TechSpot

Can't get rid of armdl.adobe.com svchost virus

By caydee
Jan 17, 2011
  1. Hi there

    A few days ago, my AVG internet security started displaying a virus notification every five minutes:
    armdl.adobe.com/pub/adobe/reader/win/9x/9.4.0/en_US/AdbeRdr940_en_US.msi
    Virus found LOP
    Process name: C:\Windows\system32\svchost.eve
    Process ID: 1176 (this changes)

    AVG as well as ESET (installed after it started appearing) pick up nothing. Nor does Malwarebytes. I followed your 8 step program and here are my logs:

    MALWAREBYTES:

    Malwarebytes' Anti-Malware 1.50.1.1100
    www.malwarebytes.org

    Database version: 5542

    Windows 6.1.7600
    Internet Explorer 8.0.7600.16385

    1/17/2011 21:54:40
    mbam-log-2011-01-17 (21-54-40).txt

    Scan type: Quick scan
    Objects scanned: 155673
    Time elapsed: 4 minute(s), 4 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)

    GMER:

    GMER 1.0.15.15530 - http://www.gmer.net
    Rootkit scan 2011-01-17 21:31:56
    Windows 6.1.7600
    Running: 15qtyh2t.exe


    ---- Registry - GMER 1.0.15 ----

    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s1 771343423
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s2 285507792
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files (x86)\Alcohol Soft\Alcohol 120\
    Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files (x86)\Alcohol Soft\Alcohol 120\

    ---- EOF - GMER 1.0.15 ----

    DDS:


    DDS (Ver_10-12-12.02) - NTFS_AMD64
    Run by Caitlin at 21:55:21.47 on Mon 01/17/2011
    Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_23
    Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.2038.816 [GMT 2:00]

    AV: ESET NOD32 Antivirus 4.2 *Enabled/Updated* {77DEAFED-8149-104B-25A1-21771CA47CD1}
    AV: AVG Internet Security *Enabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
    SP: ESET NOD32 Antivirus 4.2 *Enabled/Updated* {CCBF4E09-A773-1FC5-1F11-1A056723366C}
    SP: AVG Internet Security *Enabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    FW: AVG Firewall *Enabled* {621CC794-9486-F902-D092-0484E8EA828B}

    ============== Running Processes ===============

    C:\Windows\system32\wininit.exe
    C:\Program Files (x86)\AVG\AVG9\avgchsva.exe
    C:\Program Files (x86)\AVG\AVG9\avgrsa.exe
    C:\Windows\system32\lsm.exe
    C:\Program Files (x86)\AVG\AVG9\avgcsrva.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k RPCSS
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\WUDFHost.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\System32\spoolsv.exe
    C:\Program Files (x86)\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files (x86)\AVG\AVG9\avgwdsvc.exe
    C:\Program Files (x86)\AVG\AVG9\avgfws9.exe
    C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe
    C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcSrv.exe
    C:\Windows\system32\sppsvc.exe
    C:\Program Files (x86)\Common Files\Logishrd\LVMVFM\LVPrS64H.exe
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Program Files (x86)\TeamViewer\Version5\TeamViewer_Service.exe
    C:\Program Files (x86)\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe
    C:\Program Files (x86)\AVG\AVG9\avgemc.exe
    C:\Program Files (x86)\AVG\AVG9\avgam.exe
    C:\Program Files (x86)\AVG\AVG9\avgnsa.exe
    C:\Program Files (x86)\AVG\AVG9\avgcsrvx.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Windows\system32\taskhost.exe
    C:\Windows\System32\igfxpers.exe
    C:\Windows\WindowsMobile\wmdc.exe
    C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
    C:\Windows\system32\igfxsrvc.exe
    C:\Program Files (x86)\Skype\Phone\Skype.exe
    C:\Users\Caitlin\AppData\Roaming\Google\Google Talk\googletalk.exe
    C:\Windows\system32\svchost.exe -k WindowsMobile
    C:\Program Files (x86)\McAfee Security Scan\2.0.181\SSScheduler.exe
    C:\Users\Caitlin\AppData\Local\Google\Update\1.2.183.39\GoogleCrashHandler.exe
    C:\Program Files (x86)\AVG\AVG9\avgtray.exe
    C:\Program Files (x86)\Vodafone\Vodafone Mobile Connect\Bin\MobileConnect.exe
    C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
    C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe
    C:\Program Files (x86)\Logitech\LWS\Webcam Software\CameraHelperShell.exe
    C:\Program Files (x86)\Common Files\Logishrd\LQCVFX\COCIManager.exe
    C:\Program Files (x86)\AVG\AVG9\Identity Protection\agent\bin\avgidsmonitor.exe
    C:\Windows\system32\conhost.exe
    C:\Windows\system32\SearchIndexer.exe
    C:\Program Files (x86)\Skype\Plugin Manager\skypePM.exe
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Windows\System32\mobsync.exe
    C:\Windows\System32\svchost.exe -k LocalServicePeerNet
    C:\Program Files (x86)\AVG\AVG9\avgcsrva.exe
    C:\Program Files (x86)\Logitech\LWS\LU\LULnchr.exe
    C:\Program Files (x86)\Logitech\LWS\LU\LogitechUpdate.exe
    C:\Windows\system32\wuauclt.exe
    C:\Users\Caitlin\Desktop\dds.scr
    C:\Windows\system32\conhost.exe

    ============== Pseudo HJT Report ===============

    uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - C:\Program Files (x86)\AVG\AVG9\Toolbar\IEToolbar.dll
    mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - C:\Program Files (x86)\AVG\AVG9\Toolbar\IEToolbar.dll
    mWinlogon: Userinit=userinit.exe
    BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - C:\Program Files (x86)\AVG\AVG9\Toolbar\IEToolbar.dll
    BHO: Skype add-on for Internet Explorer: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
    TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - C:\Program Files (x86)\AVG\AVG9\Toolbar\IEToolbar.dll
    TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
    uRun: [msnmsgr] "C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe" /background
    uRun: [Skype] "C:\Program Files (x86)\Skype\Phone\Skype.exe" /nosplash /minimized
    uRun: [googletalk] C:\Users\Caitlin\AppData\Roaming\Google\Google Talk\googletalk.exe /autostart
    uRun: [Google Update] "C:\Users\Caitlin\AppData\Local\Google\Update\GoogleUpdate.exe" /c
    uRun: [Logitech Vid HD] "C:\Program Files (x86)\Logitech\Vid\vid.exe" -bootmode
    mRun: [AVG9_TRAY] C:\PROGRA~2\AVG\AVG9\avgtray.exe
    mRun: [MobileConnect] C:\Program Files (x86)\Vodafone\Vodafone Mobile Connect\Bin\MobileConnect.exe /silent
    mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
    mRun: [LWS] C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe -hide
    mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
    mRunOnce: [Malwarebytes' Anti-Malware] C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
    StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\MCAFEE~1.LNK - C:\Program Files (x86)\McAfee Security Scan\2.0.181\SSScheduler.exe
    mPolicies-explorer: NoActiveDesktop = 1 (0x1)
    mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
    mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
    mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE/3000
    IE: {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files (x86)\Silver Sands Poker\GameClient.exe
    IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBC} - C:\Program Files (x86)\Java\jre6\bin\jp2iexp.dll
    IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
    IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
    IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~1\Office12\REFIEBAR.DLL
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
    Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - C:\Program Files (x86)\AVG\AVG9\Toolbar\IEToolbar.dll
    Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files (x86)\AVG\AVG9\avgpp.dll
    Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
    BHO-X64: AVG Safe Search: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files (x86)\AVG\AVG9\avgssiea.dll
    BHO-X64: WormRadar.com IESiteBlocker.NavFilter - No File
    TB-X64: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
    TB-X64: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
    mRun-x64: [IgfxTray] C:\Windows\system32\igfxtray.exe
    mRun-x64: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
    mRun-x64: [Persistence] C:\Windows\system32\igfxpers.exe
    mRun-x64: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe
    mRun-x64: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
    AppInit_DLLs-X64: avgrssta.dll

