Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works

win32/olmarik.tdl4 trojan Need help to remove [Solved]

  • This topic is locked This topic is locked



    Trusted Helper

  • Malware Removal
  • 2,524 posts
Okay, I see the infection. Please run TDSSKiller again, but this time select delete for the following item:

\Device\Harddisk0\DR0 ( TDSS File System )

Does ESET still give you any warnings? How is the computer running now?
  • 0





  • Topic Starter
  • Member
  • PipPip
  • 16 posts
Eset does not see it anymore and Computer seems to be running good.
  • 0



    Trusted Helper

  • Malware Removal
  • 2,524 posts
Hi David,

Let's sweep for any remnants.

Step 1: Run SecurityCheck

Download Security Check by screen317 from here or here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Step 2: Run MBAM.

Please download Malwarebytes' Anti-Malware
  • Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.

Step 3: Run online scan.

Please run a free on line scan with BitDefender Online Scanner

  • Click the green Start Scanner button
  • Click the green Scan Now button and wait a few seconds until a request appears from Bitdefender
  • Accept the plugin installation
  • Restart your browser in Administation mode if requested
  • Click the green Scan Now button again
  • Accept the eula agreement if asked
  • The scan should start. It will be relatively quick.
  • Click View report (note: this is not the green button - Free download - just click on the words View report under the black button "Get QuickScan for your website")
  • Notepad will open with a log
  • Save to your desktop
  • Copy and paste the report back here

Step 4: Upload MBR. You should have a file on your desktop named "MBR.dat" Could you please upload that to dropbox and send me a share link.

Things I need in your next reply:
  • SecurityCheck log
  • MBAM log
  • ESET log
  • dropbox link
  • Any outstanding problems?

