Malicious Virus attack!
Dear Forum members;
I am running Windows 7 Ultimate 64-bit. I contracted a dsc.exe virus yesterday. Solutions I found for removing it did not work – I assume they were written for other OS’s. However, this morning I managed to remove it using MBAM. I quarantined all the viruses, in case of problems, and problems have appeared:
1) There are strange messages on bootup:
On starting up, the system gives two Run DLL reports:
There was a problem starting
C:\Users\Xuyuan\AppData\Local\imanivago.dll
The specified module could not be found.

There was a problem starting
C:\Users\Xuyuan\AppData\Local\kSLexi.dll
The specified module could not be found.

2) Whenever I try to upload or send email, Firefox crashes, forcing me to reboot the computer. This happens sending Gmail, and also uploading docs to this forum. It gives the following error, and I cannot access any programs without rebooting. I have uninstalled and reinstalled Firefox once already, to no avail.
Microsoft Visual C++ Runtime Library
Runtime Error!
Program: C:\Program Files (x86)\Mozilla Firefox\firefox.exe
This application has requested the Runtime to terminate it in an
unusual way.
Please contact the application support team for more information.

I thus don’t see the point in contacting Firefox, as the issue is with something that MBAM removed during the cleanup of dsc.exe.
As per forum instructions, I have already downloaded and run Microsoft® Windows® Malicious Software Removal Tool, which found nothing.
I ran ATF-Cleaner.
When running GMER Rootkit Scanner, it yielded the following message on startup:
C:\Windows\system32\config\system: The system cannot find the file specified.

And when it opened, most of the options were greyed out, apart from Services, Registry, Files and ADS.

On scanning it gave the following error message:
C:\Windows\system32\config\system: The process cannot access the file because it is being used by another process.

It then reported that it hadn’t found any system modification.
I then ran MBAM once again. With X result.
I’ve attached a picture of all the viruses MBAM picked up, some of which I think I need to clean or reinstall clean versions of to get my system running again, as well as a HijackThis log, and the two DDS scans.

Quite desperate, as Firefox, with all of its bookmarks and extensions, is imperative for my work!

Thanks so much for your help!


Part of your problem is you are using programs which are not compatible with Windows 7 and/or also not compatible with a 64bit system.
GMER runs only on Windows NT/W2K/XP/VISTA

Malwarebytes' IS compatible with Windows 7 and 64bit systems; however, where is the log? We can make no determinations of what is going on if we don't see all the logs, and Malwarebytes' is a KEY log we must see, not a Printscreen of Quarantine. We have to see the actual log created when the removals were done. Since you have run this twice it likely would be the second log from the bottom in the Logs Tab of the program. I must see this log.

Please do not attach logs, copy/paste them. This protects others here from the possibility of downloading an infected file to their own computer.
Copy/Paste that Malwarebytes' log here please.

You receive the message when starting about the two items noted below because both are serious Trojans and were removed by Malwarebytes':

C:\Users\Xuyuan\AppData\Local\imanivago.dll
C:\Users\Xuyuan\AppData\Local\kSLexi.dll

You are receiving the message because they obviously were set to run at start up, but since they were removed, as they should have been, they therefore cannot be found. And you most definitely DON'T want them back.

The version of HiJackThis you have used is literally years out of date. Please download the newest version which is 2.0.4 from this link http://free.antivirus.com/hijackthis/

Thanks so much for replying! I've followed your instructions, and describe below what else I have done and found since last post.

Since posting, I found a suspicious add-on in Firefox called "Java String Helper" which wouldn't uninstall or be disabled. I deduced it was responsible for the runtime error through a process of elimination of 1) running Firefox in safemode w/o reproducing the problem and 2) disabling the other add-ons outside of safe mode and still reproducing the issue.

So, I went to the registry editor, found the add-on keys, and traced their connection to a folder in C:\Users\Xuyuan\AppData\Roaming\5005.

I also found two other suspicious folders in the same directory:

C:\Users\Xuyuan\AppData\Roaming\cock which was full of cookies to adsites that had been generated since the time of the infection

and another folder
C:\Users\Xuyuan\AppData\Roaming\xmldm which was full of registry keys and htm files with keystroke records for sites that I'd logged into since the infection.

I've deleted the reg key and all three folders. The add-in has not reappeared since, and the run-time error has gone away.

There is still one suspicious Registry Entry, which refers to C:\Users\Xuyuan\AppData\Local\{05F9B574-645C-4D1A-BB9B-17AE556D87AE}\
This folder contains files called install.rdf, chrome.manifest (I don't run Chrome on my computer), and sub-folders called chrome\content\ with files _cfg.js and overlay.xul. They were all last modified (I think created) at the suspected time of infection. I haven't deleted them yet.

I'm worried, however, that as MBAM didn't catch the keylogger and add-in the first time around, that other variants of it may still be present elsewhere, possibly hidden in IE folders. Being unsure of what to do next, I installed and ran Ad-Aware, which is still scanning (I have 2T worth of data attached to my computer), but so far it's found only 2 items, and the Chrome folders and regkey are still intact.

I append the MBAM log from two days ago, and the recent HijackThis log afterwards. (In my defense, I used the HijackThis link from the forum instructions.) I assumed the incompatibility with GMER was to do with my OS, thank you for confirming that. I thought it best that you and other readers know that it didn't work.

Thanks again so much for your time and help.

MBAM Log:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4680

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

24/09/2010 09:31:26
mbam-log-2010-09-24 (09-31-26).txt

Scan type: Full scan (C:\|)
Objects scanned: 332903
Time elapsed: 1 hour(s), 27 minute(s), 50 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 2
Registry Keys Infected: 8
Registry Values Infected: 6
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 16

Memory Processes Infected:
C:\Users\Xuyuan\AppData\Local\Temp\dfrgsnapnt.exe (Trojan.FakeAlert) -> Unloaded process successfully.

Memory Modules Infected:
C:\Users\Xuyuan\AppData\Local\Temp\sshnas21.dll (Trojan.Downloader) -> Delete on reboot.
C:\Users\Xuyuan\AppData\Local\kSLexi.dll (Trojan.Hiloti) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\linkrdr.aiebho (Trojan.Banker) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{f22c37fd-2bcb-40b6-a12e-77dda1fbdd88} (Trojan.Banker) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{f22c37fd-2bcb-40b6-a12e-77dda1fbdd88} (Trojan.Banker) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\linkrdr.aiebho.1 (Trojan.Banker) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Handle (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\20W6RLKX65 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\3FWHZQA3LT (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\metropolis (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pbasazohecewew (Trojan.Hiloti) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dfrgsnapnt.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\3fwhzqa3lt (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\userinit (Trojan.Banker) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rcozuhijucivicid (Trojan.Agent.U) -> Delete on reboot.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Users\Xuyuan\AppData\Local\Temp\sshnas21.dll (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Users\Xuyuan\AppData\Local\kSLexi.dll (Trojan.Hiloti) -> Delete on reboot.
C:\Users\Xuyuan\AppData\Local\Temp\dfrgsnapnt.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Users\Xuyuan\AppData\Local\Temp\Dxd.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Users\Xuyuan\AppData\Roaming\AcroIEHelpe.dll (Trojan.Banker) -> Quarantined and deleted successfully.
C:\$Recycle.Bin\S-1-5-21-2701614545-746813789-4022911363-1000\$RBE6VG8.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\$Recycle.Bin\S-1-5-21-2701614545-746813789-4022911363-1000\$RHQD0CA.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Users\Xuyuan\AppData\Local\Temp\Dxc.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Users\Xuyuan\AppData\Local\Temp\iXzzRClogw.exe (Trojan.Hiloti) -> Quarantined and deleted successfully.
C:\Users\Xuyuan\AppData\Local\Temp\pDXPOqJvir.exe (Rootkit.Dropper.Gen) -> Quarantined and deleted successfully.
C:\Users\Xuyuan\AppData\Local\Temp\topwesitjh (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Users\Xuyuan\AppData\Roaming\appconf32.exe (Trojan.Banker) -> Delete on reboot.
C:\Users\Xuyuan\AppData\Local\Temp\0.30591442962090487.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Windows\Tasks\{22116563-108C-42c0-A7CE-60161B75E508}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Users\Xuyuan\AppData\Local\imanivago.dll (Trojan.Agent.U) -> Delete on reboot.


HIJACKTHIS LOG:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 00:51:07, on 27/09/2010
Platform: Windows 7 (WinNT 6.00.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16385)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\ProtectionUtilSurrogate.exe
C:\Program Files (x86)\Dell DataSafe Local Backup\Components\scheduler\STService.exe
C:\Program Files (x86)\Dell DataSafe Local Backup\Toaster.exe
C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe
C:\Program Files (x86)\SlySoft\AnyDVD\AnyDVD.exe
C:\Program Files (x86)\Lavasoft\Ad-Aware\Ad-Aware.exe
C:\Program Files (x86)\Dell Support Center\bin\sprtcmd.exe
C:\Windows\SysWOW64\regsvr32.exe
C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
C:\Program Files (x86)\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files (x86)\Inventec\Dreye\DreyeMT\DreyeIMplugin.exe
C:\Program Files (x86)\Common Files\Symantec Shared\ccApp.exe
C:\Windows\Xerox\PanelMgr\SSMMgr.exe
C:\Program Files (x86)\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Skype\Phone\Skype.exe
C:\Windows\SysWOW64\NOTEPAD.EXE
C:\Program Files (x86)\Trend Micro\HiJackThis\HiJackThis.exe

F2 - REG:system.ini: UserInit=C:\Windows\system32\userinit.exe
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~2\MICROS~1\Office14\GROOVEEX.DLL
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: FAIESSO Helper Object - {A2F122DA-055F-4df7-8F24-7354DBDBA85B} - c:\Program Files (x86)\Sensible Vision\Fast Access\FAIESSO.dll (file missing)
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~2\MICROS~1\Office14\URLREDIR.DLL
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files (x86)\Windows Live\Toolbar\wltcore.dll
O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files (x86)\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: Dr.eye WebPage Translation - {92B255FE-94E2-4BCA-958D-3926CE38913F} - C:\Program Files (x86)\Inventec\Dreye\DreyeMT\DreyeIEBar.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O4 - HKLM\..\Run: [dellsupportcenter] "C:\Program Files (x86)\Dell Support Center\bin\sprtcmd.exe" /P dellsupportcenter
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [IME14 CHT Setup] C:\PROGRA~2\COMMON~1\MICROS~1\IME14\SHARED\IMEKLMG.EXE /SetPreload /CHT /Log
O4 - HKLM\..\Run: [IME14 JPN Setup] C:\PROGRA~2\COMMON~1\MICROS~1\IME14\SHARED\IMEKLMG.EXE /SetPreload /JPN /Log
O4 - HKLM\..\Run: [IME14 KOR Setup] C:\PROGRA~2\COMMON~1\MICROS~1\IME14\SHARED\IMEKLMG.EXE /SetPreload /KOR /Log
O4 - HKLM\..\Run: [IME14 CHS Setup] C:\PROGRA~2\COMMON~1\MICROS~1\IME14\SHARED\IMEKLMG.EXE /SetPreload /CHS /Log
O4 - HKLM\..\Run: [Adobe Acrobat Speed Launcher] "C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files (x86)\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [IMDreyePlugin] "C:\Program Files (x86)\Inventec\Dreye\DreyeMT\DreyeIMplugin.exe" /h
O4 - HKLM\..\Run: [ccApp] "C:\Program Files (x86)\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Xerox PanelMgr] C:\Windows\Xerox\PanelMgr\SSMMgr.exe /autorun
O4 - HKLM\..\RunOnce: [Launcher] C:\Program Files (x86)\Dell DataSafe Local Backup\Components\scheduler\Launcher.exe
O4 - HKLM\..\RunOnce: [STToasterLauncher] C:\Program Files (x86)\Dell DataSafe Local Backup\toasterLauncher.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files (x86)\Skype\\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe" -autorun
O4 - HKCU\..\Run: [AnyDVD] C:\Program Files (x86)\SlySoft\AnyDVD\AnyDVD.exe
O4 - HKCU\..\Run: [ISUSPM Startup] C:\PROGRA~2\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKCU\..\Run: [FaultrepDataCollectionInProc] regsvr32 /s /u "C:\Users\Xuyuan\AppData\Local\FaultrepDataCollectionInProc\FaultrepDataCollectionInProc.dll"
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O4 - Startup: OneNote 2010 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office14\ONENOTEM.EXE
O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Append to Existing PDF - res://C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office14\EXCEL.EXE/3000
O8 - Extra context menu item: Se&nd to OneNote - res://C:\PROGRA~1\MICROS~3\Office14\ONBttnIE.dll/105
O8 - Extra context menu item: Send image to &Bluetooth Device... - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send page to &Bluetooth Device... - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: Se&nd to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra button: Run YoukuDownloader - {612F6E5C-B314-4bab-93D1-D266AAFBE700} - C:\Program Files (x86)\Xmlbar\Youku Downloader\YoukuDownloader(xmlbar).exe (file missing)
O9 - Extra 'Tools' menuitem: Youku Downloader - {612F6E5C-B314-4bab-93D1-D266AAFBE700} - C:\Program Files (x86)\Xmlbar\Youku Downloader\YoukuDownloader(xmlbar).exe (file missing)
O9 - Extra button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O9 - Extra 'Tools' menuitem: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O9 - Extra button: Send To Bluetooth - {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: Send to &Bluetooth Device... - {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O18 - Filter hijack: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
O20 - AppInit_DLLs: acaptuser32.dll
O20 - Winlogon Notify: FastAccess - c:\Program Files (x86)\Sensible Vision\Fast Access\FALogNot.dll (file missing)
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - c:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files (x86)\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files (x86)\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Dragon Age: Origins - Content Updater (DAUpdaterSvc) - BioWare - C:\Program Files (x86)\Dragon Age\bin_ship\DAUpdaterSvc.Service.exe
O23 - Service: Dock Login Service (DockLoginService) - Stardock Corporation - C:\Program Files\Dell\DellDock\DockLogin.exe
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files (x86)\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files (x86)\Citrix\GoToAssist\514\g2aservice.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files (x86)\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~2\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: Nero BackItUp Scheduler 4.0 - Nero AG - C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (nvsvc) - Unknown owner - C:\Windows\system32\nvvsvc.exe (file missing)
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: Remote Procedure Call (RPC) Net (rpcnet) - Absolute Software Corp. - C:\Windows\SysWOW64\rpcnet.exe
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: SoftThinks Agent Service (SftService) - SoftThinks SAS - C:\Program Files (x86)\Dell DataSafe Local Backup\sftservice.EXE
O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\Smc.exe
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
O23 - Service: SupportSoft Sprocket Service (DellComms) (sprtsvc_DellComms) - SupportSoft, Inc. - C:\Program Files (x86)\Dell\DellComms\bin\sprtsvc.exe
O23 - Service: SupportSoft Sprocket Service (DellSupportCenter) (sprtsvc_DellSupportCenter) - SupportSoft, Inc. - C:\Program Files (x86)\Dell Support Center\bin\sprtsvc.exe
O23 - Service: Audio Service (STacSV) - IDT, Inc. - C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_afc3018f8cfedd20\STacSV64.exe
O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\Rtvscan.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\Wat\WatUX.exe,-601 (WatAdminSvc) - Unknown owner - C:\Windows\system32\Wat\WatAdminSvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: DW WLAN Tray Service (wltrysvc) - Dell Inc. - C:\Program Files\Dell\DW WLAN Card\WLTRYSVC.EXE
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)
O23 - Service: Zune Wireless Configuration Service (ZuneWlanCfgSvc) - Unknown owner - C:\Windows\system32\ZuneWlanCfgSvc.exe (file missing)

--
End of file - 15029 bytes
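A small triage script for HijackThis-format logs such as the one above, added here as an illustration; it is not part of the thread, of HijackThis or of Malwarebytes. It flags the two patterns the thread turns on: autostart entries whose target file is gone (the cause of the RunDLL "module could not be found" dialogs) and Run values that load a DLL from a user-profile path through rundll32 or regsvr32. The sample lines are constructed in the HijackThis 2.0.4 format; the rundll32 command line for imanivago.dll is an assumption, since the thread shows only the RunDLL error, not the Run value itself.

```python
"""Triage of HijackThis-style log lines: flag orphaned autostart entries and
autostarts that load code from user-writable profile paths."""
import re
from dataclasses import dataclass

# Constructed sample in HijackThis 2.0.4 line format. The rundll32 command line
# is an assumption modelled on the RunDLL error in the thread; the other lines
# mirror entry types seen in the posted log.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [sampleloader] rundll32.exe "C:\Users\Xuyuan\AppData\Local\imanivago.dll",Startup
O4 - HKCU\..\Run: [FaultrepDataCollectionInProc] regsvr32 /s /u "C:\Users\Xuyuan\AppData\Local\FaultrepDataCollectionInProc\FaultrepDataCollectionInProc.dll"
O20 - Winlogon Notify: FastAccess - c:\Program Files (x86)\Sensible Vision\Fast Access\FALogNot.dll (file missing)
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
"""

ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d+) - (?P<body>.+)$")
ORPHAN_MARKERS = ("(no file)", "(file missing)")
# Paths a normal install would not use for an autostart: user profile, temp, recycle bin.
USER_PATH_RE = re.compile(r"\\(AppData|Temp|\$Recycle\.Bin)\\", re.IGNORECASE)
# Host processes that turn a plain DLL into something that runs at logon.
DLL_LOADER_RE = re.compile(r"\b(rundll32|regsvr32)(\.exe)?\b", re.IGNORECASE)
WINDOWS_DIR_RE = re.compile(r"c:\\windows\\", re.IGNORECASE)


@dataclass
class Finding:
    code: str    # HijackThis section, e.g. "O4"
    tag: str     # machine-readable reason
    reason: str  # human-readable explanation
    line: str    # the original log line


def parse_entries(log_text):
    """Yield (section code, body, raw line) for each recognised log line."""
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            yield m.group("code"), m.group("body"), raw.strip()


def triage(log_text):
    """Return the entries a responder should look at, in log order."""
    findings = []
    for code, body, line in parse_entries(log_text):
        lower = body.lower()
        if any(marker in lower for marker in ORPHAN_MARKERS):
            if code == "O23" and WINDOWS_DIR_RE.search(body):
                # A 32-bit HijackThis on 64-bit Windows cannot see the native
                # System32 because of WOW64 file system redirection, so system
                # services show as "file missing". Low priority.
                findings.append(Finding(code, "wow64_missing",
                    "service under C:\\Windows reported missing; likely WOW64 redirection", line))
            else:
                findings.append(Finding(code, "orphan",
                    "autostart or hook points at a file that no longer exists; remove the stale entry", line))
        elif code == "O4" and USER_PATH_RE.search(body):
            if DLL_LOADER_RE.search(body):
                findings.append(Finding(code, "user_path_dll_loader",
                    "Run value loads a DLL from a user-writable path via rundll32/regsvr32", line))
            else:
                findings.append(Finding(code, "user_path_exe",
                    "Run value starts a program from a user-writable path", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.code:>4} {f.tag:<22} {f.reason}\n      {f.line}")
```

Run it against a real log by reading the file into `triage()`; the O23 "file missing" lines for native services are the expected 64-bit artefact, while "orphan" and "user_path_dll_loader" hits are the ones worth a manual look.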

Not that crazy about AdAware frankly. I know it is compatible with Windows 7 but can find no info that it is compatible with Windows 7 64bit.

This is also where you are at a bit of a disadvantage, as many of the security programs are not compatible with a 64bit system.
You can try the Sophos Rootkit program, it is compatible with 7.
You will have to fill out an information form in order to download it but be sure you don't say you want info or newsletters.
http://www.sophos.com/products/free-tools/sophos-anti-rootkit.html

Hi, thanks for this suggestion.
Ad-Aware still scanning, now 14 hits. Sophos now running too. I'll keep you posted with results.

There is absolutely NO way that an AdAware scan should take 10+ hours, which is what you seem to be saying. Turn it off and uninstall it. That is 100% wrong. I wouldn't trust anything it supposedly is finding.

You should NEVER run two scans of any kind at the same time! Neither one will do a proper job that way.

It actually took over twenty hours, but like I said, I did a full scan and it was working through 2.5 terabytes of hard drive space. It found a number of items during that time, all of which have been removed.

By the time Sophos got to the system, it only found hidden files that it didn't recognise but that it also didn't recommend uninstalling. Some of these were files for software, like Daemon.exe.

Thanks for your feedback and willingness to help and offer advice. It's much appreciated.

I still have to say, AdAware just isn't one of those programs chosen today as a "top of the line" as it once was, no matter how large a drive needed scanning and it also is NOT one of those mentioned as being able to clean out these especially difficult infections that are out there today. Are you still having the problems you noted?

Hi. Your point about Ad-aware noted, thanks. I'll be sure to use Sophos first in the future.

Problems solved once I manually deleted the Registry Entry and the associated folders in the Firefox directory.
But I was quite surprised a) that MBAM didn't find it, and b) that it was possible to do so by manually looking for "suspicious" registry keys. I clearly just got lucky this time.

Maybe dsc.exe has beaten out MBAM? I'm curious if Sophos would find it, but I'm not going to get reinfected just to test it out.

There would be no reason to use Sophos at all unless you suspect a rootkit; that is what that tool does, look for rootkits. It is in no way related to anything that AdAware would look for. AdAware basically scans for spyware, not trojans and certainly not rootkits. It, at best, is a very minor removal program, much of which can be taken care of by proper cookie settings and security settings. If you want a better scanner then use SpyBot Search and Destroy.

Frankly I am not sure what you mean about MBA-M not finding anything: it clearly found and removed
Memory Processes Infected: 1
Memory Modules Infected: 2
Registry Keys Infected: 8
Registry Values Infected: 6
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 16
So how can you say it didn't find and remove anything?
The KEY way these multiple infections work is to disable malware scanners. They LOOK like they are working but in reality they are not. This has been a KNOWN occurrence since the appearance of this family of infections more than a year ago. It isn't new or rare.
When you removed those deterrents manually and then re-scanned, MBA-M did remove them. What you did was remove the processes that masked the true infected files so that MBA-M could find them.

There is an automatic tool which will do exactly the same thing so that MBA-M and others CAN run, they didn't have to be done manually.

Another thing you say in your first post I find most disconcerting:
I’ve attached a picture of all the viruses MBAM picked up, some of which I think I need to clean or reinstall clean versions of to get my system running again,

Why in the world would you want to reinstall ANY of the files removed by MBA-M? They are clearly infections, not necessary files and registry entries and certainly not ones which should be reinstalled.