    ================= FIREFOX ===================

    FF - ProfilePath - C:\Users\Caitlin\AppData\Roaming\Mozilla\Firefox\Profiles\acrpqnig.default\
    FF - component: C:\Program Files (x86)\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}\components\SkypeFfComponent.dll
    FF - plugin: C:\Program Files (x86)\Common Files\Research In Motion\BBWebSLLauncher\NPWebSLLauncher.dll
    FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: C:\Users\Caitlin\AppData\Local\Google\Update\1.2.183.39\npGoogleOneClick8.dll
    FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - C:\Program Files (x86)\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
    FF - Ext: Skype extension for Firefox: {AB2CE124-6272-4b12-94A9-7303C7397BD1} - C:\Program Files (x86)\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}

    ============= SERVICES / DRIVERS ===============

    R0 AVGIDSErHrw7a;AVG9IDSErHr;C:\Windows\System32\drivers\AVGIDSwa.sys [2010-5-1 27216]
    R0 AvgRkx64;avgrkx64.sys;C:\Windows\System32\drivers\avgrkx64.sys [2010-5-1 56008]
    R1 Avgfwfd;AVG network filter service;C:\Windows\System32\drivers\avgfwd6a.sys [2010-5-1 29976]
    R1 AvgLdx64;AVG AVI Loader Driver x64;C:\Windows\System32\drivers\avgldx64.sys [2010-5-1 269904]
    R1 AvgMfx64;AVG On-access Scanner Minifilter Driver x64;C:\Windows\System32\drivers\avgmfx64.sys [2010-5-1 35536]
    R1 AvgTdiA;AVG Network Redirector x64;C:\Windows\System32\drivers\avgtdia.sys [2010-5-1 317520]
    R2 avg9emc;AVG E-mail Scanner;C:\Program Files (x86)\AVG\AVG9\avgemc.exe [2010-6-22 921952]
    R2 avg9wd;AVG WatchDog;C:\Program Files (x86)\AVG\AVG9\avgwdsvc.exe [2010-6-22 308136]
    R2 avgfws9;AVG Firewall;C:\Program Files (x86)\AVG\AVG9\avgfws9.exe [2010-6-22 2331544]
    R2 AVGIDSAgent;AVG9IDSAgent;C:\Program Files (x86)\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe [2010-6-22 5897808]
    R2 eamonm;eamonm;C:\Windows\System32\drivers\eamonm.sys [2010-9-3 170104]
    R2 ekrn;ESET Service;C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe [2010-11-4 810144]
    R2 epfwwfpr;epfwwfpr;C:\Windows\System32\drivers\epfwwfpr.sys [2010-7-29 126320]
    R2 LVPrcS64;Process Monitor;C:\Program Files\Common Files\logishrd\LVMVFM\LVPrcSrv.exe [2010-5-7 197976]
    R2 TeamViewer5;TeamViewer 5;C:\Program Files (x86)\TeamViewer\Version5\TeamViewer_Service.exe [2010-4-16 173352]
    R3 AVGIDSDriverw7a;AVG9IDSDriver;C:\Program Files (x86)\AVG\AVG9\Identity Protection\Agent\Driver\Platform_WIN764\AVGIDSDriver.sys [2010-5-1 132688]
    R3 AVGIDSFilterw7a;AVG9IDSFilter;C:\Program Files (x86)\AVG\AVG9\Identity Protection\Agent\Driver\Platform_WIN764\AVGIDSFilter.sys [2010-5-1 35920]
    R3 LVPr2M64;Logitech LVPr2M64 Driver;C:\Windows\System32\drivers\LVPr2M64.sys [2010-5-7 30304]
    R3 netw5v64;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;C:\Windows\System32\drivers\netw5v64.sys [2009-6-10 5434368]
    R3 SrvHsfHDA;SrvHsfHDA;C:\Windows\System32\drivers\VSTAZL6.SYS [2009-7-14 292864]
    R3 SrvHsfV92;SrvHsfV92;C:\Windows\System32\drivers\VSTDPV6.SYS [2009-7-14 1485312]
    R3 SrvHsfWinac;SrvHsfWinac;C:\Windows\System32\drivers\VSTCNXT6.SYS [2009-7-14 740864]
    S2 StarWindServiceAE;StarWind AE Service;C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe [2009-12-23 370688]
    S3 AVG Security Toolbar Service;AVG Security Toolbar Service;C:\Program Files (x86)\AVG\AVG9\Toolbar\ToolbarBroker.exe [2010-10-26 517448]
    S3 LVUVC64;Logitech Webcam 120(UVC);C:\Windows\System32\drivers\lvuvc64.sys [2010-7-27 6465632]
    S3 McComponentHostService;McAfee Security Scan Component Host Service;C:\Program Files (x86)\McAfee Security Scan\2.0.181\McCHSvc.exe [2010-1-15 227232]
    S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\System32\drivers\usbaapl64.sys [2010-4-19 50688]

