goldrush9560
Honorary Members · Posts: 29

Everything posted by goldrush9560

  1. So I got redirected to a page with ipv4 in the URL and a captcha saying strange searches had been coming out of my computer network. So I ran Malwarebytes and RKill as well as Security Essentials, all of which came up with nothing. AdwCleaner said there were some things, so I cleaned that. All done in safe mode. However, when I boot my computer it takes forever to start up, certain graphical settings are completely undone, and the screen goes white for a second. After AdwCleaner came up positive with stuff I'm worried that I have a serious infection.
  2. Ok, I'll let you know if anything happens. Thanks for your patience and help so far, by the way.
  3. Ran it, said it hadn't found the infection on the computer.
  4. Oh, ok then. In that case, each of these has some or all of the same symptoms, namely MBAM not finding the virus, constant blocked sites (primarily e9967 and some server), multiple host DLLs running, high CPU consumption, Internet Explorer crashing despite not being open, and a return of virus symptoms despite successful removal.
     https://forums.malwarebytes.org/index.php?/topic/162981-syswow64-infection-but-nothing-comes-up-in-scans/
     https://forums.malwarebytes.org/index.php?/topic/162916-multiple-malicious-websites-blocked-always-mentions-dllhostexe/
     https://forums.malwarebytes.org/index.php?/topic/162857-syswow64-infected/
     https://forums.malwarebytes.org/index.php?/topic/163003-cpu-usage-up-internet-slow-malwarebytes-not-finding/
     https://forums.malwarebytes.org/index.php?/topic/162938-constant-malicious-website-blocked-notifications-no-threats-detected/
     https://forums.malwarebytes.org/index.php?/topic/162990-multiple-dllhostexe-running-security-settings-changed/
     https://forums.malwarebytes.org/index.php?/topic/162942-cwindowssyswow64dllhostexe-issue/
     https://forums.malwarebytes.org/index.php?/topic/162898-e9967acom-syswow64dll/
     https://forums.malwarebytes.org/index.php?/topic/162940-constant-malicious-website-blocked-popups/
     https://forums.malwarebytes.org/index.php?/topic/162824-e9967acom-syswow64dll-running-getting-crazy-hits/
     https://forums.malwarebytes.org/index.php?/topic/162939-syswow64-malicious-website-blocked/
     I'll also include my own original help post, thought to be resolved, since the symptoms are more or less the same as well.
     https://forums.malwarebytes.org/index.php?/topic/162524-trojan-infection/
     I found no such folder, and Chrome I suppose, but it's happened without a browser being open as far as I am aware. However, Internet Explorer will stop working despite me never touching the program. The logs for each of the programs you mentioned are included.
     Attachments: Rkill.txt, SystemLook.txt
  5. Sorry, didn't mean to speak out of turn or anything. Do you actually want me to show a thread? Because I don't really know what I'm talking about. Again, sorry, didn't think before speaking.
  6. Ok, here are the FRST logs. I've noticed a lot of threads with very similar symptoms popping up; not a huge fan of the idea of a new rootkit.
     Attachments: Addition.txt, FRST.txt
  7. I'm very sorry for all these posts, but just one more piece of information. After this last time, I noticed that Internet Explorer stopped working when the attack began, despite not being active. I uninstalled Internet Explorer and ran NPE, restarting the computer (I didn't actually do anything with NPE, just ran a scan). When the computer came back on, it was running fine, MBAM wasn't freaking out and all other symptoms were absent.
  8. Sorry, one last thing. I think the infection started when I plugged in an external drive used in cleaning the family's public computer. Someone came in later and found that I missed a self-replicating virus that was on that computer, hiding in the temp files. Is it possible that we already got it? If so, we could just try waiting a little and see if any symptoms reappear. Sorry if I'm not being helpful, just trying to provide any context I may have missed.
  9. So I've run NPE. As far as I can tell, none of these are malicious. I recognize all these programs, either as Rainmeter functions or modding tools. Also it hit up ComboFix. The only thing that worries me is that it registered "Registry System Settings Bad". I looked around but there seems to be a lot of ambiguity over whether or not this is a false positive when it comes up. I included the logs in case you want to view them. It comes in XML; I also added a .txt, buuut that might not be useful in its current form. How should I proceed?
     Attachments: Info20141231095112.xml, Info20141231095112.txt
  10. Here are the logs. I may have missed a few; I can go back and grab them again if you need more.
     Attachments: log 1.txt, log 2.txt, log 3.txt, log 4.txt, log 5.txt, log 6.txt, log 7.txt, log 8.txt, log 9.txt, log 10.txt, log 11.txt