  • 0




  • Topic Starter
  • Member
  • PipPip
  • 16 posts
Results of screen317's Security Check version 0.99.63
Windows 7 Service Pack 1 x64 (UAC is disabled!)
Internet Explorer 9
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Disabled!
ESET Smart Security 4.2
Antivirus up to date!
`````````Anti-malware/Other Utilities Check:`````````
Java 7 Update 17
Java version out of Date!
Adobe Reader 10.1.6 Adobe Reader out of Date!
Google Chrome 26.0.1410.43
Google Chrome 26.0.1410.64
````````Process Check: objlist.exe by Laurent````````
ESET NOD32 Antivirus egui.exe
ESET NOD32 Antivirus ekrn.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C: 3%
````````````````````End of Log``````````````````````


Malwarebytes Anti-Malware (Trial)

Database version: v2013.05.13.03

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 10.0.9200.16540
David Blankenship :: DWB-PC [administrator]

Protection: Enabled

5/13/2013 7:52:24 AM
mbam-log-2013-05-13 (07-52-24).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 440736
Time elapsed: 4 minute(s), 28 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

  • 0




  • Topic Starter
  • Member
  • PipPip
  • 16 posts

QuickScan 32-bit v0.9.9.118
Scan date: Mon May 13 08:19:04 2013
Machine ID: A66E5A86

No infection found.

(unsigned) 3440 C:\UPS\WSTD\UPSNA1Msgr.exe
(unsigned) QBDBMgrN.exe 4760 C:\Program Files (x86)\Intuit\QuickBooks Enterprise Solutions 12.0\QBDBMgrN.exe
(unsigned) QBIDPService 2436 C:\Program Files (x86)\Common Files\Intuit\DataProtect\QBIDPService.exe
(unsigned) QuickBooks for Windows 2256 C:\Program Files (x86)\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
(unsigned) WSTDMessaging Application 1204 C:\UPS\WSTD\WSTDMessaging.exe

(verified) AcroTray - Adobe Acrobat Distiller help 4820 C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\acrotray.exe
(verified) Adobe Acrobat Update Service 1476 C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
(verified) Akamai NetSession Client 128 C:\Users\David Blankenship\AppData\Local\Akamai\netsession_win.exe
(verified) Akamai NetSession Client 4152 C:\Users\David Blankenship\AppData\Local\Akamai\netsession_win.exe
(verified) ButtonMonitor 1808 C:\Program Files (x86)\Gateway Photo Frame\ButtonMonitor.exe
(verified) Control Center 3 856 C:\Program Files (x86)\Brother\ControlCenter3\BrccMCtl.exe
(verified) Dropbox 4348 C:\Users\David Blankenship\AppData\Roaming\Dropbox\bin\Dropbox.exe
(verified) ESET Smart Security 1728 C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe
(verified) Global Registration Service 1792 C:\Program Files (x86)\Gateway\Registration\GREGsvc.exe
(verified) Google Toolbar for Internet Explorer 3636 C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe
(verified) GoogleToolbarNotifier 4900 C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
(verified) Hotkey Utility 4468 C:\Program Files (x86)\Gateway\Hotkey Utility\HotkeyUtility.exe
(verified) iTunes 3512 C:\Program Files (x86)\iTunes\iTunesHelper.exe
(verified) Java™ Platform SE Auto Updater 2 0 1760 C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
(verified) Malwarebytes Anti-Malware 4768 C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
(verified) Malwarebytes Anti-Malware 3672 C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe
(verified) Malwarebytes Anti-Malware 5340 C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
(verified) Microsoft Outlook 2164 C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE
(verified) Microsoft SQL Server 2612 C:\Program Files (x86)\MICROSOFT SQL SERVER\90\Shared\sqlbrowser.exe
(verified) Microsoft SQL Server 1280 C:\UPS\WSTD\MSSQL.1\MSSQL\Binn\sqlservr.exe
(verified) MobileDeviceService 1616 C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(verified) PaperPort 848 C:\Program Files (x86)\ScanSoft\PaperPort\pptd40nt.exe
(verified) QuickBooks 1172 C:\Program Files (x86)\Intuit\QuickBooks Enterprise Solutions 12.0\QBW32.EXE
(verified) QuickBooks Automatic Update 2856 C:\Program Files (x86)\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