    =============== Created Last 30 ================

    2011-01-17 19:47:04 -------- d-----w- C:\Users\Caitlin\AppData\Roaming\Malwarebytes
    2011-01-17 19:46:57 38224 ----a-w- C:\Windows\SysWow64\drivers\mbamswissarmy.sys
    2011-01-17 19:46:56 -------- d-----w- C:\PROGRA~3\Malwarebytes
    2011-01-17 19:46:53 24152 ----a-w- C:\Windows\System32\drivers\mbam.sys
    2011-01-17 19:46:53 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
    2011-01-16 17:08:37 388096 ----a-r- C:\Users\Caitlin\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
    2011-01-16 17:08:34 -------- d-----w- C:\Program Files (x86)\Trend Micro
    2011-01-12 09:34:45 3124224 ----a-w- C:\Windows\System32\win32k.sys
    2011-01-12 09:32:45 720896 ----a-w- C:\Windows\System32\odbc32.dll
    2011-01-12 09:31:42 954752 ----a-w- C:\Windows\SysWow64\mfc40.dll
    2011-01-12 09:30:38 516096 ----a-w- C:\Program Files\Windows Mail\wab.exe
    2011-01-12 09:30:38 516096 ----a-w- C:\Program Files (x86)\Windows Mail\wab.exe
    2011-01-12 09:30:38 35328 ----a-w- C:\Program Files\Windows Mail\wabfind.dll
    2011-01-12 09:30:37 463360 ----a-w- C:\Windows\System32\drivers\srv.sys
    2011-01-12 09:30:37 402944 ----a-w- C:\Windows\System32\drivers\srv2.sys
    2011-01-12 09:30:37 236032 ----a-w- C:\Windows\System32\srvsvc.dll
    2011-01-12 09:30:36 9728 ----a-w- C:\Windows\SysWow64\sscore.dll
    2011-01-12 09:30:36 161792 ----a-w- C:\Windows\System32\drivers\srvnet.sys
    2011-01-12 09:30:35 112000 ----a-w- C:\Windows\System32\consent.exe
    2011-01-12 09:18:39 -------- d-----w- C:\Program Files\ESET
    2011-01-12 08:21:07 691 ----a-w- C:\Users\Caitlin\AppData\Roaming\GetValue.vbs
    2011-01-12 08:21:07 35 ----a-w- C:\Users\Caitlin\AppData\Roaming\SetValue.bat
    2011-01-12 08:21:07 2130 ----a-w- C:\Windows\SysWow64\tmp.reg
    2010-12-30 15:44:52 176488 ----a-w- C:\PROGRA~3\Microsoft\Windows\Sqm\Manifest\Sqm10136.bin

    ==================== Find3M ====================

    2010-12-06 11:41:44 720896 ----a-w- C:\Windows\iun6002.exe
    2010-11-12 16:53:06 472808 ----a-w- C:\Windows\SysWow64\deployJava1.dll
    2010-11-04 06:35:53 1194496 ----a-w- C:\Windows\System32\wininet.dll
    2010-11-04 06:31:34 57856 ----a-w- C:\Windows\System32\licmgr10.dll
    2010-11-04 05:52:17 978944 ----a-w- C:\Windows\SysWow64\wininet.dll
    2010-11-04 05:48:36 44544 ----a-w- C:\Windows\SysWow64\licmgr10.dll
    2010-11-04 05:16:14 482816 ----a-w- C:\Windows\System32\html.iec
    2010-11-04 04:41:26 386048 ----a-w- C:\Windows\SysWow64\html.iec
    2010-11-04 04:35:37 1638912 ----a-w- C:\Windows\System32\mshtml.tlb
    2010-11-04 04:08:54 1638912 ----a-w- C:\Windows\SysWow64\mshtml.tlb
    2010-11-02 05:18:17 524288 ----a-w- C:\Windows\System32\wmicmiplugin.dll
    2010-11-02 05:17:38 473600 ----a-w- C:\Windows\System32\taskcomp.dll
    2010-11-02 05:17:38 1169408 ----a-w- C:\Windows\System32\taskschd.dll
    2010-11-02 05:16:53 1114624 ----a-w- C:\Windows\System32\schedsvc.dll
    2010-11-02 05:10:47 464384 ----a-w- C:\Windows\System32\taskeng.exe
    2010-11-02 05:10:32 285696 ----a-w- C:\Windows\System32\schtasks.exe
    2010-11-02 04:40:36 496128 ----a-w- C:\Windows\SysWow64\taskschd.dll
    2010-11-02 04:40:36 305152 ----a-w- C:\Windows\SysWow64\taskcomp.dll
    2010-11-02 04:34:44 192000 ----a-w- C:\Windows\SysWow64\taskeng.exe
    2010-11-02 04:34:33 179712 ----a-w- C:\Windows\SysWow64\schtasks.exe
    2010-10-27 05:06:22 2048 ----a-w- C:\Windows\System32\tzres.dll
    2010-10-27 04:32:36 2048 ----a-w- C:\Windows\SysWow64\tzres.dll
    2010-10-26 07:24:47 114688 ----a-w- C:\Windows\keymail.dll
    2010-10-20 05:20:01 46080 ----a-w- C:\Windows\System32\atmlib.dll
    2010-10-20 04:54:18 34304 ----a-w- C:\Windows\SysWow64\atmlib.dll
    2010-10-20 03:05:46 367104 ----a-w- C:\Windows\System32\atmfd.dll
    2010-10-20 02:58:41 294400 ----a-w- C:\Windows\SysWow64\atmfd.dll

    ============= FINISH: 21:56:53.97 ===============

    ATTACH:


    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_10-12-12.02)

    Microsoft Windows 7 Ultimate
    Boot Device: \Device\HarddiskVolume1
    Install Date: 5/1/2010 13:37:31
    System Uptime: 1/17/2011 21:32:49 (0 hours ago)

    Motherboard: Dell Inc. | | 0KU184
    Processor: Intel(R) Core(TM)2 Duo CPU T7100 @ 1.80GHz | Microprocessor | 1782/200mhz

    ==== Disk Partitions =========================

    C: is FIXED (NTFS) - 75 GiB total, 17.759 GiB free.
    D: is CDROM (CDFS)

    ==== Disabled Device Manager Items =============

    ==== System Restore Points ===================

    RP98: 1/16/2011 19:52:07 - Removed Rapport
    RP99: 1/16/2011 19:53:46 - Removed QuickTime
    RP100: 1/17/2011 15:52:56 - Installed Java(TM) 6 Update 23

