Jump to content


Photo

trojan Ransom and Zbot -can i ever trust my computer again?


  • This topic is locked This topic is locked
11 replies to this topic

#1 spyz1

spyz1

    Member

  • Full Member
  • Pip
  • 98 posts

Posted 02 November 2012 - 02:53 AM

I stupidly opened an email which was cleverly disguised as one of mine that had been sent out. I saw the dreaded flash of a warning from my AV - but all too late. I think the above Malware and possibly others got through maybe before during browsing despite Avast Free AV and Online Armor Firewall.

I then did a MWB scan and it showed up the above trojans and they now sit in quarantine. I also did a full scan using Avast and this threw up some more unidentified threats but is unable to remove them. It shows the message 'error the system cannot find the files specified' and will not remove them. I do not know if they are related to the above threats Ransom and Zbot.

My main worry is to have a clean set up and be sure that any financial information or passwords will not be in danger now or in the future. Will my computer be ever free once this type of attack happens or will I never be really sure no matter how much I clean it?

I supply the logs as requested below. I have the attach txt. data if you want. Sorry for any errors as I am a relative newcomer (as you can see):

Malwarebytes Anti-Malware 1.65.1.1000
www.malwarebytes.org

Database version: v2012.11.01.06

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
wfc :: WFC-TOSH [administrator]

01/11/2012 17:51:50
mbam-log-2012-11-01 (17-51-50).txt

Scan type: Full scan (C:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 410866
Time elapsed: 1 hour(s), 5 minute(s), 28 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 3
C:\Users\wfc\Desktop\random from old computer\Desktop\bills software\KeepOnTop.exe (Trojan.Ransom.ANC) -> Quarantined and deleted successfully.
C:\Windows\System32\InstallShield\_isdel.exe (Trojan.Zbot) -> Quarantined and deleted successfully.
C:\Windows\winsxs\wow64_microsoft-windows-i..llshield-wow64-main_31bf3856ad364e35_6.1.7600.16385_none_ca61f601a4548b8e\_isdel.exe (Trojan.Zbot) -



