Hello,

I have several viruses including the ransom. I have managed to get on the desktop with a lot of use of Malwarebytes and Spybot. I also shut down the internet connection, and this slows down the regeneration of the virus. I also keep the Task Manager up and kill ipseygu.exe every time it generates, and this appears to slow it down. Appreciate your assistance.

IE will not allow me to post an attachment on to this website. When I hit the button it brings up a browser to a bogus page and will not allow the selection of a file. I can cut and paste the contents of the Attach file if you request.

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 9.0.8112.16483 BrowserJavaVersion: 10.7.2
Run by Matt at 20:52:33 on 2013-05-15
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.3070.1381 [GMT -4:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {3F839487-C7A2-C958-E30C-E2825BA31FB5}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Spybot - Search and Destroy *Enabled/Updated* {9BC38DF1-3CCA-732D-A930-C1CA5F20A4B0}
SP: Microsoft Security Essentials *Enabled/Updated* {84E27563-E198-C6D6-D9BC-D9F020245508}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Windows\system32\atiesrxx.exe
C:\Windows\system32\atieclxx.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\AERTSrv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Users\Matt\AppData\Roaming\DefaultTab\DefaultTab\DTUpdate.exe
C:\Windows\system32\dldocoms.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\PSIService.exe
C:\Program Files\Spybot - Search & Destroy 2\SDFSSvc.exe
C:\Windows\Explorer.EXE
C:\Windows\RtHDVCpl.exe
C:\Program Files\Dell 968 AIO Printer\dldomon.exe
C:\Program Files\Dell 968 AIO Printer\memcard.exe
C:\Program Files\Corel\Corel Snapfire Plus\Corel Photo Downloader.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Spybot - Search & Destroy 2\SDTray.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Users\Matt\AppData\Roaming\Axhaehi\ipseygu.exe
C:\Program Files\PIXELA\Everio MediaBrowser\MBCameraMonitor.exe
C:\Windows\spoolsvc.exe
C:\Program Files\Spybot - Search & Destroy 2\SDUpdSvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\Program Files\Microsoft Security Client\MpCmdRun.exe
C:\Program Files\Spybot - Search & Destroy 2\SDWSCSvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\SearchIndexer.exe
c:\Program Files\Microsoft Security Client\NisSrv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\Macromed\Flash\FlashUtil32_11_3_300_271_ActiveX.exe
C:\Users\Matt\AppData\Roaming\Axhaehi\ipseygu.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\sppsvc.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k imgsvc
.
============== Pseudo HJT Report ===============
.
uURLSearchHooks: <No Name>: - LocalServer32 - <no file>
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - <orphaned>
BHO: Qwiklinx: {3E7C8B5A-96AB-438F-BF9B-782400655440} - c:\users\matt\appdata\roaming\qwiklinx\Qwiklinx.dll
BHO: Spybot-S&D IE Protection: {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy 2\SDHelper.dll
BHO: Java(tm) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
BHO: DefaultTab Browser Helper: {7F6AFBF1-E065-4627-A2FD-810366367D01} - c:\users\matt\appdata\roaming\defaulttab\defaulttab\DefaultTabBHO.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
uRun: [Adobe CSx Manager] c:\users\matt\appdata\roaming\d6eca8fa-bdd5-4019-991b-982afaa6a1e0ad\decafabddbafaaaead.exe
uRun: [Spybot-S&D Cleaning] "c:\program files\spybot - search & destroy 2\SDCleaner.exe" /autoclean
uRun: [msocpc] "c:\windows\system32\rundll32.exe" "c:\users\matt\appdata\roaming\msocpc.dll",WriteString
uRun: [ashlp] "c:\windows\system32\rundll32.exe" "c:\users\matt\appdata\roaming\ashlp.dll",InPlaceAnd
uRun: [miurtew] rundll32 "c:\users\matt\appdata\local\miurtew.dll",miurtew
uRun: [Soqeaddivii] c:\users\matt\appdata\roaming\axhaehi\ipseygu.exe
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [dldomon.exe] "c:\program files\dell 968 aio printer\dldomon.exe"
mRun: [MemoryCardManager] "c:\program files\dell 968 aio printer\memcard.exe"
mRun: [Dell 968 AIO Printer Fax Server] "c:\program files\dell 968 aio printer\fm3032.exe" /s
mRun: [Corel Photo Downloader] c:\program files\corel\corel snapfire plus\Corel Photo Downloader.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SDTray] "c:\program files\spybot - search & destroy 2\SDTray.exe"
mRun: [MSC] "c:\program files\microsoft security client\mssecex.exe" -hide -runkey
mRun: [MRT] "c:\windows\system32\MRT.exe" /R
dRunOnce: [SPReview] "c:\windows\system32\spreview\SPReview.exe" /sp:1 /errorfwlink:"http://go.microsoft.com/fwlink/?LinkID=122915" /build:7601
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\camera~1.lnk - c:\program files\pixela\everio mediabrowser\MBCameraMonitor.exe
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy 2\SDHelper.dll
TCP: NameServer = 75.75.75.75 75.75.76.76 192.168.1.1
TCP: Interfaces\{4EF6EFA6-64CD-49AF-A1CD-823511F6E664} : DHCPNameServer = 209.18.47.61 209.18.47.62 192.168.1.1
TCP: Interfaces\{64169AB7-D8F3-421A-BBBB-26BFF19CF8A6} : DHCPNameServer = 75.75.75.75 75.75.76.76 192.168.1.1
Notify: SDWinLogon - SDWinLogon.dll
SSODL: WebCheck - <orphaned>
.