    ==== Installed Programs ======================

    µTorrent
    Adobe Flash Player 10 Plugin
    Advertising Center
    Apple Application Support
    Apple Software Update
    AVG 9.0
    BlackBerry Desktop Software 6.0
    BlackBerry Device Manager 6.0
    CameraHelperMsi
    erLT
    Google Chrome
    Google Talk (remove only)
    GTK+ Runtime 2.14.7 rev a (remove only)
    HiJackThis
    IrfanView (remove only)
    Java Auto Updater
    Java(TM) 6 Update 23
    LiveUpdate 3.3 (Symantec Corporation)
    Logitech Webcam Software
    LWS Facebook
    LWS Gallery
    LWS Help_main
    LWS Launcher
    LWS Pictures And Video
    LWS Video Mask Maker
    LWS Webcam Software
    LWS WLM Plugin
    LWS YouTube Plugin
    Malwarebytes' Anti-Malware
    McAfee Security Scan Plus
    Microsoft Office 2007 Service Pack 2 (SP2)
    Microsoft Office Access MUI (English) 2007
    Microsoft Office Access Setup Metadata MUI (English) 2007
    Microsoft Office Enterprise 2007
    Microsoft Office Excel MUI (English) 2007
    Microsoft Office Groove MUI (English) 2007
    Microsoft Office Groove Setup Metadata MUI (English) 2007
    Microsoft Office InfoPath MUI (English) 2007
    Microsoft Office OneNote MUI (English) 2007
    Microsoft Office Outlook MUI (English) 2007
    Microsoft Office PowerPoint MUI (English) 2007
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (Spanish) 2007
    Microsoft Office Proofing (English) 2007
    Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
    Microsoft Office Publisher MUI (English) 2007
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office Word MUI (English) 2007
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Mozilla Firefox (3.6.13)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    Nero 9 Lite
    Nero ControlCenter
    Nero Installer
    Nero Online Upgrade
    Nero StartSmart
    neroxml
    NoteTab Light 5 (Remove only)
    Security Update for 2007 Microsoft Office System (KB2288621)
    Security Update for 2007 Microsoft Office System (KB2288931)
    Security Update for 2007 Microsoft Office System (KB2289158)
    Security Update for 2007 Microsoft Office System (KB2344875)
    Security Update for 2007 Microsoft Office System (KB2345043)
    Security Update for 2007 Microsoft Office System (KB969559)
    Security Update for 2007 Microsoft Office System (KB976321)
    Security Update for Microsoft Office Access 2007 (KB979440)
    Security Update for Microsoft Office Excel 2007 (KB2345035)
    Security Update for Microsoft Office InfoPath 2007 (KB979441)
    Security Update for Microsoft Office PowerPoint 2007 (KB982158)
    Security Update for Microsoft Office PowerPoint Viewer (KB2413381)
    Security Update for Microsoft Office Publisher 2007 (KB2284697)
    Security Update for Microsoft Office system 2007 (972581)
    Security Update for Microsoft Office system 2007 (KB974234)
    Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
    Security Update for Microsoft Office Word 2007 (KB2344993)
    Skype Toolbars
    Skype™ 4.2
    Striata Reader
    TeamViewer 5
    Update for 2007 Microsoft Office System (KB2284654)
    Update for 2007 Microsoft Office System (KB967642)
    Update for Microsoft Office 2007 Help for Common Features (KB963673)
    Update for Microsoft Office Access 2007 Help (KB963663)
    Update for Microsoft Office Excel 2007 Help (KB963678)
    Update for Microsoft Office Infopath 2007 Help (KB963662)
    Update for Microsoft Office OneNote 2007 (KB980729)
    Update for Microsoft Office OneNote 2007 Help (KB963670)
    Update for Microsoft Office Outlook 2007 (KB2412171)
    Update for Microsoft Office Outlook 2007 Help (KB963677)
    Update for Microsoft Office Powerpoint 2007 Help (KB963669)
    Update for Microsoft Office Publisher 2007 Help (KB963667)
    Update for Microsoft Office Script Editor Help (KB963671)
    Update for Microsoft Office Word 2007 Help (KB963665)
    Update for Outlook 2007 Junk Email Filter (KB2483110)
    VirtualCloneDrive
    Visual C++ 8.0 Runtime Setup Package (x64)
    Vodafone Mobile Connect
    VoiceOver Kit
    WinAce Archiver
    Windows Live Sign-in Assistant
    Windows Live Upload Tool

    ==== Event Viewer Messages From Past Week ========

    1/17/2011 20:32:48, Error: Service Control Manager [7034] - The AVG9IDSAgent service terminated unexpectedly. It has done this 1 time(s).
    1/17/2011 17:22:54, Error: Microsoft-Windows-HAL [12] - The platform firmware has corrupted memory across the previous system power transition. Please check for updated firmware for your system.
    1/17/2011 00:09:35, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Vodafone Mobile Connect Service service to connect.
    1/16/2011 19:16:35, Error: Service Control Manager [7001] - The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error: The dependency service or group failed to start.
    1/16/2011 19:16:35, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}
    1/16/2011 19:16:35, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
    1/16/2011 19:16:35, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netprofm with arguments "" in order to run the server: {A47979D2-C419-11D9-A5B4-001185AD2B89}
    1/16/2011 19:16:35, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netman with arguments "" in order to run the server: {BA126AD1-2166-11D1-B1D0-00805FC1270E}
    1/16/2011 19:16:32, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    1/16/2011 19:16:24, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}
    1/16/2011 19:16:14, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD Avgfwfd AvgLdx64 AvgMfx64 AvgTdiA CSC DfsC discache ehdrv ElbyCDIO NetBIOS NetBT nsiproxy Psched rdbss spldr sptd tdx Wanarpv6 WfpLwf
    1/16/2011 19:16:14, Error: Service Control Manager [7001] - The Workstation service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
    1/16/2011 19:16:14, Error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the Ancillary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.
    1/16/2011 19:16:14, Error: Service Control Manager [7001] - The SMB MiniRedirector Wrapper and Engine service depends on the Redirected Buffering Sub Sysytem service which failed to start because of the following error: A device attached to the system is not functioning.
    1/16/2011 19:16:14, Error: Service Control Manager [7001] - The SMB 2.0 MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.
    1/16/2011 19:16:14, Error: Service Control Manager [7001] - The SMB 1.x MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.
    1/16/2011 19:16:14, Error: Service Control Manager [7001] - The Network Store Interface Service service depends on the NSI proxy service driver. service which failed to start because of the following error: A device attached to the system is not functioning.
    1/16/2011 19:16:14, Error: Service Control Manager [7001] - The Network Location Awareness service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
    1/16/2011 19:16:14, Error: Service Control Manager [7001] - The IP Helper service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
    1/16/2011 19:16:14, Error: Service Control Manager [7001] - The DNS Client service depends on the NetIO Legacy TDI Support Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    1/16/2011 19:16:14, Error: Service Control Manager [7001] - The DHCP Client service depends on the Ancillary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.
    1/16/2011 19:15:47, Error: sptd [4] - Driver detected an internal error in its data structures for .
    1/16/2011 18:58:41, Error: Microsoft-Windows-WER-SystemErrorReporting [1001] - The computer has rebooted from a bugcheck. The bugcheck was: 0x000000c2 (0x0000000000000007, 0x0000000000001097, 0x0000000000000000, 0xfffff8a00941e010). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 011611-27097-01.
    1/13/2011 16:42:52, Error: Server [2505] - The server could not bind to the transport \Device\NetBT_Tcpip_{0C9CD892-B0C2-4226-A056-69A41939A969} because another computer on the network has the same name. The server could not start.
    1/13/2011 08:20:01, Error: Service Control Manager [7022] - The Windows Search service hung on starting.
    1/13/2011 08:16:55, Error: volsnap [36] - The shadow copies of volume C: were aborted because the shadow copy storage could not grow due to a user imposed limit.
    1/12/2011 13:14:30, Error: Microsoft-Windows-WER-SystemErrorReporting [1001] - The computer has rebooted from a bugcheck. The bugcheck was: 0x000000c2 (0x0000000000000007, 0x0000000000001097, 0x0000000000000000, 0xfffffa8001ebd010). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 011211-40638-01.
    1/12/2011 13:03:43, Error: Microsoft-Windows-WER-SystemErrorReporting [1001] - The computer has rebooted from a bugcheck. The bugcheck was: 0x00000019 (0x0000000000000022, 0xfffffa8000000000, 0x0000000000000000, 0x0000000000000000). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 011211-42713-01.
    1/12/2011 10:17:18, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD Avgfwfd AvgLdx64 AvgMfx64 AvgTdiA CSC DfsC discache ElbyCDIO NetBIOS NetBT nsiproxy Psched rdbss spldr sptd tdx Wanarpv6 WfpLwf
    1/12/2011 09:48:51, Error: Service Control Manager [7023] - The Windows Modules Installer service terminated with the following error: The configuration registry database is corrupt.
    1/10/2011 16:53:16, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the TeamViewer5 service.

