Symantec Shield Appears on Task Bar when Launching Citrix



#1 mudbone62 (Members, 3 posts)

Posted 28 September 2013 - 11:19 AM

....also, a writing pen shows up as well; the one from one of those Windows apps I always disable when I reinstall my system, text services or some such.

 

And then they replicate their icons multiple times.

 

I don't have Symantec installed. When you click the icon, the panel that opens looks very realistic and even has sub-panels, and although there are no obvious clues that it is a virus, like a skull & crossbones, you know it is a sham.

 

I do not believe it came through Citrix but probably when I downloaded 'Free Video Rotation' software. I got it off Cnet, but it loaded multiple crap apps and it all went downhill from there.

 

I have re-imaged my C drive but it reappears. It must have jumped my network as well because it got on both of my PCs.

 

Also, I do use multiple partitions. This is the first time re-imaging C has not cleaned a virus out for me. I have run multiple spyware/malware tools from safe mode.

 

I am leaving one PC off, and the network unplugged while I work on this one. I am not attaching the attach.txt as a zip until told to do so, per the instructions.

 

Thanks, Jim

-------------------------------------------------------------------------------------------------------------------------

 

DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 10.0.9200.16686
Run by Jim at 9:51:39 on 2013-09-28
Microsoft Windows 7 Professional   6.1.7601.1.1252.1.1033.18.12279.10015 [GMT -6:00]
.
AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {ADA629C7-7F48-5689-624A-3B76997E0892}
SP: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {16C7C823-5972-5907-58FA-0004E2F9422F}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 




#2 nasdaq (Malware Response Team, 38,762 posts, Montreal, QC, Canada)

Posted 02 October 2013 - 10:00 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the Report button and the report will open in Notepad.
IMPORTANT
  • If you click the Clean button all items listed in the report will be removed.
If you find some false positive items or programs that you wish to keep, close the AdwCleaner window.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Check off the element(s) you wish to keep.
  • Click on the Clean button and follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleaner[Sn].txt (n is a number).
Please download Junkware Removal Tool to your Desktop.
  • Please close your security software to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista or 7, right-mouse click it and select Run as administrator.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete, depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your Desktop and will automatically open.
  • Please post the contents of JRT.txt into your reply.
===

Please download ComboFix from any of the links below, and save it to your desktop. For information regarding this download, please visit this web page: Tutorial
Link 1
Link 2

IMPORTANT !!! Save ComboFix.exe to your Desktop

1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
3. Do not install any other programs until this is fixed.


How to : Disable Anti-virus and Firewall...
http://www.bleepingcomputer.com/forums/topic114351.html

Double click on ComboFix.exe and follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt
Note: Do not mouse click ComboFix's window while it's running. That may cause it to stall.

Note: If you have difficulty properly disabling your protective programs, refer to this link --> http://www.bleepingcomputer.com/forums/topic114351.html

Note: If after running ComboFix you get this error message "Illegal operation attempted on a registry key that has been marked for deletion." when attempting to run a program all you need to do is restart the computer to reset the registry.
===

Please paste the logs in your next reply DO NOT ATTACH THEM.
Let me know what problem persists.

#3 mudbone62 (Topic Starter, Members, 3 posts)

Posted 02 October 2013 - 07:12 PM

Solved, but thank you for replying Nasdaq!

 

It turns out my IT group had been doing Citrix upgrades and had not disabled a ton of things and/or just had wacky settings set.

 

I guess I am the only one that logged in over a 1.5 week span and noticed this, and they did not test it?

 

So yes, it was not a virus, but I am sure those of you that have experienced viruses and the odd activity they can create may have felt the same. Log in to Citrix and it starts auto-starting multiple remote sessions, with Symantec shields and language services icons replicating over and over in my task bar.

 

I finally realized the virus must be coming from my work PC, because I had cleaned the hell out of my home ones... so I pursued it there. And we remoted in from another work PC and BAM! Same thing. Problem solved.



#4 nasdaq (Malware Response Team, 38,762 posts, Montreal, QC, Canada)

Posted 03 October 2013 - 07:49 AM

Thank you for the feedback.

#5 nasdaq (Malware Response Team, 38,762 posts, Montreal, QC, Canada)

Posted 03 October 2013 - 07:49 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.



