Author Topic: [Resolved] Redirected Searches, Delays in typing, System Slowed  (Read 4264 times)


Offline Bear

  • Malware Removal Mentors
  • Global Moderator
  • Gold Member
  • Posts: 2157
Re: [In Progress] Redirected Searches, Delays in typing, System Slowed
« Reply #60 on: December 30, 2011, 04:50:41 PM »

Hi Adam

One of those files is definitely bad and we will delete it.  We will check on a couple of others.

1.  Double click on the OTL icon to run it (Vista and Windows 7 users right click and select Run as Administrator). Make sure all other windows are closed and let it run uninterrupted.

2.  In the lower right corner, checkmark "LOP Check" and checkmark "Purity Check".  On the upper right be sure Use Company-Name WhiteList and Skip Microsoft Files are checked.  Copy the code in the code box below and paste it into the Custom Scan box.

Code:
:OTL

:FILES
C:\Windows\system32\Drivers\utqxmtyx.sys

:Commands
 [REBOOT]



3.  Click on the Run Fix button.  The fix log is saved on your C: drive under OTL\Moved Files as date-some number.log.  Reboot your PC.

4.  Please right click on the start menu and choose Open Windows Explorer.  Go to tools/folder options/view and click on Show Hidden Files.  Then uncheck Hide Protected Operating System Files and click OK.

Next go to JOTTI and click on Browse.  Then scroll down until you see Local Disk (C:) in the left pane and left click on it.  Click on Windows in the right pane and then click on system32 and scroll down to drivers and scroll down to iPodDrv.sys and click on it.  Next click submit file and record the "status."

Repeat this procedure for C:\Windows\system32\DRIVERS\smb.sys and c:\windows\system32\drivers\TrueSight.sys.

5.  Now go to Virus Total, again click Browse and find the same files (three).  Click Send File and click on View Last Report if it exists, else click on Analyse.  Record "Result".




As always please check to be sure Word Wrap is NOT turned on in any Notepad files you post and please be sure to check that all the data you entered was posted.  If not, use multiple posts.

Now please post the following to me as a reply to this post:
OTL Fix Log
Jotti "status"
Virus Total "Result"
Let me know how your computer and browser are operating
If you have any questions or problems, let me know that as well



Never interrupt your enemy when he is making a mistake.
- Napoleon Bonaparte

Offline adammedonca

  • Bronze Member
  • Posts: 51
Re: [In Progress] Redirected Searches, Delays in typing, System Slowed
« Reply #61 on: December 30, 2011, 09:12:56 PM »
========== OTL ==========
========== FILES ==========
C:\Windows\system32\Drivers\utqxmtyx.sys moved successfully.
========== COMMANDS ==========
 
OTL by OldTimer - Version 3.2.31.0 log created on 12302011_205411


smb.sys:
Scan finished. 9 out of 20 scanners reported malware.

TrueSight.sys:
Scan finished. 0 out of 20 scanners reported malware.

iPodDrv.sys:
Scan finished. 0 out of 20 scanners reported malware.


Virus total:

iPodDrv.sys:
0 /43 (0.0%)

TrueSight.sys:
1 /41 (2.4%)

smb.sys:
19/ 43 (44.2%)

Offline Bear

  • Malware Removal Mentors
  • Global Moderator
  • Gold Member
  • Posts: 2157
Re: [In Progress] Redirected Searches, Delays in typing, System Slowed
« Reply #62 on: December 31, 2011, 03:11:46 AM »
Hi Adam

Let's take a closer look at smb.sys.

1.  Please download FileFind and save it to your desktop.

2.  Unzip the file and save it to your desktop.

3.  Double click on FileFind.exe

4.  Be sure the Directory input box is set to:  C:\

5.  Copy and paste the code in the code box below into the input box labeled File.

Code:

smb.sys

6.  Now click Search.  This could take some time.  Ignore error message "not responding".

7.  Once the utility has finished, click on Export.

8.  Save the file Export.txt to your desktop.

As always check to be sure Word Wrap is NOT turned on in any Notepad files you post and be sure to check that all the data you entered was posted.  If not, use multiple posts.

Now please post the following to me as a reply to this post:
Export.txt
If you have any questions or problems, let me know that as well


Never interrupt your enemy when he is making a mistake.
- Napoleon Bonaparte

Offline adammedonca

  • Bronze Member
  • Posts: 51
Re: [In Progress] Redirected Searches, Delays in typing, System Slowed
« Reply #63 on: January 01, 2012, 08:54:16 PM »
When I click on Export, I get a runtime error. It says something about path/file access...

Offline Bear

  • Malware Removal Mentors
  • Global Moderator
  • Gold Member
  • Posts: 2157
Re: [In Progress] Redirected Searches, Delays in typing, System Slowed
« Reply #64 on: January 01, 2012, 10:41:29 PM »
Hi Adam

Try running as administrator.  If that doesn't work we'll try a different program.
Never interrupt your enemy when he is making a mistake.
- Napoleon Bonaparte

Offline adammedonca

  • Bronze Member
  • Posts: 51
Re: [In Progress] Redirected Searches, Delays in typing, System Slowed
« Reply #65 on: January 02, 2012, 08:24:59 AM »
C:\Windows\System32\drivers\smb.sys - 66560 Bytes
C:\Windows\winsxs\x86_microsoft-windows-nbsmb_31bf3856ad364e35_6.0.6001.18000_none_5f6a9133f7f64138\smb.sys - 66560 Bytes
C:\Windows\winsxs\x86_microsoft-windows-nbsmb_31bf3856ad364e35_6.0.6002.18005_none_61560a3ff5180c84\smb.sys - 66560 Bytes

Offline Bear

  • Malware Removal Mentors
  • Global Moderator
  • Gold Member
  • Posts: 2157
Re: [In Progress] Redirected Searches, Delays in typing, System Slowed
« Reply #66 on: January 02, 2012, 03:10:29 PM »
Hi Adam

A bit puzzling.  The file you tested with VT and Jotti is infected, but the other two versions of it on your PC are exactly the same size.  Difficult to infect a file and have it stay the same size.  They may all be infected.  Can you please test the following file in VT and Jotti and paste the results:


C:\Windows\winsxs\x86_microsoft-windows-nbsmb_31bf3856ad364e35_6.0.6001.18000_none_5f6a9133f7f64138\smb.sys

If this one also comes back infected, let me know if you have a Windows Vista installation disk.
Never interrupt your enemy when he is making a mistake.
- Napoleon Bonaparte
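The check Adam is being walked through by hand (comparing the System32 copy of smb.sys with the two WinSxS copies) can be done in one go; the script below is an added example and is not Bear's instructions or any of the tools named in this thread. It assumes PowerShell 4 or later (for Get-FileHash), and it reports size, SHA-256 and Authenticode status for every copy, because two files of identical size can still differ in content, which only the hash will show.

```powershell
# Added example: compare every on-disk copy of a driver by size, hash and signature.
# Assumes PowerShell 4+ (Get-FileHash). The driver name is a parameter; the default
# is the file discussed in this thread.
param(
    [string]$DriverName = 'smb.sys',
    [string]$SystemRoot = $env:SystemRoot
)

# The copy the kernel actually loads lives in System32\drivers; WinSxS holds the
# component-store copies that Windows servicing uses to repair it.
$searchRoots = @(
    (Join-Path $SystemRoot 'System32\drivers'),
    (Join-Path $SystemRoot 'winsxs')
)

$copies = @(foreach ($root in $searchRoots) {
    if (Test-Path $root) {
        # -Force includes hidden/system files, which is what Bear had Adam unhide in Explorer.
        Get-ChildItem -Path $root -Filter $DriverName -Recurse -File -Force -ErrorAction SilentlyContinue
    }
})

if ($copies.Count -eq 0) {
    Write-Warning "No copies of $DriverName found under $($searchRoots -join ', ')"
    return
}

$report = @(foreach ($file in $copies) {
    # Catalog-signed Windows binaries may report NotSigned on older systems, so treat
    # a hash that differs from the WinSxS copies as the stronger signal.
    $sig = Get-AuthenticodeSignature -FilePath $file.FullName
    [pscustomobject]@{
        Path      = $file.FullName
        Bytes     = $file.Length
        SHA256    = (Get-FileHash -Path $file.FullName -Algorithm SHA256).Hash
        Signature = $sig.Status
        Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    }
})

$report | Format-Table -AutoSize -Wrap

# Same size but different hash is exactly the case a size-only comparison misses.
$distinctHashes = @($report.SHA256 | Sort-Object -Unique).Count
$distinctSizes  = @($report.Bytes  | Sort-Object -Unique).Count
if ($distinctHashes -gt 1) {
    Write-Warning "$DriverName has $distinctHashes distinct contents across $($report.Count) copies ($distinctSizes distinct sizes)."
    $report | Where-Object { $_.Signature -ne 'Valid' } |
        ForEach-Object { Write-Warning "  not validly signed: $($_.Path) [$($_.Signature)]" }
} else {
    Write-Output "$DriverName is byte-identical across all $($report.Count) copies."
}
```

The SHA-256 values it prints can be searched on VirusTotal directly, which avoids uploading each copy as the thread does; a System32 copy whose hash matches neither WinSxS copy is the one to treat as suspect.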

Offline adammedonca

  • Bronze Member
  • Posts: 51
Re: [In Progress] Redirected Searches, Delays in typing, System Slowed
« Reply #67 on: January 04, 2012, 01:06:20 AM »
I can't find the folder winsxs

Offline Bear

  • Malware Removal Mentors
  • Global Moderator
  • Gold Member
  • Posts: 2157
Re: [In Progress] Redirected Searches, Delays in typing, System Slowed
« Reply #68 on: January 04, 2012, 02:00:19 AM »
Hi Adam

Did you do this:

Please right click on the start menu and choose Open Windows Explorer.  Go to tools/folder options/view and click on Show Hidden Files.  Then uncheck Hide Protected Operating System Files and click OK.


Once you have done that then:

scroll down until you see Local Disk (C:) in the left pane and left click on it.  Click on Windows in the right pane and then click on winsxs and scroll down to x86_microsoft-windows-nbsmb_31bf3856ad364e35_6.0.6001.18000_none_5f6a9133f7f64138, click on it and scroll down to smb.sys and click on it.
Never interrupt your enemy when he is making a mistake.
- Napoleon Bonaparte

Offline adammedonca

  • Bronze Member
  • Posts: 51
Re: [In Progress] Redirected Searches, Delays in typing, System Slowed
« Reply #69 on: January 04, 2012, 08:54:19 PM »
Virus Total:  0/42 (0.0%)

Jotti:
Scan finished. 0 out of 20 scanners reported malware.

Offline Bear

  • Malware Removal Mentors
  • Global Moderator
  • Gold Member
  • Posts: 2157
Re: [In Progress] Redirected Searches, Delays in typing, System Slowed
« Reply #70 on: January 05, 2012, 12:43:09 AM »
Hi Adam

That's great, it makes our lives much easier.

1.  Disable all of your Anti-Virus, Anti-Spyware programs again.

2.  Open Notepad, click on Format and be sure Word Wrap is NOT checked.  Then copy the text in the code box below and paste it into the Notepad window.  Now name this file CFScript.txt and save it to your Desktop.

Code:

KILLALL::

File::

Folder::

Registry::

Driver::

Firefox::

dirlook::


FCopy::
C:\Windows\winsxs\x86_microsoft-windows-nbsmb_31bf3856ad364e35_6.0.6001.18000_none_5f6a9133f7f64138\smb.sys | C:\Windows\system32\DRIVERS\smb.sys

DDS::


3. Close all open browsers.



4. Referring to the picture above, drag CFScript.txt onto the ComboFix.exe icon.  ComboFix will run and produce a report.  This report will be saved at C:\ComboFix.txt.

Note: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.  Reboot your computer.

5.  Please run Malwarebytes' Anti-malware again.

6.  On the Scanner tab:
•   Make sure the "Perform Full Scan" option is selected.
•   Then click on the Scan button.
•   If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
•   The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
•   When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
•   Click OK to close the message box and continue with the removal process.

Back at the main Scanner screen:
•   Click on the Show Results button to see a list of any malware that was found.
•   Make sure that everything is checked, and click Remove Selected.  If asked to reboot do so.
•   When removal is completed, a log report will open in Notepad.
•   The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
•   Create another Notepad file on your desktop named MBAM.txt.  Copy and paste the contents of the MBAM log into the Notepad file.  Be sure you paste the complete log to include the top portion which shows MBAM's database version and your operating system.  Click save.
•   Exit MBAM when done.

7.  Run ESET scanner again.

8.  Be sure that ONLY the following items are checked:
   Remove found threats
   Scan for potentially unwanted applications
   Enable Anti-Stealth technology

Click Start.

It may take some time for the virus definitions to download and the scan to finish.  Do not click on the interface, download or install anything until the scan completes.  When the scan completes click Finish.

9.  Navigate to the following file path, C:\Program Files\ESET\ESET Online Scanner and Double-click on the log file.  Click File/Save As and name the file ESETLog.txt and save it to your desktop.



Remember to be sure Word Wrap is NOT turned on in any Notepad files you post and to check that all the data you entered was posted.

Now please post the following to me as a reply to this post:
ComboFix.txt
MBAM.txt
ESETLog.txt
Let me know how your computer and browser are operating
If you have any other questions or problems, let me know that as well

Never interrupt your enemy when he is making a mistake.
- Napoleon Bonaparte

Offline adammedonca

  • Bronze Member
  • Posts: 51
Re: [In Progress] Redirected Searches, Delays in typing, System Slowed
« Reply #71 on: January 05, 2012, 11:53:56 PM »
ComboFix 12-01-05.04 - Adam 01/05/2012  19:17:22.6.1 - x86
Microsoft® Windows Vista™ Home Basic   6.0.6002.2.1252.1.1033.18.2813.1938 [GMT -6:00]
Running from: c:\users\Adam\Desktop\ComboFix2.exe
Command switches used :: c:\users\Adam\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *Disabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus Free *Disabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Adam\Desktop\Internet Explorer.lnk
.
.
--------------- FCopy ---------------
.
c:\windows\winsxs\x86_microsoft-windows-nbsmb_31bf3856ad364e35_6.0.6001.18000_none_5f6a9133f7f64138\smb.sys --> c:\windows\system32\DRIVERS\smb.sys
.
(((((((((((((((((((((((((   Files Created from 2011-12-06 to 2012-01-06  )))))))))))))))))))))))))))))))
.
.
2012-01-06 01:24 . 2012-01-06 01:29   --------   d-----w-   c:\users\Adam\AppData\Local\temp
2012-01-06 01:24 . 2012-01-06 01:24   --------   d-----w-   c:\users\Default\AppData\Local\temp
2011-12-30 01:28 . 2011-12-30 01:33   --------   d-----w-   c:\users\Adam\AppData\Roaming\ImgBurn
2011-12-30 01:27 . 2011-12-30 01:27   --------   d-----w-   c:\program files\ImgBurn
2011-12-28 06:55 . 2011-12-28 06:55   10240   ----a-w-   c:\windows\system32\drivers\ujqxmtyx.sys
2011-12-27 08:28 . 2011-12-28 00:41   111872   ----a-w-   c:\windows\system32\drivers\TrueSight.sys
2011-12-24 08:54 . 2011-12-25 00:21   --------   d-----w-   C:\ComboFix
2011-12-24 06:21 . 2011-12-24 06:22   --------   d-----w-   c:\users\Adam\AppData\Roaming\Qeen
2011-12-24 06:21 . 2011-12-24 06:21   --------   d-----w-   c:\users\Adam\AppData\Roaming\Bux
2011-12-24 02:46 . 2011-11-21 10:47   6823496   ----a-w-   c:\programdata\Microsoft\Windows Defender\Definition Updates\{38694C1F-7DA6-442D-B4BD-0CE03300DB04}\mpengine.dll
2011-12-24 02:32 . 2011-12-24 02:32   --------   d-----w-   C:\_OTL
2011-12-22 05:35 . 2011-12-22 05:35   --------   d-----w-   c:\program files\ESET
2011-12-18 08:59 . 2011-12-19 07:54   --------   d-----w-   c:\program files\SUPERAntiSpyware
2011-12-18 08:44 . 2011-12-19 05:31   --------   d-----w-   c:\users\Adam\Tracing
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-04 01:15 . 2011-06-15 14:00   414368   ----a-w-   c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-15 20:29 . 2009-10-05 15:13   222080   ------w-   c:\windows\system32\MpSigStub.exe
2011-11-25 00:02 . 2011-11-05 23:14   134104   ----a-w-   c:\program files\mozilla firefox\components\browsercomps.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2011-03-18 2471240]
.
[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2011-03-18 13:11   2471240   ----a-w-   c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2011-03-18 2471240]
.
[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2011-03-18 2471240]
.
[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2009-01-13 6711840]
"Acer ePower Management"="c:\program files\eMachines\eMachines Power Management\ePowerTray.exe" [2009-02-06 686624]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-01-09 1418536]
"LManager"="c:\progra~1\LAUNCH~1\LManager.exe" [2009-01-17 862728]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\avgrsstx.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2011-03-30 04:59   937920   ----a-r-   c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2011-06-08 04:02   37296   ----a-w-   c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG9_TRAY]
2011-03-14 19:12   2071904   ----a-w-   c:\progra~1\AVG\AVG9\avgtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonMyPrinter]
2006-03-22 01:30   1191936   ----a-w-   c:\program files\Canon\MyPrinter\BJMYPRT.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2010-11-08 03:28   136176   ----atw-   c:\users\Adam\AppData\Local\Google\Update\GoogleUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2011-11-13 06:24   421736   ----a-w-   c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechQuickCamRibbon]
2009-10-14 18:36   2793304   ----a-w-   c:\program files\Logitech\Logitech WebCam Software\LWS.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OpwareSE4]
2006-03-21 19:19   69632   ----a-w-   c:\program files\ScanSoft\OmniPageSE4.0\OpWareSE4.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 22:38   421888   ----a-w-   c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2011-05-27 02:50   15147400   ----a-r-   c:\program files\Skype\Phone\Skype.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
2003-09-30 06:14   155648   ----a-r-   c:\program files\Common Files\ScanSoft Shared\SSBkgdUpdate\SSBkgdUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
2010-02-11 05:32   61440   ----a-w-   c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-05-14 16:44   248552   ----a-w-   c:\program files\Common Files\Java\Java Update\jusched.exe
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork   REG_MULTI_SZ      PLA DPS BFE mpssvc
LocalServiceAndNoImpersonation   REG_MULTI_SZ      FontCache
.
Contents of the 'Scheduled Tasks' folder
.
2012-01-06 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-10-02 23:13]
.
2012-01-06 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-10-02 23:13]
.
2012-01-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1000265405-3506121479-2019536667-1000Core.job
- c:\users\Adam\AppData\Local\Google\Update\GoogleUpdate.exe [2010-11-08 03:28]
.
2012-01-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1000265405-3506121479-2019536667-1000UA.job
- c:\users\Adam\AppData\Local\Google\Update\GoogleUpdate.exe [2010-11-08 03:28]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://homepage.emachines.com/rdr.aspx?b=ACEW&l=0409&s=2&o=vb32&d=0509&m=e625
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
TCP: DhcpNameServer = 75.75.76.76 75.75.75.75
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll
FF - ProfilePath - c:\users\Adam\AppData\Roaming\Mozilla\Firefox\Profiles\jjlrltwk.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-01-05 19:28
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ...
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(5372)
c:\program files\eMachines\eMachines Power Management\SysHook.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\eMachines\eMachines Power Management\ePowerSvc.exe
c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\progra~1\mcafee\SITEAD~1\mcsacore.exe
c:\program files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe
c:\windows\system32\rundll32.exe
c:\program files\Launch Manager\LManager.exe
c:\windows\system32\wbem\unsecapp.exe
c:\users\Adam\AppData\Local\Temp\RtkBtMnt.exe
c:\program files\Synaptics\SynTP\SynTPHelper.exe
.
**************************************************************************
.
Completion time: 2012-01-05  19:37:41 - machine was rebooted
ComboFix-quarantined-files.txt  2012-01-06 01:37
ComboFix2.txt  2011-12-26 09:08
ComboFix3.txt  2011-12-26 00:41
ComboFix4.txt  2011-12-25 01:29
ComboFix5.txt  2012-01-06 01:13
.
Pre-Run: 113,252,159,488 bytes free
Post-Run: 113,276,870,656 bytes free
.
- - End Of File - - 8C1B6CD3AE3A58CB16E763E84FDEEE6C

Offline adammedonca

  • Bronze Member
  • Posts: 51
Re: [In Progress] Redirected Searches, Delays in typing, System Slowed
« Reply #72 on: January 05, 2012, 11:55:01 PM »
Malwarebytes Anti-Malware 1.60.0.1800
www.malwarebytes.org

Database version: v2012.01.06.01

Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 8.0.6001.19154
Adam :: ADAM-LAPTOP [administrator]

1/5/2012 7:41:21 PM
mbam-log-2012-01-05 (19-41-21).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 319141
Time elapsed: 2 hour(s), 23 minute(s), 20 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 10
C:\Qoobox\Quarantine\C\ProgramData\WSTB\verosupd.exe.vir (Trojan.Clicker) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Users\Adam\AppData\Local\hti.exe.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Users\Adam\AppData\Local\lfu.exe.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Users\Adam\AppData\Local\rwa.exe.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Users\Adam\AppData\Local\uxw.exe.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Users\Adam\AppData\Local\wrk.exe.vir (Trojan.FakeAV) -> Quarantined and deleted successfully.
C:\Users\Adam\AppData\Roaming\Bux\ulfusa.exe (Trojan.Zbot.CBCGen) -> Quarantined and deleted successfully.
C:\Users\Adam\Desktop\RK_Quarantine\ulfusa.exe.vir (Trojan.Zbot.CBCGen) -> Quarantined and deleted successfully.
C:\Users\Adam\Documents\1khRP.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Users\Adam\Desktop\winlogon.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.

(end)

Offline adammedonca

  • Bronze Member
  • Posts: 51
Re: [In Progress] Redirected Searches, Delays in typing, System Slowed
« Reply #73 on: January 05, 2012, 11:55:47 PM »
I don't know if this is the right ESET log or if it is an old one.


ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=cf5c08fe584fd54c9ac55285a6cab8e5
# end=stopped
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2011-12-22 08:39:58
# local_time=2011-12-22 02:39:58 (-0600, Central Standard Time)
# country="United States"
# lang=1033
# osver=6.0.6002 NT Service Pack 2
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=1024 16777215 100 0 63926025 63926025 0 0
# compatibility_mode=5892 16776573 100 100 0 161140329 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=66629
# found=10
# cleaned=10
# scan_time=10442
C:\Users\Adam\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\12\3cc664c-26af3eba   probably a variant of Java/Exploit.CVE-2010-4452.A trojan (cleaned by deleting - quarantined)   00000000000000000000000000000000   C
C:\Users\Adam\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\15\399851cf-2705469f   probably a variant of Win32/Agent.FQRCZBA trojan (deleted - quarantined)   00000000000000000000000000000000   C
C:\Users\Adam\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\24\38566918-3c8eac4c   a variant of Java/TrojanDownloader.Agent.NAN trojan (deleted - quarantined)   00000000000000000000000000000000   C
C:\Users\Adam\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\29\20db519d-531aa7a9   multiple threats (deleted - quarantined)   00000000000000000000000000000000   C
C:\Users\Adam\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\29\61a815d-2ed1cc87   probably a variant of Java/Agent.BR trojan (deleted - quarantined)   00000000000000000000000000000000   C
C:\Users\Adam\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\3\3ce71243-3a325278   Java/Exploit.CVE-2011-3544.D trojan (deleted - quarantined)   00000000000000000000000000000000   C
C:\Users\Adam\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\43\556445eb-66fa5940   probably a variant of Win32/Agent.DYXWUMY trojan (deleted - quarantined)   00000000000000000000000000000000   C
C:\Users\Adam\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\44\5473416c-73eb0d36   multiple threats (deleted - quarantined)   00000000000000000000000000000000   C
C:\Users\Adam\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\49\73190831-11e9f313   a variant of Java/Exploit.CVE-2010-4452.A trojan (cleaned by deleting - quarantined)   00000000000000000000000000000000   C
C:\Users\Adam\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\51\729a4e73-6e6e9e93   a variant of Java/TrojanDownloader.OpenStream.NBG trojan (deleted - quarantined)   00000000000000000000000000000000   C
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=cf5c08fe584fd54c9ac55285a6cab8e5
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2011-12-24 08:23:23
# local_time=2011-12-24 02:23:23 (-0600, Central Standard Time)
# country="United States"
# lang=1033
# osver=6.0.6002 NT Service Pack 2
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=1024 16777215 100 0 64103109 64103109 0 0
# compatibility_mode=5892 16776574 66 100 0 161317413 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=158781
# found=7
# cleaned=7
# scan_time=5162
C:\ProgramData\graffast.exe   a variant of Win32/Kryptik.XVI trojan (cleaned by deleting - quarantined)   00000000000000000000000000000000   C
C:\Users\Adam\AppData\Local\dplaysvr.exe   a variant of Win32/Kryptik.XVI trojan (cleaned by deleting - quarantined)   00000000000000000000000000000000   C
C:\Users\Adam\AppData\Local\dplayx.dll   a variant of Win32/Kryptik.XVI trojan (cleaned by deleting - quarantined)   00000000000000000000000000000000   C
C:\Users\Adam\AppData\Local\temp\enrollmsi.exe   a variant of Win32/Kryptik.XVI trojan (cleaned by deleting - quarantined)   00000000000000000000000000000000   C
C:\Users\Adam\AppData\Local\temp\jyhgje.exe   a variant of Win32/Kryptik.XVI trojan (cleaned by deleting - quarantined)   00000000000000000000000000000000   C
C:\Users\Adam\AppData\Local\temp\ywerrtyerw.exe   a variant of Win32/Kryptik.XVI trojan (cleaned by deleting - quarantined)   00000000000000000000000000000000   C
C:\Users\Adam\AppData\Roaming\machst.exe   a variant of Win32/Kryptik.XVI trojan (cleaned by deleting - quarantined)   00000000000000000000000000000000   C

Offline Bear

  • Malware Removal Mentors
  • Global Moderator
  • Gold Member
  • Posts: 2157
Re: [In Progress] Redirected Searches, Delays in typing, System Slowed
« Reply #74 on: January 06, 2012, 01:33:55 AM »
Hi Adam

That is an old log.  See if you can find the new one.

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=cf5c08fe584fd54c9ac55285a6cab8e5
# end=stopped
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2011-12-22 08:39:58
# local_time=2011-12-22 02:39:58 (-0600, Central Standard Time)
 
Never interrupt your enemy when he is making a mistake.
- Napoleon Bonaparte