    ==== End Of File ===========================

    Please help :)
     
  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Welcome to TechSpot! I'll help you find the cause of the problem.

    First thing you must do though is remove one of the 3 antivirus programs you have running.
    AVG
    EsetNod32
    McAfee

    Having multiple AV programs-and firewalls will make your system more vulnerable. I will have you do an online Eset scan later. Here are tools to help with removal of program you don't want to keep:

    1. AVG Remover:64 bit
    AVG Remover eliminates all the parts of your AVG installation from your computer, including registry items, installation files, user files, etc.
    Note: You will be asked during the removal procedure to restart your computer. Please do so.
    Make sure there is no open work in process prior to launching AVG Remover.
    2. Eset Nod32 Uninstall
    3. McAfee Removal
    Please reboot the computer when finished.
    ===============================================
    Note: To run the following Combofix scan, you will be required to uninstall AVG. The program will not run otherwise and there is no way to disable all of the processes. I recommend that you remove AVG and McAfee and keep Eset Nod32- the latter is the better of the programs in my opinion.
    ================================================
    Download Combofix to your desktop from one of these locations:
    Link 1
    Link 2
    • Double click combofix.exe & follow the prompts.
    • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    • Query- Recovery Console image
      [​IMG]
    • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
      [​IMG]
    • .Click on Yes, to continue scanning for malware
    • .If Combofix asks you to update the program, allow
    • .Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • .Close any open browsers.
    • .Double click combofix.exe[​IMG] & follow the prompts to run.
    • When the scan completes it will open a text window. Please paste that log in your next reply.
    Notes:
    1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
    3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
    4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
    =========================================
    armdl.adobe.com is the Domain name for NTT-COMMUNICATIONS-2914 - NTT America, Inc.
    OrgName: NTT America, Inc.
    OrgId: NTTAM-1
    Address: 8005 South Chester Street
    Address: Suite 200
    City: Centennial
    StateProv: CO
    ==========================================
    I need to see the IP on your system:
    Click on Start> Run> type in cmd> enter> at the C prompt, type in netstat -an
    Note that there is a space after netstat before the -an.

    I need to see what is on your system for Name Server. I don't see any proxy setting in these logs. Please advise me if you have proxies set.
    Please do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry.
     
  3. caydee

    caydee TS Rookie Topic Starter

    Svchost.exe virus combofix results

    Hi there

    Thank you for your help. I uninstalled all the antivirus software on my PC, including ESET.

    I then ran Combofix and here is the log: (it did not ask me to install Windows recovery console)

    ComboFix 11-01-17.04 - Caitlin 01/18/2011 11:19:22.1.2 - x64
    Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.2038.1142 [GMT 2:00]
    Running from: c:\users\Caitlin\Desktop\ComboFix.exe
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\install.exe
    c:\windows\system32\404Fix.exe
    c:\windows\system32\Agent.OMZ.Fix.exe
    c:\windows\system32\dumphive.exe
    c:\windows\system32\IEDFix.C.exe
    c:\windows\system32\IEDFix.exe
    c:\windows\system32\o4Patch.exe
    c:\windows\system32\Process.exe
    c:\windows\system32\SrchSTS.exe
    c:\windows\system32\tmp.reg
    c:\windows\system32\VACFix.exe
    c:\windows\system32\VCCLSID.exe
    c:\windows\system32\WS2Fix.exe
    c:\windows\System3215.exe
    c:\windows\SysWow64\404Fix.exe
    c:\windows\SysWow64\Agent.OMZ.Fix.exe
    c:\windows\SysWow64\dumphive.exe
    c:\windows\SysWow64\IEDFix.C.exe
    c:\windows\SysWow64\IEDFix.exe
    c:\windows\SysWow64\o4Patch.exe
    c:\windows\SysWow64\Process.exe
    c:\windows\SysWow64\SrchSTS.exe
    c:\windows\SysWow64\tmp.reg
    c:\windows\SysWow64\VACFix.exe
    c:\windows\SysWow64\VCCLSID.exe
    c:\windows\SysWow64\WS2Fix.exe

    .
    ((((((((((((((((((((((((( Files Created from 2010-12-18 to 2011-01-18 )))))))))))))))))))))))))))))))
    .

    2011-01-18 09:28 . 2011-01-18 09:28 -------- d-----w- c:\users\Default\AppData\Local\temp
    2011-01-18 08:54 . 2011-01-18 08:54 -------- d-s---w- c:\windows\SysWow64\Microsoft
    2011-01-17 19:47 . 2011-01-17 19:47 -------- d-----w- c:\users\Caitlin\AppData\Roaming\Malwarebytes
    2011-01-17 19:46 . 2010-12-20 16:09 38224 ----a-w- c:\windows\SysWow64\drivers\mbamswissarmy.sys
    2011-01-17 19:46 . 2011-01-17 19:46 -------- d-----w- c:\programdata\Malwarebytes
    2011-01-17 19:46 . 2011-01-17 19:46 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
    2011-01-17 19:46 . 2010-12-20 16:08 24152 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-01-16 17:08 . 2011-01-16 17:08 388096 ----a-r- c:\users\Caitlin\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
    2011-01-16 17:08 . 2011-01-16 17:08 -------- d-----w- c:\program files (x86)\Trend Micro
    2011-01-12 09:34 . 2010-10-20 03:09 3124224 ----a-w- c:\windows\system32\win32k.sys
    2011-01-12 09:32 . 2010-10-16 05:17 720896 ----a-w- c:\windows\system32\odbc32.dll
    2011-01-12 09:31 . 2010-08-31 04:32 954752 ----a-w- c:\windows\SysWow64\mfc40.dll
    2011-01-12 09:30 . 2010-10-12 05:05 35328 ----a-w- c:\program files\Windows Mail\wabfind.dll
    2011-01-12 09:30 . 2010-10-12 05:00 516096 ----a-w- c:\program files\Windows Mail\wab.exe
    2011-01-12 09:30 . 2010-10-12 04:25 516096 ----a-w- c:\program files (x86)\Windows Mail\wab.exe
    2011-01-12 09:30 . 2010-08-27 06:14 236032 ----a-w- c:\windows\system32\srvsvc.dll
    2011-01-12 09:30 . 2010-08-27 03:38 463360 ----a-w- c:\windows\system32\drivers\srv.sys
    2011-01-12 09:30 . 2010-08-27 03:37 402944 ----a-w- c:\windows\system32\drivers\srv2.sys
    2011-01-12 09:30 . 2010-08-27 05:46 9728 ----a-w- c:\windows\SysWow64\sscore.dll
    2011-01-12 09:30 . 2010-08-27 03:37 161792 ----a-w- c:\windows\system32\drivers\srvnet.sys
    2011-01-12 09:30 . 2010-10-16 05:23 112000 ----a-w- c:\windows\system32\consent.exe
    2011-01-12 08:21 . 2011-01-16 17:19 691 ----a-w- c:\users\Caitlin\AppData\Roaming\GetValue.vbs
    2011-01-12 08:21 . 2011-01-16 17:19 35 ----a-w- c:\users\Caitlin\AppData\Roaming\SetValue.bat
    2010-12-30 15:44 . 2010-12-30 15:44 176488 ----a-w- c:\programdata\Microsoft\Windows\Sqm\Manifest\Sqm10136.bin