(verified) Quickbooks Web Connector 344 C:\Program Files (x86)\Common Files\Intuit\QuickBooks\QBWebConnector\QBWebConnector.exe
(verified) RAID Event Monitor 4640 C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe
(verified) RAID Monitor 2124 C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTmon.exe
(verified) Retrospect 2540 C:\Program Files (x86)\Retrospect\Retrospect Client\RemotSvc.exe
(verified) Retrospect 2568 C:\Program Files (x86)\Retrospect\Retrospect Client\retroclient.exe
(verified) Spotify 4912 C:\Program Files (x86)\Spotify\Data\SpotifyWebHelper.exe
(verified) Updater Service 2804 C:\Program Files\Gateway\Gateway Updater\UpdaterService.exe
(verified) USBS3S4Detection 2844 C:\OEM\USBDECTION\USBS3S4Detection.exe
(verified) Windows® Internet Explorer 4632 C:\Program Files (x86)\Internet Explorer\iexplore.exe
(verified) Windows® Internet Explorer 928 C:\Program Files (x86)\Internet Explorer\iexplore.exe
(verified) Yahoo! AutoUpdater 2912 C:\Program Files (x86)\Yahoo!\SoftwareUpdate\YahooAUService.exe

Network activity
Process iexplore.exe (928) connected on port 80 (HTTP) -->
Process iexplore.exe (928) connected on port 80 (HTTP) -->
Process iexplore.exe (928) connected on port 80 (HTTP) -->
Process iexplore.exe (928) connected on port 80 (HTTP) -->
Process iexplore.exe (928) connected on port 80 (HTTP) -->
Process iexplore.exe (928) connected on port 80 (HTTP) -->
Process iexplore.exe (928) connected on port 80 (HTTP) -->
Process Dropbox.exe (4348) connected on port 80 (HTTP) -->
Process iexplore.exe (4632) connected on port 80 (HTTP) -->
Process iexplore.exe (4632) connected on port 80 (HTTP) -->
Process iexplore.exe (4632) connected on port 80 (HTTP) -->
Process iexplore.exe (4632) connected on port 80 (HTTP) -->
Process iexplore.exe (4632) connected on port 80 (HTTP) -->

Process sqlservr.exe (1280) listens on ports: 50321
Process QBCFMonitorService.exe (2256) listens on ports: 8019
Process retroclient.exe (2568) listens on ports: 497 (Retrospect)
Process Dropbox.exe (4348) listens on ports: 17500
Process QBDBMgrN.exe (4760) listens on ports: 55348

Autoruns and critical files
(unsigned) C:\UPS\WSTD\UPSNA1Msgr.exe
(unsigned) Brother Status Monitor Application C:\Program Files (x86)\Brother\Brmfcmon\BrMfcWnd.exe
(unsigned) QBDBMgrN.exe C:\PROGRA~2\Intuit\QUICKB~2.0\QBDBMgrN.exe
(unsigned) QuickTime C:\Program Files (x86)\QuickTime\QTTask.exe
(unsigned) UPS WorldShip® - wstdPldReminder Applic C:\UPS\WSTD\wstdPldReminder.exe
(unsigned) WSTDMessaging Application C:\UPS\WSTD\WSTDMessaging.exe

(verified) AcroTray - Adobe Acrobat Distiller help C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\acrotray.exe
(verified) Adobe Reader and Acrobat Manager C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
(verified) Adobe Updater Startup Utility C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe
(verified) Adobe® Flash® Player Update Service C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
(verified) Akamai NetSession Client C:\Users\David Blankenship\AppData\Local\Akamai\netsession_win.exe
(verified) Apple Push C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe
(verified) ButtonMonitor C:\Program Files (x86)\Gateway Photo Frame\ButtonMonitor.exe
(verified) ControlCenter C:\Program Files (x86)\Brother\ControlCenter3\brctrcen.exe
(verified) Data Protect C:\Program Files (x86)\Common Files\Intuit\DataProtect\IntuitDataProtect.exe
(verified) Dropbox C:\Users\David Blankenship\AppData\Roaming\Dropbox\bin\Dropbox.exe
(verified) ESET Smart Security C:\Program Files\ESET\ESET Smart Security\egui.exe
(verified) Google Update C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
(verified) GoogleToolbarNotifier C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
(verified) Hotkey Utility C:\Program Files (x86)\Gateway\Hotkey Utility\HotkeyUtility.exe
(verified) IntuitSyncManager C:\Program Files (x86)\Common Files\Intuit\Sync\IntuitSyncManager.exe
(verified) iTunes C:\Program Files (x86)\iTunes\iTunesHelper.exe
(verified) Java™ Platform SE Auto Updater 2 0 C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
