Windows 7 Forums

Welcome to Windows 7 Forums. Our forum is dedicated to helping you find support and solutions for any problems regarding your Windows 7 PC be it Dell, HP, Acer, Asus or a custom build. We also provide an extensive Windows 7 tutorial section that covers a wide range of tips and tricks.


Windows 7: Phishing emails virus, need help to remove

27 Feb 2012   #11
usinjin

Windows 7 Professional x64
 
 

Quote   Quote: Originally Posted by tman69 View Post
just a thought--your original posting seems to indicate 'rootkit' rehavior.

see this link for how to detect/remove a rootkit:

F-Secure - How To - Remove threats - Free Removal Tools - Blacklight

and see here for definition of a rootkit:

F-Secure - How To - Terminology - R
Great. I'll check that out tomorrow. That F-Secure software is a little bit odd...it also won't install on my machine due to incompatibility issues with Windows 7 (I did run it as an Administrator, but that didn't work either). The online scanner did find about 20 items though. I will try the deeper scan again tomorrow.


My System SpecsSystem Spec
.
27 Feb 2012   #12
Golden
Microsoft MVP

Windows 7 Ult. x64
 
 

Hi Usinjin,

Please be sure to record the names of the malware you detect : its very useful to know what is found as it may give an indication or clue of a particular step or steps that someone might ask you to take.

Regards,
Golden
My System SpecsSystem Spec
27 Feb 2012   #13
vaidas3

Windows 7 pro 64bit. (SP1)
 
 

Quote   Quote: Originally Posted by tman69 View Post
just a thought--your original posting seems to indicate 'rootkit' rehavior.

see this link for how to detect/remove a rootkit:

F-Secure - How To - Remove threats - Free Removal Tools - Blacklight

and see here for definition of a rootkit:

F-Secure - How To - Terminology - R

had similar infection on one of work pc and yes it was rootkit that not only dumps spam but sends out lots of spam too.

best cure to remove rootkit infection is clean reinstal (or better backup reimage from brfore virus was predsent)
because even if it seems removed it may return, and because how deep rootkits get in to the system, cleaning system 100% would take more time than clean reinstal.
best way to clean or detect rootkits is to boot from different environment because while infected OS is running rootkit has many ways to hide itself.
this may help
Microsoft Standalone System Sweeper Beta | Microsoft Connect
my recommendation is do scan make sure of the infection
and do a clean reinstal
My System SpecsSystem Spec
.

27 Feb 2012   #14
usinjin

Windows 7 Professional x64
 
 

Okay, so the files that F-Secure found were all tracking cookies, and unfortunately I didn't write them down. Unfortunately I lost the name of the Tojan that ZA found (It was saved in ZA's log files, but the logs were tossed out). But I'll try to pull up some names for the future.

I did a scan with Sophos, and I got a huge number of "Unknown hidden files". Many of them are in temporary internet files, but others are in C:\Windows and subdirectories. I don't want to mess anything up, so I think I'm not going to do anything with Sophos. I did take a screenshot however in case anyone wants to see what was found.

I am going to scan with the Microsoft Standalone System Sweeper Tool next. Thanks everyone for the help so far.


Attached Thumbnails
Phishing emails virus, need help to remove-sophos.jpg  
My System SpecsSystem Spec
27 Feb 2012   #15
Jacee
Microsoft MVP

Windows 7 Ultimate 32bit SP1
 
 

Download DDS from one of these links:
Mirror 1 Mirror 2 Mirror 3
  • Disable any script blocking protection
  • Double click the dds icon to run the tool.
  • When done, DDS will open two (2) logs:
    1. DDS.txt
    2. Attach.txt <--- will be minimized in the task tray
  • Save both reports to your desktop.
Include the contents of both logs in your next post.
The scan will instruct you to post Attach.txt as an attachment.
My System SpecsSystem Spec
28 Feb 2012   #16
usinjin

Windows 7 Professional x64
 
 