DDS (Ver_2012-10-19.01) - NTFS_AMD64
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_22
Run by wfc at 5:25:32 on 2012-11-02
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.44.1033.18.4008.1490 [GMT 0:00]
.
AV: avast! Antivirus *Enabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Enabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FW: Online Armor Firewall *Disabled* {32E71E58-6AAE-2557-2ABD-EA739069CE41}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\PROGRAM FILES (X86)\TRUSTEER\RAPPORT\BIN\RAPPORTMGMTSERVICE.EXE
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files (x86)\Online Armor\OAcat.exe
C:\PROGRAM FILES\AVAST SOFTWARE\AVAST\AVASTSVC.EXE
C:\Windows\System32\GFNEXSrv.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe
C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\TODDSrv.exe
C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\PROGRAM FILES (X86)\TRUSTEER\RAPPORT\BIN\RAPPORTSERVICE.EXE
C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE
C:\WINDOWS\EXPLORER.EXE
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\taskeng.exe
C:\Program Files\TOSHIBA\BulletinBoard\TosNcCore.exe
C:\PROGRAM FILES\TOSHIBA\REELTIME\TOSREELTIMEMONITOR.EXE
C:\WINDOWS\SYSTEM32\SEARCHINDEXER.EXE
C:\Program Files (x86)\Toshiba TEMPRO\TemproTray.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\system32\igfxsrvc.exe
C:\PROGRAM FILES (X86)\TOSHIBA\CONFIGFREE\NDSTRAY.EXE
C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe
C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\system32\igfxext.exe
C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\PROGRAM FILES\AVAST SOFTWARE\AVAST\AVASTUI.EXE
C:\Program Files (x86)\TOSHIBA\ConfigFree\CFSwMgr.exe
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe
C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\PROGRAM FILES (X86)\BBC IPLAYER DESKTOP\BBC IPLAYER DESKTOP.EXE
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Windows\system32\DllHost.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe
C:\PROGRAM FILES (X86)\TOSHIBA\CONFIGFREE\CFIWMXSVCS64.EXE
C:\PROGRAM FILES (X86)\TOSHIBA\CONFIGFREE\CFSVCS.EXE
C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
c:\Program Files (x86)\Nero\Update\NASvc.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\PROGRAM FILES\TOSHIBA\TOSHIBA HDD SSD ALERT\TOSSMARTSRV.EXE
C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSENotify.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
C:\Windows\system32\taskhost.exe
C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
C:\PROGRAM FILES (X86)\MALWAREBYTES' ANTI-MALWARE\MBAM.EXE
C:\Windows\system32\DllHost.exe
C:\Windows\SysWOW64\NOTEPAD.EXE
C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\cvh.exe
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_3_300_265.exe
C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_3_300_265.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxps://www.google.co.uk/
uDefault_Page_URL = hxxp://toshiba.msn.com
mWinlogon: Userinit = userinit.exe,
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: avast! WebRep: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Skype Browser Helper: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
BHO: TOSHIBA Media Controller Plug-in: {F3C88694-EFFA-4d78-B409-54B7B2535B14} - C:\Program Files (x86)\TOSHIBA\TOSHIBA Media Controller Plug-in\TOSHIBAMediaControllerIE.dll
TB: avast! WebRep: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
mRun: [NBAgent] "c:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe" /WinStart
mRun: [ToshibaServiceStation] C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe /hide:60
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
dRun: [TOPI.EXE] C:\Program Files (x86)\TOSHIBA\TOSHIBA Online Product Information\topi.exe /STARTUP
dRunOnce: [adaware] reg.exe delete "HKCU\Software\AppDataLow\Software\adaware" /f
dRunOnce: [adaware_XP] reg.exe delete "HKCU\Software\adaware" /f
StartupFolder: C:\Users\wfc\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\BBCIPL~1.LNK - C:\Program Files (x86)\BBC iPlayer Desktop\BBC iPlayer Desktop.exe
StartupFolder: C:\Users\wfc\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\EPROMP~1.LNK - C:\Program Files (x86)\ePrompter\ePrompter.exe
