Posts posted by suite662
-
No "Authentication Required" pop-ups at financial institution websites. Thank you. You may close this thread.
-
Whoomp, there it is.
-
Good morning. Here are the logs. I did run AdwCleaner initially back on 7/2/13.
-
I guess I'm good to go?
-
Oh, this message popped up when ComboFix started: "The contents of folder C:\Windows\erdnt\Hiv-backup could not be completely deleted!"
-
Thanks, MrC & Crew. I will run it later tonight as I'm packing up from the office.
-
Here it is.
-
Similar to my earlier post from today, I'd like to get the ball rolling on this similarly-infected PC. $20 donation posted for all of your hard work! Thank you.
-
All malware removed. Thanks again.
mbar-log-2013-07-08 (14-13-20).txt
-
Hello and good day to you. As always, your time, efforts, and help are greatly appreciated.
As an IT tech, I've run the gamut of the following tools in attempts to rid this process - tzyoev.exe. The symptom is an "authentication required" pop-up window appears when the user logs onto a financial website.
rkill, TDSS Killer, ComboFix, RogueKiller, HijackThis, MBAM
Thank you.
-
Hi Jeff. Hope you enjoyed your weekend. I haven't had any problems reported to me and I'm wrapped up in other projects at this time. What other steps did you have in mind? Thank you.
-
Hey Jeff. I haven't had a chance to revisit the PC since last Friday. I'm pretty confident all is well now. I'll check one more time tomorrow.
Remodeling, eh? That's always rewarding once everything is done. Best of luck to ya.
-
Thank you, Jeff. Here is the latest ComboFix log. Hope this is the final step. Have a great weekend.
-
Hi Jeff,
After I ran ComboFix in Safe Mode, the PC rebooted into normal mode and produced a CF log. Unfortunately, I ran a simple Google search and it still redirected my search results.

-
Hi Jeff,
Apologies for the delay. I hope you had a nice weekend. Thank you again for your patience.
Here's the link.
-
Have I been cleansed of my infections?

-
Thank you, Jeff.
aswMBR version 0.9.9.1707 Copyright© 2011 AVAST Software
Run date: 2013-01-09 10:17:43
-----------------------------
10:17:43.859 OS Version: Windows 5.1.2600 Service Pack 3
10:17:43.859 Number of processors: 1 586 0x401
10:17:43.859 ComputerName: BACKOFFICE UserName:
10:17:44.125 Initialize success
10:27:18.546 AVAST engine defs: 13010900
10:27:29.062 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-e
10:27:29.062 Disk 0 Vendor: Maxtor_6Y080M0 YAR51HW0 Size: 76293MB BusType: 3
10:27:29.093 Disk 0 MBR read successfully
10:27:29.093 Disk 0 MBR scan
10:27:29.140 Disk 0 Windows XP default MBR code
10:27:29.156 Disk 0 Partition 1 00 DE Dell Utility Dell 4.1 31 MB offset 63
10:27:29.187 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 76253 MB offset 64260
10:27:29.187 Disk 0 scanning sectors +156232125
10:27:29.265 Disk 0 scanning C:\WINDOWS\system32\drivers
10:27:38.765 Service scanning
10:27:41.734 Service ACPI C:\WINDOWS\system32\DRIVERS\ACPI.sys **LOCKED** 32
10:27:52.421 Service W32Serv C:\WINDOWS\msisear.exe **INFECTED** Win32:Malware-gen
10:27:54.843 Modules scanning
10:27:58.421 Disk 0 trace - called modules:
10:27:58.484 ntoskrnl.exe CLASSPNP.SYS disk.sys atapi.sys >>UNKNOWN [0x86d7eec9]<<
10:27:58.531 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86f79238]
10:27:58.562 3 CLASSPNP.SYS[f779dfd7] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP1T0L0-e[0x86f78b00]
10:27:58.859 AVAST engine scan C:\WINDOWS
10:28:02.437 File: C:\WINDOWS\msisear.exe **INFECTED** Win32:Malware-gen
10:28:04.671 AVAST engine scan C:\WINDOWS\system32
10:28:13.859 File: C:\WINDOWS\system32\cscrtvdm.dll **INFECTED** Win32:Dropper-gen [Drp]
10:29:59.500 AVAST engine scan C:\WINDOWS\system32\drivers
10:30:13.468 AVAST engine scan C:\Documents and Settings\Administrator
10:30:27.000 AVAST engine scan C:\Documents and Settings\All Users
10:30:42.781 Scan finished successfully
10:30:57.187 Disk 0 MBR has been saved successfully to "E:\MBR.dat"
10:30:57.781 The log file has been saved successfully to "E:\aswMBR.txt"
-
First off, thank you for helping all of us poor infected souls! It is truly appreciated.
11/28/2012 - Removed 171 malware instances, including, but not limited to, Exploit.Drop.GS, PUM.Disabled.SecurityCenter, PUM.Hijack.TaskManager, PUP.MyWebSearch, RootKit.0Access, Trojan.0Access via MBAM. Repaired and re-registered WMI due to "wmiprvse.exe error. The instruction at "0x7c910f48" referenced memory at "0x00080179". The memory could not be "written"." <http://windowsxp.mvps.org/repairwmi.htm>.
1/7/2013 - Removed 61 malware files and 7 infected registry keys, including: PUP.FunMoods, PUP.MyWebSearch, RootKit.0Access, RootKit.Zaccess, Trojan.0Access, Trojan.Agent, Trojan.Dropper.BCMiner, Trojan.FakeAlert, Trojan.FakeMS.Ran, Trojan.Reveton via MBAM.
Malwarebytes Anti-Malware 1.70.0.1100
www.malwarebytes.org
Database version: v2013.01.07.11
Windows XP Service Pack 3 x86 NTFS (Safe Mode/Networking)
Internet Explorer 8.0.6001.18702
Administrator :: BACKOFFICE [administrator]
1/7/2013 3:29:05 PM
mbam-log-2013-01-07 (15-29-05).txt
Scan type: Full scan (C:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 295573
Time elapsed: 42 minute(s), 47 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 7
HKLM\SOFTWARE\Google\Chrome\Extensions\cjpglkicenollcignonpgiafdgfeehoj (PUP.FunMoods) -> Quarantined and deleted successfully.
HKCR\esrv.funmoodsESrvc.1 (PUP.Funmoods) -> Quarantined and deleted successfully.
HKCR\CLSID\{75A4D144-506D-4BE5-81DB-EC7DA1E7F840} (PUP.Funmoods) -> Quarantined and deleted successfully.
HKCR\esrv.funmoodsESrvc (PUP.Funmoods) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C87FC351-A80D-43E9-9A86-CF1E29DC443A} (PUP.Funmoods) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Google\Chrome\Extensions\bbjciahceamgodcoidkjpchnokgfpphh (PUP.Funmoods) -> Quarantined and deleted successfully.
HKCR\TypeLib\{960DF771-CFCB-4E53-A5B5-6EF2BBE6E706} (PUP.Funmoods) -> Quarantined and deleted successfully.
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 61
(end)
tzyoev.exe infection
in Resolved Malware Removal Logs
Hi MrC,
I just checked w/my client. No more "Authentication Required" pop-up. Thank you. You may close this thread now.