(verified) LogMeIn C:\Program Files (x86)\LogMeIn\x64\LogMeInSystray.exe
(verified) Malwarebytes Anti-Malware C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
(verified) Microsoft® Windows® Operating System c:\windows\system32\userinit.exe
(verified) PaperPort C:\Program Files (x86)\ScanSoft\PaperPort\IndexSearch.exe
(verified) PaperPort C:\Program Files (x86)\ScanSoft\PaperPort\pptd40nt.exe
(verified) QuickBooks C:\Program Files (x86)\Intuit\QuickBooks Enterprise Solutions 12.0\QBW32.EXE
(verified) QuickBooks Automatic Update C:\Program Files (x86)\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
(verified) QuickBooks for Windows C:\Program Files (x86)\Intuit\QuickBooks Enterprise Solutions 12.0\AutoBackupEXE.exe
(verified) Quickbooks Web Connector C:\Program Files (x86)\Common Files\Intuit\QuickBooks\QBWebConnector\QBWebConnector.exe
(verified) RAID Event Monitor C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe
(verified) Realtek HD Audio Manager C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
(verified) Spotify C:\Program Files (x86)\Spotify\Data\SpotifyWebHelper.exe
(verified) Spotify C:\Program Files (x86)\Spotify\Spotify.exe
(verified) SSBkgdUpdate C:\Program Files (x86)\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe
(verified) SSEreg C:\Program Files (x86)\ScanSoft\PaperPort\Ereg\Ereg.exe
(verified) Windows® Internet Explorer c:\windows\syswow64\webcheck.dll

Browser plugins
(unsigned) ActiveX hosting plugin for Firefox C:\Program Files\Firefox ActiveX Plugin\npffax.dll
(unsigned) Alchemy® C:\Windows\Downloaded Program Files\FirstVwr.dll
(unsigned) CCViewer ActiveX Control Module C:\Windows\Downloaded Program Files\ccviewer.ocx
(unsigned) ProductView Lite Viewer C:\Windows\Downloaded Program Files\pvcadview.ocx
(unsigned) ProductView Resource Library C:\Windows\Downloaded Program Files\pvresenu.dll
(unsigned) Shockwave for Director C:\Windows\SysWOW64\Adobe\Director\np32dsw.dll

(verified) AcroIEHelperShim Library c:\program files (x86)\common files\adobe\acrobat\activex\acroiehelpershim.dll
(verified) Adobe Acrobat C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\Air\nppdf32.dll
(verified) Adobe Acrobat C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll
(verified) Adobe PDF Toolbar for IE c:\program files (x86)\common files\adobe\acrobat\wcieactivex\acroiefavclient.dll
(verified) AdobeAAMDetect C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\CCM\Utilities\npAdobeAAMDetect32.dll
(verified) Bitdefender QuickScan C:\Windows\Downloaded Program Files\qsax.dll
(verified) Bonjour C:\Program Files (x86)\Bonjour\mdnsNSP.dll
(verified) Bonjour C:\Program Files\Bonjour\mdnsNSP.dll
(verified) Google Toolbar for Internet Explorer C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
(verified) Google Update C:\Program Files (x86)\Google\Update\\npGoogleUpdate3.dll
(verified) Info-ZIP's UnZip Windows DLL C:\Windows\Downloaded Program Files\unzip32.dll
(verified) InstallShield Update Service C:\Windows\Downloaded Program Files\dwusplay.dll
(verified) InstallShield Update Service C:\Windows\Downloaded Program Files\dwusplay.exe
(verified) InstallShield Update Service C:\Windows\Downloaded Program Files\isusweb.dll
(verified) Java Deployment Toolkit C:\Windows\SysWOW64\npDeployJava1.dll
(verified) Java™ Platform SE 7 U17 C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
(verified) Java™ Platform SE 7 U17 C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll
(verified) Java™ Platform SE 7 U17 C:\Program Files (x86)\Java\jre7\bin\ssv.dll
(verified) LMIGuardianDll C:\Windows\Downloaded Program Files\CONFLICT.1\LMIGuardianDll.dll
(verified) LMIGuardianDll C:\Windows\Downloaded Program Files\LMIGuardianDll.dll
(verified) LMIGuardianEvt C:\Windows\Downloaded Program Files\CONFLICT.1\LMIGuardianEvt.dll
(verified) LMIGuardianEvt C:\Windows\Downloaded Program Files\LMIGuardianEvt.dll
(verified) LMIGuardianSvc C:\Windows\Downloaded Program Files\CONFLICT.1\LMIGuardian.exe
(verified) LMIGuardianSvc C:\Windows\Downloaded Program Files\LMIGuardian.exe