StartupFolder: C:\Users\wfc\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\OPENOF~1.LNK - C:\Program Files (x86)\OpenOffice.org 3\program\quickstart.exe
StartupFolder: C:\Users\wfc\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\TRDCRE~1.LNK - C:\Program Files (x86)\TOSHIBA\TRDCReminder\TRDCReminder.exe
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-Explorer: NoActiveDesktopChanges = dword:1
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: Add to TOSHIBA Bulletin Board - C:\Program Files\TOSHIBA\BulletinBoard\TosBBCom.dll/1000
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
IE: {97F922BD-8563-4184-87EE-8C4ACA438823} - {5D29E593-73A5-400A-B3BD-6B7A1AF05A31} - <orphaned>
.
INFO: HKCU has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
TCP: NameServer = 212.23.6.100 212.23.3.100
TCP: Interfaces\{C0F4A716-17DB-4694-98C0-C2E84EBB9DBF} : DHCPNameServer = 212.23.6.100 212.23.3.100
TCP: Interfaces\{C0F4A716-17DB-4694-98C0-C2E84EBB9DBF}\6796277696E6022627F616462616E646 : DHCPNameServer = 192.168.0.1
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - <orphaned>
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - <orphaned>
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
SSODL: WebCheck - <orphaned>
LSA: Security Packages = kerberos msv1_0 schannel wdigest tspkg pku2u livessp
x64-BHO: avast! WebRep: {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll
x64-BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
x64-BHO: Skype add-on for Internet Explorer: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll
x64-BHO: McAfee SiteAdvisor BHO: {B164E929-A1B6-4A06-B104-2CD0E90A88FF} -
x64-TB: McAfee SiteAdvisor Toolbar: {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} -
x64-TB: avast! WebRep: {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll
x64-Run: [TosNC] C:\Program Files (x86)\Toshiba\BulletinBoard\TosNcCore.exe
x64-Run: [TosReelTimeMonitor] C:\Program Files (x86)\TOSHIBA\ReelTime\TosReelTimeMonitor.exe
x64-Run: [Toshiba TEMPRO] C:\Program Files (x86)\Toshiba TEMPRO\TemproTray.exe
x64-Run: [IgfxTray] C:\Windows\System32\igfxtray.exe
x64-Run: [HotKeysCmds] C:\Windows\System32\hkcmd.exe
x64-Run: [Persistence] C:\Windows\System32\igfxpers.exe
x64-Run: [TPwrMain] C:\Program Files (x86)\TOSHIBA\Power Saver\TPwrMain.EXE
x64-Run: [TCrdMain] C:\Program Files (x86)\TOSHIBA\FlashCards\TCrdMain.exe
x64-Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s
x64-Run: [RtHDVBg] C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe /FORPCEE3
x64-Run: [SynTPEnh] C:\Program Files (x86)\Synaptics\SynTP\SynTPEnh.exe
x64-Run: [TosSENotify] C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosWaitSrv.exe
x64-Run: [TosVolRegulator] C:\Program Files\TOSHIBA\TosVolRegulator\TosVolRegulator.exe
x64-Run: [Toshiba Registration] C:\Program Files\TOSHIBA\Registration\ToshibaReminder.exe
x64-Run: [@OnlineArmor GUI] "C:\Program Files (x86)\Online Armor\oaui.exe"
x64-Run: [RtHDVBg_Dolby] C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe /FORPCEE3
x64-Run: [SpywareTerminatorShield] C:\Program Files (x86)\Spyware Terminator\SpywareTerminatorShield.exe
x64-Run: [SpywareTerminatorUpdater] C:\Program Files (x86)\Spyware Terminator\SpywareTerminatorUpdate.exe
x64-IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll
x64-IE: {97F922BD-8563-4184-87EE-8C4ACA438823} - {5D29E593-73A5-400A-B3BD-6B7A1AF05A31} - <orphaned>
x64-Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} -
x64-Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} -
x64-Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll
x64-Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - <orphaned>
x64-Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - <orphaned>
x64-Notify: igfxcui - igfxdev.dll
x64-SSODL: WebCheck - <orphaned>
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\wfc\AppData\Roaming\Mozilla\Firefox\Profiles\uzav5jlp.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - plugin: C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL
FF - plugin: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Microsoft Silverlight\4.1.10329.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\WildTangent Games\App\BrowserIntegration\Registered\2\NP_wtapp.dll
FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_3_300_265.dll