Below are the contents of DDS.txt:
.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_29
Run by User at 19:22:51 on 2012-02-28
Microsoft Windows 7 Professional 6.1.7600.0.1252.1.1033.18.4087.2374 [GMT -6:00]
.
AV: ZoneAlarm Antivirus *Disabled/Updated* {DE038A5B-9EDD-18A9-2361-FF7D98D43730}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: ZoneAlarm Anti-Spyware *Disabled/Updated* {65626BBF-B8E7-1727-19D1-C40FE3537D8D}
FW: ZoneAlarm Firewall *Disabled* {E6380B7E-D4B2-19F1-083E-56486607704B}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\Ati2evxx.exe
C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe
C:\Program Files (x86)\ContentWatch\Internet Protection\cwsvc.exe
C:\Windows\system32\PrintCtrl.exe
C:\Program Files (x86)\RosettaStoneLtdServices\RosettaStoneDaemon.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Windows\System32\PrintDisp.exe
C:\Program Files (x86)\Skype\Phone\Skype.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Users\User\AppData\Roaming\Dropbox\bin\Dropbox.exe
C:\Program Files\Microsoft IntelliType Pro\dpupdchk.exe
C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe
C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Windows Mail\WinMail.exe
C:\Windows\SysWOW64\RunDll32.exe
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
C:\Windows\splwow64.exe
C:\Windows\system32\Macromed\Flash\FlashUtil64_11_1_102_ActiveX.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\SysWOW64\DllHost.exe
.
============== Pseudo HJT Report ===============
.
uSearch Page =
uSearch Bar =
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
mSearchAssistant =
uURLSearchHooks: ZoneAlarm Extreme Security Toolbar: {a94e8dc9-07aa-45a7-8af2-a0375473a5cd} -
mURLSearchHooks: ZoneAlarm Extreme Security Toolbar: {a94e8dc9-07aa-45a7-8af2-a0375473a5cd} -
mWinlogon: Userinit=userinit.exe,
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: ZoneAlarm Security Engine Registrar: {8a4a36c2-0535-4d2c-bd3d-496cb7eed6e3} - C:\Program Files\CheckPoint\ZAForceField\WOW64\TrustChecker\bin\TrustCheckerIEPlugin.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: ZoneAlarm Extreme Security: {a94e8dc9-07aa-45a7-8af2-a0375473a5cd} - ZoneAlarm Extreme Security Toolbar
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - C:\PROGRA~2\MICROS~3\Office14\URLREDIR.DLL
BHO: Free Download Manager: {cc59e0f9-7e43-44fa-9faa-8377850bf205} - C:\Program Files (x86)\Free Download Manager\iefdm2.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB: ZoneAlarm Extreme Security Toolbar: {a94e8dc9-07aa-45a7-8af2-a0375473a5cd} -
TB: {30F9B915-B755-4826-820B-08FBA6BD249D} - No File
TB: ZoneAlarm Security Engine: {ee2ac4e5-b0b0-4ec6-88a9-bca1a32ab107} - C:\Program Files\CheckPoint\ZAForceField\WOW64\TrustChecker\bin\TrustCheckerIEPlugin.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
TB: {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - No File
uRun: [EPSON WorkForce 840 Series] C:\Windows\system32\spool\DRIVERS\x64\3\E_IATIGMA.EXE /FU "C:\Users\User\AppData\Local\Temp\E_SC2E9.tmp" /EF "HKCU"
uRun: [Skype] "C:\Program Files (x86)\Skype\Phone\Skype.exe" /nosplash /minimized
uRun: [Google Update] "C:\Users\User\AppData\Local\Google\Update\GoogleUpdate.exe" /c
mRun: [ZoneAlarm] C:\Program Files (x86)\CheckPoint\ZoneAlarm\zatray.exe