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-12-06 11:41 . 2010-12-06 11:42 720896 ----a-w- c:\windows\iun6002.exe
    2010-11-12 16:53 . 2010-05-02 15:24 472808 ----a-w- c:\windows\SysWow64\deployJava1.dll
    2010-10-26 07:24 . 2010-10-26 07:24 114688 ----a-w- c:\windows\keymail.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Skype"="c:\program files (x86)\Skype\Phone\Skype.exe" [2010-04-20 26192680]
    "googletalk"="c:\users\Caitlin\AppData\Roaming\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
    "Google Update"="c:\users\Caitlin\AppData\Local\Google\Update\GoogleUpdate.exe" [2010-09-02 136176]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "MobileConnect"="c:\program files (x86)\Vodafone\Vodafone Mobile Connect\Bin\MobileConnect.exe" [2008-11-04 2087424]
    "SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
    "LWS"="c:\program files (x86)\Logitech\LWS\Webcam Software\LWS.exe" [2010-05-07 165208]
    "iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2010-11-17 421160]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 5 (0x5)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableUIADesktopToggle"= 0 (0x0)

    R3 LVUVC64;Logitech Webcam 120(UVC);c:\windows\system32\DRIVERS\lvuvc64.sys [2010-07-27 6465632]
    R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [2010-04-19 50688]
    S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2010-07-16 834544]
    S2 LVPrcS64;Process Monitor;c:\program files\Common Files\Logishrd\LVMVFM\LVPrcSrv.exe [2010-05-07 197976]
    S2 TeamViewer5;TeamViewer 5;c:\program files (x86)\TeamViewer\Version5\TeamViewer_Service.exe [2010-04-16 173352]
    S2 VMCService;Vodafone Mobile Connect Service;c:\program files (x86)\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe [2008-11-04 14336]
    S3 LVPr2M64;Logitech LVPr2M64 Driver;c:\windows\system32\DRIVERS\LVPr2M64.sys [2010-05-07 30304]
    S3 netw5v64;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;c:\windows\system32\DRIVERS\netw5v64.sys [2009-06-10 5434368]
    S3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL6.SYS [2009-06-10 292864]
    S3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV6.SYS [2009-06-10 1485312]
    S3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT6.SYS [2009-06-10 740864]

    .
    Contents of the 'Scheduled Tasks' folder

    2011-01-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2109998-1175625865-2874948040-1001Core.job
    - c:\users\Caitlin\AppData\Local\Google\Update\GoogleUpdate.exe [2010-09-02 18:08]

    2011-01-18 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2109998-1175625865-2874948040-1001UA.job
    - c:\users\Caitlin\AppData\Local\Google\Update\GoogleUpdate.exe [2010-09-02 18:08]
    .

    --------- x86-64 -----------


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-09-23 165912]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-09-23 385560]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2009-09-23 363544]
    "Windows Mobile Device Center"="c:\windows\WindowsMobile\wmdc.exe" [2007-05-31 660360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "LoadAppInit_DLLs"=0x1
    .
    ------- Supplementary Scan -------
    .
    uLocal Page = c:\windows\system32\blank.htm
    mLocal Page = c:\windows\SYSTEM32\blank.htm
    IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office12\EXCEL.EXE/3000
    Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} -
    FF - ProfilePath - c:\users\Caitlin\AppData\Roaming\Mozilla\Firefox\Profiles\acrpqnig.default\
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files (x86)\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
    FF - Ext: Skype extension for Firefox: {AB2CE124-6272-4b12-94A9-7303C7397BD1} - c:\program files (x86)\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
    .
    - - - - ORPHANS REMOVED - - - -

    Wow6432Node-HKCU-Run-msnmsgr - c:\program files (x86)\Windows Live\Messenger\msnmsgr.exe
    Wow6432Node-HKCU-Run-Logitech Vid HD - c:\program files (x86)\Logitech\Vid\vid.exe
    WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)


    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows CE Services]
    "SymbolicLinkValue"=hex(6):5c,00,72,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
    00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    Completion time: 2011-01-18 11:44:31
    ComboFix-quarantined-files.txt 2011-01-18 09:44

    Pre-Run: 19,594,711,040 bytes free
    Post-Run: 19,474,944,000 bytes free

    - - End Of File - - B1EC95968B4520EAD8AB233C26C34D6B

    Here are the results of netstat -an (I do not have any proxies set)
    Microsoft Windows [Version 6.1.7600]
    Copyright (c) 2009 Microsoft Corporation. All rights reserved.

    C:\Users\Caitlin>netstat -an
    Active Connections
    ========================================
    Please advise. :)
    Thanks again
    ========================================
    Edit: Thank you. I have made note of the IPs and am deleting them for your safety.
     
  4. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Please install an antivirus program now. While you will need to disable it to run the following scan, you still need to have an AV program running. Use one of these free, good choices for now:
    Avira Free
    Avast Home

    Please reboot the computer when done. Then run the following online virus scan:

    Run Eset NOD32 Online AntiVirus scan HERE
    1. Tick the box next to YES, I accept the Terms of Use.
    2. Click Start
    3. When asked, allow the Active X control to install
    4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    5. Click Start
    6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    7. Click Scan
    8. Wait for the scan to finish
    9. Re-enable your Antivirus software.
    10. A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

    I did not see any of the IPs I found associated with the adobe.adobe.com. I then deleted the IP information for your safety. I'll be checking the rest of the Combofix log while you do that.
     
