Got one hell of a nasty virus, HELP!

MBGraphics

MBGraphics

VIP Member
Alright, the last few weeks while on the internet I would get a window that would open at random, always taking me to some random site, so I knew I had something. But, since I have been working my tail off lately, I didn't have time to try to tackle it. Now, just a few days ago it got a million times worse. My internet randomly closed, along with every program running and a virus scan pops up and starts scanning, but I don't ever remember downloading this virus scanning program! It will scan and keep me from opening ANY programs, then it asks me to subscribe so I can get rid of all the viruses and crap it found. The program is called "Privacy Protection" and shows a shield with red at the top left corner, green at the top right, blue at the bottom left, and yellow at the bottom right.

What the heck can I do to fix this!? I'm fresh out of ideas and really need help as this is my main system that I have all of my stuff on. (and no, I'm not typing this on that computer, I'm using a laptop that my friend has been letting me use for months now :P).

I'm running on Windows 7, let me know if you need any other info to help me!

Thanks in advanced!
-Mike
 
This rogue malware is something that is installed without your notice. As usual, your first line of defense is Malwarebytes. This is a new rogue that came out earlier this month.

http://www.bleepingcomputer.com/virus-removal/remove-privacy-protection

Please download Malwarebytes' Anti-Malware from here or here and save it to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to
    • Update Malwarebytes' Anti-Malware
    • and Launch Malwarebytes' Anti-Malware
  • then click Finish.
  • If an update is found, it will download and install the latest version. Please keep updating until it says you have the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • A log will be saved automatically which you can access by clicking on the Logs tab within Malwarebytes' Anti-Malware

If for some reason Malwarebytes will not install or run please download and run Rkill.scr, Rkill.exe, or Rkill.com. If you are still having issues running rkill then try downloading these renamed versions of the same program.

EXPLORER.EXE
IEXPLORE.EXE
USERINIT.EXE
WINLOGON.EXE

But DO NOT reboot the system and then try installing or running Malwarebytes. If Rkill (which is a black box) appears and then disappears right away or you get a message saying rkill is infected, keep trying to run rkill until it over powers the infection and temporarily kills it. Once a log appears on the screen, you can try running malwarebytes or downloading other programs.



Download the HijackThis installer from here.
Run the installer and choose Install, indicating that you accept the licence agreement. The installer will place a shortcut on your desktop and launch HijackThis.

Click Do a system scan and save a logfile

Most of what HijackThis lists will be harmless or even essential, don't fix anything yet.

When the hijackthis log appears in a notepad file, click on the edit menu, click select all, then click on the edit menu again and click on copy. Come back to your reply and right click on your mouse and click on paste.

Post the logfile that HijackThis produces along with the Malwarebytes Anti-Malware log
 
Sorry for the super slow response, work has been consuming me and I haven't had the time to sit down and take a crack on my computer until today. I started attempting to do what you told me but my computer just wasn't having it. So I launched in Safe Mode and did a system restore back to the 8th of this month. So far so good, it's running fine and I'm running Spy Sweeper right now to try to get rid of any more crap on it.

Thank you so much for your write-up, I really appreciate it!

-Mike
 
Alright, here's the Malwarebytes log:


Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 8235

Windows 6.1.7601 Service Pack 1
Internet Explorer 9.0.8112.16421

11/24/2011 4:21:19 PM
mbam-log-2011-11-24 (16-21-19).txt

Scan type: Quick scan
Objects scanned: 195544
Time elapsed: 3 minute(s), 57 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 10
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 9

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{B15FD82E-85BC-430d-90CB-65DB1B030510} (Adware.AskSBAR) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{F0D4B230-DA4B-4daf-81E4-DFEE4931A4AA} (Adware.AskSBAR) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{F0D4B23A-DA4B-4DAF-81E4-DFEE4931A4AA} (Adware.AskSBAR) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AskSBar.ToolbarPlugin.1 (Adware.AskSBAR) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AskSBar.ToolbarPlugin (Adware.AskSBAR) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AskSBar Uninstall (Adware.AskSBAR) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} (Adware.AskSBAR) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F0D4B231-DA4B-4DAF-81E4-DFEE4931A4AA} (Adware.AskSBAR) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{F0D4B231-DA4B-4DAF-81E4-DFEE4931A4AA} (Adware.AskSBAR) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{F0D4B231-DA4B-4DAF-81E4-DFEE4931A4AA} (Adware.AskSBAR) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aaaaaaaa (Spyware.Passwords.XGen) -> Value: aaaaaaaa -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aaaaaaaa (Spyware.Passwords.XGen) -> Value: aaaaaaaa -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
d:\Windows\System32\aaaaaaaa.exe (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.
d:\Users\MBPhoto\aaaaaaaa.exe (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.
d:\program files (x86)\AskSBar\bar\1.bin\ASKSBAR.DLL (Adware.AskSBAR) -> Quarantined and deleted successfully.
d:\program files (x86)\mozilla firefox\plugins\NPAskSBr.dll (Trojan.Agent) -> Quarantined and deleted successfully.
d:\Windows\SysWOW64\aaaaaaaa.exe (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.
d:\Users\MBPhoto\AppData\Local\Temp\22FD.tmp (Rogue.PrivacyProtection) -> Quarantined and deleted successfully.
d:\Users\MBPhoto\AppData\Local\Temp\~!#126C.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
d:\Users\MBPhoto\AppData\Local\Temp\~!#211C.tmp (Rogue.PrivacyProtection) -> Quarantined and deleted successfully.
d:\Users\MBPhoto\AppData\Local\Temp\~!#486.tmp (Trojan.Inject) -> Quarantined and deleted successfully.
 