mRun: [EEventManager] "C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe"
mRun: [FUFAXSTM] "C:\Program Files (x86)\Epson Software\FAX Utility\FUFAXSTM.exe"
mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun: [IAStorIcon] C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe
mRun: [JMB36X IDE Setup] C:\Windows\RaidTool\xInsIDE.exe
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
StartupFolder: C:\Users\User\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Dropbox.lnk - C:\Users\User\AppData\Roaming\Dropbox\bin\Dropbox.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\BLUETO~1.LNK - C:\Program Files (x86)\WIDCOMM\Bluetooth Software\BTTray.exe
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Download all with Free Download Manager - file://C:\Program Files (x86)\Free Download Manager\dlall.htm
IE: Download selected with Free Download Manager - file://C:\Program Files (x86)\Free Download Manager\dlselected.htm
IE: Download video with Free Download Manager - file://C:\Program Files (x86)\Free Download Manager\dlfvideo.htm
IE: Download with Free Download Manager - file://C:\Program Files (x86)\Free Download Manager\dllink.htm
IE: Page Content Recorder - C:\Program Files (x86)\Right Web Monitor 3\iecontrec.htm
IE: Send image to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
IE: Track with Right Web Monitor - C:\Program Files (x86)\Right Web Monitor 3\iecontext.htm
IE: {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - res://C:\Program Files (x86)\ieSpell\iespell.dll/SPELLCHECK.HTM
IE: {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - res://C:\Program Files (x86)\ieSpell\iespell.dll/SPELLOPTION.HTM
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
LSP: C:\Windows\system32\cwalsp.dll
Trusted Zone: com\www.msi
Trusted Zone: com.tw\asia.msi
Trusted Zone: com.tw\global.msi
DPF: {0067DBFC-A752-458C-AE6E-B9C7E63D4824} - hxxp://www.logitech.com/devicedetector/plugins/LogitechDeviceDetection32.cab
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxps://a248.e.akamai.net/f/248/14778/2h/dlmanager.download.akamai.com/14778/dlmanager/versions/activex/dlm-activex-2.2.6.0.cab
DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection2.cab
DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} - hxxp://liveupdate.msi.com.tw/autobios/LOnline/install.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} - hxxp://www.sibelius.com/download/software/win/ActiveXPlugin.cab
DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} - hxxp://utilities.pcpitstop.com/Optimize3/pcpitstop2.dll
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{01704FEB-A018-4C09-991E-10AC3459DBDF} : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{ADAFB84A-1A27-4E15-86D4-4E2D66D41100} : DhcpNameServer = 192.168.1.1
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLMF.DLL
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: ZoneAlarm Security Engine Registrar: {8A4A36C2-0535-4D2C-BD3D-496CB7EED6E3} - C:\Program Files\CheckPoint\ZAForceField\WOW64\TrustChecker\bin\TrustCheckerIEPlugin.dll
BHO-X64: ZoneAlarm Security Engine Registrar - No File
BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO-X64: {a94e8dc9-07aa-45a7-8af2-a0375473a5cd} - ZoneAlarm Extreme Security Toolbar
BHO-X64: ZoneAlarm Extreme Security - No File
