Hidden Malware Survived 2 Factory Resets. Please Help!



Jula9600
2011-08-19, 09:56
I have some kind of untraceable hidden virus. I need someone who really knows how to find it. Please help! I believe it's been present since at least 6/2010 and this un-named infection has persisted through 2 factory restores, and it's just getting worse. I don't know where to go for help. I recently received help from Bleepingcomputer.com MRT but they said my pc is clean. So I decided to address the issues thinking in terms of corrupt system files, etc., and discovered my posts on forums from over the last year that I had forgotten about...now I know that it's been on my computer all along! And since BC helped me, it's getting even worse every day. Some of my current issues...

I can't do a "clean" reinstall of ANYTHING!

I have uninstalled Firefox using Revo Uninstaller multiple times...and of course choosing to remove my passwords, bookmarks, and personal data...reinstall and EVERYTHING is intact. (I had completely forgotten that IE had remembered all of this after my destructive reset back in February until now.)

Uninstalled ESET NOD32 and ran the cleanup tool, reinstalled it and all of my settings and my ESET License (username/password) are all remembered.

Same with SAS. My BC posts show similar issues with many other programs.

Now my pc is freezing up for 10-20 seconds multiple times daily. Completely froze up a few times and had to do a cold shut down.

My hidden folders won't hide. I can't reinstall Java because every jxpiinstall.exe I download is damaged. Secunia, my auto updaters (adobe, java, etc.) and securitycheck.exe all disagree on what is up to date and what isn't. My event logs are enabled but 90% of them show ZERO events...been that way all along (that should've been a clue!) My event logs point to malware...Please help! Scanners and Bleeping Computer MRT say my PC is clean!

I know this is long...sorry. It's been so long now that I don't even remember the original problems, but I found my old forum posts to help jog some memories. I'll post the links to the original forum posts for completeness.

History:

4/2010 Windows 7 x64 (Purchased Brand New From Gateway - NOT Refurbished)

6/2010 Factory Restore (Don't remember the infection...purchased ESET NOD32 to prevent future malware)

8/17/2010
Malwarebytes found Trojan.banking and malware.trace after my laptop froze up. MBAM quarantined them, restarted to clean and mbam said some items could not be removed. I ran CCleaner a few times then ran Malwarebytes again, which came up clean after that. But my event logs kept repeating the same errors and warnings. I was running ESET NOD32 AV but nothing was caught by NOD. I was instructed to remove threats via Windows OneCare but never got it to run. But I did follow the rest of the instructions. Ran ATF Cleaner, SuperAntiSpyware, and reran MBAM and NOD32 but nothing was ever found after that...EVER!

Original Microsoft Answers Post Found TROJAN AND MALWARE on the computer (http://answers.microsoft.com/en-us/windows/forum/windows_7-security/computer-froze-up-made-a-loud-consistent-noise/21ae208f-1cd3-477b-ac0e-54cdb3ef335a)
(I understood even less about my event logs then than I do now so please don't mind the events posted in this post, I should have actually posted the errors and warnings but thought these looked suspicious.)

2/1/2011
OS still had problems - wasn't sure if it was still infected. Decided to ensure OS was clean then do factory restore. Ran the following scans:
Malwarebytes
SuperantiSpyware
ESET NOD32
Microsoft Malicious Removal Tool
TDSSkiller
Prevx
Hitman Pro
Kaspersky online virus scanner

All scans found no threats.

Original Microsoft Answers Post Returning Computer to Factory Settings (http://answers.microsoft.com/en-us/windows/forum/windows_7-system/returning-computer-to-factory-settings-question/7b11afcb-dc8d-48d2-9ab9-c0c870dd33a5)

2/8/2011 (Estimated date) Factory Restore

2/10/2011 (I completely forgot about this until I found my old post)
Realized Infection was still present after noticing:
-Folder in C drive that has files modified over the entire year of 2010
-Internet Explorer remembered my bookmarks and passwords
-Logs from TDSSkiller.exe, MRT, etc. Still in C drive

Original Microsoft Answers Post Malware persisted through restore, what can I do? (http://answers.microsoft.com/en-us/windows/forum/windows_7-security/malware-persisted-through-restore-what-can-i-do/d92e32fa-f394-4462-bfdc-3341ca103f08)

After that, it seemed like my laptop was running ok so I figured, "If it ain't broke, don't fix it."

THEN a couple of months ago, things just got worse. Really, it's too much to explain but here are my Bleeping Computer threads.

1. Bleeping Computer: "Am I Infected" (http://www.bleepingcomputer.com/forums/topic410917.html/page__p__2345492__fromsearch__1#entry2345492)
2. Bleeping Computer: "Virus, Trojan, Spyware, and Malware Removal Logs" (http://www.bleepingcomputer.com/forums/topic411844.html)

I had a problem of some kind with every step the Bleeping Computer Malware Response Team had me take but my logs looked good so in the end, my pc was given the "All Clean."

NOW, things are getting even worse. My posts over the last few days:

Microsoft Answers: Hidden Folders are Showing. Can't Rehide them! (http://answers.microsoft.com/en-us/windows/forum/windows_7-files/hidden-folders-are-showing-cant-rehide-them/a573fd70-ef0c-4d40-9c6b-e1a0209ac008)

Bleeping Computer: ESET Says jxpiinstall.exe "archive damaged" every time? (http://www.bleepingcomputer.com/forums/topic415089.html)

Microsoft Answers: Windows License is validated 2 times an hour and Remote Desktop Services notifications received, Are These Events Normal? (http://answers.microsoft.com/en-us/windows/forum/windows_7-security/windows-license-is-validated-2-times-an-hour-and/6401b0f0-7f23-4c79-844e-be97dee44ea0)

Bleeping Computer: Safe to uninstall Firefox Using RevoUninstaller Advanced? (http://www.bleepingcomputer.com/forums/topic414875.html)

Microsoft Answers: Event Viewer Enabled but 0 Events Listed? (http://answers.microsoft.com/en-us/windows/forum/windows_7-performance/event-viewer-enabled-but-0-events-listed/c8eab85f-2771-4e6e-a6f1-2ec1f7fcfb04)

Please help me. I don't know what to do. It may be network related...other pcs are having some issues too but mine is the worst on my home network.

Attach.txt is zipped and attached as requested. Here is My DDS Log:
--------------

.
DDS (Ver_2011-06-23.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421
Run by BossLady at 1:38:15 on 2011-08-19
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.3836.2853 [GMT -4:00]
.
AV: ESET NOD32 Antivirus 4.2 *Enabled/Updated* {77DEAFED-8149-104B-25A1-21771CA47CD1}
SP: ESET NOD32 Antivirus 4.2 *Enabled/Updated* {CCBF4E09-A773-1FC5-1F11-1A056723366C}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files\Sandboxie\SbieSvc.exe
C:\Windows\system32\atieclxx.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE
C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe
C:\Program Files\Gateway\Gateway Power Management\ePowerSvc.exe
C:\Program Files (x86)\Gateway\Registration\GregHSRW.exe
C:\Windows\system32\svchost.exe -k HsfXAudioService
C:\Program Files (x86)\NewTech Infosystems\Gateway MyBackup\IScheduleSvc.exe
C:\Program Files (x86)\Secunia\PSI\PSIA.exe
C:\Program Files (x86)\Secunia\PSI\sua.exe
C:\Windows\system32\taskhost.exe
C:\Windows\Explorer.EXE
C:\Program Files\Gateway\Gateway Power Management\ePowerTray.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Sandboxie\SbieCtrl.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files (x86)\Secunia\PSI\psi_tray.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files (x86)\Launch Manager\LManager.exe
C:\Program Files\Gateway\Gateway Power Management\ePowerEvent.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.wilderssecurity.com/
mStart Page = hxxp://homepage.gateway.com/rdr.aspx?b=ACGW&l=0409&m=nv73&r=27360211k455l0324z195a49l2x330
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
uRun: [SandboxieControl] "C:\Program Files\Sandboxie\SbieCtrl.exe"
uRun: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
mRun: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
mRun: [LManager] C:\Program Files (x86)\Launch Manager\LManager.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\SECUNI~1.LNK - C:\Program Files (x86)\Secunia\PSI\psi_tray.exe
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
TCP: DhcpNameServer = 68.87.75.198 68.87.64.150 0.0.0.0
TCP: Interfaces\{FD12E0A4-0BC6-4EA2-A0B4-295544EC2A8C} : NameServer = 68.87.75.198,68.87.64.150
TCP: Interfaces\{FD12E0A4-0BC6-4EA2-A0B4-295544EC2A8C} : DhcpNameServer = 68.87.75.198 68.87.64.150 0.0.0.0
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
mRun-x64: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
mRun-x64: [LManager] C:\Program Files (x86)\Launch Manager\LManager.exe
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\BossLady\AppData\Roaming\Mozilla\Firefox\Profiles\lzvqj6v2.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.wilderssecurity.com/
FF - plugin: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\4.0.60531.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\WildTangent Games\App\BrowserIntegration\Registered\1\NP_wtapp.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
.
============= SERVICES / DRIVERS ===============
.
R1 SASDIFSV;SASDIFSV;C:\Program Files\SUPERAntiSpyware\sasdifsv64.sys [2011-7-22 14928]
R1 SASKUTIL;SASKUTIL;C:\Program Files\SUPERAntiSpyware\saskutil64.sys [2011-7-12 12368]
R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys --> C:\Windows\system32\DRIVERS\vwififlt.sys [?]
R2 !SASCORE;SAS Core Service;C:\Program Files\SUPERAntiSpyware\SASCore64.exe [2011-8-11 140672]
R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\system32\atiesrxx.exe --> C:\Windows\system32\atiesrxx.exe [?]
R2 eamonm;eamonm;C:\Windows\system32\DRIVERS\eamonm.sys --> C:\Windows\system32\DRIVERS\eamonm.sys [?]
R2 ekrn;ESET Service;C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe [2011-1-12 810144]
R2 epfwwfpr;epfwwfpr;C:\Windows\system32\DRIVERS\epfwwfpr.sys --> C:\Windows\system32\DRIVERS\epfwwfpr.sys [?]
R2 ePowerSvc;Acer ePower Service;C:\Program Files\Gateway\Gateway Power Management\ePowerSvc.exe [2009-11-2 844320]
R2 Greg_Service;GRegService;C:\Program Files (x86)\Gateway\Registration\GregHSRW.exe [2009-8-28 1150496]
R2 HsfXAudioService;HsfXAudioService;C:\Windows\system32\svchost.exe -k HsfXAudioService [2009-7-13 20992]
R2 NTI IScheduleSvc;NTI IScheduleSvc;C:\Program Files (x86)\NewTech Infosystems\Gateway MyBackup\IScheduleSvc.exe [2009-9-24 62720]
R2 Secunia PSI Agent;Secunia PSI Agent;C:\Program Files (x86)\Secunia\PSI\psia.exe [2011-4-19 993848]
R2 Secunia Update Agent;Secunia Update Agent;C:\Program Files (x86)\Secunia\PSI\sua.exe [2011-4-19 399416]
R3 CAXHWAZL;CAXHWAZL;C:\Windows\system32\DRIVERS\CAXHWAZL.sys --> C:\Windows\system32\DRIVERS\CAXHWAZL.sys [?]
R3 k57nd60a;Broadcom NetLink (TM) Gigabit Ethernet - NDIS 6.0;C:\Windows\system32\DRIVERS\k57nd60a.sys --> C:\Windows\system32\DRIVERS\k57nd60a.sys [?]
R3 PSI;PSI;C:\Windows\system32\DRIVERS\psi_mf.sys --> C:\Windows\system32\DRIVERS\psi_mf.sys [?]
R3 SbieDrv;SbieDrv;C:\Program Files\Sandboxie\SbieDrv.sys [2011-6-17 154752]
R3 usbfilter;AMD USB Filter Driver;C:\Windows\system32\DRIVERS\usbfilter.sys --> C:\Windows\system32\DRIVERS\usbfilter.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2011-7-15 366640]
S3 MBAMProtector;MBAMProtector;\??\C:\Windows\system32\drivers\mbam.sys --> C:\Windows\system32\drivers\mbam.sys [?]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;C:\Windows\System32\drivers\RtsUStor.sys [2009-11-2 225280]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]
S4 AdobeARMservice;Adobe Acrobat Update Service;C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2011-6-6 64952]
S4 GamesAppService;GamesAppService;C:\Program Files (x86)\WildTangent Games\App\GamesAppService.exe [2010-10-12 206072]
S4 SwitchBoard;Adobe SwitchBoard;C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-2-19 517096]
S4 Updater Service;Updater Service;C:\Program Files\Gateway\Gateway Updater\UpdaterService.exe [2009-11-2 240160]
.
=============== Created Last 30 ================
.
2011-08-18 20:04:11 -------- d-----w- C:\Users\BossLady\AppData\Roaming\Packard Bell
2011-08-18 20:04:11 -------- d-----w- C:\Users\BossLady\AppData\Local\Gateway
2011-08-18 00:20:18 -------- d-----w- C:\MGADiagToolOutput
2011-08-16 02:40:21 -------- d-----w- C:\Program Files (x86)\Spybot - Search & Destroy
2011-08-15 19:11:08 404640 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2011-08-15 07:18:08 -------- d-----w- C:\Users\BossLady\AppData\Local\Secunia PSI
2011-08-15 07:17:56 -------- d-----w- C:\Program Files (x86)\Secunia
2011-08-15 01:20:50 -------- d-----w- C:\Users\BossLady\AppData\Roaming\SUPERAntiSpyware.com
2011-08-15 01:20:11 -------- d-----w- C:\ProgramData\SUPERAntiSpyware.com
2011-08-15 01:20:11 -------- d-----w- C:\Program Files\SUPERAntiSpyware
2011-08-13 02:23:47 -------- d-----w- C:\Program Files (x86)\Trend Micro
2011-08-10 19:05:32 0 ----a-w- C:\Windows\ativpsrm.bin
2011-08-10 15:39:59 6144 ---ha-w- C:\Windows\System32\api-ms-win-security-base-l1-1-0.dll
2011-08-08 15:15:59 -------- d-----w- C:\Users\BossLady\AppData\Local\temp
2011-08-08 00:22:41 539968 ----a-w- C:\ProgramData\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight-2\SpotlightResources.dll
2011-08-07 17:45:06 8578896 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{107D75A3-B54F-4BE2-944D-639438788715}\mpengine.dll
2011-08-01 21:50:25 737072 ----a-w- C:\ProgramData\Microsoft\eHome\Packages\SportsV2\SportsTemplateCore-2\Microsoft.MediaCenter.Sports.UI.dll
2011-08-01 21:50:15 4283672 ----a-w- C:\ProgramData\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup-2\markup.dll
2011-08-01 21:50:03 42776 ----a-w- C:\ProgramData\Microsoft\eHome\Packages\MCEClientUX\dSM-2\StartResources.dll
2011-07-29 17:18:25 737072 ----a-w- C:\ProgramData\Microsoft\eHome\Packages\SportsV2\SportsTemplateCore\Microsoft.MediaCenter.Sports.UI.dll
2011-07-29 17:18:11 4283672 ----a-w- C:\ProgramData\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup\markup.dll
2011-07-29 17:17:59 42776 ----a-w- C:\ProgramData\Microsoft\eHome\Packages\MCEClientUX\dSM\StartResources.dll
2011-07-29 17:17:56 539968 ----a-w- C:\ProgramData\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2011-07-26 19:09:29 -------- d-----w- C:\Program Files\ESET
2011-07-21 01:13:20 -------- d-----w- C:\ProgramData\Comodo
2011-07-20 21:43:19 -------- d-----w- C:\Users\BossLady\AppData\Local\ATI
2011-07-20 21:42:40 -------- d-----w- C:\Users\BossLady\AppData\Local\Power2Go
.
==================== Find3M ====================
.
2011-07-22 05:42:23 2303488 ----a-w- C:\Windows\System32\jscript9.dll
2011-07-22 05:36:16 1389056 ----a-w- C:\Windows\System32\wininet.dll
2011-07-22 05:32:40 2382848 ----a-w- C:\Windows\System32\mshtml.tlb
2011-07-22 02:54:43 1797632 ----a-w- C:\Windows\SysWow64\jscript9.dll
2011-07-22 02:48:26 1126912 ----a-w- C:\Windows\SysWow64\wininet.dll
2011-07-22 02:44:36 2382848 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2011-07-21 05:02:01 23112 ----a-w- C:\Windows\System32\drivers\hitmanpro35.sys
2011-07-16 22:28:05 1700352 ----a-w- C:\Windows\SysWow64\gdiplus.dll
2011-07-16 05:41:50 362496 ----a-w- C:\Windows\System32\wow64win.dll
2011-07-16 05:41:49 243200 ----a-w- C:\Windows\System32\wow64.dll
2011-07-16 05:41:49 13312 ----a-w- C:\Windows\System32\wow64cpu.dll
2011-07-16 05:39:10 16384 ----a-w- C:\Windows\System32\ntvdm64.dll
2011-07-16 05:37:12 421888 ----a-w- C:\Windows\System32\KernelBase.dll
2011-07-16 04:29:19 14336 ----a-w- C:\Windows\SysWow64\ntvdm64.dll
2011-07-16 04:26:00 44032 ----a-w- C:\Windows\apppatch\acwow64.dll
2011-07-16 04:25:37 25600 ----a-w- C:\Windows\SysWow64\setup16.exe
2011-07-16 04:24:23 5120 ----a-w- C:\Windows\SysWow64\wow32.dll
2011-07-16 04:24:22 272384 ----a-w- C:\Windows\SysWow64\KernelBase.dll
2011-07-16 02:21:44 7680 ----a-w- C:\Windows\SysWow64\instnm.exe
2011-07-16 02:21:41 2048 ----a-w- C:\Windows\SysWow64\user.exe
2011-07-16 02:17:19 6144 ---ha-w- C:\Windows\SysWow64\api-ms-win-security-base-l1-1-0.dll
2011-07-16 02:17:19 4608 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-threadpool-l1-1-0.dll
2011-07-16 02:17:19 3584 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-xstate-l1-1-0.dll
2011-07-16 02:17:19 3072 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-util-l1-1-0.dll
2011-07-09 02:46:28 288768 ----a-w- C:\Windows\System32\drivers\mrxsmb10.sys
2011-07-06 23:52:42 41272 ----a-w- C:\Windows\SysWow64\drivers\mbamswissarmy.sys
2011-07-06 23:52:42 25912 ----a-w- C:\Windows\System32\drivers\mbam.sys
2011-06-24 05:34:53 214528 ----a-w- C:\Windows\System32\winsrv.dll
2011-06-24 05:25:49 338432 ----a-w- C:\Windows\System32\conhost.exe
2011-06-23 05:43:12 5561216 ----a-w- C:\Windows\System32\ntoskrnl.exe
2011-06-23 04:33:57 3967872 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe
2011-06-23 04:33:57 3912576 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe
2011-06-21 06:34:00 1923968 ----a-w- C:\Windows\System32\drivers\tcpip.sys
2011-06-15 10:02:23 212992 ----a-w- C:\Windows\System32\odbctrac.dll
2011-06-15 10:02:23 163840 ----a-w- C:\Windows\System32\odbccp32.dll
2011-06-15 10:02:23 106496 ----a-w- C:\Windows\System32\odbccu32.dll
2011-06-15 10:02:23 106496 ----a-w- C:\Windows\System32\odbccr32.dll
2011-06-15 08:55:19 86016 ----a-w- C:\Windows\SysWow64\odbccu32.dll
2011-06-15 08:55:19 81920 ----a-w- C:\Windows\SysWow64\odbccr32.dll
2011-06-15 08:55:19 319488 ----a-w- C:\Windows\SysWow64\odbcjt32.dll
2011-06-15 08:55:19 163840 ----a-w- C:\Windows\SysWow64\odbctrac.dll
2011-06-15 08:55:19 122880 ----a-w- C:\Windows\SysWow64\odbccp32.dll
2011-06-11 03:07:25 3137536 ----a-w- C:\Windows\System32\win32k.sys
2011-05-24 23:14:10 270720 ------w- C:\Windows\System32\MpSigStub.exe
2011-05-24 11:42:55 404480 ----a-w- C:\Windows\System32\umpnpmgr.dll
2011-05-24 10:40:05 64512 ----a-w- C:\Windows\SysWow64\devobj.dll
2011-05-24 10:40:05 44544 ----a-w- C:\Windows\SysWow64\devrtl.dll
2011-05-24 10:39:38 145920 ----a-w- C:\Windows\SysWow64\cfgmgr32.dll
2011-05-24 10:37:54 252928 ----a-w- C:\Windows\SysWow64\drvinst.exe
.
============= FINISH: 1:39:31.70 ===============

Topic in Spybot-S&D forum: http://forums.spybot.info/showthread.php?t=63674
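One way to triage a DDS log like the one posted above, as an added example that is not part of the original post and is not code from DDS or any of the tools named in it. It assumes the banner and entry layout visible in that log (`===== Section =====` headers, and `state name;display;path [date size]` or `path --> path [?]` for services and drivers), an allow-list of install roots (`TRUSTED_ROOTS`) chosen for this example, and one constructed process line under a user profile so that the root check has something to report. In the DDS output, `[?]` means DDS could not read the file's date and size; in the log above that applies to stock Windows drivers too, so the list it produces is a set of files to verify by hash and signature against known-good copies, not evidence of infection on its own.

```python
import re

# Constructed sample in the layout of the DDS log posted above: the entries are
# copied from that log, except the final "Running Processes" line, which is a
# constructed example of an image running from a user-writable location.
SAMPLE_DDS = r"""
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\svchost.exe -k netsvcs
C:\Program Files\Sandboxie\SbieSvc.exe
C:\Windows\SysWOW64\cscript.exe
C:\Users\example\AppData\Local\Temp\constructed_unknown.exe
.
============= SERVICES / DRIVERS ===============
.
R1 SASDIFSV;SASDIFSV;C:\Program Files\SUPERAntiSpyware\sasdifsv64.sys [2011-7-22 14928]
R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys --> C:\Windows\system32\DRIVERS\vwififlt.sys [?]
R2 ekrn;ESET Service;C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe [2011-1-12 810144]
S3 MBAMProtector;MBAMProtector;\??\C:\Windows\system32\drivers\mbam.sys --> C:\Windows\system32\drivers\mbam.sys [?]
.
============= FINISH: 1:39:31.70 ===============
"""

# Section banners look like "===== Name =====".
SECTION_RE = re.compile(r"^=+\s*(.*?)\s*=+$")
# Service/driver entries: "<state> <name>;<display name>;<path and file info>".
ENTRY_RE = re.compile(r"^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.*)$")

# Assumed allow-list of roots a stock Windows 7 image should load from; tune per machine.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def parse_dds(text):
    """Split a DDS log into {section name: [non-empty lines]}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
            continue
        if current is None or line in ("", "."):
            continue
        sections[current].append(line)
    return sections


def outside_trusted_roots(path, roots=TRUSTED_ROOTS):
    """True when an image path is not under one of the trusted roots."""
    normalized = path.lower()
    if normalized.startswith("\\??\\"):  # NT object-manager prefix used by some driver entries
        normalized = normalized[4:]
    return not normalized.startswith(roots)


def processes_outside_trusted_roots(process_lines, roots=TRUSTED_ROOTS):
    """Return process lines whose image lives outside the trusted roots."""
    hits = []
    for line in process_lines:
        image = line.split(" -k")[0].strip()  # drop svchost service-group arguments
        if outside_trusted_roots(image, roots):
            hits.append(line)
    return hits


def parse_driver_entries(lines):
    """Parse SERVICES / DRIVERS lines into dicts; 'verified' is False for '[?]' entries."""
    entries = []
    for line in lines:
        m = ENTRY_RE.match(line)
        if not m:
            continue
        rest = m.group("rest")
        # DDS prints "path [date size]" when it could read the file, and
        # "path --> path [?]" when it could not.
        entries.append({
            "state": m.group("state"),
            "name": m.group("name"),
            "display": m.group("display"),
            "path": rest.split(" --> ")[0].split(" [")[0],
            "verified": not rest.endswith("[?]"),
        })
    return entries


def unverified_entries(entries):
    """Names of services/drivers whose file DDS could not read; verify these by hash and signature."""
    return [e["name"] for e in entries if not e["verified"]]


def triage(text):
    """Run all checks over a DDS log and return a summary dict."""
    sections = parse_dds(text)
    entries = parse_driver_entries(sections.get("SERVICES / DRIVERS", []))
    return {
        "processes_outside_roots": processes_outside_trusted_roots(sections.get("Running Processes", [])),
        "unverified_drivers": unverified_entries(entries),
        "drivers_outside_roots": [e["name"] for e in entries if outside_trusted_roots(e["path"])],
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_DDS).items():
        print(f"{key}: {value}")
```

Run it against a saved DDS.txt by passing the file's contents to `triage()`. The allow-list check is deliberately coarse: a hit under a user profile or temp folder only says "look here first", and the `[?]` list is a to-do list for offline verification (compare hashes and Authenticode signatures with a known-good Windows 7 x64 install), which is the kind of check the scanners in the post would not report on.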

tashi
2011-08-19, 17:56
Hello Jula9600,


I recently received help from Bleepingcomputer.com MRT but they said my pc is clean.

And since BC helped me, it's getting even worse every day

I need someone who really knows how to find it.
Note some of our helpers and malware removal teachers also assist users at other sites, including BC. It is a small community and volunteer resources are limited.

Please provide links to the particular topic/s where you received malware removal assistance and also your usernames, (apparently there are at least three), so the information can be merged with your original post. :)

Best regards.

Jula9600
2011-08-19, 21:33
I really only received malware removal assistance one time and only from Bleeping Computer. First thread, to see if I needed removal assistance. Second thread, to receive removal assistance.
Username: Jewel431
http://www.bleepingcomputer.com/forums/topic410917.html
http://www.bleepingcomputer.com/forums/topic411844.html

Other threads regarding malware that I linked to have problem details, answers to questions and suggestions... not assistance, as I didn't post logs or results. But my Microsoft Answers username is JR1437. My last list of threads is my most recent issues before posting here, most of which no one can help me with (0 replies).
Sorry if I wasn't clear...it's a lot of information but I wish I had put 2 and 2 together before seeking help from BC. Logging on to Microsoft Answers a few days ago is when I saw my list of old posts, and it occurred to me, this isn't new at all.

tashi
2011-08-19, 21:40
Hello Jula9600

Posted 15 August 2011 - 11:14 AM
Hello

post in the windows forum but send me the link - I want to follow this

It does not sound like any malware I have heard of but I do want to know what is going on.

also I will ask someone to look into it.

gringo
http://www.bleepingcomputer.com/forums/topic411844.html/page__view__findpost__p__2373162


Posted 17 August 2011 - 11:33 PM
It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
http://www.bleepingcomputer.com/forums/topic411844.html/page__view__findpost__p__2376611

Please do that, it makes more sense to continue with a volunteer who has already assisted with three pages of help. :)