(verified) LMIProxyHelper.exe C:\Windows\Downloaded Program Files\CONFLICT.1\LMIProxyHelper.exe
(verified) LMIProxyHelper.exe C:\Windows\Downloaded Program Files\LMIProxyHelper.exe
(verified) LogMeIn, Inc. Remote Access Components C:\Windows\Downloaded Program Files\avutil-51.dll
(verified) LogMeIn, Inc. Remote Access Components C:\Windows\Downloaded Program Files\CONFLICT.1\avutil-51.dll
(verified) LogMeIn, Inc. Remote Access Components C:\Windows\Downloaded Program Files\CONFLICT.1\swscale-2.dll
(verified) LogMeIn, Inc. Remote Access Components C:\Windows\Downloaded Program Files\swscale-2.dll
(verified) LogMeIn, Inc. Remote Access Components C:\Windows\Downloaded Program Files\CONFLICT.1\LMIBroker.exe
(verified) LogMeIn, Inc. Remote Access Components C:\Windows\Downloaded Program Files\LMIBroker.exe
(verified) Microsoft Office 2010 C:\Program Files (x86)\Microsoft Office\Office14\NPAUTHZ.DLL
(verified) Microsoft Office 2010 C:\Program Files (x86)\Microsoft Office\Office14\NPSPWRAP.DLL
(verified) Microsoft Office 2010 c:\program files (x86)\microsoft office\office14\urlredir.dll
(verified) Microsoft Support Diagnostic Tool C:\Windows\Downloaded Program Files\MSDCode.DLL
(verified) Microsoft® Windows Live Login Helper c:\program files (x86)\common files\microsoft shared\windows live\windowslivelogin.dll
(verified) Microsoft® Windows® Operating System C:\Windows\System32\mswsock.dll
(verified) Microsoft® Windows® Operating System C:\Windows\system32\napinsp.dll
(verified) Microsoft® Windows® Operating System C:\Windows\system32\NLAapi.dll
(verified) Microsoft® Windows® Operating System C:\Windows\system32\pnrpnsp.dll
(verified) Microsoft® Windows® Operating System C:\Windows\System32\winrnr.dll
(verified) npitunes.dll C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll
(verified) RACtrl.dll C:\Windows\Downloaded Program Files\CONFLICT.1\RACtrl.dll
(verified) RACtrl.dll C:\Windows\Downloaded Program Files\RACtrl.dll
(verified) Silverlight Plug-In c:\Program Files (x86)\Microsoft Silverlight\5.1.20125.0\npctrl.dll
(verified) WebEx Download Module C:\Windows\Downloaded Program Files\ieatgpc.dll
(verified) Windows Live® Photo Gallery C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
(verified) Windows® Internet Explorer C:\Windows\SysWOW64\ieframe.dll
(verified) Yahoo Application State Plugin C:\Program Files (x86)\Yahoo!\Shared\npYState.dll
(verified) Yahoo! Single Instance for Mail c:\program files (x86)\yahoo!\companion\installs\cpn\ytsingleinstance.dll
(verified) Yahoo! Toolbar c:\program files (x86)\yahoo!\companion\installs\cpn\yt.dll

MD5: 4d5d968fe6ae6bf94a807f73f7ff6b3d C:\Program Files (x86)\Brother\Brmfcmon\BrMfcWnd.exe
MD5: 9cbc05b2044af8f85d7ca39f3588db06 C:\Program Files (x86)\Brother\ControlCenter3\brccimg.dll
MD5: 25fc19badf78b7fb1d835aac4b0b91a5 C:\Program Files (x86)\Common Files\Intuit\DataProtect\QBIDPService.exe
MD5: c8da4746d1c87fe3e5dcc3ce86218b62 C:\Program Files (x86)\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
MD5: baddb92180ec4ad9305527b82c3a3952 C:\Program Files (x86)\Gateway Photo Frame\IOIUSBLib.dll
MD5: e8cb18769f6abf4c4092dafd720a7d01 C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\ENU\IAAMon_ENU.dll
MD5: 79ea8dc31d5c22ad7d183de881c0ca7b C:\Program Files (x86)\Intuit\QuickBooks Enterprise Solutions 12.0\QBDBMgrN.exe
MD5: f34291e4305e1d2ddc71c86b55ca4204 C:\Program Files (x86)\Intuit\QuickBooks Enterprise Solutions 12.0\qbFAM11AddIn.dll
MD5: f5f89223674d5fd4dd0e6017397e17a7 C:\Program Files (x86)\Intuit\QuickBooks Enterprise Solutions 12.0\qbxladin.dll
MD5: be898323af20674c1adb083b5b30e9fb C:\Program Files (x86)\Intuit\QuickBooks Enterprise Solutions 12.0\SSCE5232.dll
MD5: 8dda2b606279753601f9415da503ca63 C:\Program Files (x86)\QuickTime\QTTask.exe
MD5: 658e395b175344c51279fcdec7cf2a60 C:\Program Files\Firefox ActiveX Plugin\npffax.dll
MD5: 79ea8dc31d5c22ad7d183de881c0ca7b C:\PROGRA~2\Intuit\QUICKB~2.0\QBDBMgrN.exe
MD5: 60e452f35b0d5c810367c25a17a6a9cb C:\UPS\WSTD\DBSupportEngine.ocx
MD5: 32fdbeb42f0cc656a986a92ecba00865 C:\UPS\WSTD\InteropFrameworkCore.dll