  11. I have run all of these for all users, yes. But every, say, 12 hours I nevertheless explode with warnings from Malwarebytes that the same programs that were being called in by Poweliks when I had it the first time are attempting to invade my computer again, and my computer slows down immensely and I begin to see dll.host.exe pop up as a running process. It doesn't happen constantly, only after a great many hours of run time. Also my computer's visual settings get altered and startup times slow immensely until after extensive cleaning. Is there something else that could possibly be causing these symptoms? How should I proceed at this point?
  12. Ok, finally finished. Here are the logs.
     TDSSKiller:
     21:14:07.0161 0x0bf8 TDSS rootkit removing tool 3.0.0.42 Dec 12 2014 00:35:20
     21:14:13.0147 0x0bf8 ============================================================
     21:14:13.0147 0x0bf8 Current date / time: 2014/12/29 21:14:13.0147
     21:14:13.0147 0x0bf8 SystemInfo:
     21:14:13.0147 0x0bf8
     21:14:13.0147 0x0bf8 OS Version: 6.1.7601 ServicePack: 1.0
     21:14:13.0147 0x0bf8 Product type: Workstation
     21:14:13.0163 0x0bf8 ComputerName: AARON-PC
     21:14:13.0163 0x0bf8 UserName: Aaron
     21:14:13.0163 0x0bf8 Windows directory: C:\Windows
     21:14:13.0163 0x0bf8 System windows directory: C:\Windows
     21:14:13.0163 0x0bf8 Running under WOW64
     21:14:13.0163 0x0bf8 Processor architecture: Intel x64
     21:14:13.0163 0x0bf8 Number of processors: 8
     21:14:13.0163 0x0bf8 Page size: 0x1000
     21:14:13.0163 0x0bf8 Boot type: Normal boot
     21:14:13.0163 0x0bf8 ============================================================
     21:14:17.0927 0x0bf8 KLMD registered as C:\Windows\system32\drivers\44791621.sys
     21:14:18.0317 0x0bf8 System UUID: {93923562-DC2C-0A35-2934-65ADB2EE7453}
     21:14:19.0084 0x0bf8 Drive \Device\Harddisk0\DR0 - Size: 0xE8E0960E00 ( 931.51 Gb ), SectorSize: 0x200, Cylinders: 0x1DB00, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000040
     21:14:19.0084 0x0bf8 Drive \Device\Harddisk1\DR1 - Size: 0x2A1F00000 ( 10.53 Gb ), SectorSize: 0x200, Cylinders: 0x55E, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000040
     21:14:19.0100 0x0bf8 ============================================================
     21:14:19.0100 0x0bf8 \Device\Harddisk0\DR0:
     21:14:19.0100 0x0bf8 MBR partitions:
     21:14:19.0100 0x0bf8 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x14000, BlocksNum 0x155F000
     21:14:19.0100 0x0bf8 \Device\Harddisk0\DR0\Partition2: MBR, Type 0x7, StartLBA 0x1573000, BlocksNum 0x73191000
     21:14:19.0100 0x0bf8 \Device\Harddisk1\DR1:
     21:14:19.0100 0x0bf8 MBR partitions:
     21:14:19.0100 0x0bf8 \Device\Harddisk1\DR1\Partition1: MBR, Type 0x7, StartLBA 0x800, BlocksNum 0x150E800
     21:14:19.0100 0x0bf8 ============================================================
     21:14:19.0100 0x0bf8 C: <-> \Device\Harddisk0\DR0\Partition2
     21:14:19.0100 0x0bf8 D: <-> \Device\Harddisk1\DR1\Partition1
     21:14:19.0100 0x0bf8 ============================================================
     21:14:19.0100 0x0bf8 Initialize success
     21:14:19.0100 0x0bf8 ============================================================
     21:15:10.0404 0x18c8 KLMD registered as C:\Windows\system32\drivers\87231070.sys
     21:15:12.0902 0x18c8 Deinitialize success
     There was a second log; it was immense. ComboFix also seemed incredibly large.
     Attachments: TDSSKiller.3.0.0.42_29.12.2014_21.17.31_log.txt, ComboFix.txt
  13. Ok. Also I got System Restore up. I'll take care of those links and get back to you.
  14. Hi, I'm sorry, I know I closed this but as it turns out I'm still having the issues. I don't know if it's too late on this topic but I need the help after all. Should I run the scans mentioned before?
  15. I haven't had any issues for a while now, and some other measures have been taken to clean the computer. I can create a System Restore point after additional cleaning, so whatever was causing that issue is done. I'm going to operate for now under the belief that things are taken care of. You can close this now. Thanks for the help, and sorry, I feel like I led everyone on a bit of a goose chase.
  16. I was never able to get System Restore to turn back on. I'll see if I can figure out why it isn't going on.
  17. Right now I'm perfectly fine. I have managed to get through each attack attempt without serious or long-lasting issue. My concern is that I have some massive exploit, wildly outdated software, something that keeps letting these in. I don't do any risky web surfing, so the fact that I keep getting trojans is baffling to me and I have no idea where to begin. I don't know if it's malware, or an exploit, or what, and I need help figuring out how these trojans keep getting in, even if they get shut down before anything happens.
  18. I wasn't able to turn System Restore on. In the first place I find it strange that it was off. "Could not apply the settings for the following reason: The filename, directory name, or volume label syntax is incorrect. (0x8007007b)" Additionally, I don't use any P2P software, too scared of the malware. In fact, if you find any evidence of it please let me know because it's not supposed to be there.
     MBAM log:
     Malwarebytes Anti-Malware
     www.malwarebytes.org

