Totally undetectable malware... but it's there

Post by Massimo » July 12th, 2011, 4:28 pm

My system is Windows 7 x64, SP1, all latest patches, with Internet Explorer 8; at the moment of the infection I had no antivirus running, but based on what I've seen later, I doubt any one of them would have been able to stop this.

Some days ago I was browsing some website, when something entered my system; IE crashed, and a fake system popup window appeared stating there had been some problem with my hard disk controller, so a system reboot was in order; I immediately spotted it as fake, because it was very unlike a real Windows popup, and it also was in English, while my OS generally speaks Italian. I didn't reboot and started looking around for malware.

Task manager refused to run (I later found the malware disabled it via policy), and soon after all icons disappeared from my Start menu and desktop. I used command-line tasklist.exe and taskkill.exe to kill a suspicious process, and found it was running attrib on all my files, and had already managed to hide almost everything; I turned on the option for viewing hidden files and kept investigating, but all of a sudden the system rebooted on its own.

I started in safe mode, found the suspicious file and its Registry "Run" key, and deleted everything (the file had a random name and was in C:\ProgramData, or maybe %userprofile%\AppData, I don't remember which one exactly). I then ran attrib again to de-hide the hidden files, and moved back all the Start menu and desktop icons the malware had placed in %Temp%\smtmp; then I rebooted in full mode, and everything seemed clean.

But that was just the beginning.

There's still something in there, and no malware removal tool or antivirus seems to be able to find it. The computer is generally slower than before, Google searches sometimes get hijacked (when I click on a search result I am redirected to ad sites, but only sometimes), and I constantly have two iexplore.exe processes running in background with no visible window, respawning automatically if I kill them. I had a closer look at them with SysInternals' Process Explorer, and they are getting launched by svchost.exe, and are connecting to what seem to be fake search sites (see attached picture). But there are no ad popups or anything like that. The hosts file is clean, there is no proxy configured, and there are no unusual services, processes or IE add-ons.

I tried running: Windows Defender, Windows Security Essentials, Microsoft's Malware Removal Tool, PrevX, HijackThis, MalwareBytes, SpybotS&D, ComboFix, HitMan Pro, Trojan Remover, TDSSKiller, and a couple of others (I don't remember which ones, but I'd recognize them if I saw their names again). All of them found absolutely NOTHING, except for some cookies lying around, a complaint about Daemon Tools and a probably malicious Java applet, which could or could not have been the original infection vector; nothing was found actually running, anyway.

But something is there.

Can you help me before I move on to a full system drive format (with added MBR rewriting, just to be sure)?


Edit: Looks like it actually was a rootkit. I finally got rid of it by rewriting the MBR and boot sector of the system drive. I still don't know what the boot code was actually loading, and probably some executable is still lingering around... but at least it's inactive now.


Here are the logs from DDS:

==================== DDS.txt ====================
.
DDS (Ver_2011-06-23.01) - NTFSAMD64
Internet Explorer: 8.0.7601.17514
Run by Massimo at 21:42:42 on 2011-07-12
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.39.1040.18.4095.2389 [GMT 2:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Enabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\System32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k apphost
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files (x86)\Bonjour\mDNSResponder.exe
C:\Program Files (x86)\Juniper Networks\Common Files\dsNcService.exe
C:\Windows\SysWOW64\svchost.exe -k hpdevmgmt
C:\Windows\system32\inetsrv\inetinfo.exe
C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k iissvcs
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\svchost.exe -k HPService
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\WUDFHost.exe
C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe
C:\Windows\SysWOW64\rundll32.exe
C:\Windows\V0270Mon.exe
C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\acrotray.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\Program Files\Microsoft Security Client\msseces.exe
c:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe
C:\Windows\system32\svchost.exe -k SDRSVC
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\REGSVR32.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.it/
uInternet Settings,ProxyOverride = *.local;<local>
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - C:\PROGRA~2\MICROS~2\Office14\GROOVEEX.DLL
BHO: Guida per l'accesso a Windows Live ID: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - C:\PROGRA~2\MICROS~2\Office14\URLREDIR.DLL
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
BHO: Supporti Registrazione test Web Microsoft 10.0: {dda57003-0068-4ed2-9d32-4d1ec707d94d} - C:\Program Files (x86)\Microsoft Visual Studio 10.0\Common7\IDE\PrivateAssemblies\Microsoft.VisualStudio.QualityTools.RecorderBarBHO100.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
TB: {1D03A978-AC0C-4004-B9FD-9CF361C7BD3F} - No File
TB: {30F9B915-B755-4826-820B-08FBA6BD249D} - No File
EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_bho.dll
uRun: [Adobe Acrobat Synchronizer] "C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\AdobeCollabSync.exe"
mRun: [IAStorIcon] C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe
mRun: [P17RunE] RunDll32 P17RunE.dll,RunDLLEntry
mRun: [V0270Mon.exe] C:\Windows\V0270Mon.exe
mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [Adobe Acrobat Speed Launcher] "C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrobat_sl.exe"
mRun: [Acrobat Assistant 8.0] "C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe"
mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shoc ... tor/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/ ... ontrol.cab
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxps://a248.e.akamai.net/f/248/14778/2 ... .2.5.7.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/200 ... ader55.cab
DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} - hxxps://transfers.ds.microsoft.com/FTM/ ... erCtrl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://extranet.sace.it/dana-cached/sc ... Client.cab
DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - hxxp://ccfiles.creative.com/Web/softwar ... /CTPID.cab
TCP: Interfaces\{B162F8AF-A1AA-420A-AD0F-CB1E23FC8FFE} : NameServer = 192.168.42.1
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLMF.DLL
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - C:\PROGRA~2\MICROS~2\Office14\GROOVEEX.DLL
BHO-X64: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
{0347C33E-8762-4905-BF09-768834316C61}
{18DF081C-E8AD-4283-A596-FA578C2EBDC3}
{72853161-30C5-4D22-B7F9-0BBC1D38A37E}
{9030D464-4C02-4ABF-8ECC-5164760863C6}
{AE7CD045-E861-484f-8273-0445EE161910}
{B4F3A835-0E21-4959-BA22-42B3008E02FF}
{DBC80044-A445-435b-BC74-9C25C1C588A9}
{DDA57003-0068-4ed2-9D32-4D1EC707D94D}
{F4971EE7-DAA0-4053-9964-665D8EE6A077}
{FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856}
{47833539-D0C5-4125-9FA8-0819E2EAAC93}
TB-X64: {1D03A978-AC0C-4004-B9FD-9CF361C7BD3F} - No File
TB-X64: {30F9B915-B755-4826-820B-08FBA6BD249D} - No File
EB-X64: {555D4D79-4BD2-4094-A395-CFC534424A05} - No File
mRun-x64: [IAStorIcon] C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe
mRun-x64: [P17RunE] RunDll32 P17RunE.dll,RunDLLEntry
mRun-x64: [V0270Mon.exe] C:\Windows\V0270Mon.exe
mRun-x64: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun-x64: [Adobe Acrobat Speed Launcher] "C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrobat_sl.exe"
mRun-x64: [Acrobat Assistant 8.0] "C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe"
mRun-x64: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
SEH-X64: {B5A7F190-DDA6-4420-B3BA-52453494E6CD}: Groove GFS Stub Execution Hook
.
============= SERVICES / DRIVERS ===============
.
R0 mv61xx;mv61xx;C:\Windows\system32\DRIVERS\mv61xx.sys --> C:\Windows\system32\DRIVERS\mv61xx.sys [?]
R1 MpFilter;Microsoft Malware Protection Driver;C:\Windows\system32\DRIVERS\MpFilter.sys --> C:\Windows\system32\DRIVERS\MpFilter.sys [?]
R2 IAStorDataMgrSvc;Intel(R) Rapid Storage Technology;C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe [2010-4-29 13336]
R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2011-5-20 378472]
R3 MpNWMon;Microsoft Malware Protection Network Driver;C:\Windows\system32\DRIVERS\MpNWMon.sys --> C:\Windows\system32\DRIVERS\MpNWMon.sys [?]
R3 NisDrv;Microsoft Network Inspection System;C:\Windows\system32\DRIVERS\NisDrvWFP.sys --> C:\Windows\system32\DRIVERS\NisDrvWFP.sys [?]
R3 NisSrv;Microsoft Network Inspection;C:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe [2010-11-11 282616]
R3 VF0270Dev;Live! Cam Optia;C:\Windows\system32\DRIVERS\V0270Dev.sys --> C:\Windows\system32\DRIVERS\V0270Dev.sys [?]
R3 VF0270Vfx;VF0270 Video FX;C:\Windows\system32\DRIVERS\V0270VFx.sys --> C:\Windows\system32\DRIVERS\V0270VFx.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 CSIScanner;CSIScanner;"C:\Program Files\Prevx\prevx.exe" /service --> C:\Program Files\Prevx\prevx.exe [?]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;C:\Program Files (x86)\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [2010-4-29 79360]
S3 ftpsvc;Microsoft FTP Service;C:\Windows\system32\svchost.exe -k ftpsvc [2009-7-14 20992]
S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;C:\Program Files\Microsoft Office\Office14\GROOVE.EXE [2010-12-28 51727736]
S3 motccgp;Motorola USB Composite Device Driver;C:\Windows\system32\DRIVERS\motccgp.sys --> C:\Windows\system32\DRIVERS\motccgp.sys [?]
S3 motccgpfl;MotCcgpFlService;C:\Windows\system32\DRIVERS\motccgpfl.sys --> C:\Windows\system32\DRIVERS\motccgpfl.sys [?]
S3 MsDtsServer100;SQL Server Integration Services 10.0;C:\Program Files\Microsoft SQL Server\100\DTS\Binn\MsDtsSrvr.exe [2011-4-24 210784]
S3 MSSQLFDLauncher;SQL Full-text Filter Daemon Launcher (MSSQLSERVER);C:\Program Files\Microsoft SQL Server\MSSQL10_50.MSSQLSERVER\MSSQL\Binn\fdlauncher.exe [2010-4-3 32096]
S3 ose64;Office 64 Source Engine;C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2010-1-9 174440]
S3 osppsvc;Office Software Protection Platform;C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-1-9 4925184]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\Windows\system32\drivers\rdpvideominiport.sys --> C:\Windows\system32\drivers\rdpvideominiport.sys [?]
S3 ReportServer;SQL Server Reporting Services (MSSQLSERVER);C:\Program Files\Microsoft SQL Server\MSRS10_50.MSSQLSERVER\Reporting Services\ReportServer\bin\ReportingServicesService.exe [2011-4-24 2175328]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]
S3 u3kh64;ASUS My Cinema U3000 Hybrid;C:\Windows\system32\DRIVERS\u3kh64.sys --> C:\Windows\system32\DRIVERS\u3kh64.sys [?]
S3 u3khrc64;ASUS Infrared Receiver;C:\Windows\system32\DRIVERS\u3khrc64.sys --> C:\Windows\system32\DRIVERS\u3khrc64.sys [?]
S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\system32\Drivers\usbaapl64.sys --> C:\Windows\system32\Drivers\usbaapl64.sys [?]
S3 VSPerfDrv100;Performance Tools Driver 10.0;C:\Program Files (x86)\Microsoft Visual Studio 10.0\Team Tools\Performance Tools\x64\VSPerfDrv100.sys [2011-1-18 68440]
S3 WatAdminSvc;Servizio Windows Activation Technologies;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]
S3 WMSVC;Servizio Gestione Web;C:\Windows\system32\inetsrv\wmsvc.exe --> C:\Windows\system32\inetsrv\wmsvc.exe [?]
S4 MSSQLServerADHelper100;Servizio SQL Server Active Directory Helper;C:\Program Files\Microsoft SQL Server\100\Shared\sqladhlp.exe [2010-4-3 59744]
S4 RsFx0150;RsFx0150 Driver;C:\Windows\system32\DRIVERS\RsFx0150.sys --> C:\Windows\system32\DRIVERS\RsFx0150.sys [?]
.
=============== Created Last 30 ================
.
2011-07-12 19:21:11 601424 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{4A262B84-4F55-4557-BBE3-E85A3D0F7A8F}\gapaengine.dll
2011-07-12 19:21:07 8873296 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{A98D5A9D-1BE7-411C-9957-C8F1C2B92A96}\mpengine.dll
2011-07-12 19:20:06 62976 ----a-w- C:\Windows\SysWow64\PxSecure.dll-3130097
2011-07-12 19:19:14 -------- d-----w- C:\Program Files (x86)\Microsoft Security Client
2011-07-12 19:19:11 -------- d-----w- C:\Program Files\Microsoft Security Client
2011-07-12 18:21:48 -------- d-sh--w- C:\$RECYCLE.BIN
2011-07-12 18:05:02 -------- d-----w- C:\Program Files (x86)\Trojan Remover
2011-07-12 17:59:56 23112 ----a-w- C:\Windows\System32\drivers\hitmanpro35.sys
2011-07-12 17:58:44 -------- d-----w- C:\ProgramData\Hitman Pro
2011-07-12 16:26:03 98816 ----a-w- C:\Windows\sed.exe
2011-07-12 16:26:03 518144 ----a-w- C:\Windows\SWREG.exe
2011-07-12 16:26:03 208896 ----a-w- C:\Windows\MBR.exe
2011-07-12 16:07:37 -------- d-----w- C:\ProgramData\Spybot - Search & Destroy
2011-07-12 16:07:37 -------- d-----w- C:\Program Files (x86)\Spybot - Search & Destroy
2011-07-12 15:25:24 8873296 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{A19A33A9-C7A7-4DC2-AF4D-02A991943379}\mpengine.dll
2011-07-11 18:54:02 -------- d-----w- E:\Massimo\AppData\Local\{25F8971C-A063-4EBE-995F-C69463919B1F}
2011-07-11 16:41:25 388096 ----a-r- E:\Massimo\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-07-11 16:41:25 -------- d-----w- C:\Program Files (x86)\Trend Micro
2011-07-11 15:33:57 -------- d-----w- E:\Massimo\AppData\Local\{1F0EA9ED-441C-4D81-A545-B6A92A8AC168}
2011-07-10 17:20:12 739432 ----a-w- C:\Windows\System32\easyupdatusapiu64.dll
2011-07-10 17:20:12 6300776 ----a-w- C:\Windows\System32\nvcpl.dll
2011-07-10 17:20:12 61544 ----a-w- C:\Windows\System32\nvshext.dll
2011-07-10 17:20:12 3040872 ----a-w- C:\Windows\System32\nvsvc64.dll
2011-07-10 17:20:12 2560616 ----a-w- C:\Windows\System32\nvsvcr.dll
2011-07-10 17:20:12 117864 ----a-w- C:\Windows\System32\nvmctray.dll
2011-07-10 17:20:12 1016936 ----a-w- C:\Windows\System32\nvvsvc.exe
2011-07-10 17:20:03 -------- d-----w- C:\ProgramData\NVIDIA Corporation
2011-07-10 17:14:19 438808 ----a-w- C:\Windows\System32\drivers\iaStor.sys
2011-07-10 16:19:35 -------- d-----w- E:\Massimo\AppData\Roaming\Malwarebytes
2011-07-10 16:19:30 39984 ----a-w- C:\Windows\SysWow64\drivers\mbamswissarmy.sys
2011-07-10 16:19:30 -------- d-----w- C:\ProgramData\Malwarebytes
2011-07-10 16:19:26 25912 ----a-w- C:\Windows\System32\drivers\mbam.sys
2011-07-10 16:19:26 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2011-07-10 15:48:21 -------- d-----w- E:\Massimo\AppData\Local\{8D7CDE92-240D-4EEB-A99E-6B6ACCC7692B}
2011-07-10 15:45:14 472808 ----a-w- C:\Windows\SysWow64\deployJava1.dll
2011-06-29 16:07:30 94040 ----a-w- C:\Program Files (x86)\Common Files\Windows Live\.cache\a56361331cc367602\DSETUP.dll
2011-06-29 16:07:30 525656 ----a-w- C:\Program Files (x86)\Common Files\Windows Live\.cache\a56361331cc367602\DXSETUP.exe
2011-06-29 16:07:30 1691480 ----a-w- C:\Program Files (x86)\Common Files\Windows Live\.cache\a56361331cc367602\dsetup32.dll
2011-06-27 19:47:59 8873296 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll
2011-06-21 19:31:25 -------- d-----w- E:\Massimo\AppData\Roaming\Spore
2011-06-21 19:24:35 -------- d-----w- E:\Massimo\AppData\Local\Origin
2011-06-21 19:24:26 -------- d-----w- C:\ProgramData\Origin
2011-06-21 19:24:26 -------- d-----w- C:\ProgramData\Electronic Arts
2011-06-21 19:24:26 -------- d-----w- C:\Program Files (x86)\Origin Games
2011-06-21 19:24:04 -------- d-----w- C:\Program Files (x86)\Origin
2011-06-15 05:08:59 976896 ----a-w- C:\Windows\System32\inetcomm.dll
2011-06-15 05:08:59 741376 ----a-w- C:\Windows\SysWow64\inetcomm.dll
2011-06-15 05:08:59 3135488 ----a-w- C:\Windows\System32\win32k.sys
2011-06-15 05:08:58 861696 ----a-w- C:\Windows\System32\oleaut32.dll
2011-06-15 05:08:58 759296 ----a-w- C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\VGX.dll
2011-06-15 05:08:58 571904 ----a-w- C:\Windows\SysWow64\oleaut32.dll
2011-06-15 05:08:58 499200 ----a-w- C:\Windows\System32\drivers\afd.sys
2011-06-15 05:08:58 1923968 ----a-w- C:\Windows\System32\drivers\tcpip.sys
2011-06-15 05:08:58 1110528 ----a-w- C:\Program Files\Common Files\Microsoft Shared\VGX\VGX.dll
.
==================== Find3M ====================
.
2011-07-10 15:46:27 525544 ----a-w- C:\Windows\System32\deployJava1.dll
2011-06-21 17:02:17 404640 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2011-06-06 19:55:34 53656 ----a-w- C:\Windows\System32\AdobePDF.dll
2011-06-06 19:55:32 24984 ----a-w- C:\Windows\System32\AdobePDFUI.dll
2011-05-28 03:30:09 1638912 ----a-w- C:\Windows\System32\mshtml.tlb
2011-05-28 02:53:58 1638912 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2011-05-24 11:42:55 404480 ----a-w- C:\Windows\System32\umpnpmgr.dll
2011-05-24 10:40:05 64512 ----a-w- C:\Windows\SysWow64\devobj.dll
2011-05-24 10:40:05 44544 ----a-w- C:\Windows\SysWow64\devrtl.dll
2011-05-24 10:39:38 145920 ----a-w- C:\Windows\SysWow64\cfgmgr32.dll
2011-05-24 10:37:54 252928 ----a-w- C:\Windows\SysWow64\drvinst.exe
2011-05-20 20:35:28 304744 ----a-w- C:\Windows\SysWow64\nvStreaming.exe
2011-05-04 05:25:03 2315776 ----a-w- C:\Windows\System32\tquery.dll
2011-05-04 05:22:25 778752 ----a-w- C:\Windows\System32\mssvp.dll
2011-05-04 05:22:25 2223616 ----a-w- C:\Windows\System32\mssrch.dll
2011-05-04 05:22:24 75264 ----a-w- C:\Windows\System32\msscntrs.dll
2011-05-04 05:22:24 491520 ----a-w- C:\Windows\System32\mssph.dll
2011-05-04 05:22:24 288256 ----a-w- C:\Windows\System32\mssphtb.dll
2011-05-04 05:19:28 591872 ----a-w- C:\Windows\System32\SearchIndexer.exe
2011-05-04 05:19:28 249856 ----a-w- C:\Windows\System32\SearchProtocolHost.exe
2011-05-04 05:19:28 113664 ----a-w- C:\Windows\System32\SearchFilterHost.exe
2011-05-04 04:34:43 1549312 ----a-w- C:\Windows\SysWow64\tquery.dll
2011-05-04 04:32:02 666624 ----a-w- C:\Windows\SysWow64\mssvp.dll
2011-05-04 04:32:01 337408 ----a-w- C:\Windows\SysWow64\mssph.dll
2011-05-04 04:32:01 197120 ----a-w- C:\Windows\SysWow64\mssphtb.dll
2011-05-04 04:32:01 1401344 ----a-w- C:\Windows\SysWow64\mssrch.dll
2011-05-04 04:32:00 59392 ----a-w- C:\Windows\SysWow64\msscntrs.dll
2011-05-04 04:28:31 86528 ----a-w- C:\Windows\SysWow64\SearchFilterHost.exe
2011-05-04 04:28:31 427520 ----a-w- C:\Windows\SysWow64\SearchIndexer.exe
2011-05-04 04:28:31 164352 ----a-w- C:\Windows\SysWow64\SearchProtocolHost.exe
2011-04-29 03:06:10 467456 ----a-w- C:\Windows\System32\drivers\srv.sys
2011-04-29 03:05:49 410112 ----a-w- C:\Windows\System32\drivers\srv2.sys
2011-04-29 03:05:37 168448 ----a-w- C:\Windows\System32\drivers\srvnet.sys
2011-04-27 02:40:40 158208 ----a-w- C:\Windows\System32\drivers\mrxsmb.sys
2011-04-27 02:39:40 289280 ----a-w- C:\Windows\System32\drivers\mrxsmb10.sys
2011-04-27 02:39:37 128000 ----a-w- C:\Windows\System32\drivers\mrxsmb20.sys
2011-04-23 23:20:24 2568544 ----a-w- C:\Windows\SysWow64\sqlncli10.dll
2011-04-23 22:37:20 2832736 ----a-w- C:\Windows\System32\sqlncli10.dll
2011-04-22 22:15:29 27520 ----a-w- C:\Windows\System32\drivers\Diskdump.sys
2011-04-22 22:08:29 1188864 ----a-w- C:\Windows\System32\wininet.dll
2011-04-22 19:10:01 981504 ----a-w- C:\Windows\SysWow64\wininet.dll
2011-04-15 14:00:36 53248 ----a-w- C:\Windows\SysWow64\CSVer.dll
.
============= FINISH: 21:51:01,93 ===============

==================== Attach.txt ====================
.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-06-23.01)
.
Microsoft Windows 7 Ultimate
Boot Device: \Device\HarddiskVolume1
Install Date: 29/04/2010 20:21:48
System Uptime: 12/07/2011 20:44:09 (1 hours ago)
.
Motherboard: ASUSTeK Computer INC. | | P5Q
Processor: Intel(R) Core(TM)2 Duo CPU E8400 @ 3.00GHz | LGA 775 | 3003/333mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 466 GiB total, 394,331 GiB free.
D: is FIXED (NTFS) - 466 GiB total, 329,638 GiB free.
E: is FIXED (NTFS) - 466 GiB total, 45,906 GiB free.
F: is CDROM ()
G: is CDROM ()
H: is Removable
I: is Removable
J: is Removable
K: is Removable
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
No restore point in system.
.
==== Installed Programs ======================
.
5600
5600_Help
5600Trb
Adobe Acrobat X Pro - Italiano, Español, Nederlands, Português
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Shockwave Player 11.5
Advanced Video FX Engine
AIO_CDB_ProductContext
AIO_CDB_Software
AIO_Scan
Apple Application Support
Apple Software Update
BitTorrent
BufferChm
Citrix XenApp Web Plugin
Copy
Creative Live! Cam Center
Creative Software AutoUpdate
Creative Sound Blaster Properties x64 Edition
Criteri di Microsoft SQL Server 2008 R2
Crystal Reports for Visual Studio
D3DX10
Destinations
DeviceDiscovery
Documentazione online di Microsoft SQL Server 2008 R2
Dotfuscator Software Services - Community Edition
Dotfuscator Software Services - Community Edition - ITA
Eets
eMule
Fax
Framework applic. livello dati di Microsoft SQL Server 2008 R2
GPBaseService2
HiJackThis
Hotfix for Microsoft Visual Studio 2007 Tools for Applications - ENU (KB946040)
Hotfix for Microsoft Visual Studio 2007 Tools for Applications - ENU (KB946308)
Hotfix for Microsoft Visual Studio 2007 Tools for Applications - ENU (KB946344)
Hotfix for Microsoft Visual Studio 2007 Tools for Applications - ENU (KB947540)
Hotfix for Microsoft Visual Studio 2007 Tools for Applications - ENU (KB947789)
Hotfix for Visual C++ Standard 2010 Beta 1 - ENU (KB2280741)
Hotfix for Visual C++ Standard 2010 Beta 1 - ENU (KB2284668)
Hotfix for Visual C++ Standard 2010 Beta 1 - ENU (KB2295689)
Hotfix for Visual C++ Standard 2010 Beta 1 - ENU (KB2420513)
Hotfix for Visual C++ Standard 2010 Beta 1 - ENU (KB2452649)
Hotfix for Visual C++ Standard 2010 Beta 1 - ENU (KB2455033)
Hotfix for Visual C++ Standard 2010 Beta 1 - ENU (KB2485545)
Hotfix for Visual C++ Standard 2010 Beta 1 - ENU (KB982517)
Hotfix for Visual C++ Standard 2010 Beta 1 - ENU (KB982721)
Hotfix for Visual C++ Standard 2010 Beta 1 - ENU (KB983233)
Hotfix per Microsoft Visual Studio 2007 Tools for Applications - ENU (KB947789)
HP Update
HPPhotoGadget
HPPhotoSmartDiscLabelContent1
HPPhotosmartEssential
HPProductAssistant
HPSSupply
Intel(R) Rapid Storage Technology
IsoBuster 2.7
Java Auto Updater
Java(TM) 6 Update 26
Juniper Networks Network Connect 6.4.0
Juniper Networks Network Connect 7.0.0
Juniper Networks Setup Client
Junk Mail filter update
Language Pack di Microsoft Visual F# 2.0 Runtime - ITA
Malwarebytes' Anti-Malware versione 1.51.0.1200
MarketResearch
Microsoft .NET Compact Framework 2.0 SP2
Microsoft .NET Compact Framework 3.5
Microsoft .NET Framework 4 Multi-Targeting Pack
Microsoft Application Error Reporting
Microsoft ASP.NET MVC 2
Microsoft ASP.NET MVC 2 - ITA
Microsoft ASP.NET MVC 2 - Visual Studio 2010 Tools
Microsoft ASP.NET MVC 2 - Visual Studio 2010 Tools - ITA
Microsoft Document Explorer 2008
Microsoft Document Explorer 2008 Language Pack - ITA
Microsoft Office 2003 Web Components
Microsoft Report Viewer Redistributable 2008 (KB971119)
Microsoft Report Viewer Redistributable 2008 SP1
Microsoft Report Viewer Redistributable 2008 SP1 Language Pack - ITA
Microsoft Silverlight
Microsoft Silverlight 3 SDK - Italiano
Microsoft Silverlight 4 SDK - Italiano
Microsoft SQL Server 2008 R2 Management Objects
Microsoft SQL Server Browser
Microsoft SQL Server Compact 3.5 SP2 ITA
Microsoft SQL Server Compact 3.5 SP2 Query Tools ITA
Microsoft SQL Server Database Publishing Wizard 1.4
Microsoft SQL Server System CLR Types
Microsoft Sync Framework SDK v1.0 SP1 it
Microsoft Visual C++ Compilers 2010 Standard - enu - x86
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4974
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
Microsoft Visual C++ 2010 x86 Runtime - 10.0.40219
Microsoft Visual F# 2.0 Runtime
Microsoft Visual Studio 2008 Shell (integrated mode) - ITA
Microsoft Visual Studio 2010 ADO.NET Entity Framework Tools
Microsoft Visual Studio 2010 Service Pack 1
Microsoft Visual Studio 2010 SharePoint Developer Tools
Microsoft Visual Studio 2010 Ultimate - ITA
Microsoft Visual Studio Tools for Applications 2.0 - ENU
Microsoft Visual Studio Tools for Applications 2.0 Language Pack - ITA
Monkey Island 2: Special Edition
MSVCRT
MSVCRT_amd64
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
NVIDIA 3D Vision Controller Driver
NVIDIA PhysX
NVIDIA Stereoscopic 3D Driver
Origin
Pannello di controllo audio Creative
Piante contro zombi
Progetto applicazione livello dati Microsoft SQL Server 2008 R2
PuTTY version 0.60
QuickTime
Scan
Security Update for Microsoft .NET Framework 4 Client Profile - Language Pack (ITA) (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2160841)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Extended (KB2416472)
Servizio linguaggio Transact-SQL Microsoft SQL Server 2008 R2
SmartWebPrinting
SolutionCenter
Spore
StarCraft
StarCraft II
Status
Steam
The Secret of Monkey Island: Special Edition
Toolbox
TrayApp
UnloadSupport
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Extended (KB2468871)
VC Runtimes MSI
Visual C++ 2008 IA64 Runtime - (v9.0.30729)
Visual C++ 2008 IA64 Runtime - v9.0.30729.01
Visual C++ 2008 x64 Runtime - (v9.0.30729)
Visual C++ 2008 x64 Runtime - (v9.0.30729.4148)
Visual C++ 2008 x64 Runtime - v9.0.30729.01
Visual C++ 2008 x64 Runtime - v9.0.30729.4148
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - (v9.0.30729.4148)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
Visual C++ 2008 x86 Runtime - v9.0.30729.4148
Visual Studio 2010 Tools for SQL Server Compact 3.5 SP2 ITA
WCF RIA Services V1.0 SP1
WebReg
Windows Live Communications Platform
Windows Live Essentials
Windows Live Installer
Windows Live Mail
Windows Live Messenger
Windows Live Photo Common
Windows Live PIMT Platform
Windows Live SOXE
Windows Live SOXE Definitions
Windows Live UX Platform
Windows Live UX Platform Language Pack
Windows Live Writer
Windows Live Writer Resources
WinImage
WinZip 14.5
.
==== End Of File ===========================
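A read-only triage checklist for the infection pattern Massimo describes, added here as an example; it is not the original poster's commands nor a MalwareRemoval.com tool. It checks the indicators in the post (Task Manager disabled by policy, a Run entry pointing into ProgramData/AppData, windowless iexplore.exe processes not parented by an IE frame process and their TCP peers, the %Temp%\smtmp shortcut stash) plus the UAC values the DDS log shows, and fingerprints the MBR, which the thread's edit identifies as where the persistence lived. It assumes an elevated Windows PowerShell prompt on Windows 7 and that the system disk is \\.\PhysicalDrive0; the scheduled-task check is an addition, because a svchost.exe parent usually means a task or COM activation.

```powershell
# Read-only triage checklist for the infection pattern described in this thread.
# Added example, not the original poster's commands or a MalwareRemoval.com tool.
# Assumes an elevated Windows PowerShell prompt (2.0+) and that the system disk
# is \\.\PhysicalDrive0. It reports; it deletes or changes nothing.

$findings = New-Object 'System.Collections.Generic.List[string]'

# 1. Task Manager disabled through policy (how the OP noticed something was wrong).
foreach ($hive in 'HKCU', 'HKLM') {
    $key = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Policies\System"
    $v = (Get-ItemProperty -Path $key -Name DisableTaskMgr -ErrorAction SilentlyContinue).DisableTaskMgr
    if ($v -eq 1) { $findings.Add("Task Manager disabled by policy: $key\DisableTaskMgr = 1") }
}

# 2. UAC state. The DDS log shows EnableLUA = 0, ConsentPromptBehaviorAdmin = 0 and
#    PromptOnSecureDesktop = 0, i.e. UAC fully off; Windows 7 defaults are 1 / 5 / 1.
$uacKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$uac = Get-ItemProperty -Path $uacKey -ErrorAction SilentlyContinue
$uacDefaults = @{ EnableLUA = 1; ConsentPromptBehaviorAdmin = 5; PromptOnSecureDesktop = 1 }
foreach ($name in $uacDefaults.Keys) {
    $actual = $uac.$name
    if ($null -ne $actual -and $actual -ne $uacDefaults[$name]) {
        $findings.Add("UAC weakened: $name = $actual (Windows 7 default $($uacDefaults[$name]))")
    }
}

# 3. Run keys whose command lives in a user-writable directory. The OP's rogue sat in
#    C:\ProgramData or %userprofile%\AppData under a random name with a "Run" entry.
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
foreach ($rk in $runKeys) {
    $entries = Get-ItemProperty -Path $rk -ErrorAction SilentlyContinue
    if (-not $entries) { continue }
    foreach ($e in $entries.PSObject.Properties) {
        if ($e.Name -like 'PS*') { continue }          # skip PSPath/PSDrive/... metadata
        if ([string]$e.Value -match '(?i)\\(ProgramData|AppData|Temp)\\') {
            $findings.Add("Run entry in user-writable path: [$($e.Name)] $($e.Value)  ($rk)")
        }
    }
}

# 4. Windowless iexplore.exe processes not parented by an IE frame process, with their
#    current TCP peers. IE8 tab processes are children of iexplore.exe and are expected;
#    a svchost.exe parent (what the OP saw in Process Explorer) usually means a scheduled
#    task or COM activation, hence the task check in step 5.
$netstat = netstat -ano
foreach ($p in (Get-WmiObject Win32_Process -Filter "Name = 'iexplore.exe'")) {
    $parent = Get-WmiObject Win32_Process -Filter "ProcessId = $($p.ParentProcessId)"
    $proc = Get-Process -Id $p.ProcessId -ErrorAction SilentlyContinue
    $hasWindow = ($proc -ne $null) -and ($proc.MainWindowHandle -ne 0)
    if (-not $hasWindow -and $parent.Name -ne 'iexplore.exe') {
        $peers = @()
        foreach ($line in $netstat) {
            if ($line -match "^\s*TCP\s+\S+\s+(\S+)\s+\S+\s+$($p.ProcessId)\s*`$") { $peers += $Matches[1] }
        }
        $findings.Add("Hidden iexplore.exe PID $($p.ProcessId) (parent: $($parent.Name) PID $($p.ParentProcessId)); TCP peers: $($peers -join ', ')")
    }
}

# 5. Scheduled tasks that launch iexplore.exe (COM API, so it works on a localized OS).
$sched = New-Object -ComObject Schedule.Service
$sched.Connect()
function Get-AllTasks($folder) {
    $folder.GetTasks(1)                                 # 1 = include hidden tasks
    foreach ($sub in $folder.GetFolders(0)) { Get-AllTasks $sub }
}
foreach ($t in Get-AllTasks $sched.GetFolder('\')) {
    if ($t.Xml -match '(?i)iexplore\.exe') { $findings.Add("Scheduled task runs iexplore.exe: $($t.Path)") }
}

# 6. The folder the rogue used to stash the Start menu and desktop shortcuts it "deleted".
$smtmp = Join-Path $env:TEMP 'smtmp'
if (Test-Path $smtmp) { $findings.Add("Shortcut stash still present: $smtmp") }

# 7. MBR fingerprint. The thread's eventual fix was rewriting the MBR and boot sector;
#    hash the first sector so it can be compared with a known-good baseline (or with the
#    same disk after a clean rewrite) instead of trusting in-OS scanners alone.
try {
    $fs = New-Object IO.FileStream('\\.\PhysicalDrive0', [IO.FileMode]::Open,
                                   [IO.FileAccess]::Read, [IO.FileShare]::ReadWrite)
    $mbr = New-Object byte[] 512
    [void]$fs.Read($mbr, 0, 512); $fs.Close()
    if ($mbr[510] -ne 0x55 -or $mbr[511] -ne 0xAA) { $findings.Add('MBR lacks the 55 AA boot signature') }
    $hash = ([Security.Cryptography.SHA256]::Create().ComputeHash($mbr) | ForEach-Object { $_.ToString('x2') }) -join ''
    "MBR SHA-256 of PhysicalDrive0: $hash  (compare against a known-good baseline)"
} catch { "Could not read the MBR (not elevated?): $($_.Exception.Message)" }

if ($findings.Count -eq 0) { 'None of the indicators on this checklist were found.' }
else { $findings | ForEach-Object { "[!] $_" } }
```

A clean result only means these particular indicators are absent; as the thread shows, boot-sector persistence is invisible to in-OS scanners, which is why the MBR hash is worth keeping as a baseline.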

Re: Totally undetectable malware... but it's there

Post by deltalima » July 15th, 2011, 2:43 pm

Hi Massimo,

Please let me know if the computer is used for home or for business use.

Re: Totally undetectable malware... but it's there

Post by Massimo » July 15th, 2011, 11:29 pm

deltalima wrote:
Hi Massimo,
Please let me know if the computer is used for home or for business use.


It's my home computer.

Re: Totally undetectable malware... but it's there

Post by deltalima » July 16th, 2011, 9:49 am

Hi Massimo,

It's my home computer.


Please let me know what the following programs are used for.

Citrix
Juniper Networks
Microsoft Silverlight 4 SDK
Microsoft SQL Server Database Publishing Wizard
Microsoft Visual Studio 2010 SharePoint Developer Tools
Microsoft Visual Studio 2010 Ultimate - ITA


Please also let me know the connection to the company sace.it.

Re: Totally undetectable malware... but it's there

Post by deltalima » July 19th, 2011, 1:00 pm

Due to a lack of response, this topic is now closed.

If you still require help, please open a new thread in the Infected? Virus, malware, adware, ransomware, oh my! forum, include a fresh FRST log, and wait for a new helper.