Persistent Trojan.Gen

7 replies to this topic
#1 caseyjmorton (Members, 6 posts)
Posted 07 March 2013 - 01:18 PM

Hi BC,

I know I have some sort of rootkit on my machine, and have tried pretty much everything in my personal arsenal to combat it, but to no avail. I am a software developer by trade and am reasonably experienced at removing traditional viruses (mostly for friends and family), but admittedly I am mostly self-taught and have limited experience with the real hardcore rootkits, as this one appears to be. I figure it's time to call in the big guns.

I have Symantec Endpoint Protection on my machine and periodically it will start popping up security risks. It will go dormant for weeks (and actually most recently about 2 months) at a time, but when it is active, Symantec will pop up security risks on regular intervals (about once every 5 seconds), and my machine grinds to a halt, even though Process Explorer reports minimal CPU utilization. Here is the message that SEP is reporting:

Scan type: Auto-Protect Scan
Event: Risk Found!
Security risk detected: Trojan.Gen
File: C:\Users\<XXX>\AppData\Local\Temp\DWHFF73.tmp
Location: C:\Users\<XXX>\AppData\Local\Temp
Computer: L07-5YNHLV1
User: 601292
Action taken: Pending Side Effects Analysis : Access denied
Date found: Thursday, March 07, 2013  12:34:30 PM
 
I have tried running MBAR and Ad-Aware. They detect the files that SEP has moved into quarantine (i.e. the files in C:\Users\<XXX>\AppData\Local\Temp\), and offer to remove them. When I do, the files go away, and I reboot immediately, but the threat remains. I am about at wit's end on this one, but reimaging the machine is really not an option unless no other exists.
 
As best I can tell, nothing has been corrupted as everything still seems to run fine and I'm not getting any system errors.  My only real issue is performance when the malware is active as well as any potential security risks (i.e. identity theft etc).
 
Can you please help me remove this once and for all?
 
Casey


#2 caseyjmorton (Topic Starter, Members, 6 posts)
Posted 07 March 2013 - 01:23 PM

It occurs to me that I didn't mention that I am running Windows 7 64 bit.



#3 boopme (Global Moderator, 73,166 posts)
Posted 15 March 2013 - 03:07 PM

Hello, let's try it this way.

Please download TFC (Temp File Cleaner) by Old Timer and save it to your desktop.
alternate download link
  • Save any unsaved work. TFC will close ALL open programs including your browser!
  • Double-click on TFC.exe to run it. If you are using Vista, right-click on the file and choose Run As Administrator.
  • Click the Start button to begin the cleaning process and let it run uninterrupted to completion.
  • TFC will clear out all temp folders for all user accounts (temp, IE temp, Java, FF, Opera, Chrome, Safari), including Administrator, All Users, LocalService, NetworkService, and any other accounts in the user folder.
  • Important! If TFC prompts you to reboot, please do so immediately. If not prompted, manually reboot the machine anyway to ensure a complete clean.
  • Note: It is normal for the computer to be slow to boot after running TFC cleaner the first time.


    Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Important!! When you save the mbam-setup file, rename it to something random (such as 123abc.exe) before beginning the download.
  • Double-click on the renamed file to install, then follow these instructions for doing a Quick Scan in normal mode.
  • Don't forget to check for database definition updates through the program's interface (preferable method) before scanning.
  • If you cannot update Malwarebytes or use the Internet to download any files to the infected computer, manually update the database by following the instructions in FAQ Section A: 4. Issues.
  • Malwarebytes may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
    • After completing the scan, a log report will open in Notepad.
    • The log is automatically saved and can be viewed by clicking the Logs tab.
    • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows the database version and your operating system.
    • Exit Malwarebytes when done.
    Note: If Malwarebytes encounters a file that is difficult to remove, you will be asked to reboot your computer so it can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally will prevent Malwarebytes from removing all the malware.

    -- Some types of malware will target Malwarebytes and other security tools to keep them from running properly. If that's the case, use Malwarebytes Chameleon and follow the onscreen instructions. The Chameleon folder can be accessed by opening the program folder for Malwarebytes Anti-Malware (normally C:\Program Files\Malwarebytes' Anti-Malware or C:\Program Files (x86)\Malwarebytes' Anti-Malware).



    Please download TDSSKiller.
  • Launch it.
  • Click on Change parameters and select TDLFS file system.
  • Click on "Scan".
  • Please post the LOG report (the log file should be in your C drive).
  • Do not change the default options on scan results.



    Please download aswMBR ( 511KB ) to your desktop.
    • Double click the aswMBR.exe icon to run it
    • Click the Scan button to start the scan
    • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.


#4 caseyjmorton (Topic Starter, Members, 6 posts)
Posted 15 March 2013 - 03:59 PM

Malwarebytes Anti-Malware 1.70.0.1100
www.malwarebytes.org
 
Database version: v2013.03.15.08
 
Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 8.0.7601.17514
601292 :: L07-5YNHLV1 [administrator]
 
3/15/2013 4:27:01 PM
mbam-log-2013-03-15 (16-27-01).txt
 
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 357246
Time elapsed: 20 minute(s), 33 second(s)
 
Memory Processes Detected: 0
(No malicious items detected)
 
Memory Modules Detected: 0
(No malicious items detected)
 
Registry Keys Detected: 0
(No malicious items detected)
 
Registry Values Detected: 0
(No malicious items detected)
 
Registry Data Items Detected: 0
(No malicious items detected)
 
Folders Detected: 0
(No malicious items detected)
 
Files Detected: 0
(No malicious items detected)
 
(end)
 
16:57:35.0614 8452  TDSS rootkit removing tool 2.8.16.0 Feb 11 2013 18:50:42
16:57:35.0957 8452  ============================================================
16:57:35.0957 8452  Current date / time: 2013/03/15 16:57:35.0957
16:57:35.0957 8452  SystemInfo:
16:57:35.0957 8452  
16:57:35.0957 8452  OS Version: 6.1.7601 ServicePack: 1.0
16:57:35.0957 8452  Product type: Workstation
16:57:35.0957 8452  ComputerName: L07-5YNHLV1
16:57:35.0958 8452  UserName: 601292
16:57:35.0958 8452  Windows directory: C:\Windows
16:57:35.0958 8452  System windows directory: C:\Windows
16:57:35.0958 8452  Running under WOW64
16:57:35.0958 8452  Processor architecture: Intel x64
16:57:35.0958 8452  Number of processors: 4
16:57:35.0958 8452  Page size: 0x1000
16:57:35.0958 8452  Boot type: Normal boot
16:57:35.0958 8452  ============================================================
16:57:37.0022 8452  Drive \Device\Harddisk0\DR0 - Size: 0x3A38B2E000 (232.89 Gb), SectorSize: 0x200, Cylinders: 0x76C1, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000040
16:57:37.0041 8452  ============================================================
16:57:37.0041 8452  \Device\Harddisk0\DR0:
16:57:37.0041 8452  MBR partitions:
16:57:37.0041 8452  \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x14000, BlocksNum 0x32000
16:57:37.0041 8452  \Device\Harddisk0\DR0\Partition2: MBR, Type 0x7, StartLBA 0x46000, BlocksNum 0x1D17F170
16:57:37.0041 8452  ============================================================
16:57:37.0052 8452  Initialize success
16:57:37.0052 8452  ============================================================
16:57:42.0133 6856  ============================================================
16:57:42.0133 6856  Scan started
16:57:42.0133 6856  Mode: Manual; TDLFS; 
16:57:42.0133 6856  ============================================================
16:57:42.0159 6856  ================ Scan system memory ========================
16:57:42.0159 6856  System memory - ok
16:57:42.0160 6856  ================ Scan services =============================
16:57:42.0196 6856  1394ohci - ok
16:57:42.0218 6856  Acceler - ok
16:57:42.0227 6856  ACDaemon - ok
16:57:42.0234 6856  ACPI - ok
16:57:42.0238 6856  AcpiPmi - ok
16:57:42.0249 6856  Ad-Aware Service - ok
16:57:42.0254 6856  AdobeARMservice - ok
16:57:42.0274 6856  AdobeFlashPlayerUpdateSvc - ok
16:57:42.0283 6856  adp94xx - ok
16:57:42.0287 6856  adpahci - ok
16:57:42.0290 6856  adpu320 - ok
16:57:42.0295 6856  AeLookupSvc - ok
16:57:42.0298 6856  AESTFilters - ok
16:57:42.0306 6856  AeXAgentSrvHost - ok
16:57:42.0314 6856  AeXNSClient - ok
16:57:42.0318 6856  Afc - ok
16:57:42.0332 6856  AFD - ok
16:57:42.0335 6856  agp440 - ok
16:57:42.0339 6856  ALG - ok
16:57:42.0342 6856  aliide - ok
16:57:42.0357 6856  AltirisAgentProvider - ok
16:57:42.0360 6856  amdide - ok
16:57:42.0363 6856  AmdK8 - ok
16:57:42.0366 6856  AmdPPM - ok
16:57:42.0374 6856  amdsata - ok
16:57:42.0383 6856  amdsbs - ok
16:57:42.0387 6856  amdxata - ok
16:57:42.0403 6856  ApfiltrService - ok
16:57:42.0410 6856  AppHostSvc - ok
16:57:42.0415 6856  AppID - ok
16:57:42.0417 6856  AppIDSvc - ok
16:57:42.0421 6856  Appinfo - ok
16:57:42.0430 6856  Apple Mobile Device - ok
16:57:42.0447 6856  AppMgmt - ok
16:57:42.0450 6856  arc - ok
16:57:42.0454 6856  arcsas - ok
16:57:42.0477 6856  Artifactory - ok
16:57:42.0497 6856  aspnet_state - ok
16:57:42.0503 6856  AsyncMac - ok
16:57:42.0508 6856  atapi - ok
16:57:42.0510 6856  AudioEndpointBuilder - ok
16:57:42.0513 6856  AudioSrv - ok
16:57:42.0520 6856  automap - ok
16:57:42.0551 6856  awecho - ok
16:57:42.0559 6856  awhost32 - ok
16:57:42.0562 6856  AW_HOST - ok
16:57:42.0640 6856  AxInstSV - ok
16:57:42.0649 6856  b06bdrv - ok
16:57:42.0672 6856  b57nd60a - ok
16:57:42.0697 6856  BDESVC - ok
16:57:42.0713 6856  Beep - ok
16:57:42.0731 6856  BFE - ok
16:57:42.0738 6856  BITS - ok
16:57:42.0750 6856  blbdrive - ok
16:57:42.0756 6856  Bonjour Service - ok
16:57:42.0762 6856  bowser - ok
16:57:42.0779 6856  bpenum - ok
16:57:42.0784 6856  bpmp - ok
16:57:42.0792 6856  bpusb - ok
16:57:42.0798 6856  BrFiltLo - ok
16:57:42.0806 6856  BrFiltUp - ok
16:57:42.0811 6856  Browser - ok
16:57:42.0817 6856  Brserid - ok
16:57:42.0823 6856  BrSerWdm - ok
16:57:42.0832 6856  BrUsbMdm - ok
16:57:42.0838 6856  BrUsbSer - ok
16:57:42.0841 6856  BTHMODEM - ok
16:57:42.0847 6856  bthserv - ok
16:57:42.0854 6856  Bulk - ok
16:57:42.0858 6856  ccEvtMgr - ok
16:57:42.0862 6856  ccSetMgr - ok
16:57:42.0865 6856  cdfs - ok
16:57:42.0869 6856  cdrom - ok
16:57:42.0873 6856  CertPropSvc - ok
16:57:42.0877 6856  circlass - ok
16:57:42.0880 6856  CLFS - ok
16:57:42.0884 6856  clr_optimization_v2.0.50727_32 - ok
16:57:42.0887 6856  clr_optimization_v2.0.50727_64 - ok
16:57:42.0891 6856  clr_optimization_v4.0.30319_32 - ok
16:57:42.0895 6856  clr_optimization_v4.0.30319_64 - ok
16:57:42.0899 6856  CmBatt - ok
16:57:42.0901 6856  cmdide - ok
16:57:42.0905 6856  CNG - ok
16:57:42.0940 6856  CodeMeter.exe - ok
16:57:42.0954 6856  Compbatt - ok
16:57:42.0969 6856  CompositeBus - ok
16:57:42.0973 6856  COMSysApp - ok
16:57:42.0976 6856  ConfigService - ok
16:57:42.0980 6856  crcdisk - ok
16:57:42.0984 6856  CryptSvc - ok
16:57:42.0988 6856  CSC - ok
16:57:42.0991 6856  CscService - ok
16:57:43.0013 6856  ctxusbm - ok
16:57:43.0024 6856  CVirtA - ok
16:57:43.0033 6856  CVPND - ok
16:57:43.0049 6856  CVPNDRVA - ok
16:57:43.0053 6856  cvusbdrv - ok
16:57:43.0058 6856  DcomLaunch - ok
16:57:43.0061 6856  defragsvc - ok
16:57:43.0064 6856  DfsC - ok
16:57:43.0068 6856  Dhcp - ok
16:57:43.0072 6856  discache - ok
16:57:43.0075 6856  Disk - ok
16:57:43.0079 6856  DisplayFusionService - ok
16:57:43.0089 6856  DMService - ok
16:57:43.0093 6856  dmvsc - ok
16:57:43.0104 6856  DNE - ok
16:57:43.0110 6856  Dnscache - ok
16:57:43.0113 6856  dot3svc - ok
16:57:43.0117 6856  DPS - ok
16:57:43.0129 6856  drmkaud - ok
16:57:43.0139 6856  dtpd - ok
16:57:43.0142 6856  DXGKrnl - ok
16:57:43.0146 6856  e1cexpress - ok
16:57:43.0149 6856  EapHost - ok
16:57:43.0153 6856  ebdrv - ok
16:57:43.0156 6856  eeCtrl - ok
16:57:43.0159 6856  EFS - ok
16:57:43.0162 6856  ehRecvr - ok
16:57:43.0165 6856  ehSched - ok
16:57:43.0168 6856  elxstor - ok
16:57:43.0171 6856  EraserUtilRebootDrv - ok
16:57:43.0175 6856  ErrDev - ok
16:57:43.0187 6856  EventSystem - ok
16:57:43.0190 6856  exfat - ok
16:57:43.0193 6856  fastfat - ok
16:57:43.0196 6856  Fax - ok
16:57:43.0199 6856  fdc - ok
16:57:43.0204 6856  fdPHost - ok
16:57:43.0208 6856  FDResPub - ok
16:57:43.0211 6856  FileInfo - ok
16:57:43.0215 6856  Filetrace - ok
16:57:43.0219 6856  flpydisk - ok
16:57:43.0223 6856  FltMgr - ok
16:57:43.0227 6856  FontCache - ok
16:57:43.0230 6856  FontCache3.0.0.0 - ok
16:57:43.0250 6856  FsDepends - ok
16:57:43.0253 6856  Fs_Rec - ok
16:57:43.0256 6856  fvevol - ok
16:57:43.0259 6856  gagp30kx - ok
16:57:43.0263 6856  GEARAspiWDM - ok
16:57:43.0276 6856  gfibto - ok
16:57:43.0279 6856  gpsvc - ok
16:57:43.0282 6856  hcmon - ok
16:57:43.0286 6856  hcw85cir - ok
16:57:43.0289 6856  HdAudAddService - ok
16:57:43.0292 6856  HDAudBus - ok
16:57:43.0298 6856  HDJAsioK - ok
16:57:43.0302 6856  HDJMidi - ok
16:57:43.0329 6856  HerculesDJControlMP3 - ok
16:57:43.0332 6856  HidBatt - ok
16:57:43.0336 6856  HidBth - ok
16:57:43.0339 6856  HidIr - ok
16:57:43.0342 6856  hidserv - ok
16:57:43.0352 6856  HidUsb - ok
16:57:43.0356 6856  hkmsvc - ok
16:57:43.0359 6856  HomeGroupListener - ok
16:57:43.0362 6856  HomeGroupProvider - ok
16:57:43.0374 6856  hpqcxs08 - ok
16:57:43.0391 6856  hpqddsvc - ok
16:57:43.0394 6856  HpSAMD - ok
16:57:43.0397 6856  HPSLPSVC - ok
16:57:43.0401 6856  HTTP - ok
16:57:43.0405 6856  hwpolicy - ok
16:57:43.0409 6856  i8042prt - ok
16:57:43.0413 6856  iaStorV - ok
16:57:43.0425 6856  IBMWAS80Service - L07-FPYLFS1Node01 - ok
16:57:43.0429 6856  IDriverT - ok
16:57:43.0433 6856  idsvc - ok
16:57:43.0437 6856  igfx - ok
16:57:43.0440 6856  iirsp - ok
16:57:43.0447 6856  iked - ok
16:57:43.0450 6856  IKEEXT - ok
16:57:43.0457 6856  IntcDAud - ok
16:57:43.0460 6856  intelide - ok
16:57:43.0470 6856  intelppm - ok
16:57:43.0473 6856  IPBusEnum - ok
16:57:43.0476 6856  IpFilterDriver - ok
16:57:43.0479 6856  iphlpsvc - ok
16:57:43.0482 6856  ipMIDI - ok
16:57:43.0487 6856  IPMIDRV - ok
16:57:43.0491 6856  IPNAT - ok
16:57:43.0512 6856  iPod Service - ok
16:57:43.0522 6856  ipsecd - ok
16:57:43.0531 6856  IRENUM - ok
16:57:43.0537 6856  isapnp - ok
16:57:43.0541 6856  iScsiPrt - ok
16:57:43.0605 6856  kbdclass - ok
16:57:43.0616 6856  kbdhid - ok
16:57:43.0625 6856  KeyIso - ok
16:57:43.0633 6856  KSecDD - ok
16:57:43.0644 6856  KSecPkg - ok
16:57:43.0650 6856  ksthunk - ok
16:57:43.0655 6856  KtmRm - ok
16:57:43.0666 6856  LanmanServer - ok
16:57:43.0671 6856  LanmanWorkstation - ok
16:57:43.0681 6856  LBTServ - ok
16:57:43.0689 6856  LEqdUsb - ok
16:57:43.0693 6856  LHidEqd - ok
16:57:43.0697 6856  LHidFilt - ok
16:57:43.0701 6856  LiveUpdate - ok
16:57:43.0706 6856  lltdio - ok
16:57:43.0710 6856  lltdsvc - ok
16:57:43.0714 6856  lmhosts - ok
16:57:43.0717 6856  LMouFilt - ok
16:57:43.0721 6856  LMS - ok
16:57:43.0724 6856  LoopBeMidi1 - ok
16:57:43.0731 6856  LSI_FC - ok
16:57:43.0735 6856  LSI_SAS - ok
16:57:43.0738 6856  LSI_SAS2 - ok
16:57:43.0742 6856  LSI_SCSI - ok
16:57:43.0745 6856  luafv - ok
16:57:43.0748 6856  LUsbFilt - ok
16:57:43.0751 6856  Mcx2Svc - ok
16:57:43.0755 6856  megasas - ok
16:57:43.0758 6856  MegaSR - ok
16:57:43.0761 6856  MEIx64 - ok
16:57:43.0771 6856  Microsoft SharePoint Workspace Audit Service - ok
16:57:43.0774 6856  MMCSS - ok
16:57:43.0777 6856  Modem - ok
16:57:43.0782 6856  monitor - ok
16:57:43.0785 6856  mouclass - ok
16:57:43.0789 6856  mouhid - ok
16:57:43.0794 6856  mountmgr - ok
16:57:43.0813 6856  MouseWithoutBordersSvc - ok
16:57:43.0824 6856  MozillaMaintenance - ok
16:57:43.0828 6856  mpio - ok
16:57:43.0831 6856  mpsdrv - ok
16:57:43.0834 6856  MpsSvc - ok
16:57:43.0837 6856  MQAC - ok
16:57:43.0841 6856  MRxDAV - ok
16:57:43.0843 6856  mrxsmb - ok
16:57:43.0846 6856  mrxsmb10 - ok
16:57:43.0850 6856  mrxsmb20 - ok
16:57:43.0853 6856  msahci - ok
16:57:43.0857 6856  MsDepSvc - ok
16:57:43.0860 6856  msdsm - ok
16:57:43.0863 6856  MSDTC - ok
16:57:43.0870 6856  Msfs - ok
16:57:43.0873 6856  mshidkmdf - ok
16:57:43.0876 6856  msisadrv - ok
16:57:43.0887 6856  MSiSCSI - ok
16:57:43.0891 6856  msiserver - ok
16:57:43.0894 6856  MSKSSRV - ok
16:57:43.0897 6856  MSMQ - ok
16:57:43.0900 6856  MSPCLOCK - ok
16:57:43.0904 6856  MSPQM - ok
16:57:43.0908 6856  MsRPC - ok
16:57:43.0912 6856  mssmbios - ok
16:57:43.0916 6856  MSSQL$SQLEXPRESS - ok
16:57:43.0919 6856  MSSQLServerADHelper100 - ok
16:57:43.0923 6856  MSTEE - ok
16:57:43.0926 6856  MTConfig - ok
16:57:43.0929 6856  Mup - ok
16:57:43.0932 6856  napagent - ok
16:57:43.0956 6856  NativeWifiP - ok
16:57:43.0967 6856  NAVENG - ok
16:57:43.0970 6856  NAVEX15 - ok
16:57:43.0983 6856  NDIS - ok
16:57:43.0986 6856  NdisCap - ok
16:57:43.0989 6856  NdisTapi - ok
16:57:43.0992 6856  Ndisuio - ok
16:57:43.0995 6856  NdisWan - ok
16:57:43.0998 6856  NDProxy - ok
16:57:44.0005 6856  Net Driver HPZ12 - ok
16:57:44.0008 6856  NetBIOS - ok
16:57:44.0010 6856  NetBT - ok
16:57:44.0014 6856  Netlogon - ok
16:57:44.0022 6856  Netman - ok
16:57:44.0025 6856  NetMsmqActivator - ok
16:57:44.0028 6856  NetPipeActivator - ok
16:57:44.0031 6856  netprofm - ok
16:57:44.0038 6856  NetTcpActivator - ok
16:57:44.0041 6856  NetTcpPortSharing - ok
16:57:44.0044 6856  NETwNs64 - ok
16:57:44.0048 6856  nfrd960 - ok
16:57:44.0051 6856  NIHardwareService - ok
16:57:44.0055 6856  NlaSvc - ok
16:57:44.0058 6856  NPF - ok
16:57:44.0061 6856  Npfs - ok
16:57:44.0064 6856  nsi - ok
16:57:44.0067 6856  nsiproxy - ok
16:57:44.0072 6856  Ntfs - ok
16:57:44.0075 6856  Null - ok
16:57:44.0078 6856  nusb3hub - ok
16:57:44.0081 6856  nusb3xhc - ok
16:57:44.0084 6856  NvnUsbAudio - ok
16:57:44.0090 6856  nvraid - ok
16:57:44.0093 6856  nvstor - ok
16:57:44.0096 6856  nv_agp - ok
16:57:44.0107 6856  O2FLASH - ok
16:57:44.0110 6856  O2MDFRDR - ok
16:57:44.0113 6856  O2MDRRDR - ok
16:57:44.0116 6856  O2SDIOAssist - ok
16:57:44.0126 6856  O2SDJRDR - ok
16:57:44.0129 6856  ohci1394 - ok
16:57:44.0144 6856  ose - ok
16:57:44.0147 6856  osppsvc - ok
16:57:44.0152 6856  p2pimsvc - ok
16:57:44.0156 6856  p2psvc - ok
16:57:44.0159 6856  Parport - ok
16:57:44.0162 6856  partmgr - ok
16:57:44.0165 6856  PcaSvc - ok
16:57:44.0172 6856  pci - ok
16:57:44.0178 6856  pciide - ok
16:57:44.0181 6856  pcmcia - ok
16:57:44.0184 6856  pcw - ok
16:57:44.0188 6856  PEAUTH - ok
16:57:44.0192 6856  PeerDistSvc - ok
16:57:44.0197 6856  PerfHost - ok
16:57:44.0207 6856  pla - ok
16:57:44.0212 6856  PlugPlay - ok
16:57:44.0218 6856  Pml Driver HPZ12 - ok
16:57:44.0223 6856  PNRPAutoReg - ok
16:57:44.0228 6856  PNRPsvc - ok
16:57:44.0234 6856  PolicyAgent - ok
16:57:44.0242 6856  Power - ok
16:57:44.0245 6856  PptpMiniport - ok
16:57:44.0248 6856  Processor - ok
16:57:44.0268 6856  ProfSvc - ok
16:57:44.0272 6856  ProtectedStorage - ok
16:57:44.0276 6856  Psched - ok
16:57:44.0279 6856  PVIS9 - ok
16:57:44.0289 6856  PVIS9_64 - ok
16:57:44.0311 6856  PxHlpa64 - ok
16:57:44.0314 6856  ql2300 - ok
16:57:44.0317 6856  ql40xx - ok
16:57:44.0320 6856  QWAVE - ok
16:57:44.0323 6856  QWAVEdrv - ok
16:57:44.0326 6856  RasAcd - ok
16:57:44.0330 6856  RasAgileVpn - ok
16:57:44.0333 6856  RasAuto - ok
16:57:44.0336 6856  Rasl2tp - ok
16:57:44.0340 6856  RasMan - ok
16:57:44.0348 6856  RasPppoe - ok
16:57:44.0351 6856  RasSstp - ok
16:57:44.0355 6856  rdbss - ok
16:57:44.0359 6856  rdpbus - ok
16:57:44.0362 6856  RDPCDD - ok
16:57:44.0366 6856  RDPDR - ok
16:57:44.0408 6856  RDPENCDD - ok
16:57:44.0421 6856  RDPREFMP - ok
16:57:44.0431 6856  RDPWD - ok
16:57:44.0441 6856  rdyboost - ok
16:57:44.0450 6856  RemoteAccess - ok
16:57:44.0459 6856  RemoteRegistry - ok
16:57:44.0464 6856  rpcapd - ok
16:57:44.0542 6856  RpcEptMapper - ok
16:57:44.0545 6856  RpcLocator - ok
16:57:44.0548 6856  RpcSs - ok
16:57:44.0551 6856  RsFx0105 - ok
16:57:44.0610 6856  rspndr - ok
16:57:44.0640 6856  RsvLock - ok
16:57:44.0646 6856  s3cap - ok
16:57:44.0657 6856  SafeBoot - ok
16:57:44.0665 6856  SafeBootClientManager - ok
16:57:44.0672 6856  SamSs - ok
16:57:44.0676 6856  SBAlg - ok
16:57:44.0689 6856  SBAMSvc - ok
16:57:44.0694 6856  SbFlop - ok
16:57:44.0699 6856  SbFsLock - ok
16:57:44.0720 6856  SbieDrv - ok
16:57:44.0749 6856  SbieSvc - ok
16:57:44.0757 6856  sbp2port - ok
16:57:44.0761 6856  SbRegFlt - ok
16:57:44.0764 6856  SCardSvr - ok
16:57:44.0768 6856  scfilter - ok
16:57:44.0771 6856  Schedule - ok
16:57:44.0774 6856  SCPolicySvc - ok
16:57:44.0777 6856  sdbus - ok
16:57:44.0781 6856  SDRSVC - ok
16:57:44.0798 6856  SDScannerService - ok
16:57:44.0809 6856  SDUpdateService - ok
16:57:44.0812 6856  SDWSCService - ok
16:57:44.0822 6856  secdrv - ok
16:57:44.0825 6856  seclogon - ok
16:57:44.0829 6856  SENS - ok
16:57:44.0831 6856  SensrSvc - ok
16:57:44.0835 6856  Serenum - ok
16:57:44.0839 6856  Serial - ok
16:57:44.0842 6856  sermouse - ok
16:57:44.0851 6856  SessionEnv - ok
16:57:44.0855 6856  sffdisk - ok
16:57:44.0858 6856  sffp_mmc - ok
16:57:44.0861 6856  sffp_sd - ok
16:57:44.0864 6856  sfloppy - ok
16:57:44.0867 6856  SharedAccess - ok
16:57:44.0871 6856  ShellHWDetection - ok
16:57:44.0875 6856  SiSRaid2 - ok
16:57:44.0878 6856  SiSRaid4 - ok
16:57:44.0884 6856  Smb - ok
16:57:44.0888 6856  SmcService - ok
16:57:44.0895 6856  SNAC - ok
16:57:44.0912 6856  SNMPTRAP - ok
16:57:44.0920 6856  SophosVirusRemovalTool - ok
16:57:44.0923 6856  spldr - ok
16:57:44.0927 6856  Spooler - ok
16:57:44.0930 6856  sppsvc - ok
16:57:44.0933 6856  sppuinotify - ok
16:57:44.0962 6856  SQLAgent$SQLEXPRESS - ok
16:57:44.0965 6856  SQLBrowser - ok
16:57:44.0970 6856  SQLWriter - ok
16:57:44.0986 6856  SRTSP - ok
16:57:45.0002 6856  SRTSPL - ok
16:57:45.0027 6856  SRTSPX - ok
16:57:45.0030 6856  srv - ok
16:57:45.0033 6856  srv2 - ok
16:57:45.0036 6856  srvnet - ok
16:57:45.0047 6856  SSDPSRV - ok
16:57:45.0050 6856  SstpSvc - ok
16:57:45.0053 6856  STacSV - ok
16:57:45.0062 6856  stdcfltn - ok
16:57:45.0076 6856  stexstor - ok
16:57:45.0079 6856  STHDA - ok
16:57:45.0082 6856  StillCam - ok
16:57:45.0085 6856  stisvc - ok
16:57:45.0088 6856  storflt - ok
16:57:45.0091 6856  StorSvc - ok
16:57:45.0095 6856  storvsc - ok
16:57:45.0098 6856  swenum - ok
16:57:45.0101 6856  SwitchBoard - ok
16:57:45.0105 6856  swprv - ok
16:57:45.0108 6856  Symantec AntiVirus - ok
16:57:45.0112 6856  SymEvent - ok
16:57:45.0115 6856  SysMain - ok
16:57:45.0118 6856  TabletInputService - ok
16:57:45.0122 6856  TapiSrv - ok
16:57:45.0125 6856  TBS - ok
16:57:45.0128 6856  Tcpip - ok
16:57:45.0131 6856  TCPIP6 - ok
16:57:45.0136 6856  tcpipreg - ok
16:57:45.0140 6856  TDPIPE - ok
16:57:45.0144 6856  TDTCP - ok
16:57:45.0147 6856  tdx - ok
16:57:45.0150 6856  TermDD - ok
16:57:45.0154 6856  TermService - ok
16:57:45.0165 6856  teVirtualMIDI64 - ok
16:57:45.0169 6856  Themes - ok
16:57:45.0172 6856  THREADORDER - ok
16:57:45.0189 6856  Tpkd - ok
16:57:45.0192 6856  TrkWks - ok
16:57:45.0196 6856  TrustedInstaller - ok
16:57:45.0200 6856  tssecsrv - ok
16:57:45.0204 6856  TsUsbFlt - ok
16:57:45.0207 6856  TsUsbGD - ok
16:57:45.0222 6856  tunnel - ok
16:57:45.0225 6856  uagp35 - ok
16:57:45.0228 6856  uagqecsvc - ok
16:57:45.0231 6856  udfs - ok
16:57:45.0235 6856  UI0Detect - ok
16:57:45.0244 6856  uliagpkx - ok
16:57:45.0247 6856  umbus - ok
16:57:45.0250 6856  UmPass - ok
16:57:45.0255 6856  UmRdpService - ok
16:57:45.0258 6856  UNS - ok
16:57:45.0261 6856  upnphost - ok
16:57:45.0272 6856  USBAAPL64 - ok
16:57:45.0277 6856  usbaudio - ok
16:57:45.0280 6856  usbccgp - ok
16:57:45.0300 6856  usbcir - ok
16:57:45.0303 6856  usbehci - ok
16:57:45.0306 6856  usbhub - ok
16:57:45.0309 6856  usbohci - ok
16:57:45.0312 6856  usbprint - ok
16:57:45.0315 6856  USBSTOR - ok
16:57:45.0319 6856  usbuhci - ok
16:57:45.0322 6856  usbvideo - ok
16:57:45.0325 6856  UxSms - ok
16:57:45.0328 6856  VaultSvc - ok
16:57:45.0332 6856  vdrvroot - ok
16:57:45.0335 6856  vds - ok
16:57:45.0351 6856  vflt - ok
16:57:45.0355 6856  vga - ok
16:57:45.0357 6856  VgaSave - ok
16:57:45.0361 6856  vhdmp - ok
16:57:45.0364 6856  viaide - ok
16:57:45.0367 6856  VMAuthdService - ok
16:57:45.0370 6856  vmbus - ok
16:57:45.0374 6856  VMBusHID - ok
16:57:45.0378 6856  vmci - ok
16:57:45.0383 6856  vmkbd - ok
16:57:45.0387 6856  VMnetAdapter - ok
16:57:45.0390 6856  VMnetBridge - ok
16:57:45.0393 6856  VMnetDHCP - ok
16:57:45.0397 6856  VMnetuserif - ok
16:57:45.0401 6856  VMparport - ok
16:57:45.0405 6856  vmusb - ok
16:57:45.0408 6856  VMUSBArbService - ok
16:57:45.0413 6856  VMware NAT Service - ok
16:57:45.0417 6856  vmx86 - ok
16:57:45.0421 6856  vnet - ok
16:57:45.0424 6856  volmgr - ok
16:57:45.0427 6856  volmgrx - ok
16:57:45.0430 6856  volsnap - ok
16:57:45.0442 6856  vpnva - ok
16:57:45.0445 6856  vsmraid - ok
16:57:45.0448 6856  VSPerfDrv100 - ok
16:57:45.0451 6856  VSS - ok
16:57:45.0455 6856  vwifibus - ok
16:57:45.0458 6856  vwififlt - ok
16:57:45.0465 6856  vwifimp - ok
16:57:45.0468 6856  W32Time - ok
16:57:45.0472 6856  W3SVC - ok
16:57:45.0475 6856  WacomPen - ok
16:57:45.0483 6856  WANARP - ok
16:57:45.0487 6856  Wanarpv6 - ok
16:57:45.0491 6856  WAS - ok
16:57:45.0495 6856  WatAdminSvc - ok
16:57:45.0499 6856  wbengine - ok
16:57:45.0502 6856  WbioSrvc - ok
16:57:45.0507 6856  wcncsvc - ok
16:57:45.0511 6856  WcsPlugInService - ok
16:57:45.0514 6856  Wd - ok
16:57:45.0517 6856  Wdf01000 - ok
16:57:45.0521 6856  WdiServiceHost - ok
16:57:45.0524 6856  WdiSystemHost - ok
16:57:45.0527 6856  WebClient - ok
16:57:45.0530 6856  Wecsvc - ok
16:57:45.0533 6856  wercplsupport - ok
16:57:45.0588 6856  WerSvc - ok
16:57:45.0592 6856  WfpLwf - ok
16:57:45.0595 6856  WIMMount - ok
16:57:45.0598 6856  WinDefend - ok
16:57:45.0605 6856  WinHttpAutoProxySvc - ok
16:57:45.0608 6856  Winmgmt - ok
16:57:45.0611 6856  WinRM - ok
16:57:45.0617 6856  WinUsb - ok
16:57:45.0621 6856  Wlansvc - ok
16:57:45.0624 6856  wlidsvc - ok
16:57:45.0628 6856  WmiAcpi - ok
16:57:45.0633 6856  wmiApSrv - ok
16:57:45.0636 6856  WMPNetworkSvc - ok
16:57:45.0639 6856  WPCSvc - ok
16:57:45.0642 6856  WPDBusEnum - ok
16:57:45.0646 6856  ws2ifsl - ok
16:57:45.0649 6856  wscsvc - ok
16:57:45.0652 6856  WSearch - ok
16:57:45.0657 6856  wuauserv - ok
16:57:45.0660 6856  WudfPf - ok
16:57:45.0664 6856  WUDFRd - ok
16:57:45.0667 6856  wudfsvc - ok
16:57:45.0670 6856  WwanSvc - ok
16:57:45.0693 6856  ================ Scan global ===============================
16:57:45.0702 6856  [Global] - ok
16:57:45.0703 6856  ================ Scan MBR ==================================
16:57:45.0709 6856  [ 5C73746B987022A51FD1D12550C35637 ] \Device\Harddisk0\DR0
16:57:46.0523 6856  \Device\Harddisk0\DR0 - ok
16:57:46.0525 6856  ================ Scan VBR ==================================
16:57:46.0525 6856  [ F67FF8E229FE901B35208CBB11286AC1 ] \Device\Harddisk0\DR0\Partition1
16:57:46.0527 6856  \Device\Harddisk0\DR0\Partition1 - ok
16:57:46.0555 6856  [ 4BAFAF1D3E4B4B1B52448F66BF3BB4D4 ] \Device\Harddisk0\DR0\Partition2
16:57:46.0555 6856  \Device\Harddisk0\DR0\Partition2 - ok
16:57:46.0556 6856  ============================================================
16:57:46.0556 6856  Scan finished
16:57:46.0556 6856  ============================================================
16:57:46.0563 8536  Detected object count: 0
16:57:46.0564 8536  Actual detected object count: 0
 
aswMBR version 0.9.9.1707 Copyright© 2011 AVAST Software
Run date: 2013-03-15 16:51:59
-----------------------------
16:51:59.603    OS Version: Windows x64 6.1.7601 Service Pack 1
16:51:59.603    Number of processors: 4 586 0x2A07
16:51:59.603    ComputerName: L07-5YNHLV1  UserName: 601292
16:52:01.068    Initialize success
16:52:43.016    AVAST engine defs: 13031500
16:53:00.564    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
16:53:00.566    Disk 0 Vendor: WDC_WD2500BEKT-75PVMT1 01.01A01 Size: 238475MB BusType: 11
16:53:00.647    Disk 0 MBR read successfully
16:53:00.653    Disk 0 MBR scan
16:53:00.667    Disk 0 unknown MBR code
16:53:00.674    Disk 0 Partition 1 00     DE Dell Utility DELL 4.1       39 MB offset 63
16:53:00.688    Disk 0 Partition 2 80 (A) 07    HPFS/NTFS NTFS          100 MB offset 81920
16:53:00.700    Disk 0 Partition 3 00     07    HPFS/NTFS            238334 MB offset 286720
16:53:00.717    Disk 0 scanning C:\Windows\system32\drivers
16:53:00.723    Service scanning
16:53:51.113    Modules scanning
16:53:51.119    Disk 0 trace - called modules:
16:53:51.122    
16:53:52.405    AVAST engine scan C:\Windows
16:53:52.443    AVAST engine scan C:\Windows\system32
16:53:52.459    AVAST engine scan C:\Windows\system32\drivers
16:53:52.474    AVAST engine scan C:\Users\601292
16:53:52.493    AVAST engine scan C:\ProgramData
16:53:52.501    Scan finished successfully
16:54:58.872    Disk 0 MBR has been saved successfully to "C:\Users\601292\Desktop\MBR.dat"
16:54:58.876    The log file has been saved successfully to "C:\Users\601292\Desktop\aswMBR.txt"
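The two rootkit-scanner logs above (TDSSKiller and aswMBR, requested in post #3) read disk 0 independently, so the useful check is to compare them rather than eyeball several hundred "- ok" lines. The script below is an added example for this thread, not a BleepingComputer or vendor tool. It parses excerpts of the two logs posted above (embedded inline), lists any TDSSKiller entry not marked ok, converts TDSSKiller's hex StartLBA/BlocksNum into the decimal sector offsets and MB sizes that aswMBR prints, and cross-checks the two partition tables. On these logs the NTFS partitions agree exactly (sectors 81920 and 286720; 100 MB and 238334 MB); the only partition TDSSKiller does not list is the 39 MB type 0xDE "Dell Utility" partition that aswMBR shows at sector 63, and aswMBR's "unknown MBR code" sits alongside TDSSKiller's "MBR ok" with the MBR's MD5. Caveat: "unknown MBR code" only means the boot code is not one aswMBR recognises. On a Dell with a utility partition, OEM boot code is a plausible benign cause, but that is an assumption, not something these logs prove; settling it means comparing the saved MBR.dat against a known-good MBR from the same model.

```python
"""Cross-check the TDSSKiller and aswMBR logs posted above (added example for this
thread, not a vendor tool): list anything TDSSKiller did not mark ok, and compare the
partition table each tool read independently from disk 0."""
import re

# Excerpts of the two logs in post #4 (the hundreds of "- ok" service lines are omitted).
TDSSKILLER_LOG = r"""
16:57:37.0041 8452  \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x14000, BlocksNum 0x32000
16:57:37.0041 8452  \Device\Harddisk0\DR0\Partition2: MBR, Type 0x7, StartLBA 0x46000, BlocksNum 0x1D17F170
16:57:42.0196 6856  1394ohci - ok
16:57:43.0425 6856  IBMWAS80Service - L07-FPYLFS1Node01 - ok
16:57:45.0709 6856  [ 5C73746B987022A51FD1D12550C35637 ] \Device\Harddisk0\DR0
16:57:46.0523 6856  \Device\Harddisk0\DR0 - ok
16:57:46.0563 8536  Detected object count: 0
"""
ASWMBR_LOG = r"""
16:53:00.647    Disk 0 MBR read successfully
16:53:00.667    Disk 0 unknown MBR code
16:53:00.674    Disk 0 Partition 1 00     DE Dell Utility DELL 4.1       39 MB offset 63
16:53:00.688    Disk 0 Partition 2 80 (A) 07    HPFS/NTFS NTFS          100 MB offset 81920
16:53:00.700    Disk 0 Partition 3 00     07    HPFS/NTFS            238334 MB offset 286720
16:53:52.501    Scan finished successfully
"""

SECTOR = 512                                       # both logs report 0x200-byte sectors
PREFIX = re.compile(r"^\S+\s+\d+\s+(.*)$")         # TDSSKiller: "<time> <pid>  <body>"
TDSS_PART = re.compile(r"Partition(\d+): MBR, Type 0x([0-9A-Fa-f]+), "
                       r"StartLBA 0x([0-9A-Fa-f]+), BlocksNum 0x([0-9A-Fa-f]+)")
TDSS_HASH = re.compile(r"\[ ([0-9A-Fa-f]{32}) \] (\S+)")
ASW_PART = re.compile(r"Disk (\d+) Partition (\d+) ([0-9A-Fa-f]{2})\s+(?:\(A\)\s+)?"
                      r"([0-9A-Fa-f]{2})\s+(.*?)\s+(\d+) MB offset (\d+)")


def blocks_to_mb(blocks):
    """Sector count -> whole MB, the unit aswMBR prints."""
    return blocks * SECTOR // (1024 * 1024)


def parse_tdsskiller(text):
    """Partitions keyed by start sector, entries not marked ok, and MD5s per device path."""
    parts, not_ok, hashes = {}, [], {}
    for line in text.splitlines():
        m = PREFIX.match(line)
        if not m:
            continue
        body = m.group(1)
        if (p := TDSS_PART.search(body)):
            parts[int(p.group(3), 16)] = {"type": int(p.group(2), 16), "blocks": int(p.group(4), 16)}
        elif (h := TDSS_HASH.search(body)):
            hashes[h.group(2)] = h.group(1).upper()
        elif " - " in body:
            # rsplit, because names can contain " - " themselves (IBMWAS80Service above)
            name, status = body.rsplit(" - ", 1)
            if status.strip().lower() != "ok":
                not_ok.append((name, status.strip()))
    return {"partitions": parts, "not_ok": not_ok, "hashes": hashes}


def parse_aswmbr(text):
    """Partitions keyed by start sector, plus MBR-level remarks such as 'unknown MBR code'."""
    parts, notes = {}, []
    for line in text.splitlines():
        if (m := ASW_PART.search(line)):
            parts[int(m.group(7))] = {"type": int(m.group(4), 16), "bootable": m.group(3) == "80",
                                      "label": m.group(5).strip(), "mb": int(m.group(6))}
        elif "unknown MBR code" in line:
            notes.append(line.split(None, 1)[1].strip())
    return {"partitions": parts, "notes": notes}


def cross_check(tdss, asw):
    """One verdict per start sector: agree / mismatch / seen by only one tool."""
    out = []
    for off in sorted(set(tdss["partitions"]) | set(asw["partitions"])):
        t, a = tdss["partitions"].get(off), asw["partitions"].get(off)
        if t is None:
            status, detail = "aswmbr_only", f"type 0x{a['type']:02X} {a['label']} {a['mb']} MB"
        elif a is None:
            status, detail = "tdss_only", f"type 0x{t['type']:02X} {blocks_to_mb(t['blocks'])} MB"
        else:
            mb = blocks_to_mb(t["blocks"])
            status = "agree" if (t["type"], mb) == (a["type"], a["mb"]) else "mismatch"
            detail = f"TDSSKiller 0x{t['type']:02X} {mb} MB / aswMBR 0x{a['type']:02X} {a['mb']} MB"
        out.append({"offset": off, "status": status, "detail": detail})
    return out


if __name__ == "__main__":
    tdss, asw = parse_tdsskiller(TDSSKILLER_LOG), parse_aswmbr(ASWMBR_LOG)
    print("TDSSKiller not ok:", tdss["not_ok"] or "none")
    print("MBR MD5 (TDSSKiller):", tdss["hashes"].get(r"\Device\Harddisk0\DR0"))
    print("aswMBR notes:", asw["notes"])
    for row in cross_check(tdss, asw):
        print(f"  sector {row['offset']:>7}: {row['status']:<12} {row['detail']}")
```

Run it as-is and the three verdict lines come out as aswmbr_only (sector 63), agree (81920) and agree (286720); a mismatch on either NTFS partition, or a TDSSKiller entry other than ok, is the thing worth chasing. Feeding it the full logs works the same way, since the regexes ignore the service lines that are not partition, hash or status entries.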
 
 


#5 boopme (Global Moderator, 73,166 posts)
Posted 15 March 2013 - 04:15 PM

Now I'd like us to scan your machine with ESET OnlineScan

  • Hold down Control and click on this link to open ESET OnlineScan in a new window.
  • Click the ESET Online Scanner button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives" and "Remove found threats"
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats
  • Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.

NOTE: Sometimes if ESET finds no infections it will not create a log.

Now check to see if Symantec finds it.



#6 caseyjmorton (Topic Starter, Members, 6 posts)
Posted 19 March 2013 - 02:26 PM

ESET completed and didn't find anything. Afterwards I ran Symantec and did a full scan. It didn't come up with anything either, so that seems encouraging, although it wasn't the system scan that was detecting it, it was the real-time scan. The real-time scan hasn't flagged any risks since immediately after I ran the temp file killer, which seems encouraging, but I'm a little baffled because killing the temp files seems to be the only thing that actually made changes to the system. Either way, it's either gone or dormant again, so I can continue on with my life for the moment. I will update if it comes back. Thanks for your help!

 

Casey



#7 boopme (Global Moderator, 73,166 posts)
Posted 19 March 2013 - 08:30 PM

That's because the install file was dumped into the Temp folder and there it wasn't cleaned. That's why I asked you to use TFC. I always do after malware scans and my monthly PC cleanup. I'd say you are good, Casey.



#8 caseyjmorton (Topic Starter, Members, 6 posts)
Posted 20 March 2013 - 10:33 AM

Unfortunately, it just cropped back up this morning. Here is the information in the window from Symantec:

Scan type: Auto-Protect Scan
Event: Risk Found!
Security risk detected: Trojan.Gen
File: C:\Users\601292\AppData\Local\Temp\DWH7326.tmp
Location: C:\Users\601292\AppData\Local\Temp
Computer: L07-5YNHLV1
User: 601292
Action taken: Pending Side Effects Analysis : Access denied
Date found: Wednesday, March 20, 2013  11:32:36 AM
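The alerts in post #1 and post #8 have the same shape: Auto-Protect (the real-time scanner), Trojan.Gen, a freshly named DWHxxxx.tmp in the user's Temp folder, action "Pending Side Effects Analysis : Access denied", repeating for a while and then going quiet, while every on-demand scanner (MBAM, TDSSKiller, aswMBR, ESET, and a full SEP scan) came back clean. The check a practitioner would want before treating that as a rootkit is to parse the alerts and test the pattern explicitly rather than by impression. Outside knowledge, not from the thread: DWH*.tmp files in Temp are the working copies that Symantec's own quarantine rescan writes out when it re-examines quarantined items after a definition update, so a burst of Auto-Protect hits on new DWH*.tmp files that then stops is commonly SEP re-detecting its own quarantine contents. The thread does not confirm that for this machine, so the script only reports the pattern and leaves the verdict to whoever opens SEP's Quarantine view. It is an added example, not Symantec code; the first two alert blocks are the ones posted above, and the remaining three are constructed at 5-second spacing to model the burst post #1 describes.

```python
"""Parse Symantec Endpoint Protection Auto-Protect alerts and test for the DWH*.tmp
detection-loop pattern seen in this thread (added example, not Symantec code)."""
import re
from datetime import datetime

# First two blocks: the alerts posted in #1 and #8. The last three are CONSTRUCTED in the
# same format, 5 seconds apart, to model the burst post #1 describes; they are not real alerts.
SAMPLE_ALERTS = r"""
Scan type: Auto-Protect Scan
Event: Risk Found!
Security risk detected: Trojan.Gen
File: C:\Users\<XXX>\AppData\Local\Temp\DWHFF73.tmp
Location: C:\Users\<XXX>\AppData\Local\Temp
Computer: L07-5YNHLV1
User: 601292
Action taken: Pending Side Effects Analysis : Access denied
Date found: Thursday, March 07, 2013  12:34:30 PM

Scan type: Auto-Protect Scan
Event: Risk Found!
Security risk detected: Trojan.Gen
File: C:\Users\601292\AppData\Local\Temp\DWH7326.tmp
Location: C:\Users\601292\AppData\Local\Temp
Computer: L07-5YNHLV1
User: 601292
Action taken: Pending Side Effects Analysis : Access denied
Date found: Wednesday, March 20, 2013  11:32:36 AM

Security risk detected: Trojan.Gen
File: C:\Users\601292\AppData\Local\Temp\DWH7A01.tmp
Action taken: Pending Side Effects Analysis : Access denied
Date found: Wednesday, March 20, 2013  11:32:41 AM

Security risk detected: Trojan.Gen
File: C:\Users\601292\AppData\Local\Temp\DWH7A02.tmp
Action taken: Pending Side Effects Analysis : Access denied
Date found: Wednesday, March 20, 2013  11:32:46 AM

Security risk detected: Trojan.Gen
File: C:\Users\601292\AppData\Local\Temp\DWH7A03.tmp
Action taken: Pending Side Effects Analysis : Access denied
Date found: Wednesday, March 20, 2013  11:32:51 AM
"""

KEYS = {"Scan type": "scan_type", "Event": "event", "Security risk detected": "risk", "File": "file",
        "Location": "location", "Computer": "computer", "User": "user", "Action taken": "action",
        "Date found": "date_found"}
DATE_FMT = "%A, %B %d, %Y %I:%M:%S %p"          # "Thursday, March 07, 2013 12:34:30 PM"
# A DWH + hex-digit temp file directly under the profile's Local\Temp: the shape of both alerts.
DWH_TEMP = re.compile(r"\\AppData\\Local\\Temp\\DWH[0-9A-F]{1,4}\.tmp$", re.IGNORECASE)


def parse_sep_alerts(text):
    """Split pasted alert text on blank lines; each block becomes one dict."""
    alerts = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")     # first colon only: paths and times keep theirs
            if sep and key.strip() in KEYS:
                rec[KEYS[key.strip()]] = value.strip()
        if "date_found" in rec:                       # SEP pads the date with a double space
            rec["date_found"] = datetime.strptime(" ".join(rec["date_found"].split()), DATE_FMT)
        alerts.append(rec)
    return alerts


def is_dwh_temp(path):
    return DWH_TEMP.search(path) is not None


def find_bursts(alerts, max_gap_s=10, min_count=3):
    """Runs of at least min_count alerts whose consecutive gaps are at most max_gap_s seconds."""
    times = sorted(a["date_found"] for a in alerts if "date_found" in a)
    bursts, run = [], times[:1]
    for prev, cur in zip(times, times[1:]):
        if (cur - prev).total_seconds() <= max_gap_s:
            run.append(cur)
            continue
        if len(run) >= min_count:
            bursts.append({"start": run[0], "end": run[-1], "count": len(run)})
        run = [cur]
    if len(run) >= min_count:
        bursts.append({"start": run[0], "end": run[-1], "count": len(run)})
    return bursts


def triage(alerts):
    """Facts plus one heuristic flag; the flag means 'check SEP's quarantine first', not 'benign'."""
    bursts = find_bursts(alerts)
    all_dwh = bool(alerts) and all(is_dwh_temp(a.get("file", "")) for a in alerts)
    return {"risks": sorted({a.get("risk", "?") for a in alerts}), "all_dwh_temp": all_dwh,
            "bursts": bursts, "dwh_loop": all_dwh and bool(bursts)}


if __name__ == "__main__":
    for k, v in triage(parse_sep_alerts(SAMPLE_ALERTS)).items():
        print(f"{k}: {v}")
```

The only heuristic is `dwh_loop`: every alerted file is a DWH*.tmp under Local\Temp and at least one burst of closely spaced alerts exists. A genuine dropper would normally show up with a non-DWH name somewhere (the original path the quarantined copy came from, or the process that wrote it), so a list in which nothing but DWH*.tmp files appear points at the quarantine rescan and is worth confirming in SEP's Quarantine view before more rootkit scanning.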