.
============= SERVICES / DRIVERS ===============
.
R0 PxHlpa64;PxHlpa64;C:\Windows\System32\drivers\PxHlpa64.sys [2012-10-20 52760]
R0 RapportKE64;RapportKE64;C:\Windows\System32\drivers\RapportKE64.sys [2012-1-7 236216]
R0 tos_sps64;TOSHIBA tos_sps64 Service;C:\Windows\System32\drivers\tos_sps64.sys [2009-6-24 482384]
R1 aswSnx;aswSnx;C:\Windows\System32\drivers\aswSnx.sys [2012-1-8 984144]
R1 aswSP;aswSP;C:\Windows\System32\drivers\aswSP.sys [2012-1-8 370288]
R1 OADevice;OADriver;C:\Windows\SysWOW64\drivers\OADriver.sys [2012-1-8 59176]
R1 oahlpXX;Online Armor helper driver;C:\Windows\SysWOW64\drivers\oahlp64.sys [2012-1-8 56648]
R1 OAmon;OAmon;C:\Windows\SysWOW64\drivers\OAmon.sys [2012-1-8 38064]
R1 RapportCerberus_44365;RapportCerberus_44365;C:\ProgramData\Trusteer\Rapport\store\exts\RapportCerberus\baseline\RapportCerberus64_44365.sys [2012-11-1 508024]
R1 RapportEI64;RapportEI64;C:\Program Files (x86)\Trusteer\Rapport\bin\x64\RapportEI64.sys [2012-10-29 224024]
R1 RapportPG64;RapportPG64;C:\Program Files (x86)\Trusteer\Rapport\bin\x64\RapportPG64.sys [2012-10-29 405336]
R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\System32\drivers\vwififlt.sys [2009-7-14 59904]
R2 AdobeARMservice;Adobe Acrobat Update Service;C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-1-3 63928]
R2 aswFsBlk;aswFsBlk;C:\Windows\System32\drivers\aswFsBlk.sys [2012-1-8 25232]
R2 aswMonFlt;aswMonFlt;C:\Windows\System32\drivers\aswMonFlt.sys [2012-1-8 71600]
R2 avast! Antivirus;avast! Antivirus;C:\Program Files\AVAST Software\Avast\AvastSvc.exe [2012-11-1 44808]
R2 cfWiMAXService;ConfigFree WiMAX Service;C:\Program Files (x86)\TOSHIBA\ConfigFree\CFIWmxSvcs64.exe [2010-1-28 249200]
R2 ConfigFree Service;ConfigFree Service;C:\Program Files (x86)\TOSHIBA\ConfigFree\CFSvcs.exe [2009-3-10 46448]
R2 cvhsvc;Client Virtualization Handler;C:\Program Files (x86)\Common Files\microsoft shared\Virtualization Handler\CVHSVC.EXE [2010-2-28 821664]
R2 GFNEXSrv;GFNEX Service;C:\Windows\System32\GFNEXSrv.exe [2011-7-20 162824]
R2 NAUpdate;Nero Update;C:\Program Files (x86)\Nero\Update\NASvc.exe [2011-1-14 572712]
R2 OAcat;Online Armor Helper Service;C:\Program Files (x86)\Online Armor\oacat.exe [2012-1-8 207936]
R2 RapportMgmtService;Rapport Management Service;C:\Program Files (x86)\Trusteer\Rapport\bin\RapportMgmtService.exe [2012-10-29 1115992]
R2 sftlist;Application Virtualization Client;C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2009-12-2 483688]
R2 Skype C2C Service;Skype C2C Service;C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe [2012-8-13 3064000]
R2 UNS;Intel® Management and Security Application User Notification Service;C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2011-7-20 2656280]
R3 MEIx64;Intel® Management Engine Interface;C:\Windows\System32\drivers\HECIx64.sys [2011-7-20 56344]
R3 OAnet;OnlineArmor Service;C:\Windows\System32\drivers\OAnet.sys [2012-1-8 32920]
R3 osppsvc;Office Software Protection Platform;C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-1-9 4925184]
R3 PGEffect;Pangu effect driver;C:\Windows\System32\drivers\PGEffect.sys [2011-7-20 38096]
R3 RapportIaso;RapportIaso;C:\ProgramData\Trusteer\Rapport\store\exts\RapportMS\baseline\RapportIaso64.sys [2012-11-1 175352]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\System32\drivers\Rt64win7.sys [2011-5-4 413800]
R3 RTL8192Ce;Realtek Wireless LAN 802.11n PCI-E NIC Driver;C:\Windows\System32\drivers\rtl8192ce.sys [2011-7-20 1103464]
R3 Sftfs;Sftfs;C:\Windows\System32\drivers\Sftfslh.sys [2009-12-2 721768]
R3 Sftplay;Sftplay;C:\Windows\System32\drivers\Sftplaylh.sys [2009-12-2 269672]
R3 Sftredir;Sftredir;C:\Windows\System32\drivers\Sftredirlh.sys [2009-12-2 25960]
R3 Sftvol;Sftvol;C:\Windows\System32\drivers\Sftvollh.sys [2009-12-2 22376]
R3 sftvsa;Application Virtualization Service Agent;C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2009-12-2 209768]
R3 TMachInfo;TMachInfo;C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe [2011-7-20 54136]
R3 TOSHIBA HDD SSD Alert Service;TOSHIBA HDD SSD Alert Service;C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe [2010-12-8 137632]
R3 vwifimp;Microsoft Virtual WiFi Miniport Service;C:\Windows\System32\drivers\vwifimp.sys [2009-7-14 17920]