  5. caydee

    caydee TS Rookie Topic Starter

    Results of ESET onlinescanner

    Log file:
    ESETSmartInstaller@High as downloader log:
    Can not extract cabC:\Program Files (x86)\ESET\ESET Online Scanner\OnlineScanner.cabErr:The operation completed successfully.
    ESETSmartInstaller@High as downloader log:
    all ok
    # version=7
    # OnlineScannerApp.exe=1.0.0.1
    # OnlineScanner.ocx=1.0.0.6419
    # api_version=3.0.2
    # EOSSerial=1eea58f233e9f04d894c579e926188be
    # end=finished
    # remove_checked=false
    # archives_checked=true
    # unwanted_checked=true
    # unsafe_checked=true
    # antistealth_checked=true
    # utc_time=2011-01-18 09:45:39
    # local_time=2011-01-18 11:45:39 (+0200, South Africa Standard Time)
    # country="United States"
    # lang=1033
    # osver=6.1.7600 NT
    # compatibility_mode=512 16777215 100 0 185718 185718 0 0
    # compatibility_mode=1029 16777214 0 1 42069 42069 0 0
    # compatibility_mode=5893 16776574 100 94 18759023 47833565 0 0
    # compatibility_mode=8199 22379965 100 76 1361 6499826 0 0
    # scanned=105247
    # found=7
    # cleaned=0
    # scan_time=3728
    # nod_component=V3 Build:0x30000000
    C:\Qoobox\Quarantine\C\Windows\SysWOW64\Process.exe.vir Win32/PrcView application (unable to clean) 00000000000000000000000000000000 I
    C:\Users\Caitlin\Desktop\SmitfraudFix.exe multiple threats (unable to clean) 00000000000000000000000000000000 I
    C:\Users\Caitlin\Desktop\SmitfraudFix\Process.exe Win32/PrcView application (unable to clean) 00000000000000000000000000000000 I
    C:\Users\Caitlin\Desktop\SmitfraudFix\restart.exe Win32/Shutdown.NAA application (unable to clean) 00000000000000000000000000000000 I
    C:\Users\Caitlin\Documents\Programs\SmitfraudFix.exe multiple threats (unable to clean) 00000000000000000000000000000000 I
    C:\Users\Caitlin\Documents\Programs\SmitfraudFix\Process.exe Win32/PrcView application (unable to clean) 00000000000000000000000000000000 I
    C:\Users\Caitlin\Documents\Programs\SmitfraudFix\restart.exe Win32/Shutdown.NAA application (unable to clean) 00000000000000000000000000000000 I




    I installed ESET NOD32 trial version, as I already had a recent install file for it. I tried multiple times on both chrome and firefox to download either avast or avira (before installing ESET), but every time the download cut out midway (not due to a faulty internet connection).

    SmitFraudFix is a anti-desktop hijack program i tried to get rid of the virus before, must I uninstall it?
     
  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    I don't know where my reply went, but I did make it!
    No, it is not.

    The author of the SmutFraudFix program has this description and this warning:
    IF you suspect malware, rather than look around the internet for some program to try, let us help you. You can damage the system and possibly get it unbootable.

    I don't know where you downloaded this program- Possibly for a site that had bad entries. I am removing the infected files but I also recommend that you uninstall SmitFraudFix. This is a program that should only be run for certain malware infections. It is not a program you put on the system for security.
    ========================================
    Please download OTMovit by Old Timer and save to your desktop.
    • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

      Code:
      	
      :Files  
      C:\Users\Caitlin\Desktop\SmitfraudFix.exe 
      C:\Users\Caitlin\Desktop\SmitfraudFix\Process.exe ;C
      :\Users\Caitlin\DesktopSmitfraudFixx\restartexee 
      C:\Users\Caitlin\Documents\ProgramsSmitfraudFixxexee 
      C:\Users\Caitlin\Documents\ProgramsSmitfraudFixx\Processexee 
      C:\Users\Caitlin\Documents\ProgramsSmitfraudFixx\restartexee 
      :Commands
      [purity]
      emptytempp]
      [start explorer]
      [Reboot]
    • Return toOTMoveItt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
    • Click the red [bMoveitt![/b] button.
    • A log of files and folders moved will be created in the c:_OTMoveIttMovedFiless folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
    • Close [bOTMoveItt3[/b]
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
    ============================================
    Combofix removed files associated with SmitFraud. But since you ran the program previously and I don't know what was on the system and since Eset shows infected files, I'm not sure if you have left-over SF files from the program itself or whether it's the SF infection.

    So run OTM and uninstall the SmitFraudFix. I will recommend other security programs for the system. After the uninstall, use Windows Explorer to delete the program folder:
    Windows key + E> My Computer> Double click on Local Drive (C)> Programs> scroll to the SmitFraudFix folder and do a right click> Delete. Then close Windows Explorer.
    Reboot
    =========================================
    Let me know how the system is running and scan with the following:
    Download HijackThis and save to your desktop.
    • Extract it to a directory on your hard drive called c:\HijackThis.
    • Then navigate to that directory and double-click on the hijackthis.exe file.
    • When started click on the Scan button and then the Save Log button to create a log of your information.
    • The log file and then the log will open in notepad. Be sure to click on Format> Uncheck Word Wrap when you open Notepad
    • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
    • Come back here to this thread and paste (Ctrl+V) the log in your next reply.

    NOTE: Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.
     
  7. caydee

    caydee TS Rookie Topic Starter

    Results of OTM and HiJackThis

    Hi again

    Sorry for using SmitFraudFix, the only reason I used it is because my old computer technician left it lying around my computer, and i was slightly insane/desperate :p
    Didn't do any damage though.

    Here are the results of OTM:
    Error: Unable to interpret < > in the current context!
    ========== FILES ==========
    C:\Users\Caitlin\Desktop\SmitfraudFix.exe moved successfully.
    File/Folder C:\Users\Caitlin\Desktop\SmitfraudFix\Process.exe ;C not found.
    Error: Unable to interpret <:\Users\Caitlin\DesktopSmitfraudFixx\restartexee > in the current context!
    Error: Unable to interpret <C:\Users\Caitlin\Documents\ProgramsSmitfraudFixxexee > in the current context!
    Error: Unable to interpret <C:\Users\Caitlin\Documents\ProgramsSmitfraudFixx\Processexee > in the current context!
    Error: Unable to interpret <C:\Users\Caitlin\Documents\ProgramsSmitfraudFixx\restartexee > in the current context!
    ========== COMMANDS ==========

    OTM by OldTimer - Version 3.1.17.2 log created on 01212011_111938

    I manually deleted SmitFraudFix off my pc.
    Here are the results of the HijackThis scan:

