I have a serious infection

Comments

  • dogmaryxx
    dogmaryxx Posts: 2,446 Forumite
    Part of the Furniture 1,000 Posts Name Dropper
    Try saving HitmanPro (32-bit) or HitmanPro (64-bit) depending on what system to your desktop.

    Then when you run it hold down the left CTRL-key when you start Hitman Pro and all non-essential processes are terminated, including the malware process.
  • waddler_8
    waddler_8 Posts: 3,588 Forumite
    See if you can get a log from this unless you are going to just format & reinstall.

    http://www.infospyware.net/sUBs/dds/
  • samdd
    samdd Posts: 1,344 Forumite
    waddler_8 wrote: »
    See if you can get a log from this unless you are going to just format & reinstall.

    http://www.infospyware.net/sUBs/dds/

    When I click on the link this is what I'm getting... I think the malware infection knows what I'm up to...

    Snapshot_15.jpg
  • samdd
    samdd Posts: 1,344 Forumite
    dogmaryxx wrote: »
    Try saving HitmanPro (32-bit) or HitmanPro (64-bit) depending on what system to your desktop.

    Then when you run it hold down the left CTRL-key when you start Hitman Pro and all non-essential processes are terminated, including the malware process.

    Downloaded the 32-bit and ran a scan... was going well until 77% when it closed down... I tried to run another scan but the same thing happened again...
  • samdd
    samdd Posts: 1,344 Forumite
    edited 26 September 2011 at 11:49PM
    I have a log from a DDS scan

    DDS txt.

    .
    DDS (Ver_2011-08-26.01) - NTFSx86
    Internet Explorer: 8.0.7601.17514 BrowserJavaVersion: 1.6.0_26
    Run by**** at 15:50:06 on 2011-09-26
    Microsoft Windows 7 Home Premium 6.1.7601.1.1252.44.1033.18.2038.1174 [GMT 1:00]
    .
    SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    ============== Running Processes ===============
    .
    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k RPCSS
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\437830538:1966925797.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Windows\System32\spoolsv.exe
    C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
    C:\Program Files\3 Mobile Broadband\3Connect\BecHelperService.exe
    C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Windows\system32\svchost.exe -k bthsvcs
    C:\Windows\system32\taskhost.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\WUDFHost.exe
    C:\Program Files\Google\Update\GoogleUpdate.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
    C:\Windows\System32\hkcmd.exe
    C:\Windows\System32\igfxpers.exe
    C:\Program Files\ScanSoft\OmniPageSE4\OpWareSE4.exe
    C:\Windows\tsnpstd3.exe
    C:\Windows\system32\igfxsrvc.exe
    C:\Program Files\Vimicro Corporation\VMUVC\VMonitor.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\Ares\Ares.exe
    C:\Program Files\W3i\InstallIQUpdater\InstallIQUpdater.exe
    C:\Program Files\OpenOffice.org 3\program\soffice.exe
    C:\Program Files\OpenOffice.org 3\program\soffice.bin
    C:\Windows\system32\SearchIndexer.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Windows\System32\svchost.exe -k secsvcs
    C:\Users\Kev B\hen.exe
    C:\Users\Kev B\gixen.exe
    C:\Users\Kev B\fen.exe
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Windows\explorer.exe
    C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe
    C:\Windows\system32\conhost.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.google.com/
    mSearchAssistant = hxxp://start.facemoods.com/?a=bf2&s={searchTerms}&f=4
    uURLSearchHooks: H - No File
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    TB: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File
    TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
    TB: {37483B40-C254-4A72-BDA4-22EE90182C1E} - No File
    uRun: [ares] "c:\program files\ares\Ares.exe" -h
    uRun: [siiikam] c:\users\****\siiikam.exe /N
    uRun: [InstallIQUpdater] "c:\program files\w3i\installiqupdater\InstallIQUpdater.exe" /silent /autorun
    uRun: [gixen] c:\users\****\gixen.exe /K
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [Persistence] c:\windows\system32\igfxpers.exe
    mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
    mRun: [OpwareSE4] "c:\program files\scansoft\omnipagese4\OpwareSE4.exe"
    mRun: [tsnpstd3] c:\windows\tsnpstd3.exe
    mRun: [VMonitorVMUVC] "c:\program files\vimicro corporation\vmuvc\VMonitor.exe" VMUVC
    mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [AdobeAAMUpdater-1.0] "c:\program files\common files\adobe\oobe\pdapp\uwa\UpdaterStartupUtility.exe"
    mRun: [AdobeCS5ServiceManager] "c:\program files\common files\adobe\cs5servicemanager\CS5ServiceManager.exe" -launchedbylogin
    mRun: [SwitchBoard] c:\program files\common files\adobe\switchboard\SwitchBoard.exe
    mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
    StartupFolder: c:\users\****~1\appdata\roaming\micros~1\windows\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
    mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
    mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    IE: &ieSpell Options - c:\program files\iespell\iespell.dll/SPELLOPTION.HTM
    IE: Check &Spelling - c:\program files\iespell\iespell.dll/SPELLCHECK.HTM
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
    IE: Lookup on Merriam Webster - file://c:\program files\iespell\Merriam Webster.HTM
    IE: Lookup on Wikipedia - file://c:\program files\iespell\wikipedia.HTM
    IE: {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - res://c:\program files\iespell\iespell.dll/SPELLCHECK.HTM
    IE: {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - res://c:\program files\iespell\iespell.dll/SPELLOPTION.HTM
    LSP: mswsock.dll
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    TCP: DhcpNameServer = 192.168.0.1
    TCP: Interfaces\{528E4786-4344-46FB-BE69-14D5B7F10E6C} : DhcpNameServer = 192.168.0.1
    TCP: Interfaces\{6756A43C-7C73-4AE5-BFBB-0A7324897F63} : DhcpNameServer = 192.168.0.1
    Notify: igfxcui - igfxdev.dll
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\users\****\appdata\roaming\mozilla\firefox\profiles\ic1tlj6a.default\
    FF - prefs.js: browser.startup.homepage - www.google.com
    FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
    FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
    FF - plugin: c:\program files\google\update\1.3.21.69\npGoogleUpdate3.dll
    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
    .
    ============= SERVICES / DRIVERS ===============
    .
    R2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\common files\adobe\arm\1.0\armsvc.exe [2011-6-6 64952]
    R2 BecHelperService;BecHelperService;c:\program files\3 mobile broadband\3connect\BecHelperService.exe [2011-9-3 1740696]
    R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-9-26 366152]
    R3 huawei_enumerator;huawei_enumerator;c:\windows\system32\drivers\ew_jubusenum.sys [2011-9-3 73216]
    R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010-10-14 22216]
    R3 netw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\drivers\netw5v32.sys [2009-6-10 4231168]
    R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2009-6-10 139776]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-10-14 135664]
    S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
    S3 ew_hwusbdev;Huawei MobileBroadband USB PNP Device;c:\windows\system32\drivers\ew_hwusbdev.sys [2011-9-3 102784]
    S3 ew_usbenumfilter;huawei_CompositeFilter;c:\windows\system32\drivers\ew_usbenumfilter.sys [2011-9-3 11136]
    S3 ewusbmbb;HUAWEI USB-WWAN miniport;c:\windows\system32\drivers\ewusbwwan.sys [2011-9-3 353280]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-10-14 135664]
    S3 massfilter;ZTE Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter.sys [2010-10-14 9216]
    S3 SwitchBoard;SwitchBoard;c:\program files\common files\adobe\switchboard\SwitchBoard.exe [2010-2-19 517096]
    S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2011-2-24 52224]
    S3 VMUVC;Vimicro Camera Service VMUVC;c:\windows\system32\drivers\VMUVC.sys [2011-5-10 252032]
    S3 vvftUVC;Vimicro Camera Filter Service VMUVC;c:\windows\system32\drivers\vvftUVC.sys [2011-5-10 398720]
    S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-10-17 1343400]
    S3 ZTEusbnet;ZTE USB-NDIS miniport;c:\windows\system32\drivers\ZTEusbnet.sys [2010-10-14 114688]
    .
    =============== Created Last 30 ================
    .
    2011-09-26 14:41:11 159744 --sh--r- c:\users\****\gixen.exe
    2011-09-26 14:41:09 49664 ----a-w- c:\users\****\hen.exe
    2011-09-26 14:41:09 156137 ----a-w- c:\users\****\fen.exe
    2011-09-26 12:58:49 709968 ----a-w- c:\windows\isRS-000.tmp
    2011-09-26 12:19:22 56200 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{803d8f00-34e5-4ba1-a873-8e7575c5e4e8}\offreg.dll
    2011-09-26 12:05:18 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-09-24 11:01:48 -------- d-----w- c:\users\****\appdata\local\WinZip
    2011-09-24 10:41:23 781272 ----a-w- c:\program files\mozilla firefox\sqlite3.dll
    2011-09-24 10:41:05 -------- d-----w- c:\programdata\Premium
    2011-09-24 10:41:04 -------- d-----w- c:\programdata\InstallMate
    2011-09-23 17:38:11 -------- d-----w- c:\users\****\appdata\roaming\Thinstall
    2011-09-23 09:27:51 3315200 ----a-w- c:\windows\system32\fbc851b9.exe
    2011-09-23 09:15:36 -------- d-----w- c:\windows\Downloaded Installations
    2011-09-23 08:54:55 7269712 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{803d8f00-34e5-4ba1-a873-8e7575c5e4e8}\mpengine.dll
    2011-09-09 01:10:26 57344 ------w- c:\windows\system32\mfc70enu.dll
    2011-09-09 01:10:20 -------- d-----w- c:\program files\common files\Macromedia Shared
    2011-09-09 01:10:18 -------- d-----w- c:\program files\common files\Macromedia
    2011-09-09 01:09:56 -------- d-----w- c:\program files\Macromedia
    2011-09-05 17:04:56 183696 ----a-w- c:\program files\mozilla firefox\plugins\nppdf32.dll
    2011-09-03 14:31:31 -------- d-----w- c:\users\****\appdata\roaming\Birdstep Technology
    2011-09-03 14:31:26 -------- d-----w- c:\programdata\Birdstep Technology
    2011-09-03 14:29:16 -------- d-----w- c:\program files\3 Mobile Broadband
    .
    ==================== Find3M ====================
    .
    2011-09-24 09:54:02 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-09-03 14:30:19 67156 ----a-w- c:\windows\Huawei ModemsUninstall.exe
    2011-08-31 16:00:50 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-07-23 15:44:16 681 ---ha-w- C:\os848618.bin
    2011-07-22 04:54:18 1638912 ----a-w- c:\windows\system32\mshtml.tlb
    2011-07-16 04:27:30 290816 ----a-w- c:\windows\system32\KernelBase.dll
    2011-07-16 02:17:19 6144 ---ha-w- c:\windows\system32\api-ms-win-security-base-l1-1-0.dll
    2011-07-16 02:17:19 4608 ---ha-w- c:\windows\system32\api-ms-win-core-threadpool-l1-1-0.dll
    2011-07-16 02:17:19 3584 ---ha-w- c:\windows\system32\api-ms-win-core-xstate-l1-1-0.dll
    2011-07-16 02:17:19 3072 ---ha-w- c:\windows\system32\api-ms-win-core-util-l1-1-0.dll
    2011-07-09 04:29:46 2048 ----a-w- c:\windows\system32\tzres.dll
    2011-07-09 02:30:00 223744 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
    .
    ============= FINISH: 15:51:05.49 ===============

    .
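The DDS log above is the kind of report a forum helper reads by eye: the process list, the autorun (uRun/mRun) entries and the "Created Last 30" section. The indicators that stand out in this particular log are a process whose path contains a second colon (an NTFS alternate-data-stream name under C:\Windows), executables running directly from the root of a user profile, autorun entries pointing at those same files, and a freshly created executable carrying the system and hidden attributes. The following script is an added illustration, not code from the thread or from the DDS tool: it parses a constructed excerpt in the same layout (a few lines copied from the posted log, plus benign lines for contrast) and lists the entries a responder would want to look at first. The section names, attribute layout and regular expressions are assumptions based on the log format as it appears in the post.

```python
import re
from dataclasses import dataclass

# Constructed excerpt in the shape of the DDS log posted above: some lines are
# copied from that post, the benign ones are added for contrast.
SAMPLE_LOG = r"""============== Running Processes ===============
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\437830538:1966925797.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Users\Kev B\hen.exe
============== Pseudo HJT Report ===============
uRun: [ares] "c:\program files\ares\Ares.exe" -h
uRun: [gixen] c:\users\****\gixen.exe /K
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
=============== Created Last 30 ================
2011-09-26 14:41:11 159744 --sh--r- c:\users\****\gixen.exe
2011-09-26 14:41:09 49664 ----a-w- c:\users\****\hen.exe
2011-09-26 12:05:18 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
============= FINISH: 15:51:05.49 ===============
"""

# Section banners look like "===== Name =====".
SECTION_RE = re.compile(r"^=+\s*(.*?)\s*=+$")
# A second ':' after the drive letter means the path names an NTFS alternate data stream.
ADS_RE = re.compile(r"^[a-z]:\\.*\\[^\\:]+:[^\\\s]+", re.I)
# An executable sitting directly in a user-profile folder rather than under Program Files or Windows.
USER_ROOT_RE = re.compile(r"^[a-z]:\\users\\[^\\]+\\[^\\]+\.exe(?:\s|$)", re.I)
# uRun/mRun entries: "[name] path args", with the path optionally quoted.
RUN_RE = re.compile(r'^[um]Run:\s+\[[^\]]*\]\s+"?([a-z]:\\[^"]+?\.exe)"?', re.I)
# "Created Last 30" rows: date time size attributes path (assumed layout, as in the post).
CREATED_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+(\S+)\s+([-a-z]{8})\s+(.+)$", re.I)


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def triage(log_text: str) -> list[Finding]:
    """Walk a DDS-style log section by section and return the lines worth a closer look."""
    findings: list[Finding] = []
    section = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        banner = SECTION_RE.match(line)
        if banner:
            section = banner.group(1)
            continue
        if not line:
            continue
        if section.startswith("Running Processes"):
            if ADS_RE.match(line):
                findings.append(Finding(section, "ads-path", line))
            if USER_ROOT_RE.match(line):
                findings.append(Finding(section, "user-profile-root-exe", line))
        elif section.startswith("Pseudo HJT"):
            run = RUN_RE.match(line)
            if run and USER_ROOT_RE.match(run.group(1)):
                findings.append(Finding(section, "autorun-from-user-profile", line))
        elif section.startswith("Created Last"):
            created = CREATED_RE.match(line)
            if not created:
                continue
            attrs, path = created.group(3).lower(), created.group(4)
            # 's' and 'h' in the attribute column: system + hidden, unusual for a new .exe.
            if path.lower().endswith(".exe") and "s" in attrs and "h" in attrs:
                findings.append(Finding(section, "hidden-system-exe", line))
            if USER_ROOT_RE.match(path):
                findings.append(Finding(section, "user-profile-root-exe", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}: {f.line}")
```

Run against the excerpt, the script reports six findings and stays silent on svchost.exe, firefox.exe and the Malwarebytes driver; the flagged lines are the same ones a helper would ask about before deciding between cleaning and reinstalling. The heuristics are deliberately narrow (path shape and attribute bits only), so they are a starting point for reading a log, not a verdict.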
  • waddler_8
    waddler_8 Posts: 3,588 Forumite
    samdd wrote: »
    When I click on the link this is what I'm getting...

    It does that for me with FF too. Any joy with this link?

    http://download.bleepingcomputer.com/sUBs/dds.scr

    EDIT: Just seen your post above....
  • waddler_8
    waddler_8 Posts: 3,588 Forumite
    It's the Zero Access rootkit.
  • samdd
    samdd Posts: 1,344 Forumite
    waddler_8 wrote: »
    It does that for me with FF too. Any joy with this link?

    http://download.bleepingcomputer.com/sUBs/dds.scr

    EDIT: Just seen your post above....

    Ha, I got it now... It's DDS. I just posted the DDS log txt.
  • samdd
    samdd Posts: 1,344 Forumite
    waddler_8 wrote: »
    It's the Zero Access rootkit.

    Is it sortable?
  • waddler_8
    waddler_8 Posts: 3,588 Forumite
    As you've posted here I'd wait for a reply...
This discussion has been closed.