BHO-X64: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
BHO-X64: Skype Browser Helper: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
BHO-X64: SkypeIEPluginBHO - No File
BHO-X64: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~2\MICROS~3\Office14\URLREDIR.DLL
BHO-X64: URLRedirectionBHO - No File
BHO-X64: Free Download Manager: {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files (x86)\Free Download Manager\iefdm2.dll
BHO-X64: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB-X64: ZoneAlarm Extreme Security Toolbar: {a94e8dc9-07aa-45a7-8af2-a0375473a5cd} -
TB-X64: {30F9B915-B755-4826-820B-08FBA6BD249D} - No File
TB-X64: ZoneAlarm Security Engine: {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - C:\Program Files\CheckPoint\ZAForceField\WOW64\TrustChecker\bin\TrustCheckerIEPlugin.dll
TB-X64: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
TB-X64: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
TB-X64: {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - No File
mRun-x64: [ZoneAlarm] C:\Program Files (x86)\CheckPoint\ZoneAlarm\zatray.exe
mRun-x64: [EEventManager] "C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe"
mRun-x64: [FUFAXSTM] "C:\Program Files (x86)\Epson Software\FAX Utility\FUFAXSTM.exe"
mRun-x64: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun-x64: [IAStorIcon] C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe
mRun-x64: [JMB36X IDE Setup] C:\Windows\RaidTool\xInsIDE.exe
mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun-x64: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun-x64: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
IE-X64: {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - res://C:\Program Files (x86)\ieSpell\iespell.dll/SPELLCHECK.HTM
IE-X64: {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - res://C:\Program Files (x86)\ieSpell\iespell.dll/SPELLOPTION.HTM
IE-X64: {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
IE-X64: {AD794498-7E3E-4E00-9864-94A669EEB2BF} - C:\Program Files (x86)\Right Web Monitor 3\iecontext.htm
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\zboou1br.default\
FF - prefs.js: keyword.URL - chrome://browser-region/locale/region.properties
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 52909
FF - prefs.js: network.proxy.type - 0
FF - component: C:\Program Files (x86)\Free Download Manager\Firefox\Extension\components\vmsfdmff.dll
FF - component: C:\Program Files (x86)\Mozilla Firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}\components\SkypeFfComponent.dll
FF - component: C:\Program Files\CheckPoint\ZAForceField\WOW64\TrustChecker\components\MozillaDownload.dll
FF - component: C:\Program Files\CheckPoint\ZAForceField\WOW64\TrustChecker\components\MozillaExtensions.dll
FF - component: C:\Program Files\CheckPoint\ZAForceField\WOW64\TrustChecker\components\TrustCheckerMozillaPlugin.dll
FF - component: C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\zboou1br.default\extensions\{a94e8dc9-07aa-45a7-8af2-a0375473a5cd}\components\RadioWMPCoreGecko10.dll
FF - component: C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\zboou1br.default\extensions\{a94e8dc9-07aa-45a7-8af2-a0375473a5cd}\components\RadioWMPCoreGecko19.dll
FF - component: C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\zboou1br.default\extensions\{a94e8dc9-07aa-45a7-8af2-a0375473a5cd}\components\RadioWMPCoreGecko5.dll