MD5: cd175dd20ebbfb5fbba0cd251ea79e3c C:\UPS\WSTD\PolicyMgr\Microsoft.ApplicationBlocks.Data.dll
MD5: 4f3c4f3ba76d682a86012c684616b48b C:\UPS\WSTD\PolicyMgr\UPS.Components.LANPolicyManager.dll
MD5: f401b6ff4e61f184047e0061baaaabc2 C:\UPS\WSTD\PolicyMgr\UPS.Components.NA1MessengerServer.dll
MD5: 512c4be82780c16818cb33afbfb70461 C:\UPS\WSTD\PolicyMgr\UPS.Components.PolicyActions.dll
MD5: 8318400f65ea5360c6a8037014c722dc C:\UPS\WSTD\PolicyMgr\UPS.Components.PolicyHolder.dll
MD5: 655f876489ccc26bd12e500423b8a683 C:\UPS\WSTD\UPS.Interop.ManagedProxies.dll
MD5: a087dedbac44833df43d0b3bc9ab4dd6 C:\UPS\WSTD\UPS.InteropFramework.Core.dll
MD5: ddb47dc612dd956e2497d1f2e81ae179 C:\UPS\WSTD\UPS.InteropFramework.Util.dll
MD5: 636717a6bb93d5e5a953b2d9243c8f4c C:\UPS\WSTD\UPSNA1Msgr.exe
MD5: 5824c6a21145849b8d2ded8a65c9f714 C:\UPS\WSTD\UPSResourceManager.dll
MD5: 9fbb235505d26d3d1d59efed240211cd C:\UPS\WSTD\wstdCommon.dll
MD5: dc57a8ee4356faca1d0a593be543bfba C:\UPS\WSTD\WSTDMessaging.exe
MD5: 72603549098ca5611e28d0b55277c679 C:\UPS\WSTD\wstdPldReminder.exe
MD5: 5434e18b933e03f274d8da59fda4c676 C:\Users\David Blankenship\AppData\Roaming\Dropbox\bin\icudt.dll
MD5: e9610e3e8ec4043767601f5f16c6d4ec C:\Users\David Blankenship\AppData\Roaming\Dropbox\bin\libcef.dll
MD5: 21bfa433415377c6c9e428202bdfa9f9 C:\Users\David Blankenship\AppData\Roaming\Dropbox\bin\wxmsw28uh_vc.dll
MD5: c3e39fb1398eee8e612c2fe53a9192ef C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\7150b9136fad5b79e88f6c7f9d3d2c39\mscorlib.ni.dll
MD5: 21e110ff1c0e948860458bd7b692de13 C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Configuration\195a77fcc6206f8bb35d419ff2cf0d72\System.Configuration.ni.dll
MD5: ef982260a3102b065d94f1e5959ec8b9 C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Data\dd20416f723ee13ffb4173ec1afc4ec4\System.Data.ni.dll
MD5: 27e79a455ef80647f4f57fa3c2b09c94 C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\eead6629e384a5b69f9ae35284b7eeed\System.Drawing.ni.dll
MD5: bacd83a35760cd6281761f2f139c11e9 C:\Windows\assembly\NativeImages_v2.0.50727_32\System.EnterpriseSe#\01c6cb58745f397c9b7ccf3ab7bfc9cd\System.EnterpriseServices.ni.dll
MD5: 7765680e25e329708cb034b180cf9fcd C:\Windows\assembly\NativeImages_v2.0.50727_32\System.ServiceProce#\7ff638de44686eab4afaa8b3c8a9cfca\System.ServiceProcess.ni.dll
MD5: 8f1913ee046f16d263a793d53bc108db C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Transactions\536d704e93ffec9b54e4a0312fb5b996\System.Transactions.ni.dll
MD5: 9db9236e5f12c588246b372203054ba4 C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\a59cf850ee6b2a003167700b648ba9c7\System.Windows.Forms.ni.dll
MD5: 871f7f32e3441580138e61a4aa072df6 C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Xml\f687c43e9fdec031988b33ae722c4613\System.Xml.ni.dll
MD5: 3518cb4e2d896cab53d5386f15ac0566 C:\Windows\assembly\NativeImages_v2.0.50727_32\System\369f8bdca364e2b4936d18dea582912c\System.ni.dll
MD5: 199c95db9a406ad7a248d2a1f30edd7e C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\506bcca8d286f754825f3f1b0bf64894\mscorlib.ni.dll
MD5: 4c0a6fd6b822ff2acd36ad32dcc91ec7 C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\3249b5065782afda9ed38b3796d96072\System.Configuration.ni.dll
MD5: 63def42d835530a83e6b89db9870f9fb C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Drawing\d8e2d3037c3d36f5a7c763970400e79c\System.Drawing.ni.dll
MD5: 9b8b5fd5ce0da1a278bf034fbcdbaf80 C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Runt73a1fc9d#\a595bfbd401ddaea721588f5e88af1a9\System.Runtime.Remoting.ni.dll
MD5: 1c03a21c2bb9c248bf282bce11c8ce1d C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Serv759bfb78#\0388b25703f1048b713f118b4891e2d4\System.ServiceProcess.ni.dll
MD5: 86ea604ba2db9722e3bc17eb69dae509 C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Windows.Forms\be794c59743c08f79144dcb474736cdf\System.Windows.Forms.ni.dll
MD5: 4e297a0b77a665107a35e06fd3b7449e C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\130613a664d9a4237b5b22c3c80f6d96\System.Xml.ni.dll
