ITRSupport asked:

Infection that just won't go away

Hi, every time I run a scan using Malwarebytes and remove a set of infections, I reboot and immediately run another scan while offline, and those very same infections are still listed. Here are some logs from the computer; any advice on cleaning this up would be greatly appreciated.

Malwarebytes' Anti-Malware 1.44
Database version: 3815
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

3/4/2010 2:36:34 PM
mbam-log-2010-03-04 (14-36-34).txt

Scan type: Full Scan (E:\|)
Objects scanned: 207976
Time elapsed: 51 minute(s), 7 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 85

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
E:\WINDOWS\Downloaded Program Files\popcaploader.dll (Adware.PopCap) -> Quarantined and deleted successfully.
C:\Program Files\Windows Updates\winupdate.exe (Backdoor.Bifrose) -> Delete on reboot.
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ares.exe (Backdoor.Bot) -> Delete on reboot.
C:\Documents and Settings\Default User\Start Menu\Programs\Startup\ares.exe (Backdoor.Bot) -> Delete on reboot.
C:\Documents and Settings\ITR\Start Menu\Programs\Startup\ares.exe (Backdoor.Bot) -> Delete on reboot.
C:\Documents and Settings\itradmin\Start Menu\Programs\Startup\ares.exe (Backdoor.Bot) -> Delete on reboot.
C:\Documents and Settings\All Users\Application Data\seres.exe (Rogue.AntiVirusPro) -> Delete on reboot.
C:\Documents and Settings\Default User\Application Data\seres.exe (Rogue.AntiVirusPro) -> Delete on reboot.
C:\Documents and Settings\ITR\Application Data\seres.exe (Rogue.AntiVirusPro) -> Delete on reboot.
C:\Documents and Settings\itradmin\Application Data\seres.exe (Rogue.AntiVirusPro) -> Delete on reboot.
C:\Documents and Settings\LocalService\Application Data\seres.exe (Rogue.AntiVirusPro) -> Delete on reboot.
C:\Documents and Settings\NetworkService\Application Data\seres.exe (Rogue.AntiVirusPro) -> Delete on reboot.
C:\Documents and Settings\All Users\Application Data\svcst.exe (Rogue.AntiVirusPro) -> Delete on reboot.
C:\Documents and Settings\Default User\Application Data\svcst.exe (Rogue.AntiVirusPro) -> Delete on reboot.
C:\Documents and Settings\ITR\Application Data\svcst.exe (Rogue.AntiVirusPro) -> Delete on reboot.
C:\Documents and Settings\itradmin\Application Data\svcst.exe (Rogue.AntiVirusPro) -> Delete on reboot.
C:\Documents and Settings\LocalService\Application Data\svcst.exe (Rogue.AntiVirusPro) -> Delete on reboot.
C:\Documents and Settings\NetworkService\Application Data\svcst.exe (Rogue.AntiVirusPro) -> Delete on reboot.
C:\Documents and Settings\All Users\Application Data\WinUpdate.exe (Trojan.Downloader) -> Delete on reboot.
C:\Documents and Settings\Default User\Application Data\WinUpdate.exe (Trojan.Downloader) -> Delete on reboot.
C:\Documents and Settings\ITR\Application Data\WinUpdate.exe (Trojan.Downloader) -> Delete on reboot.
C:\Documents and Settings\itradmin\Application Data\WinUpdate.exe (Trojan.Downloader) -> Delete on reboot.
C:\Documents and Settings\LocalService\Application Data\WinUpdate.exe (Trojan.Downloader) -> Delete on reboot.
C:\Documents and Settings\NetworkService\Application Data\WinUpdate.exe (Trojan.Downloader) -> Delete on reboot.
C:\Program Files\Common Files\file.exe (Rogue.InternetAntiVirus) -> Delete on reboot.
C:\Program Files\TSC\tsc.exe (Rogue.Total.Security) -> Delete on reboot.
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinUpdate.exe (Trojan.Banker) -> Delete on reboot.
C:\Documents and Settings\Default User\Start Menu\Programs\Startup\WinUpdate.exe (Trojan.Banker) -> Delete on reboot.
C:\Documents and Settings\ITR\Start Menu\Programs\Startup\WinUpdate.exe (Trojan.Banker) -> Delete on reboot.
C:\Documents and Settings\itradmin\Start Menu\Programs\Startup\WinUpdate.exe (Trojan.Banker) -> Delete on reboot.
C:\WINDOWS\system32\braviax.exe (Trojan.FakeAlert) -> Delete on reboot.
C:\WINDOWS\system32\file.exe (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\inf\svch0st.exe (Spyware.Pophot) -> Delete on reboot.
C:\WINDOWS\system32\svch0st.exe (Worm.AutoRun) -> Delete on reboot.
C:\WINDOWS\system32\utorrent.exe (Worm.AutoRun) -> Delete on reboot.
C:\WINDOWS\system32\winupdate.exe (Trojan.Downloader) -> Delete on reboot.
C:\WINDOWS\Temp\svch0st.exe (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\Default User\Local Settings\Temp\svch0st.exe (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\ITR\Local Settings\Temp\svch0st.exe (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\itradmin\Local Settings\Temp\svch0st.exe (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\LocalService\Local Settings\Temp\svch0st.exe (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\NetworkService\Local Settings\Temp\svch0st.exe (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\All Users\file.exe (Trojan.Dropper) -> Delete on reboot.
C:\Documents and Settings\Default User\file.exe (Trojan.Dropper) -> Delete on reboot.
C:\Documents and Settings\ITR\file.exe (Trojan.Dropper) -> Delete on reboot.
C:\Documents and Settings\itradmin\file.exe (Trojan.Dropper) -> Delete on reboot.
C:\Documents and Settings\LocalService\file.exe (Trojan.Dropper) -> Delete on reboot.
C:\Documents and Settings\NetworkService\file.exe (Trojan.Dropper) -> Delete on reboot.
C:\Documents and Settings\All Users\Local Settings\Application Data\Microsoft\Internet Explorer\iv.exe (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\Default User\Local Settings\Application Data\Microsoft\Internet Explorer\iv.exe (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\ITR\Local Settings\Application Data\Microsoft\Internet Explorer\iv.exe (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\itradmin\Local Settings\Application Data\Microsoft\Internet Explorer\iv.exe (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Internet Explorer\iv.exe (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Internet Explorer\iv.exe (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\All Users\Local Settings\file.exe (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\Default User\Local Settings\file.exe (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\ITR\Local Settings\file.exe (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\itradmin\Local Settings\file.exe (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\LocalService\Local Settings\file.exe (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\NetworkService\Local Settings\file.exe (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\braviax.exe (Trojan.Downloader) -> Delete on reboot.
C:\WINDOWS\file.exe (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\SVCH0ST.exe (Backdoor.Agent) -> Delete on reboot.
C:\WINDOWS\sysguard.exe (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\System\WinUpdate.exe (Trojan.Banker) -> Delete on reboot.
C:\WINDOWS\WinUpdate.exe (Trojan.Banker) -> Delete on reboot.
C:\Documents and Settings\All Users\Application Data\Windows update\winupdate.exe (Backdoor.Bot) -> Delete on reboot.
C:\Documents and Settings\Default User\Application Data\Windows update\winupdate.exe (Backdoor.Bot) -> Delete on reboot.
C:\Documents and Settings\ITR\Application Data\Windows update\winupdate.exe (Backdoor.Bot) -> Delete on reboot.
C:\Documents and Settings\itradmin\Application Data\Windows update\winupdate.exe (Backdoor.Bot) -> Delete on reboot.
C:\Documents and Settings\LocalService\Application Data\Windows update\winupdate.exe (Backdoor.Bot) -> Delete on reboot.
C:\Documents and Settings\NetworkService\Application Data\Windows update\winupdate.exe (Backdoor.Bot) -> Delete on reboot.
C:\WINDOWS\system32\Windows update\winupdate.exe (Backdoor.Bot) -> Delete on reboot.
C:\WINDOWS\ocxlist\winupdate.exe (Trojan.Banker) -> Delete on reboot.
C:\Program Files\TS\tsc.exe (Rogue.TotalSecurity) -> Delete on reboot.
C:\WINDOWS\system32\Winupdate\Winupdate.exe (Trojan.Agent) -> Delete on reboot.
C:\Program Files\CS\tsc.exe (Rogue.CyberSecurity) -> Delete on reboot.
C:\WINDOWS\system32\winupdate86.exe (Trojan.FakeAlert) -> Delete on reboot.
C:\WINDOWS\system32\41.exe (Trojan.FakeAlert) -> Delete on reboot.
C:\WINDOWS\system32\Winlogon86.exe (Trojan.FakeAlert) -> Delete on reboot.
C:\Documents and Settings\All Users\Documents\System\winupdate.exe (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\Default User\My Documents\System\winupdate.exe (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\ITR\My Documents\System\winupdate.exe (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\itradmin\My Documents\System\winupdate.exe (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\ime\SVCH0ST.exe (Backdoor.IRCBot) -> Delete on reboot.

------------------------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:12:17 PM, on 3/5/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\WiFi\bin\S24EvMon.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\DellTPad\Apoint.exe
C:\Program Files\Dell\Dell Mobile Broadband\systray.exe
C:\Program Files\Intel\WiFi\bin\ZCfgSvc.exe
C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe
C:\Program Files\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe
C:\Program Files\ITR\Agent\ITRTCH28502849914062\KaUsrTsk.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosAVRC.exe
C:\Program Files\AVG\AVG9\Identity Protection\agent\bin\avgidsmonitor.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosOBEX.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosBtProc.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Intel\WiFi\bin\EvtEng.exe
C:\Program Files\ITR\Agent\ITRTCH28502849914062\AgentMon.exe
C:\Program Files\ITR\Agent\ITRTCH28502849914062\KasAVSrv.exe
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
C:\Program Files\SigmaTel\C-Major Audio\DellXPM_5515v131\WDM\StacSV.exe
C:\Program Files\AVG\AVG9\avgam.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\Program Files\Intel\WiFi\bin\WLKeeper.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\Program Files\Dell\Dell Mobile Broadband\dmbcu.exe
C:\PROGRA~1\Dell\DELLMO~1\Phoenix.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\ConnectWise\Psa.Net\PsaStarter.exe
C:\Program Files\ConnectWise\Psa.Net\2.0.0.18\Psa.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\PROGRA~1\MICROS~3\Office12\OUTLOOK.EXE
C:\Program Files\AVG\AVG9\avgcsrvx.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe
O4 - HKLM\..\Run: [systray] C:\Program Files\Dell\Dell Mobile Broadband\systray.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\WiFi\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" /tf Intel Wireless Tray
O4 - HKLM\..\Run: [ITSecMng] %ProgramFiles%\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe /START
O4 - HKLM\..\Run: [ChangeTPMAuth] C:\Program Files\Wave Systems Corp\Common\ChangeTPMAuth.exe /T:NTRU12
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [KASHITRTCH28502849914062] "C:\Program Files\ITR\Agent\ITRTCH28502849914062\KaUsrTsk.exe"
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - Global Startup: Bluetooth Manager.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {3B998BC8-4BD6-4188-B785-5589534B1CF7} (VIClientControl Class) - http://72.54.192.49/videoinsight/Pages/uti...es/VIClient.CAB
O16 - DPF: {62FA83F7-20EC-4D62-AC86-BAB705EE1CCD} (SmartCode ViewerX VNC Control) - http://managed.itrtechnologies.com/klc/res...iveConnectX.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1248535679640
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O17 - HKLM\System\CCS\Services\Tcpip\..\{CD142A5F-8EDD-4419-BAAE-183EAFCF99A1}: NameServer = 69.78.96.14 66.174.92.14
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: AVG9IDSAgent (AVGIDSAgent) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel® Corporation - C:\Program Files\Intel\WiFi\bin\EvtEng.exe
O23 - Service: ITR Managed Services Agent (KAITRTCH28502849914062) - Kaseya International Limited - C:\Program Files\ITR\Agent\ITRTCH28502849914062\AgentMon.exe
O23 - Service: ITR Managed Security Services (KaseyaAVService) - Unknown owner - C:\Program Files\ITR\Agent\ITRTCH28502849914062\KasAVSrv.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel® Corporation - C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless WiFi Service (S24EventMonitor) - Intel® Corporation - C:\Program Files\Intel\WiFi\bin\S24EvMon.exe
O23 - Service: SecureStorageService - Wave Systems Corp. - C:\Program Files\Wave Systems Corp\Secure Storage Manager\SecureStorageService.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Program Files\SigmaTel\C-Major Audio\DellXPM_5515v131\WDM\StacSV.exe
O23 - Service: NTRU TSS v1.2.1.29 TCS (tcsd_win32.exe) - Unknown owner - C:\Program Files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe
O23 - Service: TdmService - Wave Systems Corp. - C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe
O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe
O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\WiFi\bin\WLKeeper.exe

--
End of file - 9154 bytes
Dustin_Loftis:

After you run ComboFix and kill the rootkit, run MalwareBytes one last time to clean up the lesser malware.
jhyiesla:
I know it's kind of simplistic and somewhat extreme, but there comes a time when it's just the more prudent step to wipe and reload. I love apps like ComboFix and Malwarebytes and use them extensively when needed, but in cases of really bad infections where there is some level of doubt as to the "clean", I stabilize the system, remove what data I can or need and then just wipe and reload the OS.

You can try running a couple of rootkit detectors (that is what the problem is - regular anti-malware apps won't be able to do anything), and they might get rid of your problem. Your machine is fairly extensively infected. I would second jhyiesla's suggestion - wipe and reload. If you end up going that route I suggest DBAN (Darik's Boot And Nuke); it will completely wipe the disk. If you would like to try anti-rootkit software first, read the article below:

https://www.experts-exchange.com/articles/Virus_and_Spyware/Anti-Virus/Anti-rootkit-software.html
The suggested ComboFix is a good idea... just attach the logfile here so we can check to make sure it's clean.
You could also try scanning with these tools first.

1.  Please download exeHelper to your desktop.
http://www.raktor.net/exeHelper/exeHelper.com 
Double-click on exeHelper.com to run the fix.
A black window should pop up, press any key to close once the fix is completed.
Post the contents of exehelperlog.txt (Will be created in the directory where you ran exeHelper.com, and should open at the end of the scan)
Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).
 

2.  TDSSKiller:
http://support.kaspersky.com/downloads/utils/tdsskiller.zip 
* Download the file TDSSKiller.zip and extract it into a folder on the infected (or potentially infected) PC.
* Execute the file TDSSKiller.exe.
* Wait for the scan and disinfection process to be over. You do not have to reboot the PC after the disinfection is over.
If the tool finds a hidden service it will prompt you to type "delete"; you can also just hit "Enter" without typing anything and the scan will continue...

Tomeryos:

I strongly suggest you simply format your computer -> copy everything to another drive (as in: creating a backup), install fresh, then get the ESET NOD antivirus trial version on the fresh computer, scan the contents of the backup and restore everything. It takes some time... but it guarantees a win, and your computer will work faster in addition to that.
One other thing you can try before running any more utilities is to go to the registry and check the following keys:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

and make sure there is nothing rogue in these, as this will cause auto reinstalls of crapware.
Then get CCleaner from www.ccleaner.com and run it to clean all temp files. Although, if there are multiple accounts on this machine, you will need to run CCleaner under EACH account as it is account sensitive.
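The registry check described above, worked through as an added example that is not from any poster in this thread: a PowerShell script that walks the Run* keys listed in the post and every profile's Startup folder (where the Malwarebytes log found ares.exe and WinUpdate.exe), and flags entries whose target lives under a user profile or Temp path, bears a file name from the posted log, or no longer exists on disk. It assumes PowerShell 2.0 or later and the XP-style C:\Documents and Settings layout; the suspicious-path fragments and flagging rules are this example's own heuristics.

```powershell
# Added example, not from the thread: audit the Run* keys named in the post, plus the
# per-profile Startup folders where the Malwarebytes log above found ares.exe and
# WinUpdate.exe, and flag entries worth a second look before trusting a "clean" scan.
# Assumes PowerShell 2.0+ on an XP-style profile layout; adjust $profileRoot for Vista+.
$hiveKeys = @(
    'SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx',
    'SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices',
    'SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce'
)
# HKCU covers only the logged-on user; other accounts' NTUSER.DAT hives would need loading,
# which is why the post says to repeat the check under each account.
$runKeys = foreach ($hive in 'HKLM:', 'HKCU:') { foreach ($k in $hiveKeys) { "$hive\$k" } }
$profileRoot = 'C:\Documents and Settings'

# Legitimate autostart targets rarely live under these paths; the posted log shows the
# opposite pattern (one binary dropped into every profile's Application Data and Temp).
$suspiciousFragments = @('\Documents and Settings\', '\Temp\', '\Application Data\',
                         '\Local Settings\', '\Downloaded Program Files\')
# File names taken from the Malwarebytes detections posted above.
$namesFromLog = @('winupdate.exe', 'winupdate86.exe', 'svch0st.exe', 'seres.exe', 'svcst.exe',
                  'braviax.exe', 'sysguard.exe', 'tsc.exe', 'file.exe', 'iv.exe', 'ares.exe',
                  'winlogon86.exe', '41.exe')

function Get-TargetExe([string]$command) {
    # Pull the executable out of a Run value such as "C:\p q\app.exe" /background or
    # %ProgramFiles%\Vendor\tool.exe /START; falls back to the first token (heuristic).
    if ($command -match '^\s*"?(.+?\.exe)') { $exe = $Matches[1] }
    else { $exe = ($command -split '\s+')[0] }
    return [Environment]::ExpandEnvironmentVariables($exe)
}

function Test-AutorunEntry([string]$source, [string]$exe) {
    $flags = @()
    foreach ($frag in $suspiciousFragments) { if ($exe -like "*$frag*") { $flags += "path contains $frag" } }
    if ($namesFromLog -contains [IO.Path]::GetFileName($exe).ToLower()) { $flags += 'name seen in MBAM log' }
    # Missing target: already quarantined, or hidden from the file system by a rootkit.
    if (-not $exe -or -not (Test-Path -LiteralPath $exe)) { $flags += 'target not on disk' }
    $status = if ($flags.Count -gt 0) { 'REVIEW' } else { 'ok' }
    '{0,-6} {1} -> {2}  {3}' -f $status, $source, $exe, ($flags -join '; ')
}

# 1. Registry Run* keys
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # PowerShell's own PSPath/PSParentPath metadata
        Test-AutorunEntry "$key\$($p.Name)" (Get-TargetExe ([string]$p.Value))
    }
}

# 2. Startup folders of every profile, including Default User, LocalService and NetworkService
$wsh = New-Object -ComObject WScript.Shell
$startupDirs = Get-ChildItem -Path $profileRoot -Force |
    ForEach-Object { Join-Path $_.FullName 'Start Menu\Programs\Startup' } |
    Where-Object { Test-Path -LiteralPath $_ }
foreach ($dir in $startupDirs) {
    foreach ($item in (Get-ChildItem -Path $dir -Force | Where-Object { $_.Name -ne 'desktop.ini' })) {
        # A bare .exe sitting in Startup (as in the log) is itself a flag; .lnk files are resolved to their target.
        $target = if ($item.Extension -eq '.lnk') { $wsh.CreateShortcut($item.FullName).TargetPath } else { $item.FullName }
        Test-AutorunEntry $item.FullName $target
    }
}
```

Run it from an elevated prompt and compare every REVIEW line against the Malwarebytes and HijackThis output above; an entry that keeps reappearing after each reboot is the one whose launcher still needs to be found.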

ASKER CERTIFIED SOLUTION (ITRSupport)

This solution is only available to members of Experts Exchange.