============= SERVICES / DRIVERS ===============
.
R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2013-1-20 195296]
R2 AERTFilters;Andrea RT Filters Service;c:\windows\system32\AERTSrv.exe [2007-12-5 77824]
R2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2009-8-18 176128]
R2 DefaultTabUpdate;DefaultTabUpdate;c:\users\matt\appdata\roaming\defaulttab\defaulttab\DTUpdate.exe [2012-11-6 107520]
R2 dldo_device;dldo_device;c:\windows\system32\dldocoms.exe -service --> c:\windows\system32\dldocoms.exe -service [?]
R2 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2012-3-20 100328]
R2 SDScannerService;Spybot-S&D 2 Scanner Service;c:\program files\spybot - search & destroy 2\SDFSSvc.exe [2013-5-14 1103392]
R2 SDUpdateService;Spybot-S&D 2 Updating Service;c:\program files\spybot - search & destroy 2\SDUpdSvc.exe [2013-5-14 1369624]
R2 SDWSCService;Spybot-S&D 2 Security Center Service;c:\program files\spybot - search & destroy 2\SDWSCSvc.exe [2013-5-14 168384]
R2 SpoolerCache;SpoolerCache;c:\windows\spoolsvc.exe [2013-5-3 229520]
R3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\NisSrv.exe [2013-1-27 295232]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 dldoCATSCustConnectService;dldoCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\dldoserv.exe [2007-10-5 99568]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2012-8-18 52224]
.
=============== Created Last 30 ================
.
2013-05-16 00:51:01 60872 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{39624408-596e-459a-857a-06483f94b9bd}\offreg.dll
2013-05-16 00:02:46 309760 ----a-w- c:\users\matt\acrobatreader53868.exe
2013-05-16 00:02:46 0 ----a-w- c:\users\matt\acrobatreader55286.exe
2013-05-16 00:02:42 35328 ----a-w- c:\users\matt\alg48478.exe
2013-05-16 00:02:38 24447 ----a-w- c:\users\matt\alg588646.exe
2013-05-15 23:59:56 7016152 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{39624408-596e-459a-857a-06483f94b9bd}\mpengine.dll
2013-05-15 23:51:30 -------- d-----w- c:\users\matt\appdata\roaming\Axhaehi
2013-05-15 19:52:39 21317 ----a-w- c:\users\matt\jqs828680.exe
2013-05-15 18:37:40 17920 ----a-w- c:\users\matt\appdata\local\miurtew.dll
2013-05-15 18:37:22 309760 ----a-w- c:\users\matt\acrobat590578.exe
2013-05-15 18:37:22 0 ----a-w- c:\users\matt\acrobat850950.exe
2013-05-15 18:37:19 50688 ----a-w- c:\users\matt\msconfig701709.exe
2013-05-15 18:37:19 35328 ----a-w- c:\users\matt\notepad582814.exe
2013-05-15 07:35:09 405504 ----a-w- c:\users\matt\appdata\roaming\ashlp.dll
2013-05-15 07:35:01 634880 ----a-w- c:\users\matt\appdata\roaming\msocpc.dll
2013-05-15 07:34:21 309760 ----a-w- c:\users\matt\java647518.exe
2013-05-15 07:34:21 0 ----a-w- c:\users\matt\iexplore956429.exe
2013-05-15 07:34:20 50688 ----a-w- c:\users\matt\spoolsv734849.exe
2013-05-15 07:31:44 292613 ----a-w- c:\users\matt\icq442766.exe
2013-05-15 07:31:43 50688 ----a-w- c:\users\matt\rundll32.exe
2013-05-15 07:31:43 193536 ----a-w- c:\users\matt\chrome125524.exe
2013-05-15 07:31:43 0 ----a-w- c:\users\matt\windowsupdate357826.exe
2013-05-15 07:03:46 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2013-05-15 00:37:54 880128 ----a-w- c:\users\matt\appdata\roaming\F18E.tmp
2013-05-15 00:37:54 880128 ----a-w- c:\users\matt\appdata\roaming\DB51.tmp
2013-05-15 00:36:39 309760 ----a-w- c:\users\matt\csrss.exe
