Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Hidden Malware concerns. any assistance appreciated.

Post by Equaliser » November 5th, 2010, 1:27 pm

Hello all at malwareremoval forum

I am having trouble with my Windows 7 installation on my PC.

I think it is malware related. I have used many online scanners, including Eset, Trendmicro Housecall and Bitdefender.
I have also run numerous anti-virus and anti-spyware scans using Spybot Search and Destroy, Malwarebytes, Superantispyware and Windows Defender. None of these found anything at all in any of their scans, including Safe Mode scans I performed.
I always keep any security software I have installed up to date too.

On my system I have Norton Internet Security as my main security software. I use this as my real-time scanner, so I never have any other AV or anti-spyware real-time scanners running at the time, because I understand the issues this can cause. I use any other anti-malware scanners as on-demand scans. I shut them down after using them, apart from Norton.

The two main reasons that are causing me concern are:

I use Rapport Trusteer as an extra password and anti-keylogger device on my PC. Most of the major UK banks recommend installing it, and Royal Bank of Scotland offer the download link on their site.
But every time I restart Windows 7, I have to manually start Trusteer. I have checked that it is set to auto start in Win7 services, and it is. So it should be starting automatically at Win7 bootup.
According to the Rapport Trusteer web site, Trusteer is fully compatible with most major security software, including Norton IS 2011. It has been working absolutely fine up until recently.
I think some sort of malware that I cannot find is causing Trusteer to stop working correctly.
I have uninstalled and reinstalled Trusteer, but it has not fixed it.

I am also having issues with typing anything, including passwords, this thread and any input text on web sites including this one. The cursor moves around erratically and messes up what I type. I constantly have to correct my written text because of this.
For example, I am typing at this point in this thread, but I have to keep a keen eye on the position of my cursor because it can shoot off to a different point in this thread (further up) and mess up an earlier paragraph I have already typed. I have also reinstalled my specific keyboard/input drivers. This too did not fix this problem. I also think this may be malware.

I also have a slight delay when I type anything. This also happens when I log into Windows 7 and type in my user name password.
This is another main reason I think there may be some sort of keylogging malware on my PC.

I use World of Warcraft, so I am pretty worried that somebody is trying to steal my account by trying to steal my password.

Can I please have some assistance in making sure my PC is safe from any dangerous, especially hidden, malware I am unable to find using standard methods?

Thanks in advance
Last edited by Equaliser on November 5th, 2010, 5:08 pm, edited 1 time in total.
Equaliser
Active Member
 
Posts: 10
Joined: March 27th, 2010, 12:19 pm

Re: Hidden Malware concerns. any assistance appreciated.

Post by Equaliser » November 5th, 2010, 1:37 pm

Here is my HJT scan results:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 17:32:22, on 05/11/2010
Platform: Windows 7 (WinNT 6.00.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16671)
Boot mode: Normal

Running processes:
C:\Program Files\Norton Internet Security\Engine\18.1.0.37\ccSvcHst.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskhost.exe
C:\Windows\System32\WLTRAY.EXE
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Users\User\AppData\Local\Apps\2.0\77V1CKER.7GZ\TRHAPEWH.L37\curs..tion_eee711038731a406_0004.0000_1829574f2226d088\CurseClient.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\User\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Internet Security\Engine\18.1.0.37\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Internet Security\Engine\18.1.0.37\IPSBHO.DLL
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\18.1.0.37\coIEPlg.dll
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\Windows\system32\WLTRAY.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - Startup: CurseClientStartup.ccip
O8 - Extra context menu item: Send image to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send page to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - (no file)
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - (no file)
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O23 - Service: Andrea ST Filters Service (AESTFilters) - Andrea Electronics Corporation - C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_x86_neutral_7f2308f435f2c4c1\aestsrv.exe
O23 - Service: AMD External Events Utility - AMD - C:\Windows\system32\atiesrxx.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Norton Internet Security (NIS) - Symantec Corporation - C:\Program Files\Norton Internet Security\Engine\18.1.0.37\ccSvcHst.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: Audio Service (STacSV) - IDT, Inc. - C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_x86_neutral_7f2308f435f2c4c1\STacSV.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\Windows\System32\WLTRYSVC.EXE

--
End of file - 4596 bytes
Equaliser
Active Member
 
Posts: 10
Joined: March 27th, 2010, 12:19 pm
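
An added example, not part of the original posts: a small Python parser for the HijackThis log format shown above. It groups entries by section code and lists the two kinds of entry a helper typically reads first, those marked "(no file)" and services marked "Unknown owner". The function names and the sample (a few lines copied from the log above) are assumptions of this example.

```python
import re
from collections import defaultdict

# Section codes that occur in the log above, with their usual meaning.
SECTIONS = {
    "R0": "IE start/search page", "R1": "IE default page/search",
    "O2": "Browser Helper Object", "O3": "IE toolbar",
    "O4": "Autostart (Run key / Startup folder)",
    "O8": "IE context menu item", "O9": "IE button / Tools menu item",
    "O23": "Windows service",
}
ENTRY = re.compile(r"^(R\d|O\d{1,2}) - (.*)$")

# Constructed sample: a few lines copied from the log in the post above.
SAMPLE = r"""Running processes:
C:\Windows\Explorer.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - Startup: CurseClientStartup.ccip
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - (no file)
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\Windows\System32\WLTRYSVC.EXE
O23 - Service: AMD External Events Utility - AMD - C:\Windows\system32\atiesrxx.exe
"""

def parse_hjt(text):
    """Group entry lines by section code; header and process list are skipped."""
    groups = defaultdict(list)
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            groups[m.group(1)].append(m.group(2))
    return dict(groups)

def review_items(groups):
    """Return (code, reason, entry) tuples worth a closer look.
    These are review prompts, not verdicts: both markers occur on clean systems."""
    out = []
    for code, entries in groups.items():
        for e in entries:
            if e.endswith("(no file)"):
                out.append((code, "registered but file missing", e))
            elif code == "O23" and " - Unknown owner - " in e:
                out.append((code, "service has no publisher name shown", e))
    return out

if __name__ == "__main__":
    groups = parse_hjt(SAMPLE)
    for code, entries in groups.items():
        print(f"{code:>3} {SECTIONS.get(code, '?')}: {len(entries)}")
    for code, reason, entry in review_items(groups):
        print(f"REVIEW {code}: {reason}: {entry}")
```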

Re: Hidden Malware concerns. any assistance appreciated.

Post by Equaliser » November 5th, 2010, 1:38 pm

Here is my HJT Uninstall List:

Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9.4.0
Auslogics BoostSpeed Special Edition
AxCrypt 1.7.2126.0
Broadcom Gigabit NetLink Controller
CA Yahoo! Anti-Spy (remove only)
CCleaner
Cisco EAP-FAST Module
Cisco LEAP Module
Cisco PEAP Module
Dell Touchpad
Dell Wireless WLAN Card Utility
FileAlyzer
IDT Audio
InfraRecorder
Integrated Webcam Driver (1.06.03.0309)
Malwarebytes' Anti-Malware
Microsoft .NET Framework 4 Client Profile
Microsoft .NET Framework 4 Client Profile
Microsoft Choice Guard
Microsoft Silverlight
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Mozilla Firefox (3.6.12)
Mozilla Thunderbird (3.1.4)
MSVCRT
Norton Internet Security
Radialpoint Security Advisor 2.5.13
Revo Uninstaller 1.90
RICOH Media Driver ver.2.07.01.04
Spybot - Search & Destroy
SUPERAntiSpyware
Ventrilo Client
Virgin Media Chat Extension 2.0.23
WIDCOMM Bluetooth Software 6.2.0.6600
Windows Live Communications Platform
Windows Live Movie Maker
Windows Live Photo Gallery
Windows Live Writer
World of Warcraft
Equaliser
Active Member
 
Posts: 10
Joined: March 27th, 2010, 12:19 pm

Re: Hidden Malware concerns. any assistance appreciated.

Post by Equaliser » November 5th, 2010, 1:44 pm

Okay, I have noticed something unusual straight off.
After reviewing the HJT uninstall list I created,
I can see that it shows a few entries that are not installed on my system.

These are:

Windows Live Communications Platform
Windows Live Movie Maker
Windows Live Photo Gallery
Windows Live Writer
Virgin Media Chat Extension 2.0.23

These are not installed on my PC. These entries also DO NOT show up in Revo Uninstaller or
in my Control Panel - Programs and Features.

So there is no option for me to uninstall these programs.
Equaliser
Active Member
 
Posts: 10
Joined: March 27th, 2010, 12:19 pm

Re: Hidden Malware concerns. any assistance appreciated.

Post by Equaliser » November 5th, 2010, 2:19 pm

I ran a program called Rkill that I downloaded from bleepingcomputers.com

and it gave me interesting log file scan results.

Here it is:

This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.
Ran as Mark on 05/11/2010 at 18:07:48.


Services Stopped:


Processes terminated by Rkill or while it was running:


C:\Users\Mark\AppData\Local\Apps\2.0\77V1CKER.7GZ\TRHAPEWH.L37\curs..tion_eee711038731a406_0004.0000_1829574f2226d088\CurseClient.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Mark\Desktop\rkill.com


Rkill completed on 05/11/2010 at 18:07:57.

I use Curse Client as the main World of Warcraft addon installer and manager. It is used to add and remove any addons I use for WoW.
I am not sure why Rkill sees it as malware. Can you clarify anything about this?

It is the last few entries on the Rkill scan results that worry me
These entries:

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe

After some extensive searching online, it seems that these are WORM related. Am I right to think this?

I posted the Rkill results because I am trying to make finding the malware on my PC easier.

Would you agree that there is a worm malware on my system? If there is, how can I fully clean it?
Equaliser
Active Member
 
Posts: 10
Joined: March 27th, 2010, 12:19 pm

Re: Hidden Malware concerns. any assistance appreciated.

Post by muppy03 » November 8th, 2010, 4:24 am

You have replied to your own topic, and as a result we must close this topic.

May I draw your attention to THIS topic, which you should have read before posting for help.

THIS is the section that tells you why you should not reply to your own topic.

This topic will now be closed

If you still require help, please open a new thread in the Malware Removal forum, post the logs asked for in the first topic I linked to and wait for assistance.
muppy03
MRU Emeritus
 
Posts: 4782
Joined: December 4th, 2007, 5:30 am
Location: Australia