RUnknown SASKUTIL;SASKUTIL; [x]
RUnknown sp_rsdrv2;sp_rsdrv2; [x]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc --> C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe [?]
S2 SkypeUpdate;Skype Updater;C:\Program Files (x86)\Skype\Updater\Updater.exe [2012-1-31 158856]
S2 SvcOnlineArmor;Online Armor;C:\Program Files (x86)\Online Armor\oasrv.exe [2012-1-8 4363040]
S3 GamesAppService;GamesAppService;C:\Program Files (x86)\WildTangent Games\App\GamesAppService.exe [2010-10-12 206072]
S3 MozillaMaintenance;Mozilla Maintenance Service;C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-7-23 115168]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;C:\Windows\System32\drivers\RtsUStor.sys [2011-7-20 250984]
S3 SWDUMon;SWDUMon;C:\Windows\System32\drivers\SWDUMon.sys [2012-10-20 13184]
S3 TemproMonitoringService;Notebook Performance Tuning Service (TEMPRO);C:\Program Files (x86)\Toshiba TEMPRO\TemproSvc.exe [2011-2-10 112080]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2010-11-21 59392]
S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\System32\drivers\TsUsbGD.sys [2010-11-21 31232]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2011-12-8 1255736]
S4 wlcrasvc;Windows Live Mesh remote connections service;C:\Program Files\Windows Live\Mesh\wlcrasvc.exe [2010-9-22 57184]
.
=============== Created Last 30 ================
.
2012-11-02 02:27:22 51496 ----a-w- C:\Windows\System32\drivers\stflt.sys
2012-11-02 02:25:37 -------- d-----w- C:\ProgramData\SUPERSetup
2012-11-01 23:35:20 -------- d-----w- C:\Users\wfc\AppData\Roaming\SUPERAntiSpyware.com
2012-10-21 00:17:36 69000 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{3466C0A3-A30A-4E48-9DA0-0CCFF3ED3918}\offreg.dll
2012-10-20 23:34:59 1264272 ----a-w- C:\Windows\System32\RTCOM64.dll
2012-10-20 23:07:05 13184 ----a-w- C:\Windows\System32\drivers\SWDUMon.sys
2012-10-20 23:07:04 -------- d-----w- C:\Users\wfc\AppData\Local\SlimWare Utilities Inc
2012-10-20 23:06:57 -------- d-----w- C:\Program Files (x86)\DriverUpdate
2012-10-20 21:35:39 -------- d-----w- C:\Program Files (x86)\Lame For Audacity
2012-10-20 19:25:07 -------- d-----w- C:\ProgramData\SonicStage
2012-10-20 18:59:28 -------- d-----w- C:\ProgramData\Sony Corporation
2012-10-20 18:58:59 69715 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\10\01\Intel32\ctor.dll
2012-10-20 18:58:59 266240 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\10\01\Intel32\iscript.dll
2012-10-20 18:58:59 172032 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\10\01\Intel32\iuser.dll
2012-10-20 18:58:58 733184 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\10\01\Intel32\iKernel.dll
2012-10-20 18:58:58 5632 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\10\01\Intel32\DotNetInstaller.exe
2012-10-20 18:58:58 303236 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\10\01\Intel32\setup.dll
2012-10-20 18:58:58 180356 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\10\01\Intel32\iGdi.dll
2012-10-20 18:58:14 -------- d-----w- C:\Program Files (x86)\Sony
2012-10-20 18:58:10 -------- d-----w- C:\Windows\SysWow64\Iosubsys
2012-10-20 18:57:03 -------- d-----w- C:\Program Files (x86)\Common Files\Sony Shared
2012-10-20 18:55:44 225280 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\IScript\iscript.dll
2012-10-20 18:55:43 77824 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\ctor.dll
2012-10-20 18:55:43 32768 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\objectps.dll
2012-10-20 18:55:43 176128 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\iuser.dll
2012-10-20 18:55:42 610436 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe
2012-10-19 16:37:49 -------- d-----w- C:\Users\wfc\AppData\Roaming\DVDVideoSoft
.
==================== Find3M ====================
.
2012-10-30 22:51:55 984144 ----a-w- C:\Windows\System32\drivers\aswSnx.sys
2012-10-30 22:51:55 71600 ----a-w- C:\Windows\System32\drivers\aswMonFlt.sys
2012-10-30 22:51:07 41224 ----a-w- C:\Windows\avastSS.scr
2012-10-29 22:00:52 236216 ----a-w- C:\Windows\System32\drivers\RapportKE64.sys
2012-10-15 16:59:28 54072 ----a-w- C:\Windows\System32\drivers\aswRdr2.sys
2012-09-29 19:54:26 25928 ----a-w- C:\Windows\System32\drivers\mbam.sys
.
============= FINISH: 5:25:58.10 ===============