2013-05-15 00:36:38 0 ----a-w- c:\users\matt\firefox.exe
2013-05-15 00:23:48 388096 ----a-r- c:\users\matt\appdata\roaming\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2013-05-15 00:23:41 -------- d-----w- c:\program files\Trend Micro
2013-05-15 00:08:12 40960 ----a-w- c:\windows\system32\wwanprotdim.dll
2013-05-15 00:08:12 2347520 ----a-w- c:\windows\system32\win32k.sys
2013-05-15 00:08:12 186368 ----a-w- c:\windows\system32\wwansvc.dll
2013-05-15 00:08:06 728424 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
2013-05-15 00:08:05 218984 ----a-w- c:\windows\system32\drivers\dxgmms1.sys
2013-05-15 00:08:01 1796096 ----a-w- c:\windows\system32\authui.dll
2013-05-15 00:08:01 101720 ----a-w- c:\windows\system32\consent.exe
2013-05-15 00:08:00 47104 ----a-w- c:\windows\system32\appinfo.dll
2013-05-15 00:04:49 -------- d-----w- c:\users\matt\appdata\local\Diagnostics
2013-05-14 22:12:59 0 ----a-w- c:\users\matt\jucheck.exe
2013-05-14 22:12:52 15224 ----a-w- c:\windows\system32\sdnclean.exe
2013-05-14 22:12:40 -------- d-----w- c:\program files\Spybot - Search & Destroy 2
2013-05-14 21:38:17 309760 ----a-w- c:\users\matt\teamviewer.exe
2013-05-14 21:38:16 0 ----a-w- c:\users\matt\icq.exe
2013-05-14 21:21:45 49152 ----a-w- c:\users\matt\googleupdate.exe
2013-05-14 21:20:11 7016152 ------w- c:\programdata\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2013-05-14 20:55:47 -------- d-----w- c:\users\matt\appdata\roaming\Fiiwso
2013-05-13 19:22:32 0 ----a-w- c:\users\matt\java.exe
2013-05-13 17:59:27 0 ----a-w- c:\users\matt\opera.exe
2013-05-13 17:58:29 247808 ----a-w- c:\users\matt\alg.exe
2013-05-13 17:58:19 0 ----a-w- c:\users\matt\skype.exe
2013-05-13 17:52:37 0 ----a-w- c:\users\matt\jqs.exe
2013-05-13 17:37:05 247808 ----a-w- c:\users\matt\windowsupdate.exe
2013-05-13 17:37:02 0 ----a-w- c:\users\matt\flashplayer.exe
2013-05-08 18:15:45 -------- d--h--w- c:\programdata\Common Files
2013-05-08 18:15:45 -------- d-----w- c:\users\matt\appdata\local\MFAData
2013-05-08 18:15:45 -------- d-----w- c:\users\matt\appdata\local\Avg2013
2013-05-08 18:15:45 -------- d-----w- c:\programdata\MFAData
2013-05-08 17:48:12 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2013-05-08 11:48:07 -------- d-----w- c:\program files\CCleaner
2013-05-08 10:39:24 -------- d-----w- c:\users\matt\appdata\local\ElevatedDiagnostics
2013-05-07 10:57:15 -------- d-----w- c:\users\matt\appdata\roaming\Malwarebytes
2013-05-07 10:56:55 -------- d-----w- c:\programdata\Malwarebytes
2013-05-07 10:56:53 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-05-07 10:56:53 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2013-05-07 10:56:35 -------- d-----w- c:\users\matt\appdata\local\Programs
2013-05-06 04:53:46 0 ----a-w- c:\users\matt\mstsc.exe
2013-05-04 17:56:32 -------- d-----w- c:\users\matt\appdata\roaming\Obhobumu
2013-05-03 12:13:46 229520 ----a-w- c:\windows\spoolsvc.exe
2013-05-03 12:11:19 -------- d-----w- c:\users\matt\appdata\roaming\d6eca8fa-bdd5-4019-991b-982afaa6a1e0ad
2013-05-03 12:10:48 0 ----a-w- c:\users\matt\msconfig.exe
2013-05-01 11:42:09 706640 ------w- c:\programdata\microsoft\microsoft antimalware\definition updates\{ba549731-1f90-4c52-89a7-edc1a9bea50f}\gapaengine.dll
2013-05-01 11:18:21 1211752 ----a-w- c:\windows\system32\drivers\ntfs.sys
2013-04-20 12:35:53 -------- d-----w- c:\users\matt\appdata\roaming\Xaruocfe
.
