Program Files (x86)\Common Files\Nokia\MPlatform\NokiaMServer /watchfiles startup
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun: [ISUSPM Startup] C:\PROGRA~2\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
StartupFolder: C:\Users\Suleman\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\ONENOT~1.LNK - C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\LOGITE~1.LNK - C:\Program Files\Logitech\SetPoint\SetPoint.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\TRENDN~1.LNK - C:\Program Files (x86)\TRENDnet\Common\RaUI.exe
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - C:\PROGRA~2\MICROS~1\Office14\ONBttnIE.dll/105
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
Trusted Zone: ocad.ca\mycourses
Trusted Zone: ocad.ca\www
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.2.1
TCP: Interfaces\{3F75A6AB-2703-4582-97DD-415500CD0D32} : DhcpNameServer = 192.168.2.1
TCP: Interfaces\{3F75A6AB-2703-4582-97DD-415500CD0D32}\2454C4C403034333 : DhcpNameServer = 192.168.2.1
TCP: Interfaces\{3F75A6AB-2703-4582-97DD-415500CD0D32}\2454C4C4034333 : DhcpNameServer = 192.168.2.1
TCP: Interfaces\{3F75A6AB-2703-4582-97DD-415500CD0D32}\C696E6B6379737 : DhcpNameServer = 192.168.2.1
TCP: Interfaces\{D98FF4AC-4694-4E34-BC1C-53B3A8ABFD89} : DhcpNameServer = 192.168.2.1
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLMF.DLL
BHO-X64: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO-X64: 0x1 - No File
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
BHO-X64: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~2\MICROS~1\Office14\URLREDIR.DLL
BHO-X64: URLRedirectionBHO - No File
BHO-X64: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
mRun-x64: [JMB36X IDE Setup] C:\Windows\RaidTool\xInsIDE.exe
mRun-x64: [BISA.exe] "C:\Program Files (x86)\Bell\Internet Service Advisor\BISA.exe" /AUTORUN
mRun-x64: [ISUSScheduler] "C:\Program Files (x86)\Common Files\InstallShield\UpdateService\issch.exe" -start
mRun-x64: [RoxioNowMediaManagerApp] C:\Program Files (x86)\Roxio\RoxioNow Player\RNowShell.exe -start
mRun-x64: [NokiaMServer] C:\Program Files (x86)\Common Files\Nokia\MPlatform\NokiaMServer /watchfiles startup
mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun-x64: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun-x64: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun-x64: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun-x64: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun-x64: [ISUSPM Startup] C:\PROGRA~2\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Suleman\AppData\Roaming\Mozilla\Firefox\Profiles\g0zzf9mx.default\
FF - prefs.js: network.proxy.type - 0
FF - plugin: C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL
FF - plugin: C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL
FF - plugin: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\Bell\Internet Service Advisor\nprpspa.dll
FF - plugin: C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.111\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\plugin2\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\plugin2\npjp2.dll
FF - plugin: C:\Program Files (x86)\Microsoft Silverlight\5.1.10411.0\npctrlui.dll
FF - plugin: C:\Users\Suleman\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_2_202_235.dll
.
============= SERVICES / DRIVERS ===============
.
R0 RapportKE64;RapportKE64;C:\Windows\system32\Drivers\RapportKE64.sys --> C:\Windows\system32\Drivers\RapportKE64.sys [?]
R1 RapportCerberus_34302;RapportCerberus_34302;C:\ProgramData\Trusteer\Rapport\store\exts\RapportCerberus\34302\RapportCerberus64_34302.sys [2011-12-15 397520]
R1 RapportEI64;RapportEI64;C:\Program Files (x86)\Trusteer\Rapport\bin\x64\RapportEI64.sys [2012-5-20 55096]
R1 RapportPG64;RapportPG64;C:\Program Files (x86)\Trusteer\Rapport\bin\x64\RapportPG64.sys [2012-5-20 61752]
R1 SASDIFSV;SASDIFSV;C:\Program Files\SUPERAntiSpyware\sasdifsv64.sys [2011-7-22 14928]
R1 SASKUTIL;SASKUTIL;C:\Program Files\SUPERAntiSpyware\saskutil64.sys [2011-7-12 12368]
R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys --> C:\Windows\system32\DRIVERS\vwififlt.sys [?]
R2 !SASCORE;SAS Core Service;C:\Program Files\SUPERAntiSpyware\SASCore64.exe [2011-8-11 140672]