Results of screen317's Security Check version 0.99.54
Windows 7 Service Pack 1 x64 (UAC is enabled)
Internet Explorer 9
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Disabled!
avast! Antivirus
Antivirus up to date!
`````````Anti-malware/Other Utilities Check:`````````
SpywareBlaster 4.5
Malwarebytes Anti-Malware version 1.65.1.1000
Java™ 6 Update 22
Java version out of Date!
Adobe Flash Player 10 Flash Player out of Date!
Adobe Flash Player 11.3.300.265 Flash Player out of Date!
Adobe Reader X 10.1.2 Adobe Reader out of Date!
Mozilla Firefox (16.0.2)
````````Process Check: objlist.exe by Laurent````````
Malwarebytes Anti-Malware mbam.exe
Tall Emu Online Armor OAcat.exe
AVAST SOFTWARE AVAST AVASTSVC.EXE
AVAST SOFTWARE AVAST AVASTUI.EXE
`````````````````System Health check`````````````````
Total Fragmentation on Drive C: 1%
````````````````````End of Log``````````````````````

#2 Rocket Grannie

Rocket Grannie

    SWI Australian Rebel

  • Administrators
  • PipPipPipPipPip
  • 6,995 posts

Posted 02 November 2012 - 07:15 AM

Hello spyz1. Welcome to SWI.

I'm afraid I have bad news.

Your log shows an information stealing trojan is residing on your computer which has a backdoor functionality. It is possible that a remote attacker has already breached your computer.

I would suggest you disconnect this computer from the Internet immediately you finish reading this.
If you do any banking or other financial transactions on the computer, or if it contains any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, your computer is very likely compromised and there is no way to be sure your computer can ever again be trusted.
Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the Operating System.

Visit the following sites for more information on internet theft and when to reformat!

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

Should you decide not to follow that advice, we will of course do our best to clean the computer of any infections that we can see but, as I already stated, we can in no way guarantee it to be trustworthy.

If you have any questions before making a final decision, please feel free to ask.

Instructions how to format and reinstall Windows can be found here

Should you decide not to follow that advice, please proceed with the following instructions...

Please download AdwCleaner by Xplode onto your Desktop.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Search.
  • A logfile will automatically open after the scan has finished.
  • Please post the content of that logfile with your next answer.
  • You can find the logfile at C:\AdwCleaner[R1].txt as well.
Download ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Please go here or here to see a list of programs that should be disabled.

Note: **Do not mouseclick ComboFix's window while it's running. That may cause it to stall**

Note: **If you get a message saying "Illegal operation attempted on a Registry Key that has been marked for deletion", please restart your computer.**


Please read carefully and follow these steps.

  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your Desktop.
  • Once extracted, open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.

    Posted Image
  • If a suspicious file is detected, the default action will be Skip, click on Continue.

    Posted Image
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.

    Posted Image
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.
Please include the C:\ComboFix.txt, ADWCleaner log, TDSSKiller log in your next reply for further review.
Let me know how the computer is performing now.


Rocket Grannie
a43.gif
 
My help is free, but if you wish to help keep these forums running please consider a donation, see here for details.

#3 spyz1

spyz1

    Member

  • Full Member
  • Pip
  • 98 posts

Posted 02 November 2012 - 09:37 PM

Thanks Rocket Grannie

I feared as much after having read a little around this type of infection. I have disconnected that computer and am using a different 'clean' machine.