     Scan Date: 12/27/2014
     Scan Time: 11:05:08 AM
     Logfile: MBAM log.txt
     Administrator: Yes

     Version: 2.00.4.1028
     Malware Database: v2014.12.27.06
     Rootkit Database: v2014.12.23.02
     License: Premium
     Malware Protection: Enabled
     Malicious Website Protection: Enabled
     Self-protection: Enabled

     OS: Windows 7 Service Pack 1
     CPU: x64
     File System: NTFS
     User: Aaron

     Scan Type: Threat Scan
     Result: Completed
     Objects Scanned: 379306
     Time Elapsed: 9 min, 31 sec

     Memory: Enabled
     Startup: Enabled
     Filesystem: Enabled
     Archives: Enabled
     Rootkits: Enabled
     Heuristics: Enabled
     PUP: Enabled
     PUM: Enabled

     Processes: 0
     (No malicious items detected)

     Modules: 0
     (No malicious items detected)

     Registry Keys: 0
     (No malicious items detected)

     Registry Values: 0
     (No malicious items detected)

     RogueKiller:
     RogueKiller V10.1.0.0 (x64) [Dec 11 2014] by Adlice Software
     mail : http://www.adlice.com/contact/
     Feedback : http://forum.adlice.com
     Website : http://www.adlice.com/softwares/roguekiller/
     Blog : http://www.adlice.com

     Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
     Started in : Normal mode
     User : Aaron [Administrator]
     Mode : Scan -- Date : 12/27/2014 11:28:53