MD5: e640bb7869e3b21f086cc7624b64bb00 C:\Windows\assembly\NativeImages_v4.0.30319_32\System\84371136df209abcd5fbf89db89f2e97\System.ni.dll
MD5: a805db8b4f21a18bf627c3b10087a1c8 C:\Windows\Downloaded Program Files\ccviewer.ocx
MD5: 14a057174a9b8cd1565ca2ae25ebeb1b C:\Windows\Downloaded Program Files\FirstVwr.dll
MD5: 527ab474312e11a8a62828c51a5c7ab7 C:\Windows\Downloaded Program Files\pvcadview.ocx
MD5: 13b266963d0b747047d9be70b4ef6512 C:\Windows\Downloaded Program Files\pvresenu.dll
MD5: ae3e1bd0d6c6a9116b44b341b27b3aee C:\Windows\SysWOW64\Adobe\Director\np32dsw.dll
MD5: 38e1a82ea77e591245fd7487a7e32fe8 C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.6229_none_d089f796442de10e\MSVCP80.dll
MD5: 2a617261b0de3b9ac1ee5f83cf1fd830 C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.6229_none_d089f796442de10e\MSVCR80.dll
MD5: d34a527493f39af4491b3e909dc697ca C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcm90.dll

No file uploaded.

Scan finished - communication took 1 sec
Total traffic - 0.00 MB sent, 0.16 KB recvd
Scanned 738 files and modules - 33 seconds

  • 0




  • Topic Starter
  • Member
  • PipPip
  • 16 posts

  • 0




  • Topic Starter
  • Member
  • PipPip
  • 16 posts
I appreciate our help in this matter.

As far as any problems I am not seeing anything else at this time. Obviously I use Eset as my Virus Protection. In your opinion is it any good or something else you would recommend? Also is there a Registry Cleaner you would recommend?
  • 0



    Trusted Helper

  • Malware Removal
  • 2,524 posts

As far as any problems I am not seeing anything else at this time. Obviously I use Eset as my Virus Protection. In your opinion is it any good or something else you would recommend? Also is there a Registry Cleaner you would recommend?

If you have a paid subscription for ESET, then I would continue to use that. If you would like to try something else when the subscription runs out, I recommend the free Avast or Microsoft Security Essentials. As for registry cleaners, you should stay away from them. They will not increase system performance by any appreciable amount and are liable to make yours system unbootable in some cases. The temp file cleaner I recommend below should be sufficient.

Now for the best part,

Congratulations, Ren12 :). Your computer now appears to be clean. Please complete the followings steps to finalize the cleaning process.

It would be a good idea also to reset your firewall in case the malware opened any ports.

Please update these programs, as old versions pose a security risk.
  • Java

    WARNING: Java is the #1 exploited program at this time. The Department of Homeland Security recommends that computer users disable Java
    See this article and this article.
    I would recommend that you completely uninstall Java unless you need it to run an important software.
    In that instance I would recommend that you disable Java in your browsers until you need it for that software and then enable it. (See How to diasble Java in your web browser and How to unplug Java from the browser)

    If you do need java, then you should definitely update to the latest version:

    Please download JavaRa to your desktop and unzip it to its own folder
    • Run JavaRa.exe, then click Remove JRE.
    • Run the built-in uninstallers for all copies of java listed
    • Click the Next button
    • Click the Next button again
    • Click the Java Manual Download link
    • A browser window will open with the Java download page
    • Click the Windows Offline (32-bit) or Windows Offline (64-bit) link to download Java (based on your browser type)
    • Run the installer
    • Close JavaRa
  • Adobe Reader -> You can get the latest version here.

    I would recommend securing Adobe Reader against the latest exploits as follows:
    • Launch Adobe Reader.
    • Click on Edit and select Preferences.
    • On the Left, click on the Javascript category and Uncheck Enable Acrobat Javascript.
    • Click on the Security (Enhanced) category and Uncheck Automatically trust sites from my Win OS security zones.