I will take your advice and do a complete reinstall of the Operating System.

I tried your link on reinstalling but unfortunately it looks to be defunct. Also I have the silly Window7 pre -installed version (no cd rom supplied)so any help with that would be appreciated. Item is a Toshiba Satellite C670 14N

Also appreciated is the comprehensive advice on informing banks etc and this has been undertaken just in case.

Finally,

Will my computer definitely be free of infection if an install is done properly?

In your estimation did this Trojan arrive via browsing or the false link within the email? (may help in future to know this).

I can let you know result after reinstall should it be useful.

Many thanks to you guys for quick response

Spyz

#4 Rocket Grannie

Rocket Grannie

    SWI Australian Rebel

  • Administrators
  • PipPipPipPipPip
  • 6,995 posts

Posted 03 November 2012 - 12:53 AM

Hello spyz1.

I tried your link on reinstalling but unfortunately it looks to be defunct

I'm sorry about that. Please try here or here

Will my computer definitely be free of infection if an install is done properly?

Well we can never be 100% sure but the odds are very close to absolute after a format.

In your estimation did this Trojan arrive via browsing or the false link within the email? (may help in future to know this).

In your case I would say through the e-mail. However you are at risk of being infected every time you access the Internet. The safest was to surf the Internet is to keep good security programs on the computer and to keep them updated. Your Adobe, Java and Flash were all out of date. This makes you vulnerable.

I can let you know result after reinstall should it be useful.

Thank you. However, that is not necessary.

Many thanks to you guys for quick response

You are welcome.

Below I have included a number of recommendations for how to protect your computer in order to prevent future malware infections.
Please take these recommendations seriously; these few simple steps can stave off the vast majority of spyware problems.
As happy as we at SWI are to help you, for your sake we would rather not have repeat customers.

Note: All of the programs I am suggesting are either free or have free versions.

It is very dangerous to go online in today's digital world without antivirus protection. Without an antivirus, you are extremely likely to get infected and the consequences could be even worse next time. All of the following are excellent free antiviruses. Be sure to only install one.

Avast.
AntiVir
Microsoft Security Essentials

Please make sure to run your antivirus software regularly, and to keep it up-to-date. Most programs have an automatic update feature.

Keep MalwareBytes Anti-Malware updated and run it regularly.

Use a Firewall

Windows 7 firewall is adequate.
However, some good free firewalls are:
Be sure to only install one.
A tutorial on understanding and using firewalls may be found here

SpywareBlaster
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found here

Please make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware from being installed.
Please set your anti-virus and anti-spyware programs to check for updates automatically. If the programs are not able to update automatically, then I suggest you manually check for updates every few days.

Windows needs to be kept up-to-date.

Windows Updates are available from here

IMPORTANT: Please either enable Automatic Updates under Start -> Control Panel -> Automatic Updates, or get into the habit of checking for Windows updates regularly. I cannot stress enough how important this is.

Note that there are a lot of rogue programs out there that want to scare you into giving them your money and some malware actually claims to be security programs. If you get a popup for a security program that you did not install yourself, do NOT click on it and ask for help immediately. It is very important to run an antivirus and firewall, but you can't always rely on reviews and ads for information. Ask in a security forum that you trust if you are not sure. If you are unsure and looking for anti-spyware programs, you may be able to find out if it is a rogue here:

http://www.spywarewarrior.com/rogue_anti-spyware.htm

Please consider using an alternate browser. Mozilla's Firefox browser is a very good alternative. In addition to being generally more secure than Internet Explorer, it has a very good built-in popup blocker and add-ons, like NoScripts, can make it even more secure. Chrome is another good option.

If you are interested, Firefox may be downloaded from here
Chrome is available here

PLEASE NOTE:

A number of programs have resident protection and it is a good idea to run the resident protection of one of each type of program to maintain protection. However, it is important to run only one resident program of each type since they can conflict and become less effective. That means only one antivirus, firewall and scanning anti-spyware program at a time. Passive protectors, like SpywareBlaster.

Please also read Tony Klein's excellent article: How I got Infected in the First Place

Hopefully this should take care of your problems!

Safe Surfing:

Rocket Grannie.
a43.gif
 
My help is free, but if you wish to help keep these forums running please consider a donation, see here for details.

#5 spyz1

spyz1

    Member

  • Full Member
  • Pip
  • 98 posts

Posted 03 November 2012 - 08:41 PM

Thanks again Rocket Grannie

On the matter of the re-install

On the Toshba model I have, it is done from a 'harddisk recovery system' - in other words I create a bootable disk direct from my current harddrive. I have not done this yet. Not had the computer long.

My question is should I dare do this now given the system could be infected anywhere? Surely this could re-infect on booting up in original factory state (plus possible trojan?) or do i not understand this properly (very possible).

Otherwise I would have to purchase a clean copy of W7 or other OS.

Your view would be welcome.

#6 Rocket Grannie

Rocket Grannie

    SWI Australian Rebel

  • Administrators
  • PipPipPipPipPip
  • 6,995 posts

Posted 03 November 2012 - 09:18 PM

Hello spuz1

It is okay to go ahead and make the recovery disk. It should be clean. The section of the hard drive that you will be accessing is separate to the section that contains the operating system. IE the section that is infected.
However, if you have access to another computer, I suggest you create your recovery disk, then scan it with MBAM or a similar security program on the clean computer.
Warning: Do not open the disk on the clean computer until after it has been scanned---just in case it is infected. You can load and scan it without accessing it.

I hope this helps.


Rocket Grannie
a43.gif
 
My help is free, but if you wish to help keep these forums running please consider a donation, see here for details.

#7 Rocket Grannie

Rocket Grannie

    SWI Australian Rebel

  • Administrators
  • PipPipPipPipPip
  • 6,995 posts

Posted 12 November 2012 - 08:14 PM

Since the issue appears to be resolved this Topic is closed.

[Reopened]

Everyone else please begin a New Topic.

Edited by cnm, 16 November 2012 - 11:40 AM.

a43.gif
 
My help is free, but if you wish to help keep these forums running please consider a donation, see here for details.

#8 cnm

cnm

    Mother Lion of SWI

  • Administrators
  • PipPipPipPipPip
  • 25,253 posts

Posted 16 November 2012 - 11:40 AM

Reopened at request of topic owner.

Microsoft MVP Windows Security 2005-2006
How camest thou in this pickle? -- William Shakespeare:(1564-1616)
The various helper groups here
UNITE


#9 spyz1

spyz1

    Member

  • Full Member
  • Pip
  • 98 posts

Posted 16 November 2012 - 12:41 PM

Thank you for your last reply and I will reinstall as per your instructions.

Before carrying out the reinstall would it be possible to remove (potentially infected) files containing photos, text and music onto a free standing hard drive.

Then, scan these files one by one also (as you suggested for the reinstall cd rom) before putting them back onto the cleaned computer?

Your advice would be welcome.

#10 Rocket Grannie

Rocket Grannie

    SWI Australian Rebel

  • Administrators
  • PipPipPipPipPip
  • 6,995 posts

Posted 16 November 2012 - 08:06 PM

Hello spyz1

How to safely backup an infected drive.
Please see here


Rocket Grannie
a43.gif
 
My help is free, but if you wish to help keep these forums running please consider a donation, see here for details.

#11 spyz1

spyz1

    Member

  • Full Member
  • Pip
  • 98 posts

Posted 17 November 2012 - 09:01 AM

Thank you Rocket Grannie

I will read the information carefully.

Your advice has been really helpful.

Spyz

#12 Rocket Grannie

Rocket Grannie

    SWI Australian Rebel

  • Administrators
  • PipPipPipPipPip
  • 6,995 posts

Posted 20 November 2012 - 09:28 PM

Glad we could help. :)

If you need this topic reopened, please tell the moderating team by replying here with the address of the thread. This applies only to the original topic starter. Everyone else please begin a New Topic.
a43.gif
 
My help is free, but if you wish to help keep these forums running please consider a donation, see here for details.




2 user(s) are reading this topic

0 members, 2 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button