==================== Find3M ====================
.
2013-05-09 12:23:07 2828 --sha-w- c:\windows\system32\KGyGaAvL.sys
2013-05-09 12:21:29 88 --sh--r- c:\windows\system32\E141A877EE.sys
2013-05-02 15:28:50 238872 ------w- c:\windows\system32\MpSigStub.exe
2013-04-13 04:45:16 474624 ----a-w- c:\windows\apppatch\AcSpecfc.dll
2013-04-13 04:45:15 2176512 ----a-w- c:\windows\apppatch\AcGenral.dll
2013-04-04 22:11:34 1800704 ----a-w- c:\windows\system32\jscript9.dll
2013-04-04 22:02:59 1427968 ----a-w- c:\windows\system32\inetcpl.cpl
2013-04-04 22:02:17 1129472 ----a-w- c:\windows\system32\wininet.dll
2013-04-04 21:58:51 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2013-04-04 21:57:45 420864 ----a-w- c:\windows\system32\vbscript.dll
2013-03-21 07:20:30 152576 ----a-w- c:\windows\system32\msclmd.dll
2013-03-19 05:04:13 3968856 ----a-w- c:\windows\system32\ntkrnlpa.exe
2013-03-19 05:04:10 3913560 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-03-19 04:48:45 38912 ----a-w- c:\windows\system32\csrsrv.dll
2013-03-19 02:49:16 69632 ----a-w- c:\windows\system32\smss.exe
2013-02-15 04:37:10 3217408 ----a-w- c:\windows\system32\mstscax.dll
2013-02-15 04:34:10 131584 ----a-w- c:\windows\system32\aaclient.dll
2013-02-15 03:25:51 36864 ----a-w- c:\windows\system32\tsgqec.dll
.
============= FINISH: 21:07:03.73 ===============

aswMBR version 0.9.9.1771 Copyright(c) 2011 AVAST Software
Run date: 2013-05-15 21:05:35
-----------------------------
21:05:35.769 OS Version: Windows 6.1.7601 Service Pack 1
21:05:35.769 Number of processors: 4 586 0xF0B
21:05:35.770 ComputerName: MATT-DESKTOP UserName: Matt
21:05:56.612 Initialize success
21:28:40.406 AVAST engine defs: 13051501
21:28:47.738 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
21:28:47.738 Disk 0 Vendor: SAMSUNG_HD501LJ CR100-13 Size: 476940MB BusType: 3
21:28:47.879 Disk 0 MBR read successfully
21:28:47.879 Disk 0 MBR scan
21:28:47.988 Disk 0 Windows 7 default MBR code
21:28:47.988 Disk 0 Partition 1 00 DE Dell Utility Dell 8.0 54 MB offset 63
21:28:48.019 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 10240 MB offset 112640
21:28:48.035 Disk 0 Partition 3 80 (A) 07 HPFS/NTFS NTFS 466644 MB offset 21084160
21:28:48.082 Disk 0 scanning sectors +976771072
21:28:48.191 Disk 0 scanning C:\Windows\system32\drivers
21:29:05.145 Service scanning
21:29:18.465 Service FastUserSwitchingCompatibility C:\Windows\C:\Windows\system32\FastUserSwitchingCompatibilityex.dll **LOCKED** 123
21:29:24.452 Service MpKslc91f6fc3 c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{39624408-596E-459A-857A-06483F94B9BD}\MpKslc91f6fc3.sys **LOCKED** 32
21:29:44.311 Modules scanning
21:29:48.751 Disk 0 trace - called modules:
21:29:48.761
21:29:51.181 AVAST engine scan C:\Windows
21:29:55.393 AVAST engine scan C:\Windows\system32
21:33:40.008 AVAST engine scan C:\Windows\system32\drivers
21:34:05.186 AVAST engine scan C:\Users\Matt
21:40:15.648 File: C:\Users\Matt\msconfig701709.exe **INFECTED** Win32:Dropper-gen [Drp]
21:44:46.424 File: C:\Users\Matt\rundll32.exe **INFECTED** Win32:Dropper-gen [Drp]
21:44:47.173 File: C:\Users\Matt\spoolsv734849.exe **INFECTED** Win32:Dropper-gen [Drp]
21:44:49.794 AVAST engine scan C:\ProgramData
21:45:23.537 Scan finished successfully
21:49:19.635 Disk 0 MBR has been saved successfully to "C:\Users\Matt\Desktop\MBR.dat"
21:49:19.729 The log file has been saved successfully to "C:\Users\Matt\Desktop\aswMBR.txt"