    • Click on the Trust Manager category and Uncheck Allow opening of non-PDF file attachments with external applications.
    • Click the OK button.

Uninstall Combofix:
  • Hold down the Windows key + R on your keyboard. This will display the Run dialogue box.
  • In the Run box, type in ComboFix /Uninstall (Notice the space between the "x" and "/") then click OK.
  • Follow the prompts on the screen.
  • A message should appear confirming that ComboFix was uninstalled.

Clean up OTL:
  • Open OTL and select the "CleanUp" button.
  • Allow the computer to reboot.
  • Any logs or removal tools left over can be deleted now. If ESET is still installed, you can uninstall it from the "Programs and Features" menu in the control panel.

Delete possibly infected restore points. Your computer may have saved a restore point while it was infected, so we need to delete the old restore points and create a new, clean one.

First set up a new, clean restore point:
  • Open System by clicking the Start button, right-clicking Computer, and then clicking Properties.
  • In the left pane, click System protection. If you're prompted for an administrator password or confirmation, type the password or provide confirmation.
  • Click the System Protection tab, and then click Create.
  • In the System Protection dialog box, type a description, and then click Create.

Then delete the old, infected ones:
  • Go Start > All Programs > Accessories > System Tools
  • Right click Disc Cleanup and select run as administrator
  • Then select the more options tab
  • Select system restore and shadow copies "Clean up"
  • Follow the prompts

Turn on UAC: You have UAC disabled on your computer. I would recommend turning it on, because it provides additional protection to keep malicious software from running on your computer with higher privileges. To turn it on, do the following:
  • Open User Account Control Settings by clicking the Start button, and then clicking Control Panel. In the search box, type uac, and then click Change User Account Control settings.
  • Move the slider to the default position, and then click OK. If you're prompted for an administrator password or confirmation, type the password or provide confirmation.

Empty temp files. I would recommend doing this every so often to free up some space on your computer.

Download TFC to your desktop
  • Open the file and close any other windows.
  • It will close all programs itself when run, make sure to let it run uninterrupted.
  • Click the Start button to begin the process. The program should not take long to finish its job
  • Once its finished it should reboot your machine, if not, do this yourself to ensure a complete clean

Ensure that Windows is always updated. Keeping Windows updated is very important to prevent security vulnerabilities. I recommend turning on automatic updates following the instructions below:
  • First, click on Start and click onAll Programs, then Windows Update.
  • Click on Change Settings in the left pane and then check the option for Automatic Updates.

Always ensure that your firewall and anti-virus program are updated and running. These are your first line of defense against infection.

Make sure that you keep all of your programs updated. Out-of-date programs can make your computer more vulnerable to infection. Software manufacturers release updates to fix security problems as they are discovered. Secunia Personal Software Inspector, free to download here, is a good program that will scan your computer looking for programs that need to be updated.

This article has good information about how computers get infected. You can read it for good tips on staying clean and safe.
  • 0




  • Topic Starter
  • Member
  • PipPip
  • 16 posts
I will do the remaining instructions as instructed and appreciate your help.
  • 0



    Trusted Helper

  • Malware Removal
  • 2,524 posts
Your welcome. Posted Image
  • 0




    Trusted Helper

  • Malware Removal
  • 2,524 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0

Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP