suite662

Hi MrC, I just checked w/my client. No more "Authentication Required" pop-up. Thank you. You may close this thread now.

R3 was first, then S1. AdwCleanerS1.txt AdwCleanerR3.txt

No "Authentication Required" pop-ups at financial institution websites. Thank you. You may close this thread.

Whoomp, there it is. ComboFix.txt

Good morning. Here are the logs. I did run AdwCleaner initially back on 7/2/13. AdwCleanerR1.txt AdwCleanerR2.txt

I guess I'm good to go? mbar-log-2013-07-08 (23-40-09).txt

Oh, this message popped up when ComboFix started: "The contents of folder C:\Windows\erdnt\Hiv-backup could not be completely deleted!"

Thanks, MrC & Crew. I will run it later tonight as I'm packing up from the office.

RK log RKreport0_S_07082013_162006.txt

Here it is. ComboFix.txt

Similar to my earlier post from today, I'd like to get the ball rolling on this similarly-infected PC. $20 donation posted for all of your hard work! Thank you. attach.txt dds.txt

All malware removed. Thanks again. mbar-log-2013-07-08 (14-13-20).txt mbar-log-2013-07-08 (14-41-53).txt system-log.txt

Thank you, MrC. attach.txt dds.txt RKreport0_S_07082013_134311.txt

Hello and good day to you. As always, your time, efforts, and help are greatly appreciated. As an IT tech, I've run the gamut of the following tools in attempts to rid this process - tzyoev.exe. The symptom is an "authentication required" pop-up window appears when the user logs onto a financial website. rkill, TDSS Killer, ComboFix, RogueKiller, HijackThis, MBAM Thank you. HKimball HijackThis.txt

Hi Jeff. Hope you enjoyed your weekend. I haven't had any problems reported to me and I'm wrapped up in other projects at this time. What other steps did you have in mind? Thank you.

Hey Jeff. I haven't had a chance to revisit the PC since last Friday. I'm pretty confident all is well now. I'll check one more time tomorrow. Remodeling, eh? That's always rewarding once everything is done. Best of luck to ya.

Thank you, Jeff. Here is the latest ComboFix log. Hope this is the final step. Have a great weekend. log.txt

Good morning. TDSSKiller.2.8.15.0_15.01.2013_12.57.28_log.txt

Thank you. TDSSKiller.2.8.15.0_15.01.2013_12.57.28_log.txt

Hi Jeff, After I ran ComboFix in Safe Mode, the PC rebooted into normal mode and produced a CF log. Unfortunately, I ran a simple Google search and it still redirected my search results. log.txt

Hi Jeff, Apologies for the delay. I hope you had a nice weekend. Thank you again for your patience. Here's the link.

Have I been cleansed of my infections? log.txt

Thank you, Jeff. aswMBR version 0.9.9.1707 Copyright© 2011 AVAST Software Run date: 2013-01-09 10:17:43 ----------------------------- 10:17:43.859 OS Version: Windows 5.1.2600 Service Pack 3 10:17:43.859 Number of processors: 1 586 0x401 10:17:43.859 ComputerName: BACKOFFICE UserName: 10:17:44.125 Initialize success 10:27:18.546 AVAST engine defs: 13010900 10:27:29.062 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-e 10:27:29.062 Disk 0 Vendor: Maxtor_6Y080M0 YAR51HW0 Size: 76293MB BusType: 3 10:27:29.093 Disk 0 MBR read successfully 10:27:29.093 Disk 0 MBR scan 10:27:29.140 Disk 0 Windows XP default MBR code 10:27:29.156 Disk 0 Partition 1 00 DE Dell Utility Dell 4.1 31 MB offset 63 10:27:29.187 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 76253 MB offset 64260 10:27:29.187 Disk 0 scanning sectors +156232125 10:27:29.265 Disk 0 scanning C:\WINDOWS\system32\drivers 10:27:38.765 Service scanning 10:27:41.734 Service ACPI C:\WINDOWS\system32\DRIVERS\ACPI.sys **LOCKED** 32 10:27:52.421 Service W32Serv C:\WINDOWS\msisear.exe **INFECTED** Win32:Malware-gen 10:27:54.843 Modules scanning 10:27:58.421 Disk 0 trace - called modules: 10:27:58.484 ntoskrnl.exe CLASSPNP.SYS disk.sys atapi.sys >>UNKNOWN [0x86d7eec9]<< 10:27:58.531 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86f79238] 10:27:58.562 3 CLASSPNP.SYS[f779dfd7] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP1T0L0-e[0x86f78b00] 10:27:58.859 AVAST engine scan C:\WINDOWS 10:28:02.437 File: C:\WINDOWS\msisear.exe **INFECTED** Win32:Malware-gen 10:28:04.671 AVAST engine scan C:\WINDOWS\system32 10:28:13.859 File: C:\WINDOWS\system32\cscrtvdm.dll **INFECTED** Win32:Dropper-gen [Drp] 10:29:59.500 AVAST engine scan C:\WINDOWS\system32\drivers 10:30:13.468 AVAST engine scan C:\Documents and Settings\Administrator 10:30:27.000 AVAST engine scan C:\Documents and Settings\All Users 10:30:42.781 Scan finished successfully 10:30:57.187 Disk 0 MBR has been saved successfully to "E:\MBR.dat" 10:30:57.781 The log file has been saved successfully to "E:\aswMBR.txt"

First off, thank you for helping all of us poor infected souls! It is truly appreciated. 11/28/2012 - Removed 171 malware instances, including, but not limited to, Exploit.Drop.GS, PUM.Disabled.SecurityCenter, PUM.Hijack.TaskManager, PUP.MyWebSearch, RootKit.0Access, Trojan.0Access via MBAM. Repaired and re-registered WMI due to "wmiprvse.exe error. The isntruction at "0x7c910f48" referenced memory at "0x00080179". The memory could not be "written"." <http://windowsxp.mvps.org/repairwmi.htm>. 1/7/2013 - Removed 61 malware files and 7 infected registry keys, including: PUP.FunMoods, PUP.MyWebSearch, RootKit.0Access, RootKit.Zaccess, Trojan.0Access, Trojan.Agent, Trojan.Dropper.BCMiner, Trojan.FakeAlert, Trojan.FakeMS.Ran, Trojan.Reveton via MBAM. Malwarebytes Anti-Malware 1.70.0.1100 www.malwarebytes.org Database version: v2013.01.07.11 Windows XP Service Pack 3 x86 NTFS (Safe Mode/Networking) Internet Explorer 8.0.6001.18702 Administrator :: BACKOFFICE [administrator] 1/7/2013 3:29:05 PM mbam-log-2013-01-07 (15-29-05).txt Scan type: Full scan (C:\|) Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM Scan options disabled: P2P Objects scanned: 295573 Time elapsed: 42 minute(s), 47 second(s) Memory Processes Detected: 0 (No malicious items detected) Memory Modules Detected: 0 (No malicious items detected) Registry Keys Detected: 7 HKLM\SOFTWARE\Google\Chrome\Extensions\cjpglkicenollcignonpgiafdgfeehoj (PUP.FunMoods) -> Quarantined and deleted successfully. HKCR\esrv.funmoodsESrvc.1 (PUP.Funmoods) -> Quarantined and deleted successfully. HKCR\CLSID\{75A4D144-506D-4BE5-81DB-EC7DA1E7F840} (PUP.Funmoods) -> Quarantined and deleted successfully. HKCR\esrv.funmoodsESrvc (PUP.Funmoods) -> Quarantined and deleted successfully. HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C87FC351-A80D-43E9-9A86-CF1E29DC443A} (PUP.Funmoods) -> Quarantined and deleted successfully. HKLM\SOFTWARE\Google\Chrome\Extensions\bbjciahceamgodcoidkjpchnokgfpphh (PUP.Funmoods) -> Quarantined and deleted successfully. HKCR\TypeLib\{960DF771-CFCB-4E53-A5B5-6EF2BBE6E706} (PUP.Funmoods) -> Quarantined and deleted successfully. Registry Values Detected: 0 (No malicious items detected) Registry Data Items Detected: 0 (No malicious items detected) Folders Detected: 0 (No malicious items detected) Files Detected: 61 C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP8\A0004434.exe (PUP.FunMoods) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP8\A0004430.dll (PUP.FunMoods) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP8\A0004431.dll (PUP.FunMoods) -> Quarantined and deleted successfully. C:\Documents and Settings\Will\Local Settings\Application Data\Google\Chrome\User Data\Default\Local Storage\chrome-extension_cjpglkicenollcignonpgiafdgfeehoj_0.localstorage (PUP.FunMoods) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP8\A0004429.dll (PUP.FunMoods) -> Quarantined and deleted successfully. C:\Documents and Settings\Will\Local Settings\Application Data\funmoods-speeddial_sf.crx (PUP.FunMoods) -> Quarantined and deleted successfully. C:\Documents and Settings\Will\Local Settings\temp\DM\hitman-pro_049\software\FunMoodsV2.2.exe (PUP.FunMoods) -> Quarantined and deleted successfully. C:\Documents and Settings\Will\Local Settings\Application Data\funmoods.crx (PUP.Funmoods) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP8\A0004428.dll (PUP.Funmoods) -> Quarantined and deleted successfully. C:\Documents and Settings\Will\Local Settings\Application Data\Google\Chrome\User Data\Default\Local Storage\chrome-extension_bbjciahceamgodcoidkjpchnokgfpphh_0.localstorage (PUP.Funmoods) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1\A0002166.dll (PUP.MyWebSearch) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1\A0002167.dll (PUP.MyWebSearch) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1\A0002184.dll (PUP.MyWebSearch) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1\A0002185.dll (PUP.MyWebSearch) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1\A0002186.dll (PUP.MyWebSearch) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1\A0002183.exe (PUP.MyWebSearch) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1\A0002174.dll (PUP.MyWebSearch) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1\A0002175.dll (PUP.MyWebSearch) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1\A0002176.dll (PUP.MyWebSearch) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1\A0002177.DLL (PUP.MyWebSearch) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1\A0002178.dll (PUP.MyWebSearch) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1\A0002179.dll (PUP.MyWebSearch) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1\A0002180.exe (PUP.MyWebSearch) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1\A0002168.dll (PUP.MyWebSearch) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1\A0002169.dll (PUP.MyWebSearch) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1\A0002170.dll (PUP.MyWebSearch) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1\A0002171.dll (PUP.MyWebSearch) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1\A0002172.dll (PUP.MyWebSearch) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1\A0002173.dll (PUP.MyWebSearch) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1\A0002188.dll (PUP.MyWebSearch) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1\A0002161.exe (PUP.MyWebSearch) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1\A0002162.exe (PUP.MyWebSearch) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1\A0002163.dll (PUP.MyWebSearch) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1\A0002164.exe (PUP.MyWebSearch) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1\A0002165.dll (PUP.MyWebSearch) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1\A0002157.dll (PUP.MyWebSearch) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1\A0002181.dll (PUP.MyWebSearch) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1\A0002182.exe (PUP.MyWebSearch) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1\A0002160.dll (PUP.MyWebSearch) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1\A0002158.dll (PUP.MyWebSearch) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1\A0002159.dll (PUP.MyWebSearch) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1\A0002189.exe (RootKit.0Access) -> Quarantined and deleted successfully. C:\Qoobox\Quarantine\C\RECYCLER\S-1-5-18\$cb647808df4e439ef99fb493984ac6bb\U\000000cb.@.vir (Rootkit.0Access) -> Quarantined and deleted successfully. C:\Qoobox\Quarantine\C\RECYCLER\S-1-5-18\$cb647808df4e439ef99fb493984ac6bb\U\80000032.@.vir (Rootkit.0Access) -> Quarantined and deleted successfully. C:\Documents and Settings\Will\Local Settings\temp\CE17HVG4.exe (Rootkit.0Access) -> Quarantined and deleted successfully. C:\Qoobox\Quarantine\C\RECYCLER\S-1-5-18\$cb647808df4e439ef99fb493984ac6bb\U\00000004.@.vir (Rootkit.Zaccess) -> Quarantined and deleted successfully. C:\Qoobox\Quarantine\C\RECYCLER\S-1-5-18\$cb647808df4e439ef99fb493984ac6bb\n.vir (Trojan.0Access) -> Quarantined and deleted successfully. C:\Qoobox\Quarantine\C\RECYCLER\S-1-5-18\$cb647808df4e439ef99fb493984ac6bb\U\80000000.@.vir (Trojan.0Access) -> Quarantined and deleted successfully. C:\Qoobox\Quarantine\C\WINDOWS\ASSEMBLY\GAC\Desktop.ini.vir (Trojan.0access) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1\A0002191.exe (Trojan.Agent) -> Quarantined and deleted successfully. C:\Documents and Settings\Will\Local Settings\temp\DSAAVFT.exe (Trojan.Agent) -> Quarantined and deleted successfully. C:\Documents and Settings\Will\Local Settings\temp\~!#3EA.tmp (Trojan.Agent) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1\A0002190.exe (Trojan.Agent) -> Quarantined and deleted successfully. C:\Qoobox\Quarantine\C\RECYCLER\S-1-5-18\$cb647808df4e439ef99fb493984ac6bb\U\00000008.@.vir (Trojan.Dropper.BCMiner) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP47\A0007764.exe (Trojan.FakeAV) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1\A0002193.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1\A0002213.dll (Trojan.FakeMS.Ran) -> Quarantined and deleted successfully. C:\Qoobox\Quarantine\C\Documents and Settings\Will\Application Data\dllexp.dll.vir (Trojan.FakeMS.Ran) -> Quarantined and deleted successfully. C:\Documents and Settings\Will\Application Data\Sun\Java\Deployment\cache\6.0\60\6c95f73c-274c1398 (Trojan.FakeMS.Ran) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1\A0002156.exe (Trojan.FakeMS.Ran) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1\A0002194.dll (Trojan.Reveton) -> Quarantined and deleted successfully. (end) DDS.txt Attach.txt