R2 AdobeARMservice;Adobe Acrobat Update Service;C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-1-3 63928]
R2 FileOpenManagerSvc;FileOpenManagerSvc;C:\ProgramData\FileOpen\Services\FileOpenManagerSvc64.exe [2011-3-9 331648]
R2 nvUpdatusService;NVIDIA Update Service Daemon;C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [2011-7-26 2214504]
R2 Radialpoint Security Services;Bell Internet Security Services;C:\Program Files (x86)\Bell\Bell Internet Security Services\RpsSecurityAwareR.exe [2011-4-8 166944]
R2 RadialpointIDSAgent;RadialpointIDSAgent;C:\Program Files (x86)\Bell\Bell Internet Security Services\AVG\Identity Protection\agent\bin\AVGIDSAgent.exe [2011-4-8 5832712]
R2 RalinkRegistryWriter;Ralink Registry Writer;C:\Program Files (x86)\TRENDnet\Common\RaRegistry.exe [2012-3-10 374112]
R2 RalinkRegistryWriter64;Ralink Registry Writer 64;C:\Program Files (x86)\TRENDnet\Common\RaRegistry64.exe [2012-3-10 451936]
R2 RapportMgmtService;Rapport Management Service;C:\Program Files (x86)\Trusteer\Rapport\bin\RapportMgmtService.exe [2012-5-20 931672]
R2 RoxioNow Service;RoxioNow Service;C:\Program Files (x86)\Roxio\RoxioNow Player\RNowSvc.exe [2010-12-11 400368]
R2 ServicepointService;ServicepointService;C:\Program Files (x86)\Bell\Internet Service Advisor\ServicepointService.exe [2011-4-8 689464]
R2 VaultClientSRV;Personal Vault Backup Manager Service;C:\Program Files (x86)\Personal Vault Backup Manager\VaultClientSRV.exe [2010-1-17 1051728]
R2 VaultClientUpgrade;Personal Vault Backup Manager Upgrade Service;C:\Program Files (x86)\Personal Vault Backup Manager\VaultClientUpgrade.exe [2010-1-17 56400]
R3 LEqdUsb;Logitech SetPoint Unifying KMDF USB Filter;C:\Windows\system32\DRIVERS\LEqdUsb.Sys --> C:\Windows\system32\DRIVERS\LEqdUsb.Sys [?]
R3 LHidEqd;Logitech SetPoint Unifying KMDF HID Filter;C:\Windows\system32\DRIVERS\LHidEqd.Sys --> C:\Windows\system32\DRIVERS\LHidEqd.Sys [?]
R3 netr28ux;RT2870 USB Extensible Wireless LAN Card Driver;C:\Windows\system32\DRIVERS\netr28ux.sys --> C:\Windows\system32\DRIVERS\netr28ux.sys [?]
R3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;C:\Windows\system32\DRIVERS\nusb3hub.sys --> C:\Windows\system32\DRIVERS\nusb3hub.sys [?]
R3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;C:\Windows\system32\DRIVERS\nusb3xhc.sys --> C:\Windows\system32\DRIVERS\nusb3xhc.sys [?]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;C:\Windows\system32\drivers\nvhda64v.sys --> C:\Windows\system32\drivers\nvhda64v.sys [?]
R3 osppsvc;Office Software Protection Platform;C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-1-9 4925184]
R3 RadialpointIDSDriver;RadialpointIDSDriver;C:\Program Files (x86)\Bell\Bell Internet Security Services\AVG\Identity Protection\agent\drivers\AVGIDSDriver.sys [2011-4-8 132616]
R3 RadialpointIDSFilter;RadialpointIDSFilter;C:\Program Files (x86)\Bell\Bell Internet Security Services\AVG\Identity Protection\agent\drivers\AVGIDSfilter.sys [2011-4-8 35848]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\system32\DRIVERS\Rt64win7.sys --> C:\Windows\system32\DRIVERS\Rt64win7.sys [?]
R3 usbfilter;AMD USB Filter Driver;C:\Windows\system32\DRIVERS\usbfilter.sys --> C:\Windows\system32\DRIVERS\usbfilter.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 gupdate;Google Update Service (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2011-4-19 136176]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-4-2 257696]
S3 dmvsc;dmvsc;C:\Windows\system32\drivers\dmvsc.sys --> C:\Windows\system32\drivers\dmvsc.sys [?]
S3 gupdatem;Google Update Service (gupdatem);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2011-4-19 136176]
S3 MozillaMaintenance;Mozilla Maintenance Service;C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-5-16 129976]
S3 RaMediaServer;RaMediaServer;C:\Program Files (x86)\TRENDnet\Common\RaMediaServer.exe [2012-3-10 619872]
S3 RTL8192cu;Surf Wireless Micro USB Adapter;C:\Windows\system32\DRIVERS\RTL8192cu.sys --> C:\Windows\system32\DRIVERS\RTL8192cu.sys [?]
S3 StorSvc;Storage Service;C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]
S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\system32\drivers\TsUsbGD.sys --> C:\Windows\system32\drivers\TsUsbGD.sys [?]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]
.
=============== Created Last 30 ================
.
2012-06-06 12:13:40 -------- d-----w- C:\Users\Suleman\AppData\Roaming\SUPERAntiSpyware.com
2012-06-06 12:13:32 -------- d-----w- C:\ProgramData\SUPERAntiSpyware.com
2012-06-06 12:13:32 -------- d-----w- C:\Program Files\SUPERAntiSpyware
2012-06-05 21:24:49 -------- d-----w- C:\Users\Suleman\AppData\Local\LogMeIn Rescue Applet
2012-06-05 20:35:35 -------- d--h--w- C:\smtmp
2012-06-05 18:44:59 250368 ---ha-w- C:\ProgramData\gQ3EwXZzoGJmom.exe
2012-06-05 18:41:23 250368 ---ha-w- C:\ProgramData\prp4UgaHogTUXj.exe
2012-06-05 13:30:07 8955792 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{4876E08C-E534-4439-96F6-2E019C69A218}\mpengine.dll
2012-05-26 12:09:01 -------- d--h--w- C:\summaries
2012-05-23 18:46:59 -------- d--h--w- C:\Users\Suleman\AppData\Local\Unity
2012-05-23 18:46:58 -------- d--h--w- C:\Users\Suleman\AppData\Local\InContext Solutions
2012-05-23 18:46:21 -------- d--h--w- C:\Users\Suleman\AppData\Local\Deployment
2012-05-23 18:46:21 -------- d--h--w- C:\Users\Suleman\AppData\Local\Apps
2012-05-17 19:23:00 159744 ----a-w- C:\Program Files (x86)\Internet Explorer\Plugins\npqtplugin7.dll
2012-05-17 19:23:00 159744 ----a-w- C:\Program Files (x86)\Internet Explorer\Plugins\npqtplugin6.dll
2012-05-17 19:23:00 159744 ----a-w- C:\Program Files (x86)\Internet Explorer\Plugins\npqtplugin5.dll
2012-05-17 19:23:00 159744 ----a-w- C:\Program Files (x86)\Internet Explorer\Plugins\npqtplugin4.dll
2012-05-17 19:23:00 159744 ----a-w- C:\Program Files (x86)\Internet Explorer\Plugins\npqtplugin3.dll
2012-05-17 19:23:00 159744 ----a-w- C:\Program Files (x86)\Internet Explorer\Plugins\npqtplugin2.dll
2012-05-17 19:23:00 159744 ----a-w- C:\Program Files (x86)\Internet Explorer\Plugins\npqtplugin.dll
2012-05-16 22:54:33 -------- d-----w- C:\Program Files (x86)\Mozilla Maintenance Service
2012-05-16 22:54:31 588728 ----a-w- C:\Program Files (x86)\Mozilla Firefox\gkmedias.dll
2012-05-16 22:54:31 43960 ----a-w- C:\Program Files (x86)\Mozilla Firefox\mozglue.dll
2012-05-16 22:54:31 157352 ----a-w- C:\Program Files (x86)\Mozilla Firefox\maintenanceservice_installer.exe
2012-05-16 22:54:31 129976 ----a-w- C:\Program Files (x86)\Mozilla Firefox\maintenanceservice.exe
2012-05-10 14:04:01 1544704 ----a-w- C:\Windows\System32\DWrite.dll
2012-05-10 14:04:00 5559664 ----a-w- C:\Windows\System32\ntoskrnl.exe
2012-05-10 14:04:00 3146240 ----a-w- C:\Windows\System32\win32k.sys
2012-05-10 14:04:00 1077248 ----a-w- C:\Windows\SysWow64\DWrite.dll
2012-05-10 14:03:59 3968368 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe
2012-05-10 14:03:59 3913072 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe
2012-05-10 14:03:48 75120 ----a-w- C:\Windows\System32\drivers\partmgr.sys
2012-05-10 14:03:43 936960 ----a-w- C:\Program Files (x86)\Common Files\Microsoft Shared\ink\journal.dll
2012-05-10 14:03:43 1918320 ----a-w- C:\Windows\System32\drivers\tcpip.sys
2012-05-10 14:03:43 1732096 ----a-w- C:\Program Files\Windows Journal\NBDoc.DLL
2012-05-10 14:03:43 1367552 ----a-w- C:\Program Files\Common Files\Microsoft Shared\ink\journal.dll
2012-05-10 14:03:42 1402880 ----a-w- C:\Program Files\Windows Journal\JNWDRV.dll
2012-05-10 14:03:42 1393664 ----a-w- C:\Program Files\Windows Journal\JNTFiltr.dll
.
==================== Find3M ====================
.
2012-06-05 21:31:31 71456 ----a-w- C:\Windows\System32\drivers\rp_skt64.sys
2012-06-05 21:31:31 59136 ----a-w- C:\Windows\System32\drivers\rp_pkt64.sys
2012-05-20 16:01:40 63800 ----a-w- C:\Windows\System32\drivers\RapportKE64.sys
2012-05-06 15:59:08 70304 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2012-05-06 15:59:08 419488 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2012-05-06 15:59:06 8744608 ----a-w- C:\Windows\SysWow64\FlashPlayerInstaller.exe
2012-04-19 00:56:30 94208 ----a-w- C:\Windows\SysWow64\QuickTimeVR.qtx
2012-04-19 00:56:30 69632 ----a-w- C:\Windows\SysWow64\QuickTime.qts
.
============= FINISH: 11:31:13.11 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,784 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:06:38 AM

Posted 11 June 2012 - 07:45 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.
If you are unable to create a log because your computer cannot start up successfully please provide detailed information about the Windows version you are using: What we in particular need to know is version, edition and if it is a 32bit or a 64bit system. [/b]
If you are unsure about any of these caracteristics, just let us know and we'll help you figuring it out. Please also tell us if you have your Windows CD/DVD handy.


Please include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.
We need to create an OTL Report
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the Posted Image icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • In the custom scan box paste the following:
    msconfig
    safebootminimal
    activex
    drivers32
    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    explorer.exe
    winlogon.exe
    wininit.exe
    hlp.dat
    /md5stop
  • Push the Posted Image button.
  • Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt<--Will be minimized

In the upper right hand corner of the topic you will see a button called Watch Topic.I suggest you click it and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

animinionsmalltext.gif

Follow BleepingComputer on: Facebook | Twitter | Google+


#3 ViralVictim

ViralVictim
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:12:38 AM

Posted 11 June 2012 - 09:16 AM

Hi myrti,
Thanks for your quick response. I have attached both .txt files from the scan you requested. I am using Windows 7 Professional SP1 on a 64-bit system.
b

Attached Files



#4 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,784 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:06:38 AM

Posted 11 June 2012 - 10:29 AM

Hi,

please run unhide.exe and let me know if that hopefully restores you startup menu: unhide.exe. If it doesn't then the backups made might have been deleted.