    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 11:45:58, on 1/21/2011
    Platform: Windows 7 (WinNT 6.00.3504)
    MSIE: Internet Explorer v8.00 (8.00.7600.16700)
    Boot mode: Normal

    Running processes:
    C:\Program Files (x86)\Skype\Phone\Skype.exe
    C:\Users\Caitlin\AppData\Roaming\Google\Google Talk\googletalk.exe
    C:\Users\Caitlin\AppData\Local\Google\Update\1.2.183.39\GoogleCrashHandler.exe
    C:\Program Files (x86)\Vodafone\Vodafone Mobile Connect\Bin\MobileConnect.exe
    C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
    C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe
    C:\Program Files (x86)\Logitech\LWS\Webcam Software\CameraHelperShell.exe
    C:\Program Files (x86)\Common Files\Logishrd\LQCVFX\COCIManager.exe
    C:\Program Files (x86)\Skype\Plugin Manager\skypePM.exe
    C:\Program Files (x86)\Logitech\LWS\LU\LULnchr.exe
    C:\Program Files (x86)\Logitech\LWS\LU\LogitechUpdate.exe
    C:\Program Files (x86)\Trend Micro\HiJackThis\HiJackThis.exe
    C:\Program Files (x86)\Skype\Toolbars\Shared\SkypeNames2.exe
    C:\Program Files (x86)\Mozilla Firefox\firefox.exe
    C:\HijackThis\HijackThis.exe
    C:\Windows\SysWOW64\DllHost.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: SkypeIEPluginBHO - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
    O4 - HKLM\..\Run: [MobileConnect] C:\Program Files (x86)\Vodafone\Vodafone Mobile Connect\Bin\MobileConnect.exe /silent
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
    O4 - HKLM\..\Run: [LWS] C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe -hide
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
    O4 - HKCU\..\Run: [Skype] "C:\Program Files (x86)\Skype\Phone\Skype.exe" /nosplash /minimized
    O4 - HKCU\..\Run: [googletalk] C:\Users\Caitlin\AppData\Roaming\Google\Google Talk\googletalk.exe /autostart
    O4 - HKCU\..\Run: [Google Update] "C:\Users\Caitlin\AppData\Local\Google\Update\GoogleUpdate.exe" /c
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files (x86)\Java\jre6\bin\jp2iexp.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files (x86)\Java\jre6\bin\jp2iexp.dll
    O9 - Extra button: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
    O9 - Extra 'Tools' menuitem: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~1\Office12\REFIEBAR.DLL
    O9 - Extra button: Silver Sands Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files (x86)\Silver Sands Poker\GameClient.exe (file missing)
    O18 - Protocol: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - C:\Program Files (x86)\AVG\AVG9\Toolbar\IEToolbar.dll (file missing)
    O18 - Protocol: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
    O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
    O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
    O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe
    O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
    O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: Process Monitor (LVPrcS64) - Logitech Inc. - C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcSrv.exe
    O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
    O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
    O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
    O23 - Service: StarWind AE Service (StarWindServiceAE) - StarWind Software - C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
    O23 - Service: TeamViewer 5 (TeamViewer5) - TeamViewer GmbH - C:\Program Files (x86)\TeamViewer\Version5\TeamViewer_Service.exe
    O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
    O23 - Service: Vodafone Mobile Connect Service (VMCService) - Vodafone - C:\Program Files (x86)\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe
    O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\Wat\WatUX.exe,-601 (WatAdminSvc) - Unknown owner - C:\Windows\system32\Wat\WatAdminSvc.exe (file missing)
    O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
    O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
    O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

    --
    End of file - 7559 bytes

    However, i got two errors when attempting to run it. I have attached these.
    I opened C:\Windows\System32\drivers\etc\hosts in notepad as indicated - it came up blank. I then tried to resave it as "hosts" and it came back as Access Denied.
     

    Attached Files:

  8. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Make sure you uninstalled it in add/Remove Programs and deleted the program folder.

    Sorry about HJT. Must have had a brain drain yesterday- told 2 members with 64bit OS to run HJT and it doesn't scan properly. My bad! But what I do see is okay.

    I think this is the bad guy: 2010-12-06 11:42 720896 ----a-w- c:\windows\iun6002.exe
    This process is for Spyware.DsktopSurveil which logs keystrokes, program use, and captures screenshots. It can run in hidden mode. It monitors user Internet activity and private information. It sends stolen data to a hacker site. A one word description is keylogger.

    Spyware.DsktopSurveil must be manually installed.

    Did you install this? If not, did someone else have access to the system?

    I cannot find any recommendation that this might be a keylogger that a user would install on their own system. It is considered dangerous. In short, your system has been compromised and since it can run hidden, there is no way fr you to know how long it's been on the system.

    At this point, I strongly recommended that you change all of your passwords and monitor any financial transactions on the internet. You should reformat and reinstall the OS. Once done, if you establish that you are clean, you can set new passwords.
     
  9. caydee

    caydee TS Rookie Topic Starter

    Spyware.DsktopSurveil

    Hi there

    I have no idea how that could have gotten onto my PC. Which is scary in itself. However, at least now I can remove it...

    One question, I will reformat and reinstall but is it alright for me to copy my docs over to my portable harddrive or is it possible for the keylogger program to "jump across" like a worm?

    I'm thinking probably not, but I wanted to make sure!
    Thank you for all your help, I will let you know how it goes.
     
  10. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Most keylogger programs are transferred directly onto a user’s machine through a secondary storage device, like a DVD drive, or removable storage media, like USB flash drives. The files can also be attached to downloads from unsecured sources like most other malware, as keyloggers are essentially Trojans by nature.

    So to be on the safe side, you should disinfect the flash drive first:

    Threat Removal Procedure:

    • [1]. Download Flash_Disinfector and save it to your Desktop.
      [2]. After downloading, double-click on Flash_Disinfector to run it.
      [3]. Just follow the prompts and continue until it begin scanning.
      [​IMG]
      [4]. If asked to insert your flash drive or any removable device including USB Pen Drive and Memory Stick, please do so.
      [5]. It will scan removable drives, wait for the scan to finish. Done.

    What will Flash Disinfector Do
    - Clean up junks created by flash malwares
    - Deletes autorun.inf from every root folder
    - Fix back damages done to your system
    - Creates an autorun.inf folder in the root of your system drives

    The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone.

    Please do so and allow the utility to clean up those drives as well.
    Wait until it has finished scanning and then exit the program.
    Reboot your computer when done.

    Note: Flash_Disinfector will create a hidden file named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder. It will help protect your drives from future infection.

    Reformatting must be done through the use of an installation CD. Since the machine is booted up through the use of an installation CD, the keylogger is no longer resident in the main memory and therefore is subject to removal.

    Don't back u or transfer any executable files> files with .exe extension. If you have any doubt at all. scan the files on the flash drive before putting them back on the system.
     
Topic Status:
Not open for further replies.

Similar Topics

Add New Comment

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...