And here's the HijackThis log:


Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 4:24:38 PM, on 11/24/2011
Platform: Windows 7 SP1 (WinNT 6.00.3505)
MSIE: Internet Explorer v9.00 (9.00.8112.16421)
Boot mode: Normal

Running processes:
D:\Program Files (x86)\AIM\aim.exe
D:\Program Files (x86)\Steam\Steam.exe
D:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
D:\Users\MBPhoto\AppData\Roaming\Dropbox\bin\Dropbox.exe
D:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe
D:\Program Files (x86)\Western Digital\USB 3.0 Host Controller Driver\Application\nusb3mon.exe
D:\Program Files (x86)\iTunes\iTunesHelper.exe
D:\Program Files (x86)\BearShare Applications\MediaBar\Datamngr\datamngrUI.exe
D:\Program Files (x86)\Webroot\Spy Sweeper\SpySweeperUI.exe
D:\Program Files (x86)\Common Files\Realtime Soft\RTSHookInterop\x32\RTSHookInterop.exe
D:\Windows\SysWOW64\svchost.exe
D:\Windows\SysWOW64\svchost.exe
D:\Program Files (x86)\TeamViewer\Version6\TeamViewer.exe
D:\Program Files (x86)\Mozilla Firefox\firefox.exe
D:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
D:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe
D:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
D:\Program Files (x86)\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.bearshare.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = D:\Windows\SysWOW64\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: uTorrentBar Toolbar - {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - D:\Program Files (x86)\uTorrentBar\prxtbuTor.dll
F2 - REG:system.ini: UserInit=userinit.exe,
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - D:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Conduit Engine - {30F9B915-B755-4826-820B-08FBA6BD249D} - D:\Program Files (x86)\ConduitEngine\prxConduitEngin.dll
O2 - BHO: Increase performance and video formats for your HTML5 <video> - {326E768D-4182-46FD-9C16-1449A49795F4} - D:\Program Files (x86)\DivX\DivX Plus Web Player\ie\DivXHTML5\DivXHTML5.dll
O2 - BHO: dTPodcastBHO - {65134FDF-F8A5-4B3D-91D9-CDF273CFD578} - D:\Program Files (x86)\Common Files\doubleTwist\IEPodcastPlugin.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - D:\PROGRA~2\MICROS~2\Office14\GROOVEEX.DLL
O2 - BHO: UrlHelper Class - {74322BF9-DF26-493f-B0DA-6D2FC5E6429E} - D:\PROGRA~2\BEARSH~1\MediaBar\Datamngr\IEBHO.dll
O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - D:\PROGRA~2\MICROS~2\Office14\URLREDIR.DLL
O2 - BHO: uTorrentBar - {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - D:\Program Files (x86)\uTorrentBar\prxtbuTor.dll
O2 - BHO: MediaBar - {c2d64ff7-0ab8-4263-89c9-ea3b0f8f050c} - D:\PROGRA~2\BEARSH~1\MediaBar\Datamngr\ToolBar\bsdtxmltbpi.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - D:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: uTorrentBar Toolbar - {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - D:\Program Files (x86)\uTorrentBar\prxtbuTor.dll
O3 - Toolbar: Conduit Engine - {30F9B915-B755-4826-820B-08FBA6BD249D} - D:\Program Files (x86)\ConduitEngine\prxConduitEngin.dll
O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - D:\Program Files (x86)\AskSBar\bar\1.bin\ASKSBAR.DLL (file missing)
O3 - Toolbar: MediaBar - {c2d64ff7-0ab8-4263-89c9-ea3b0f8f050c} - D:\PROGRA~2\BEARSH~1\MediaBar\Datamngr\ToolBar\bsdtxmltbpi.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [DivXUpdate] "D:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
O4 - HKLM\..\Run: [Adobe ARM] "D:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [NUSB3MON] "D:\Program Files (x86)\Western Digital\USB 3.0 Host Controller Driver\Application\nusb3mon.exe"
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files (x86)\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [DATAMNGR] D:\PROGRA~2\BEARSH~1\MediaBar\Datamngr\DATAMN~1.EXE
O4 - HKLM\..\Run: [SwitchBoard] D:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
O4 - HKLM\..\Run: [AdobeCS5.5ServiceManager] "D:\Program Files (x86)\Common Files\Adobe\CS5.5ServiceManager\CS5.5ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [AdobeCS5ServiceManager] "D:\Program Files (x86)\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [SpySweeper] D:\Program Files (x86)\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "D:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware (reboot)] "D:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] D:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [Aim] "D:\Program Files (x86)\AIM\aim.exe" /d locale=en-US
O4 - HKCU\..\Run: [Steam] "D:\Program Files (x86)\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [EPSON WorkForce 500 Series] D:\Windows\system32\spool\DRIVERS\x64\3\E_IATIEQA.EXE /FU "D:\Windows\TEMP\E_SED8A.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [Google Update] "D:\Users\MBPhoto\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] D:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] D:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-3305653734-3016882383-3526345195-1003\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'UpdatusUser')
O4 - HKUS\S-1-5-21-3305653734-3016882383-3526345195-1003\..\RunOnce: [mctadmin] D:\Windows\System32\mctadmin.exe (User 'UpdatusUser')
O4 - Startup: Dropbox.lnk = MBPhoto\AppData\Roaming\Dropbox\bin\Dropbox.exe
O4 - Global Startup: UltraMon.lnk = ?
O4 - Global Startup: WDDMStatus.lnk = D:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office14\EXCEL.EXE/3000
O8 - Extra context menu item: Se&nd to OneNote - res://D:\PROGRA~1\MICROS~2\Office14\ONBttnIE.dll/105
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: Se&nd to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - D:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O9 - Extra 'Tools' menuitem: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - D:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Filter hijack: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - D:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
O20 - AppInit_DLLs: D:\PROGRA~2\BEARSH~1\MediaBar\Datamngr\datamngr.dll D:\PROGRA~2\BEARSH~1\MediaBar\Datamngr\IEBHO.dll
O23 - Service: Adobe Acrobat Update Service (AdobeARMservice) - Adobe Systems Incorporated - D:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - D:\Windows\System32\alg.exe (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - D:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - D:\Program Files (x86)\Bonjour\mDNSResponder.exe
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - D:\Windows\System32\lsass.exe (file missing)
O23 - Service: EPSON V5 Service4(01) (EPSON_EB_RPCV4_01) - SEIKO EPSON CORPORATION - D:\ProgramData\EPSON\EPW!3 SSRP\E_S40STB.EXE
O23 - Service: EPSON V3 Service4(01) (EPSON_PM_RPCV4_01) - SEIKO EPSON CORPORATION - D:\ProgramData\EPSON\EPW!3 SSRP\E_S40RPB.EXE
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - D:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - D:\Windows\system32\lsass.exe (file missing)
O23 - Service: MBAMService - Malwarebytes Corporation - D:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - D:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - D:\Windows\system32\lsass.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (nvsvc) - Unknown owner - D:\Windows\system32\nvvsvc.exe (file missing)
O23 - Service: NVIDIA Update Service Daemon (nvUpdatusService) - NVIDIA Corporation - D:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - D:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - D:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - D:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - D:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - D:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - D:\Windows\system32\sppsvc.exe (file missing)
O23 - Service: Steam Client Service - Valve Corporation - D:\Program Files (x86)\Common Files\Steam\SteamService.exe
O23 - Service: NVIDIA Stereoscopic 3D Driver Service (Stereo Service) - NVIDIA Corporation - D:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
O23 - Service: Adobe SwitchBoard (SwitchBoard) - Adobe Systems Incorporated - D:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
O23 - Service: TeamViewer 6 (TeamViewer6) - TeamViewer GmbH - D:\Program Files (x86)\TeamViewer\Version6\TeamViewer_Service.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - D:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - D:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - D:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - D:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - D:\Windows\system32\wbengine.exe (file missing)
O23 - Service: WDDMService - WDC - D:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe
O23 - Service: WD File Management Engine (WDFME) - Unknown owner - D:\Program Files (x86)\Western Digital\WD SmartWare\Front Parlor\WDFME\WDFME.exe
O23 - Service: WD File Management Shadow Engine (WDSC) - Unknown owner - D:\Program Files (x86)\Western Digital\WD SmartWare\Front Parlor\WDSC.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. (www.webroot.com) - D:\Program Files (x86)\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - D:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - D:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

--
End of file - 13416 bytes
 
P2P warning!!!

You have file sharing software installed on your system and most likely is the cause of your infections. You have utorrent and bearshare and I highly recommend to uninstall them to help safeguard you in the future. Keeping these programs installed is at your own risk.

I would also recommend to uninstall conduit engine as its helps malware get on your system.

Rerun hijackthis and place a check next to the following entries.

O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - D:\Program Files (x86)\AskSBar\bar\1.bin\ASKSBAR.DLL (file missing)
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [DivXUpdate] "D:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
O4 - HKLM\..\Run: [Adobe ARM] "D:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

Then click on fix checked.

How is your system running?
 
Awesome, thanks!

I got rid of bearshare, conduit and did those fixes.

My system seems to be running great, just as it was before the infection.

I really appreciate the help!

-Mike
 
Last edited:
You must log in or register to reply here.
Back
Top