SuperG

Members
  • Posts: 8

Everything posted by SuperG

  1. Weird, I thought I posted this earlier today. Here are the results:

     Results of screen317's Security Check version 0.99.89
     Windows 7 x86 (UAC is enabled)
     Out of date service pack!!
     Internet Explorer 11
     ``````````````Antivirus/Firewall Check:``````````````
     Windows Firewall Enabled!
     avast! Antivirus
     Antivirus up to date!
     `````````Anti-malware/Other Utilities Check:`````````
     Java 7 Update 60
     Java version out of Date!
     Adobe Flash Player 11.7.700.169
     Flash Player out of Date!
     Mozilla Firefox 31.0
     Firefox out of Date!
     ````````Process Check: objlist.exe by Laurent````````
     Malwarebytes Anti-Malware mbamservice.exe
     Malwarebytes Anti-Malware mbam.exe
     Malwarebytes Anti-Malware mbamscheduler.exe
     Alwil Software Avast5 AvastSvc.exe
     Alwil Software Avast5 AvastUI.exe
     `````````````````System Health check`````````````````
     Total Fragmentation on Drive C: 0%
     ````````````````````End of Log``````````````````````
  2. Malwarebytes found something in the Windows activation folder that it quarantined. Otherwise it seems quiet.
  3. It's been quiet. I'll watch it again in the morning and report back. Thanks for the fix files! I think you got it. More in the AM.
  4. I have not put it back on the network yet, but when I went to task manager after all this and marked "Show processes from all users" I saw (2) dllhost.exe COM surrogate items that rapidly vanished. I suspect if I plug this in they will come back. Let me test it. They show up after reboot but again disappear when I show all user processes. I'm going to give this a bit to simmer. Should I re-run anything to check? FRST? Thank you.
  5. In case anybody is wondering... McAfee seems to think ComboFix is malware itself and will delete the download. Had to go to a 3rd computer. (Infected one is still not connected to anything.) ComboFix.txt: [full ComboFix log omitted] Thank you.
  6. I am away from this machine until this evening, but I will run that fix file and report back. Thank you!
  7. Hello, and thank you in advance for any assistance you can provide. My name is Barry, but you can feel free to call me Barry. My machine was running its fan high quite a bit with nothing running, which led me to discover this charming beast lurking behind. I have run ComboFix (log attached) as well as a Farbar Recovery Scan Tool (FRST) scan (FRST and Addition logs attached) as well as TDSSKiller. Here is how that went: ComboFix finds a temp file and deletes it; however, this doesn't resolve the issue. I suspect it has to do with other programs loading when the computer reboots, but it could also just be getting replaced as soon as it's removed. Farbar indicates a likely Poweliks reg key in the logs. I understand that this is not good and immediately changed all my logins (not a small task) from a clean PC last night when I discovered the issue. I wish to try and clean this machine so I can take a clean local backup, then wipe the machine afterwards. TDSSKiller actually finds absolutely nothing. I would appreciate any assistance in removing this scourge. Thank you. *EDIT* Apparently my post is too long, I'll just attach the logs vs. paste: ComboFix.txt, FRST.txt, Addition.txt