I see some leftover's of a previous infections but nothing obviously active. Besides the missing start menu is there anything else that is wrong?

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link
If you have a previous version of MBAM, remove it via Add/Remove Programs and download a fresh copy.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install. Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a usb stick or CD and then copy it to the infected machine.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you after scanning with MBAM. Please temporarily disable such programs or permit them to allow the changes.

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

animinionsmalltext.gif

Follow BleepingComputer on: Facebook | Twitter | Google+


#5 ViralVictim

ViralVictim
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:12:38 AM

Posted 11 June 2012 - 12:58 PM

Thanks again.

I have my Start Menu items back and the Malware program you suggested detected no viruses.


Here is a copy of the log:

Malwarebytes Anti-Malware (Trial) 1.61.0.1400
www.malwarebytes.org

Database version: v2012.06.11.06

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Suleman :: MITCHELLWADE-PC [administrator]

Protection: Enabled

11/06/2012 1:24:23 PM
mbam-log-2012-06-11 (13-24-23).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 227442
Time elapsed: 2 minute(s), 21 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)



It looks like there are no other issues to address, other than re-establishing my themes and other appearance tweeks, which I can do myself.

Do you suggest keeping the "SuperAntiVirus" and the "Malwarebytes" programs on my system in addition to the Bell Internet Security Services anti-virus and anti-spyware programs?

Also, I would like to make a donation for your help; what is considered acceptable compensation for your services? I have no experience with this type of requital.

Be Well,

ViralVictim

#6 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,784 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:06:38 AM

Posted 12 June 2012 - 08:34 AM

Hi,

yes you can keep SuperAntiSpyware and Malwarebytes along with your normal Anti virus, they should not hinder each other.
There are 2 files that are left overs from the malware, that you should still remove:
C:\ProgramData\gQ3EwXZzoGJmom.exe
C:\ProgramData\prp4UgaHogTUXj.exe

With regards to donations, this is really up to you. :) There's no minimal amount to give or not give. People give as they feel, it starts with $5 and can go as high as you like. :wink:

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

animinionsmalltext.gif

Follow BleepingComputer on: Facebook | Twitter | Google+


#7 ViralVictim

ViralVictim
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:12:38 AM

Posted 12 June 2012 - 02:28 PM

myrti,

I have removed the mentioned files. I assume that the file C:\ProgramData\Pu49YCy4q1dOI7 is okay to remain since it wasn't in your previous post. I only question is because it is the only file in that specific area left that was also created on 05/06/2012.

Regarding the donation, I tried to base it on an experienced hourly rate of $35/hour, hoping you didn't have to put in more than one hour on my stuff. I trust it's a fair estimate. Enjoy your week.

Thanks again,
b

#8 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,784 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:06:38 AM

Posted 13 June 2012 - 05:25 AM

Hi,

that file was not listed in our logs, but I would go ahead and remove it. Since it is not an executable file, it should not pose a threat, but it definitely looks like a malicious file.

Our tools list files based on criterias like "is it executable" in order to get a compromise between a reasonable length of the log and the security to remove anything that poses a threat to your PC. In that approach any file that is not executable is less likely to be listed by our tools and that's how it skipped through the holes, I would think.

I wish I'd get $35/hour at my normal job.. :lol: Can I get hired by you? :wink: Thanks for the donation. :thumbup2:

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

animinionsmalltext.gif

Follow BleepingComputer on: Facebook | Twitter | Google+


#9 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,784 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:06:38 AM

Posted 25 July 2012 - 05:19 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

animinionsmalltext.gif

Follow BleepingComputer on: Facebook | Twitter | Google+





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users