ADOBE & GOOGLE instances - HELP BEFORE MARCH 11

Post by JenzAgem » February 21st, 2012, 1:50 am

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 8:42:55 PM, on 2/20/2012
Platform: Windows 7 (WinNT 6.00.3504)
MSIE: Internet Explorer v9.00 (9.00.8112.16421)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files (x86)\EgisTec\MyWinLocker 3\x86\mwlDaemon.exe
C:\Windows\PLFSetI.exe
C:\Users\Jenna\Downloads\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=userinit.exe
O4 - HKCU\..\Run: [Global Registration] "C:\Program Files (x86)\Acer\Registration\GREG.exe" BOOT
O4 - HKCU\..\Run: [HijackThis startup scan] C:\Users\Jenna\Downloads\HijackThis.exe /startupscan
O16 - DPF: {4B54A9DE-EF1C-4EBE-A328-7C28EA3B433A} (BitDefender QuickScan Control) - http://quickscan.bitdefender.com/qsax/qsax.cab
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - LSI Corporation - C:\Program Files\LSI SoftModem\agr64svc.exe
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: Acer ePower Service (ePowerSvc) - Acer Incorporated - C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: GRegService (Greg_Service) - Acer Incorporated - C:\Program Files (x86)\Acer\Registration\GregHSRW.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: McAfee SiteAdvisor Service - McAfee, Inc. - C:\Program Files (x86)\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: MyWinLocker Service (MWLService) - Egis Technology Inc. - C:\Program Files (x86)\EgisTec\MyWinLocker 3\x86\\MWLService.exe
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: NTI Backup Now 5 Backup Service (NTIBackupSvc) - NewTech InfoSystems, Inc. - C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe
O23 - Service: NTI Backup Now 5 Scheduler Service (NTISchedulerSvc) - NewTech Infosystems, Inc. - C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: SafeBox - Bitdefender - C:\Program Files\Bitdefender\Bitdefender SafeBox\safeboxservice.exe
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: BitDefender Update Server v2 (Update Server) - BitDefender - C:\Program Files\Common Files\Bitdefender\Bitdefender Arrakis Server\bin\arrakis3.exe
O23 - Service: Updater Service - Acer - C:\Program Files\Acer\Acer Updater\UpdaterService.exe
O23 - Service: BitDefender Desktop Update Service (UPDATESRV) - Bitdefender - C:\Program Files\Bitdefender\Bitdefender 2012\updatesrv.exe
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: BitDefender Virus Shield (vsserv) - Bitdefender - C:\Program Files\Bitdefender\Bitdefender 2012\vsserv.exe
O23 - Service: @%SystemRoot%\system32\Wat\WatUX.exe,-601 (WatAdminSvc) - Unknown owner - C:\Windows\system32\Wat\WatAdminSvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

--
End of file - 5895 bytes
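Added example, not part of JenzAgem's post and not code from HijackThis: a small Python triage pass over the O4, O16 and O23 line shapes used in the log above, doing what a volunteer does by eye. The sample lines are copied from that log. The "Unknown owner" / "(file missing)" heuristics, the user-writable-directory check and the WOW64 explanation are this example's own reasoning, not output of the tool.

```python
"""Triage pass over HijackThis-style log lines (added example, not part of the post).

Parses the O4 (registry Run), O16 (Downloaded Program Files) and O23 (services)
line shapes used in the log above and applies the checks a volunteer does by
hand: no recognised publisher, binary reported missing, autorun from a
user-writable directory. It also separates out the classic false positive:
HijackThis 2.0.4 is a 32-bit program, and on 64-bit Windows WOW64 redirects its
view of C:\\Windows\\System32 to SysWOW64, so native-only binaries such as
lsass.exe are reported as "(file missing)" even though they exist.
"""
import re
from dataclasses import dataclass
from typing import List

O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.*?)(?: \((?P<short>[^()]+)\))? - "
    r"(?P<publisher>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$"
)
O4_RE = re.compile(r"^O4 - (?P<hive>HKCU|HKLM)\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O16_RE = re.compile(r"^O16 - DPF: \{(?P<clsid>[^}]+)\} \((?P<name>.*)\) - (?P<url>\S+)$")

# Directory fragments a service or Run entry should not normally execute from.
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\downloads\\")

# Sample input: lines copied from the HijackThis log in the post above.
SAMPLE_LOG = r"""
O4 - HKCU\..\Run: [Global Registration] "C:\Program Files (x86)\Acer\Registration\GREG.exe" BOOT
O4 - HKCU\..\Run: [HijackThis startup scan] C:\Users\Jenna\Downloads\HijackThis.exe /startupscan
O16 - DPF: {4B54A9DE-EF1C-4EBE-A328-7C28EA3B433A} (BitDefender QuickScan Control) - http://quickscan.bitdefender.com/qsax/qsax.cab
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - LSI Corporation - C:\Program Files\LSI SoftModem\agr64svc.exe
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: McAfee SiteAdvisor Service - McAfee, Inc. - C:\Program Files (x86)\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
"""


@dataclass
class Finding:
    kind: str       # "O4", "O16" or "O23"
    name: str
    target: str     # path, command line or URL
    severity: str   # "info", "review" or "artifact"
    reason: str


def _in_user_writable(path: str) -> bool:
    low = path.lower()
    return any(frag in low for frag in USER_WRITABLE)


def triage(log_text: str) -> List[Finding]:
    lines = log_text.splitlines()
    # "Program Files (x86)" only exists on 64-bit Windows, the setting in which
    # the 32-bit scanner mis-reports native System32 binaries as missing.
    is_64bit = any("Program Files (x86)" in ln for ln in lines)
    findings: List[Finding] = []
    for ln in lines:
        m = O23_RE.match(ln)
        if m:
            name, path = m["short"] or m["display"], m["path"]
            unknown = m["publisher"] == "Unknown owner"
            native = "\\windows\\system32\\" in path.lower()
            if m["missing"] and unknown and is_64bit and native:
                findings.append(Finding("O23", name, path, "artifact",
                    "native System32 binary reported missing by a 32-bit scanner on 64-bit Windows; confirm with a 64-bit tool"))
            elif m["missing"] or unknown:
                findings.append(Finding("O23", name, path, "review",
                    "unknown publisher or missing binary outside the WOW64 case"))
            elif _in_user_writable(path):
                findings.append(Finding("O23", name, path, "review",
                    "service binary lives in a user-writable directory"))
            continue
        m = O4_RE.match(ln)
        if m:
            sev = "review" if _in_user_writable(m["cmd"]) else "info"
            findings.append(Finding("O4", m["name"], m["cmd"], sev,
                f"{m['hive']}\\..\\{m['key']} autorun" + (" from a user-writable directory" if sev == "review" else "")))
            continue
        m = O16_RE.match(ln)
        if m:
            findings.append(Finding("O16", m["name"], m["url"], "info",
                "ActiveX control downloaded from the web; confirm the source is expected"))
    return findings


def summarize(findings: List[Finding]) -> dict:
    """Count findings per severity."""
    counts: dict = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.severity:8} {f.kind:3} {f.name}: {f.reason}")
```

On the sample it marks ALG and KeyIso as probable scanner artifacts, puts the HijackThis startup-scan Run entry (launched from Downloads) and the WMPNetworkSvc line (missing binary under an x86 path, which the heuristic cannot excuse) up for review, and records the two benign autoruns as information; the other O23 lines carry a named publisher and an existing binary and produce nothing. Run over the full log above, the same rule classifies every lsass.exe-hosted "(file missing)" service the same way as KeyIso.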

AND--- ADOBE & GOOGLE instances - HELP BEFORE MARCH 11

Post by JenzAgem » February 21st, 2012, 1:51 am

Results of system analysis
Kaspersky Virus Removal Tool 11.0.0.1245 (database released 20/02/2012; 14:23)

List of processes
PID   File name             Description / Copyright / MD5 / Information
1492  agr64svc.exe          ?? error getting file info
1072  ALU.exe               ?? error getting file info
472   c:\program files (x86)\newtech infosystems\acer backup manager\backupmanagertray.exe
                            Acer Backup Manager, Copyright (C) 2009, NewTech Infosystems, Inc. All rights reserved.
                            MD5: ??, 255.75 kb, rsAh, created: 20.08.2009 16:25:56, modified: 20.08.2009 16:25:56
                            Command line: "C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe" -h -k
2216  bdagent.exe           ?? error getting file info
5072  caller64.exe          ?? error getting file info
4856  ePowerEvent.exe       ?? error getting file info
1616  ePowerSvc.exe         ?? error getting file info
4020  ePowerTray.exe        ?? error getting file info
1468  mcsacore.exe          ?? error getting file info
3924  RAVCpl64.exe          ?? error getting file info
2340  safeboxservice.exe    ?? error getting file info
3936  SynTPEnh.exe          ?? error getting file info
3520  SynTPHelper.exe       ?? error getting file info
4192  TrustedInstaller.exe  ?? error getting file info
2468  updatesrv.exe         ?? error getting file info
832   vsserv.exe            ?? error getting file info
4628  wmpnetwk.exe          ?? error getting file info
Detected: 69, recognized as trusted: 53

Modules
Module name                                                                         Handle     Description          Copyright                                                              MD5  Used by processes
C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\MUI\0409\lang.dll    268435456  Acer Backup Manager  Copyright (C) 2009, NewTech Infosystems, Inc. All rights reserved.     --   472
Modules detected: 288, recognized as trusted: 287

Kernel Space Modules Viewer
Module                                        Base address  Size in memory    Description  Manufacturer
C:\Windows\System32\Drivers\dump_dumpfve.sys  99EA000       013000 (77824)
C:\Windows\System32\Drivers\dump_iaStor.sys   34CA000       11C000 (1163264)
Modules detected - 164, recognized as trusted - 162

Services
Service Description Status File Group Dependencies
Detected - 162, recognized as trusted - 162

Drivers
Service  Description                      Status       File
DgiVecp  DgiVecp                          Not started  C:\Windows\system32\Drivers\DgiVecp.sys
RtsUIR   Realtek IR Driver                Not started  C:\Windows\system32\DRIVERS\Rts516xIR.sys
SSPORT   SSPORT                           Not started  C:\Windows\system32\Drivers\SSPORT.sys
USBCCID  Realtek Smartcard Reader Driver  Not started  C:\Windows\system32\DRIVERS\RtsUCcid.sys
Detected - 258, recognized as trusted - 254

Autoruns
File name                                                  Status  Startup method
C:\Program Files (x86)\McAfee\VirusScan\NAIEvent.dll       --      Registry key HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\McLogEvent, EventMessageFile
C:\Program Files\Common Files\Bitdefender\eventlog.dll     --      Registry key HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\Arrakis3, EventMessageFile
C:\Users\Jenna\AppData\Local\Temp\_uninst_60792897.bat     Active  Shortcut in Autoruns folder C:\Users\Jenna\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\, C:\Users\Jenna\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_uninst_60792897.lnk
C:\Windows\system32\psxss.exe                              --      Registry key HKEY_LOCAL_MACHINE, System\CurrentControlSet\Control\Session Manager\SubSystems, Posix
auditcse.dll                                               Active  Registry key HKEY_LOCAL_MACHINE, Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{f3ccc681-b74c-4060-9f26-cd84525dca2a}, DLLName
igfxdev.dll                                                Active  Registry key HKEY_LOCAL_MACHINE, Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui, DLLName
rdpclip                                                    Active  Registry key HKEY_LOCAL_MACHINE, System\CurrentControlSet\Control\Terminal Server\Wds\rdpwd, StartupPrograms
Autoruns items detected - 566, recognized as trusted - 559

Microsoft Internet Explorer extension modules (BHOs, Toolbars ...)
File name Type Description Manufacturer CLSID
Elements detected - 7, recognized as trusted - 7

Windows Explorer extension modules
File name  Destination    Description / CLSID
--         WebCheck       {E6FB5E20-DE35-11CF-9C87-00AA005127ED}
--         ColumnHandler  BDFVCtxMenuExt
--         ColumnHandler  {F9DB5320-233E-11D1-9F84-707F02C10627}
Elements detected - 26, recognized as trusted - 23

Printing system extensions (print monitors, providers)
File name     Type      Name
cl31cl6.dll   Monitor   CL31C Langmon
localspl.dll  Monitor   Local Port
FXSMON.DLL    Monitor   Microsoft Shared Fax Monitor
tcpmon.dll    Monitor   Standard TCP/IP Port
usbmon.dll    Monitor   USB Monitor
WSDMon.dll    Monitor   WSD Port
inetpp.dll    Provider  HTTP Print Services
Elements detected - 8, recognized as trusted - 1

Task Scheduler jobs
File name Job name Job status Description Manufacturer
Elements detected - 3, recognized as trusted - 3

SPI/LSP settings
Namespace providers (NSP) Provider Status EXE file Description GUID
Detected - 6, recognized as trusted - 6
Transport protocol providers (TSP, LSP) Provider EXE file Description
Detected - 10, recognized as trusted - 10
Results of automatic SPI settings check LSP settings checked. No errors detected


TCP/UDP ports
TCP ports
Port   Status     Remote host  Remote port  PID   Application
135    LISTENING  0.0.0.0      0            884   svchost.exe
139    LISTENING  0.0.0.0      0            4     System
445    LISTENING  0.0.0.0      0            4     System
554    LISTENING  0.0.0.0      0            4628  wmpnetwk.exe
2869   LISTENING  0.0.0.0      0            4     System
3939   LISTENING  0.0.0.0      0            4     System
5151   LISTENING  0.0.0.0      0            2292  c:\program files (x86)\newtech infosystems\nti backup now 5\schedulersvc.exe
5357   TIME_WAIT  127.0.0.1    49353        0
5357   TIME_WAIT  127.0.0.1    49354        0
5357   LISTENING  0.0.0.0      0            4     System
8093   LISTENING  0.0.0.0      0            1180  c:\program files (x86)\acer\registration\greghsrw.exe
10243  LISTENING  0.0.0.0      0            4     System
24961  LISTENING  0.0.0.0      0            832   vsserv.exe
27827  LISTENING  0.0.0.0      0            832   vsserv.exe
38928  LISTENING  0.0.0.0      0            832   vsserv.exe
48752  LISTENING  0.0.0.0      0            2468  updatesrv.exe
49152  LISTENING  0.0.0.0      0            556   wininit.exe
49153  LISTENING  0.0.0.0      0            968   svchost.exe
49154  LISTENING  0.0.0.0      0            404   svchost.exe
49163  LISTENING  0.0.0.0      0            632   lsass.exe
49176  LISTENING  0.0.0.0      0            616   services.exe
49177  LISTENING  0.0.0.0      0            3440  svchost.exe
49178  LISTENING  0.0.0.0      0            1348  spoolsv.exe
51099  LISTENING  0.0.0.0      0            2340  safeboxservice.exe
57322  LISTENING  0.0.0.0      0            832   vsserv.exe
65046  LISTENING  0.0.0.0      0            832   vsserv.exe

UDP ports
Port   Status     Remote host  Remote port  PID   Application
137    LISTENING  --           --           4     System
138    LISTENING  --           --           4     System
500    LISTENING  --           --           404   svchost.exe
1900   LISTENING  --           --           1540  svchost.exe
1900   LISTENING  --           --           1540  svchost.exe
3544   LISTENING  --           --           404   svchost.exe
3702   LISTENING  --           --           1036  svchost.exe
3702   LISTENING  --           --           1036  svchost.exe
3702   LISTENING  --           --           1540  svchost.exe
3702   LISTENING  --           --           1540  svchost.exe
4500   LISTENING  --           --           404   svchost.exe
5004   LISTENING  --           --           4628  wmpnetwk.exe
5005   LISTENING  --           --           4628  wmpnetwk.exe
5355   LISTENING  --           --           1236  svchost.exe
10000  LISTENING  --           --           832   vsserv.exe
50317  LISTENING  --           --           1540  svchost.exe
50318  LISTENING  --           --           1540  svchost.exe
50609  LISTENING  --           --           1036  svchost.exe
50868  LISTENING  --           --           1036  svchost.exe
52845  LISTENING  --           --           1540  svchost.exe
55427  LISTENING  --           --           404   svchost.exe

Downloaded Program Files (DPF)
File name Description Manufacturer CLSID Source URL
Elements detected - 1, recognized as trusted - 1

Control Panel Applets (CPL)
File name Description Manufacturer
Elements detected - 18, recognized as trusted - 18

Active Setup
File name Description Manufacturer CLSID
Elements detected - 9, recognized as trusted - 9

HOSTS file
Hosts file record

Protocols and handlers
File name    Type      Description                             Manufacturer                                    CLSID
mscoree.dll  Protocol  Microsoft .NET Runtime Execution Engine  © Microsoft Corporation. All rights reserved.  {1E66F26B-79EE-11D2-8710-00C04F79ED0D}
mscoree.dll  Protocol  Microsoft .NET Runtime Execution Engine  © Microsoft Corporation. All rights reserved.  {1E66F26B-79EE-11D2-8710-00C04F79ED0D}
mscoree.dll  Protocol  Microsoft .NET Runtime Execution Engine  © Microsoft Corporation. All rights reserved.  {1E66F26B-79EE-11D2-8710-00C04F79ED0D}
Elements detected - 15, recognized as trusted - 12

Suspicious objects
File Description Type


--------------------------------------------------------------------------------

Main script of analysis
Windows version: Windows 7 Home Premium, Build=7600, SP=""
System Restore: enabled
>> Services: potentially dangerous service allowed: TermService (@%SystemRoot%\System32\termsrv.dll,-268)
>> Services: potentially dangerous service allowed: SSDPSRV (@%systemroot%\system32\ssdpsrv.dll,-100)
>> Services: potentially dangerous service allowed: Schedule (@%SystemRoot%\system32\schedsvc.dll,-100)
> Services: please bear in mind that the set of services depends on the use of the PC (home PC, office PC connected to corporate network, etc)!
>> Security: disk drives' autorun is enabled
>> Security: administrative shares (C$, D$ ...) are enabled
>> Security: anonymous user access is enabled
>> Security: sending Remote Assistant queries is enabled
>> Disable HDD autorun
>> Disable autorun from network drives
>> Disable CD/DVD autorun
>> Disable removable media autorun
>> Windows Explorer - show extensions of known file types
System Analysis in progress
System Analysis - complete

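Added example, not part of JenzAgem's post and not code from the Kaspersky Virus Removal Tool or AVZ: the "Main script of analysis" block above reports autorun, hidden extensions, administrative shares, anonymous access and Remote Assistance as enabled, and each of those findings maps to a documented Windows registry value. The Python below parses a .reg-style export (the two exports are constructed for this example, one reproducing the weak state reported above and one the corrected state) and evaluates those values. The key paths are the standard Windows locations; the defaults assumed for absent values are Windows 7 defaults and are this example's assumption.

```python
"""Registry hardening check behind the AVZ "Main script of analysis" findings
(added example, not part of the post or of the Kaspersky/AVZ tool).

Each AVZ security finding corresponds to a documented registry value:
NoDriveTypeAutoRun (autorun per drive type), HideFileExt (extensions of known
file types), AutoShareWks (C$/ADMIN$ shares), RestrictAnonymous (anonymous
enumeration) and fAllowToGetHelp (Remote Assistance). parse_reg() reads a
.reg export such as `reg export` produces; evaluate() returns one finding per
weak value. Defaults used when a value is absent are Windows 7 defaults
(this example's assumption).
"""
import re
from typing import Dict, List, Tuple

EXPLORER_POLICY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
EXPLORER_ADVANCED = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
LANMAN_SERVER = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters"
LSA = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"
REMOTE_ASSISTANCE = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Remote Assistance"

# NoDriveTypeAutoRun is a bitmask: a set bit disables autorun for that drive type.
AUTORUN_BITS = {"removable": 0x04, "HDD": 0x08, "network": 0x10, "CD/DVD": 0x20}

# Constructed export reproducing the weak state reported above (0x91 is the
# Windows 7 default mask: only network drives and unknown types are disabled).
WEAK_REG = r"""
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"HideFileExt"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"RestrictAnonymous"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Remote Assistance]
"fAllowToGetHelp"=dword:00000001
"""

# Constructed export with every value in its hardened setting.
HARDENED_REG = r"""
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:000000ff

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"HideFileExt"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters]
"AutoShareWks"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"RestrictAnonymous"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Remote Assistance]
"fAllowToGetHelp"=dword:00000000
"""

RegValues = Dict[Tuple[str, str], int]
VALUE_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')


def parse_reg(text: str) -> RegValues:
    """Collect the DWORD values of a .reg export as {(key path, value name): int}."""
    values: RegValues = {}
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key is not None:
            m = VALUE_RE.match(line)
            if m:
                values[(key, m.group(1))] = int(m.group(2), 16)
    return values


def evaluate(values: RegValues) -> List[str]:
    """Return one finding per weak setting, in the order AVZ reports them."""
    findings: List[str] = []
    mask = values.get((EXPLORER_POLICY, "NoDriveTypeAutoRun"), 0x91)
    for label, bit in AUTORUN_BITS.items():
        if not mask & bit:
            findings.append(f"autorun enabled for {label} drives (NoDriveTypeAutoRun=0x{mask:02X})")
    if values.get((EXPLORER_ADVANCED, "HideFileExt"), 1) == 1:
        findings.append("Explorer hides extensions of known file types (HideFileExt=1)")
    if values.get((LANMAN_SERVER, "AutoShareWks"), 1) != 0:
        findings.append("administrative shares C$/ADMIN$ are created (AutoShareWks absent or 1)")
    if values.get((LSA, "RestrictAnonymous"), 0) == 0:
        findings.append("anonymous access not restricted (RestrictAnonymous=0)")
    if values.get((REMOTE_ASSISTANCE, "fAllowToGetHelp"), 1) == 1:
        findings.append("Remote Assistance invitations allowed (fAllowToGetHelp=1)")
    return findings


if __name__ == "__main__":
    for finding in evaluate(parse_reg(WEAK_REG)):
        print("weak:", finding)
    print("hardened findings:", evaluate(parse_reg(HARDENED_REG)))
```

The weak export yields seven findings: removable, HDD and CD/DVD autorun still enabled under the 0x91 mask, hidden extensions, administrative shares, anonymous access and Remote Assistance. The hardened export yields none. Setting NoDriveTypeAutoRun to 0xFF is what the tool's four "Disable ... autorun" lines amount to; the other four values are the registry side of its "Security tweaking" suggestions.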

AND--- ADOBE & GOOGLE instances - HELP BEFORE MARCH 11

Unread postby JenzAgem » February 21st, 2012, 1:51 am

Results of system analysis
Kaspersky Virus Removal Tool 11.0.0.1245 (database released 20/02/2012; 14:23)

List of processes
File name PID Description Copyright MD5 Information
agr64svc.exe
Script: Quarantine, Delete, BC delete, Terminate 1492 ?? error getting file info
Command line:
ALU.exe
Script: Quarantine, Delete, BC delete, Terminate 1072 ?? error getting file info
Command line:
c:\program files (x86)\newtech infosystems\acer backup manager\backupmanagertray.exe
Script: Quarantine, Delete, BC delete, Terminate 472 Acer Backup Manager Copyright (C) 2009, NewTech Infosystems, Inc. All rights reserved. ?? 255.75 kb, rsAh,
created: 20.08.2009 16:25:56,
modified: 20.08.2009 16:25:56
Command line:
"C:\ProgramFiles(x86)\NewTechInfosystems\AcerBackupManager\BackupManagerTray.exe"-h-k
bdagent.exe
Script: Quarantine, Delete, BC delete, Terminate 2216 ?? error getting file info
Command line:
caller64.exe
Script: Quarantine, Delete, BC delete, Terminate 5072 ?? error getting file info
Command line:
ePowerEvent.exe
Script: Quarantine, Delete, BC delete, Terminate 4856 ?? error getting file info
Command line:
ePowerSvc.exe
Script: Quarantine, Delete, BC delete, Terminate 1616 ?? error getting file info
Command line:
ePowerTray.exe
Script: Quarantine, Delete, BC delete, Terminate 4020 ?? error getting file info
Command line:
mcsacore.exe
Script: Quarantine, Delete, BC delete, Terminate 1468 ?? error getting file info
Command line:
RAVCpl64.exe
Script: Quarantine, Delete, BC delete, Terminate 3924 ?? error getting file info
Command line:
safeboxservice.exe
Script: Quarantine, Delete, BC delete, Terminate 2340 ?? error getting file info
Command line:
SynTPEnh.exe
Script: Quarantine, Delete, BC delete, Terminate 3936 ?? error getting file info
Command line:
SynTPHelper.exe
Script: Quarantine, Delete, BC delete, Terminate 3520 ?? error getting file info
Command line:
TrustedInstaller.exe
Script: Quarantine, Delete, BC delete, Terminate 4192 ?? error getting file info
Command line:
updatesrv.exe
Script: Quarantine, Delete, BC delete, Terminate 2468 ?? error getting file info
Command line:
vsserv.exe
Script: Quarantine, Delete, BC delete, Terminate 832 ?? error getting file info
Command line:
wmpnetwk.exe
Script: Quarantine, Delete, BC delete, Terminate 4628 ?? error getting file info
Command line:
Detected:69, recognized as trusted 53
Module name Handle Description Copyright MD5 Used by processes
C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\MUI\0409\lang.dll
Script: Quarantine, Delete, BC delete 268435456 Acer Backup Manager Copyright (C) 2009, NewTech Infosystems, Inc. All rights reserved. -- 472
Modules detected:288, recognized as trusted 287

Kernel Space Modules Viewer
Module Base address Size in memory Description Manufacturer
C:\Windows\System32\Drivers\dump_dumpfve.sys
Script: Quarantine, Delete, BC delete 99EA000 013000 (77824)
C:\Windows\System32\Drivers\dump_iaStor.sys
Script: Quarantine, Delete, BC delete 34CA000 11C000 (1163264)
Modules detected - 164, recognized as trusted - 162

Services
Service Description Status File Group Dependencies
Detected - 162, recognized as trusted - 162

Drivers
Service Description Status File Group Dependencies
DgiVecp
Driver: Unload, Delete, Disable, BC delete DgiVecp Not started C:\Windows\system32\Drivers\DgiVecp.sys
Script: Quarantine, Delete, BC delete
RtsUIR
Driver: Unload, Delete, Disable, BC delete Realtek IR Driver Not started C:\Windows\system32\DRIVERS\Rts516xIR.sys
Script: Quarantine, Delete, BC delete
SSPORT
Driver: Unload, Delete, Disable, BC delete SSPORT Not started C:\Windows\system32\Drivers\SSPORT.sys
Script: Quarantine, Delete, BC delete
USBCCID
Driver: Unload, Delete, Disable, BC delete Realtek Smartcard Reader Driver Not started C:\Windows\system32\DRIVERS\RtsUCcid.sys
Script: Quarantine, Delete, BC delete
Detected - 258, recognized as trusted - 254

Autoruns
File name Status Startup method Description
C:\Program Files (x86)\McAfee\VirusScan\NAIEvent.dll
Script: Quarantine, Delete, BC delete -- Registry key HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\McLogEvent, EventMessageFile
C:\Program Files\Common Files\Bitdefender\eventlog.dll
Script: Quarantine, Delete, BC delete -- Registry key HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\Arrakis3, EventMessageFile
C:\Users\Jenna\AppData\Local\Temp\_uninst_60792897.bat
Script: Quarantine, Delete, BC delete Active Shortcut in Autoruns folder C:\Users\Jenna\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\, C:\Users\Jenna\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_uninst_60792897.lnk,
C:\Windows\system32\psxss.exe
Script: Quarantine, Delete, BC delete -- Registry key HKEY_LOCAL_MACHINE, System\CurrentControlSet\Control\Session Manager\SubSystems, Posix
auditcse.dll
Script: Quarantine, Delete, BC delete Active Registry key HKEY_LOCAL_MACHINE, Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{f3ccc681-b74c-4060-9f26-cd84525dca2a}, DLLName
Delete
igfxdev.dll
Script: Quarantine, Delete, BC delete Active Registry key HKEY_LOCAL_MACHINE, Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui, DLLName
Delete
rdpclip
Script: Quarantine, Delete, BC delete Active Registry key HKEY_LOCAL_MACHINE, System\CurrentControlSet\Control\Terminal Server\Wds\rdpwd, StartupPrograms
Delete
Autoruns items detected - 566, recognized as trusted - 559

Microsoft Internet Explorer extension modules (BHOs, Toolbars ...)
File name Type Description Manufacturer CLSID
Elements detected - 7, recognized as trusted - 7

Windows Explorer extension modules
File name Destination Description Manufacturer CLSID
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED}
Delete
ColumnHandler BDFVCtxMenuExt
Delete
ColumnHandler {F9DB5320-233E-11D1-9F84-707F02C10627}
Delete
Elements detected - 26, recognized as trusted - 23

Printing system extensions (print monitors, providers)
File name Type Name Description Manufacturer
cl31cl6.dll
Script: Quarantine, Delete, BC delete Monitor CL31C Langmon
localspl.dll
Script: Quarantine, Delete, BC delete Monitor Local Port
FXSMON.DLL
Script: Quarantine, Delete, BC delete Monitor Microsoft Shared Fax Monitor
tcpmon.dll
Script: Quarantine, Delete, BC delete Monitor Standard TCP/IP Port
usbmon.dll
Script: Quarantine, Delete, BC delete Monitor USB Monitor
WSDMon.dll
Script: Quarantine, Delete, BC delete Monitor WSD Port
inetpp.dll
Script: Quarantine, Delete, BC delete Provider HTTP Print Services
Elements detected - 8, recognized as trusted - 1

Task Scheduler jobs
File name Job name Job status Description Manufacturer
Elements detected - 3, recognized as trusted - 3

SPI/LSP settings
Namespace providers (NSP) Provider Status EXE file Description GUID
Detected - 6, recognized as trusted - 6
Transport protocol providers (TSP, LSP) Provider EXE file Description
Detected - 10, recognized as trusted - 10
Results of automatic SPI settings check LSP settings checked. No errors detected


TCP/UDP ports
Port Status Remote Host Remote Port Application Notes
TCP ports
135 LISTENING 0.0.0.0 0 [884] svchost.exe
Script: Quarantine, Delete, BC delete, Terminate
139 LISTENING 0.0.0.0 0 [4] System
Script: Quarantine, Delete, BC delete, Terminate
445 LISTENING 0.0.0.0 0 [4] System
Script: Quarantine, Delete, BC delete, Terminate
554 LISTENING 0.0.0.0 0 [4628] wmpnetwk.exe
Script: Quarantine, Delete, BC delete, Terminate
2869 LISTENING 0.0.0.0 0 [4] System
Script: Quarantine, Delete, BC delete, Terminate
3939 LISTENING 0.0.0.0 0 [4] System
Script: Quarantine, Delete, BC delete, Terminate
5151 LISTENING 0.0.0.0 0 [2292] c:\program files (x86)\newtech infosystems\nti backup now 5\schedulersvc.exe
Script: Quarantine, Delete, BC delete, Terminate
5357 TIME_WAIT 127.0.0.1 49353 [0]
5357 TIME_WAIT 127.0.0.1 49354 [0]
5357 LISTENING 0.0.0.0 0 [4] System
Script: Quarantine, Delete, BC delete, Terminate
8093 LISTENING 0.0.0.0 0 [1180] c:\program files (x86)\acer\registration\greghsrw.exe
Script: Quarantine, Delete, BC delete, Terminate
10243 LISTENING 0.0.0.0 0 [4] System
Script: Quarantine, Delete, BC delete, Terminate
24961 LISTENING 0.0.0.0 0 [832] vsserv.exe
Script: Quarantine, Delete, BC delete, Terminate
27827 LISTENING 0.0.0.0 0 [832] vsserv.exe
Script: Quarantine, Delete, BC delete, Terminate
38928 LISTENING 0.0.0.0 0 [832] vsserv.exe
48752 LISTENING 0.0.0.0 0 [2468] updatesrv.exe
49152 LISTENING 0.0.0.0 0 [556] wininit.exe
49153 LISTENING 0.0.0.0 0 [968] svchost.exe
49154 LISTENING 0.0.0.0 0 [404] svchost.exe
49163 LISTENING 0.0.0.0 0 [632] lsass.exe
49176 LISTENING 0.0.0.0 0 [616] services.exe
49177 LISTENING 0.0.0.0 0 [3440] svchost.exe
49178 LISTENING 0.0.0.0 0 [1348] spoolsv.exe
51099 LISTENING 0.0.0.0 0 [2340] safeboxservice.exe
57322 LISTENING 0.0.0.0 0 [832] vsserv.exe
65046 LISTENING 0.0.0.0 0 [832] vsserv.exe
UDP ports
137 LISTENING -- -- [4] System
138 LISTENING -- -- [4] System
500 LISTENING -- -- [404] svchost.exe
1900 LISTENING -- -- [1540] svchost.exe
1900 LISTENING -- -- [1540] svchost.exe
3544 LISTENING -- -- [404] svchost.exe
3702 LISTENING -- -- [1036] svchost.exe
3702 LISTENING -- -- [1036] svchost.exe
3702 LISTENING -- -- [1540] svchost.exe
3702 LISTENING -- -- [1540] svchost.exe
4500 LISTENING -- -- [404] svchost.exe
5004 LISTENING -- -- [4628] wmpnetwk.exe
5005 LISTENING -- -- [4628] wmpnetwk.exe
5355 LISTENING -- -- [1236] svchost.exe
10000 LISTENING -- -- [832] vsserv.exe
50317 LISTENING -- -- [1540] svchost.exe
50318 LISTENING -- -- [1540] svchost.exe
50609 LISTENING -- -- [1036] svchost.exe
50868 LISTENING -- -- [1036] svchost.exe
52845 LISTENING -- -- [1540] svchost.exe
55427 LISTENING -- -- [404] svchost.exe

Downloaded Program Files (DPF)
File name Description Manufacturer CLSID Source URL
Elements detected - 1, recognized as trusted - 1

Control Panel Applets (CPL)
File name Description Manufacturer
Elements detected - 18, recognized as trusted - 18

Active Setup
File name Description Manufacturer CLSID
Elements detected - 9, recognized as trusted - 9

HOSTS file
Hosts file record

Protocols and handlers
File name Type Description Manufacturer CLSID
mscoree.dll Protocol Microsoft .NET Runtime Execution Engine () © Microsoft Corporation. All rights reserved. {1E66F26B-79EE-11D2-8710-00C04F79ED0D}
mscoree.dll Protocol Microsoft .NET Runtime Execution Engine () © Microsoft Corporation. All rights reserved. {1E66F26B-79EE-11D2-8710-00C04F79ED0D}
mscoree.dll Protocol Microsoft .NET Runtime Execution Engine () © Microsoft Corporation. All rights reserved. {1E66F26B-79EE-11D2-8710-00C04F79ED0D}
Elements detected - 15, recognized as trusted - 12

Suspicious objects
File Description Type


--------------------------------------------------------------------------------

Main script of analysis
Windows version: Windows 7 Home Premium, Build=7600, SP=""
System Restore: enabled
>> Services: potentially dangerous service allowed: TermService (@%SystemRoot%\System32\termsrv.dll,-268)
>> Services: potentially dangerous service allowed: SSDPSRV (@%systemroot%\system32\ssdpsrv.dll,-100)
>> Services: potentially dangerous service allowed: Schedule (@%SystemRoot%\system32\schedsvc.dll,-100)
> Services: please bear in mind that the set of services depends on the use of the PC (home PC, office PC connected to corporate network, etc)!
>> Security: disk drives' autorun is enabled
>> Security: administrative shares (C$, D$ ...) are enabled
>> Security: anonymous user access is enabled
>> Security: sending Remote Assistant queries is enabled
>> Disable HDD autorun
>> Disable autorun from network drives
>> Disable CD/DVD autorun
>> Disable removable media autorun
>> Windows Explorer - show extensions of known file types
System Analysis in progress
System Analysis - complete

Script commands
Add commands to script:
Blocking hooks using Anti-Rootkit
Enable AVZGuard
Operations with AVZPM (true=enable, false=disable)
BootCleaner - import list of deleted files
BootCleaner - import all
Registry cleanup after deleting files
ExecuteWizard ('TSW',2,3,true) - Running Troubleshooting wizard
BootCleaner - activate
Reboot
Insert template for QuarantineFile() - quarantining file
Insert template for BC_QrFile() - quarantining file via BootCleaner
Insert template for DeleteFile() - deleting file
Insert template for DelCLSID() - deleting CLSID item from registry
Additional operations:
Performance tweaking: disable service TermService (@%SystemRoot%\System32\termsrv.dll,-268)
Performance tweaking: disable service SSDPSRV (@%systemroot%\system32\ssdpsrv.dll,-100)
Performance tweaking: disable service Schedule (@%SystemRoot%\system32\schedsvc.dll,-100)
Security tweaking: disable CD autorun
Security tweaking: disable administrative shares
Security tweaking: disable anonymous user access
Security: disable sending Remote Assistant queries
--------------------------------------------------------------------------------
File list
JenzAgem
Active Member
 
Posts: 3
Joined: February 21st, 2012, 1:43 am

Re: ADOBE & GOOGLE instances - HELP BEFORE MARCH 11

Post by NonSuch » February 21st, 2012, 3:04 am

For your own sake as well as ours, please familiarize yourself with the forum rules:

viewtopic.php?p=491389#p491389

Helpers at this forum look for topics with ZERO REPLIES, any topic that does not have zero replies will be passed by.

If you reply to your topic or try to "bump" it, it will no longer have zero replies and you will not receive the help you are looking for.

Because of this, if we see that you have replied to your own topic, or tried to bump it, your topic will be closed and you will be asked to start a new one.

Accordingly, this topic will be closed and you will need to start a new topic. Please include everything in one post. If there is something you have forgotten, wait until you have received a response and then you can post the additional information.

This topic is now closed.
NonSuch
Administrator
 
Posts: 27305
Joined: February 23rd, 2005, 7:08 am
Location: California