FF - component: C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\zboou1br.default\extensions\{a94e8dc9-07aa-45a7-8af2-a0375473a5cd}\components\RadioWMPCoreGecko6.dll
FF - component: C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\zboou1br.default\extensions\{a94e8dc9-07aa-45a7-8af2-a0375473a5cd}\components\RadioWMPCoreGecko7.dll
FF - component: C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\zboou1br.default\extensions\{a94e8dc9-07aa-45a7-8af2-a0375473a5cd}\components\RadioWMPCoreGecko8.dll
FF - component: C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\zboou1br.default\extensions\{a94e8dc9-07aa-45a7-8af2-a0375473a5cd}\components\RadioWMPCoreGecko9.dll
FF - plugin: C:\PROGRA~2\MICROS~3\Office14\NPAUTHZ.DLL
FF - plugin: C:\PROGRA~2\MICROS~3\Office14\NPSPWRAP.DLL
FF - plugin: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\Amazon\MP3 Downloader\npAmazonMP3DownloaderPlugin.dll
FF - plugin: C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.57\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.65\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.69\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.99\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\4.1.10111.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\NPMGWRAP.DLL
FF - plugin: C:\Program Files (x86)\NOS\bin\np_gp.dll
FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: C:\Program Files\CheckPoint\ZAForceField\WOW64\TrustChecker\bin\npFFApi.dll
FF - plugin: C:\Users\User\AppData\Local\Google\Update\1.3.21.99\npGoogleUpdate3.dll
FF - plugin: C:\Users\User\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll
FF - plugin: C:\Users\User\AppData\Roaming\Mozilla\plugins\npgtpo3dautoplugin.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
.
============= SERVICES / DRIVERS ===============
.
R1 kl2;kl2;C:\Windows\system32\DRIVERS\kl2.sys --> C:\Windows\system32\DRIVERS\kl2.sys [?]
R2 AdobeARMservice;Adobe Acrobat Update Service;C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-1-3 63928]
R2 cpuz135;cpuz135;\??\C:\Windows\system32\drivers\cpuz135_x64.sys --> C:\Windows\system32\drivers\cpuz135_x64.sys [?]
R2 CwAltaService20;ContentWatch;C:\Program Files (x86)\ContentWatch\Internet Protection\cwsvc.exe [2011-9-1 2105488]
R2 IAStorDataMgrSvc;Intel(R) Rapid Storage Technology;C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe [2011-11-25 13592]
R2 ISWKL;ZoneAlarm ForceField ISWKL;C:\Program Files\CheckPoint\ZAForceField\ISWKL.sys [2010-8-27 33672]
R2 IswSvc;ZoneAlarm ForceField IswSvc;C:\Program Files\CheckPoint\ZAForceField\ISWSVC.exe [2010-8-27 825984]
R2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2011-11-19 652360]
R2 Printer Control;Printer Control;C:\Windows\system32\PrintCtrl.exe --> C:\Windows\system32\PrintCtrl.exe [?]
R2 RosettaStoneDaemon;RosettaStoneDaemon;C:\Program Files (x86)\RosettaStoneLtdServices\RosettaStoneDaemon.exe [2010-5-17 1615176]
R2 TurboB;Turbo Boost UI Monitor driver;C:\Windows\system32\DRIVERS\TurboB.sys --> C:\Windows\system32\DRIVERS\TurboB.sys [?]
R3 icsak;icsak;C:\Program Files\CheckPoint\ZAForceField\AK\icsak.sys [2011-5-30 45448]
R3 MBAMProtector;MBAMProtector;\??\C:\Windows\system32\drivers\mbam.sys --> C:\Windows\system32\drivers\mbam.sys [?]