     ¤¤¤ Processes : 0 ¤¤¤

     ¤¤¤ Registry : 0 ¤¤¤

     ¤¤¤ Tasks : 0 ¤¤¤

     ¤¤¤ Files : 0 ¤¤¤

     ¤¤¤ Hosts File : 35 ¤¤¤
     [C:\Windows\System32\drivers\etc\hosts] 127.0.0.1 localhost
     [C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 0.0.0.0 # fix for traceroute and netstat display anomaly
     [C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 tracking.opencandy.com.s3.amazonaws.com
     [C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 media.opencandy.com
     [C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.opencandy.com
     [C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 tracking.opencandy.com
     [C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 api.opencandy.com
     [C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 installer.betterinstaller.com
     [C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 installer.filebulldog.com
     [C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 d3oxtn1x3b8d7i.cloudfront.net
     [C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 inno.bisrv.com
     [C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 nsis.bisrv.com
     [C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.file2desktop.com
     [C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.goateastcach.us
     [C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.guttastatdk.us
     [C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.inskinmedia.com
     [C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.insta.oibundles2.com
     [C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.insta.playbryte.com
     [C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.llogetfastcach.us
     [C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.montiera.com
     [C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.msdwnld.com
     [C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.mypcbackup.com
     [C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.ppdownload.com
     [C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.riceateastcach.us
     [C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.shyapotato.us
     [C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.solimba.com
     [C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.tuto4pc.com
     [C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.appround.biz
     [C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.bigspeedpro.com
     [C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.bispd.com
     [C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.bisrv.com
     [C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.cdndp.com
     [C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.download.sweetpacks.com
     [C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.dpdownload.com
     [C:\Windows\System32\drivers\etc\hosts] 0.0.0.0 cdn.visualbee.net

     ¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤

     ¤¤¤ Web browsers : 0 ¤¤¤

     ¤¤¤ MBR Check : ¤¤¤
     +++++ PhysicalDrive0: WDC WD10JPVX-75 SCSI Disk Device +++++
     --- User ---
     [MBR] a856e6ca17efab1bcc91d1d77f8f3981
     [BSP] 8d77050f4b41abe8ac791719f39290e6 : HP MBR Code
     Partition table:
     0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 39 MB
     1 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 81920 | Size: 10942 MB
     2 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 22491136 | Size: 942882 MB
     User = LL1 ... OK
     Error reading LL2 MBR! ([1] Incorrect function. )

     +++++ PhysicalDrive1: LITEONIT DMT-80 SCSI Disk Device +++++
     --- User ---
     [MBR] a119863d300306e89cff6b501d614b24
     [BSP] 3c6283bf2791e32458320daba0f0e9f7 : Windows Vista/7/8 MBR Code
     Partition table:
     0 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 10781 MB
     User = LL1 ... OK
     Error reading LL2 MBR! ([1] Incorrect function. )

     ============================================
     RKreport_DEL_10162014_211538.log - RKreport_DEL_10182014_014012.log - RKreport_DEL_10182014_130624.log - RKreport_DEL_12202014_153859.log
     RKreport_DEL_12202014_153907.log - RKreport_DEL_12202014_153913.log - RKreport_DEL_12202014_153923.log - RKreport_DEL_12272014_003047.log
     RKreport_SCN_10162014_211128.log - RKreport_SCN_10162014_211718.log - RKreport_SCN_10182014_013950.log - RKreport_SCN_10182014_130530.log
     RKreport_SCN_12202014_153811.log - RKreport_SCN_12272014_002806.log - RKreport_SCN_12272014_112638.log
     Attachments: Addition.txt, FRST.txt
  19. Hello, I posted here a few days ago looking for help with a trojan infection, which turned out to be Poweliks, and the removal was completely successful. Since then, I have been attacked by Poweliks again as well as some Chrome-based trojan. I don't know how I am getting these; I don't even know where to begin. Each has been removed with relative ease, but it seems every day there's a new attack. I need help permanently blocking these, or at least identifying where they are coming from in the first place. Thank you for any help.
  20. Amazing, thank you for the help. I'll need to take care of that external hard drive, but that's a whole different issue. I'm just glad my PC is safe for now. Thank you for the help!
  21. csrss, a conhost, bttray, nvstreamsvc.exe, vnnsvc, nvxdsync, three ravbg64's, and winlogon
  22. No problems, Malwarebytes isn't reporting any attacks, the PC is running at 100% and I'm in full control. Only thing is some of the processes I can't check the properties of in Task Manager, but no symptoms at the very least. All scans from all programs coming up clean.