R3 MBfilt;MBfilt;C:\Windows\system32\drivers\MBfilt64.sys --> C:\Windows\system32\drivers\MBfilt64.sys [?]
R3 osppsvc;Office Software Protection Platform;C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-1-9 4925184]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\system32\DRIVERS\Rt64win7.sys --> C:\Windows\system32\DRIVERS\Rt64win7.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 gupdate;Google Update Service (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2010-10-12 136176]
S3 Akamai;Akamai NetSession Interface;C:\Windows\System32\svchost.exe -k Akamai [2009-7-13 20992]
S3 androidusb;SAMSUNG Android Composite ADB Interface Driver;C:\Windows\system32\Drivers\ssadadb.sys --> C:\Windows\system32\Drivers\ssadadb.sys [?]
S3 btusbflt;Bluetooth USB Filter;C:\Windows\system32\drivers\btusbflt.sys --> C:\Windows\system32\drivers\btusbflt.sys [?]
S3 BTWAMPFL;BTWAMPFL;C:\Windows\system32\DRIVERS\btwampfl.sys --> C:\Windows\system32\DRIVERS\btwampfl.sys [?]
S3 btwl2cap;Bluetooth L2CAP Service;C:\Windows\system32\DRIVERS\btwl2cap.sys --> C:\Windows\system32\DRIVERS\btwl2cap.sys [?]
S3 epmntdrv;epmntdrv;C:\Windows\System32\epmntdrv.sys [2011-12-11 9728]
S3 EuGdiDrv;EuGdiDrv;C:\Windows\System32\EuGdiDrv.sys [2011-12-11 3072]
S3 fssfltr;fssfltr;C:\Windows\system32\DRIVERS\fssfltr.sys --> C:\Windows\system32\DRIVERS\fssfltr.sys [?]
S3 fsssvc;Windows Live Family Safety Service;C:\Program Files (x86)\Windows Live\Family Safety\fsssvc.exe [2010-9-23 1493352]
S3 gupdatem;Google Update Service (gupdatem);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2010-10-12 136176]
S3 MEMSWEEP2;MEMSWEEP2;\??\C:\Windows\system32\1D11.tmp --> C:\Windows\system32\1D11.tmp [?]
S3 MSI_DVD_010507;MSI_DVD_010507;C:\PROGRA~1\MSI\MSIWDev\DVDSYS64_100507.sys [2010-5-10 28984]
S3 MSI_VGASYS_010507;MSI_VGASYS_010507;C:\PROGRA~1\MSI\MSIWDev\VGASYS64_100507.sys [2010-5-10 14960]
S3 nosGetPlusHelper;getPlus(R) Helper 3004;C:\Windows\System32\svchost.exe -k nosGetPlusHelper [2009-7-13 20992]
S3 pnetmdm;PdaNet Modem;C:\Windows\system32\DRIVERS\pnetmdm64.sys --> C:\Windows\system32\DRIVERS\pnetmdm64.sys [?]
S3 ssadbus;SAMSUNG Android USB Composite Device driver (WDM);C:\Windows\system32\DRIVERS\ssadbus.sys --> C:\Windows\system32\DRIVERS\ssadbus.sys [?]
S3 ssadmdfl;SAMSUNG Android USB Modem (Filter);C:\Windows\system32\DRIVERS\ssadmdfl.sys --> C:\Windows\system32\DRIVERS\ssadmdfl.sys [?]
S3 ssadmdm;SAMSUNG Android USB Modem Drivers;C:\Windows\system32\DRIVERS\ssadmdm.sys --> C:\Windows\system32\DRIVERS\ssadmdm.sys [?]
S3 StorSvc;Storage Service;C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]
S3 TurboBoost;TurboBoost;C:\Program Files\Intel\TurboBoost\TurboBoost.exe [2009-11-2 126352]
S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\system32\Drivers\usbaapl64.sys --> C:\Windows\system32\Drivers\usbaapl64.sys [?]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]
.
=============== Created Last 30 ================
.
2012-02-27 20:00:48 -------- d-----w- C:\Windows\Microsoft Antimalware
2012-02-27 20:00:23 -------- d-----w- C:\Windows\Windows Defender Offline
2012-02-27 06:43:21 6144 ------w- C:\Windows\System32\1F35.tmp
2012-02-27 06:31:58 -------- d-----w- C:\Users\User\AppData\Roaming\f-secure
2012-02-27 06:31:44 -------- d-----w- C:\ProgramData\F-Secure
2012-02-27 06:24:19 -------- d-----w- C:\TDSSKiller_Quarantine
2012-02-27 06:18:13 6144 ------w- C:\Windows\System32\1D11.tmp
2012-02-27 06:17:53 -------- d-----w- C:\Program Files (x86)\Sophos
2012-02-26 16:48:29 -------- d-----w- C:\Users\User\AppData\Roaming\MusE
2012-02-26 16:48:14 -------- d-----w- C:\Users\User\AppData\Local\MusE
2012-02-26 16:44:27 -------- d-----w- C:\Program Files (x86)\MuseScore
2012-02-19 16:59:47 -------- d-----w- C:\MyBackup
2012-02-19 16:41:29 -------- d-----w- C:\Program Files (x86)\PC Tune-Up
2012-02-15 19:42:25 509952 ----a-w- C:\Windows\System32\ntshrui.dll
2012-02-15 19:42:25 442880 ----a-w- C:\Windows\SysWow64\ntshrui.dll
2012-02-15 19:41:41 515584 ----a-w- C:\Windows\System32\timedate.cpl
2012-02-15 19:41:41 478208 ----a-w- C:\Windows\SysWow64\timedate.cpl
2012-02-15 19:41:40 3143168 ----a-w- C:\Windows\System32\win32k.sys
2012-02-15 19:41:37 499200 ----a-w- C:\Windows\System32\drivers\afd.sys
2012-02-15 19:40:21 690688 ----a-w- C:\Windows\SysWow64\msvcrt.dll
2012-02-15 19:40:21 634368 ----a-w- C:\Windows\System32\msvcrt.dll
2012-02-05 01:36:43 -------- d-----w- C:\Program Files\iTunes
2012-02-05 01:36:43 -------- d-----w- C:\Program Files\iPod
2012-02-05 01:36:43 -------- d-----w- C:\Program Files (x86)\iTunes
2012-02-05 00:46:54 -------- d-----w- C:\sn0wbreeze
2012-02-04 23:39:46 -------- d-----w- C:\iREB
2012-02-04 18:17:55 97240 ----a-w- C:\Program Files (x86)\Mozilla Firefox\libEGL.dll
2012-02-04 18:17:55 801752 ----a-w- C:\Program Files (x86)\Mozilla Firefox\mozsqlite3.dll
2012-02-04 18:17:55 626688 ----a-w- C:\Program Files (x86)\Mozilla Firefox\msvcr80.dll
2012-02-04 18:17:55 548864 ----a-w- C:\Program Files (x86)\Mozilla Firefox\msvcp80.dll
2012-02-04 18:17:55 479232 ----a-w- C:\Program Files (x86)\Mozilla Firefox\msvcm80.dll
2012-02-04 18:17:55 45016 ----a-w- C:\Program Files (x86)\Mozilla Firefox\mozutils.dll
2012-02-04 18:17:55 437208 ----a-w- C:\Program Files (x86)\Mozilla Firefox\libGLESv2.dll
2012-02-04 18:17:55 2106216 ----a-w- C:\Program Files (x86)\Mozilla Firefox\D3DCompiler_43.dll
2012-02-04 18:17:55 1998168 ----a-w- C:\Program Files (x86)\Mozilla Firefox\d3dx9_43.dll
2012-02-04 18:17:55 1911768 ----a-w- C:\Program Files (x86)\Mozilla Firefox\mozjs.dll
2012-02-04 18:17:55 15832 ----a-w- C:\Program Files (x86)\Mozilla Firefox\mozalloc.dll
2012-02-04 18:17:55 134104 ----a-w- C:\Program Files (x86)\Mozilla Firefox\components\browsercomps.dll
.
==================== Find3M ====================
.
2012-02-16 00:16:37 414368 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2011-12-14 07:11:03 2308096 ----a-w- C:\Windows\System32\jscript9.dll
2011-12-14 07:04:30 1390080 ----a-w- C:\Windows\System32\wininet.dll
2011-12-14 07:03:38 1493504 ----a-w- C:\Windows\System32\inetcpl.cpl
2011-12-14 06:57:28 2382848 ----a-w- C:\Windows\System32\mshtml.tlb
2011-12-14 03:04:54 1798656 ----a-w- C:\Windows\SysWow64\jscript9.dll
2011-12-14 02:57:18 1127424 ----a-w- C:\Windows\SysWow64\wininet.dll
2011-12-14 02:56:58 1427456 ----a-w- C:\Windows\SysWow64\inetcpl.cpl
2011-12-14 02:50:04 2382848 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2011-12-10 21:24:08 23152 ----a-w- C:\Windows\System32\drivers\mbam.sys
.
============= FINISH: 19:24:32.39 ===============


Attached Files
File Type: rar Attach.rar (4.1 KB, 38 views)
My System SpecsSystem Spec
02 Mar 2012   #17
usinjin

Windows 7 Professional x64
 
 

Fustrating...it's still in there. I'm up to about 40,000 phishing emails in my inbox now.
My System SpecsSystem Spec
02 Mar 2012   #18
Jacee
Microsoft MVP

Windows 7 Ultimate 32bit SP1
 
 

Let's flush the DNS cash by right clicking a command prompt and clicking to run as Administrator. Copy and paste ipconfig /flushdns, then press the 'enter' key.

Next, download TFC by Old Timer TFC - Temp File Cleaner by OldTimer - Geeks to Go Forums and save it to your desktop.
Save any unsaved work. TFC will close ALL open programs including your browser!
Double-click on TFC.exe to run it. If you are using Vista/Windows 7 right-click on the file and choose Run As Administrator.
Click the Start button to begin the cleaning process and let it run uninterrupted to completion.
Important! If TFC prompts you to reboot, please do so immediately. If not prompted, manually reboot the machine anyway to ensure a complete clean.

Let us know if you're still getting the phishing emails.
My System SpecsSystem Spec
03 Mar 2012   #19
usinjin

Windows 7 Professional x64
 
 

Yet to see if I receive more phishing emails. So far so good. Is there some way I can clear the old ones out? Is there some program I can use? I used 'Find' in Mail to find all the phishing emails, and selected all of them, but they won't delete. Even Shift+delete won't work. The only way currently I can delete is by holding down the delete key, which works until it gets hung up and gives me an error.

Also--I'm getting messages from Mail about my computer sending rogue emails now.


Attached Images
Phishing emails virus, need help to remove-message-warning.jpg 
My System SpecsSystem Spec
03 Mar 2012   #20
Jacee
Microsoft MVP

Windows 7 Ultimate 32bit SP1
 
 

Download Combofix from any of the links below, and save it to your desktop.<--Important
Link 1
Link 2
Link 3

Click on this link Here to see a list of programs that should be disabled.
The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
If your anti-virus or firewall complains, please allow this script to run as it is not malicious.
Next: Disconnect from the internet. If you are on Cable or DSL, unplug your computer from the modem.
Next: Please disable all onboard security programs (all running with back ground protection) as it may hinder the scanner from working.
This includes Antivirus, Firewall, and any Spyware scanners that run in the background.
  • Double click combofix.exe and follow the prompts.
  • When finished, it will produce a log for you. Post that log and a (right click to run as Administrator) HiJackthis Download HijackThis 2.0.4 - FileHippo.com log in your next reply
Note: Do not mouseclick combofix's window while its running. That may cause it to stall
Please be patient while the scan runs, at times it may appear to stall.
When finished and after reboot (in case it asks to reboot), it should open a log, combofix.txt.
Post this log in your next reply together with a new hijackthislog.
After rebooting ensure your Security applications have been re-enabled.

In your next reply post:
ComboFix.txt
New HJT log taken after the above scan has run

***A guide and tutorial on "How to use Combofix" can be found here:
A guide and tutorial on using ComboFix

IF CF won't run:
During the download, rename Combofix.exe to sVchost.exe
My System SpecsSystem Spec
Reply

 Phishing emails virus, need help to remove




Thread Tools Search this Thread
Search this Thread:

Advanced Search




Similar help and support threads
Thread Forum
new HAO 123 virus in Chrome. How to remove?
Hello, i have a HAO 123 virus in my Chrome browser. I also had one in Firefox. This one was easily removed when i followed some instruction videos on youtube. Now this HAO123 virus is different and strange. It does not make a home page. Just when i start Chrome it everytime opens 3 tabs......
System Security
Help me remove virus/infection
Hi Friends, I need some help removing the malware/virus please. I have tried MB but it stuck on Heuristic Analysis for a long time, I am unable to uninstall any programs, right click doesn't respond, I have been using AVG2014 for AV. Thanks in advance.
System Security
phishing emails attack
Hi guys. In the last week, I have been getting quite a few "phishing" emails. 6 from one crowd purporting to be from an Australian bank, saying "a term deposit has been opened.." I deleted those, unopened. (then researched and found it to be a common scam) Today but, I got another one,...
Browsers & Mail
Help Remove Virus
i had windows 7 installed than i installed XP...n i inserted a usb while using XP...the usb contained the "New Folder.exe" virus...n infected my windows....it also infected Windows 7....i formated both drives...now i only have windows 7 installed ... but the effects of the virus are still there......
System Security


Our Sites

Site Links

About Us

Find Us

Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.

Designer Media Ltd

All times are GMT -5. The time now is 14:20.

Twitter Facebook Google+



Windows 7 Forums

Seven Forums Android App Seven Forums IOS App