Caledrith Posted December 24, 2011 ID:508785 Share Posted December 24, 2011 So ping.exe is taking all of the cpu. I end it and it comes back after 5 minutes. Here are the logs.attach.txtdds.txt Link to post Share on other sites More sharing options...
D-FRED-BROWN Posted December 25, 2011 ID:509295 Share Posted December 25, 2011 Hello Caledrith and welcome to Malwarebytes! I apologize for the delay.I am D-FRED-BROWN and I will be helping you. Please print or save this topic: it will make it easier for you to follow the instructions and complete all of the necessary steps. -------------Please download Farbar Service Scanner and run it on the computer with the issue.Make sure the following options are checked:Internet ServicesWindows FirewallSystem Restore[*]Press "Scan".[*]It will create a log (FSS.txt) in the same directory the tool is run.[*]Please copy and paste the log to your reply.-------------Please download to your Desktop:TDSSKiller.zip from here and extract it (right click on it => "Extract here").>>> TDSSKiller: Double-click on TDSSKiller.exe to run the application.Click on the Start Scan button and wait for the scan and disinfection process to be over.If an infected file is detected, the default action will be Cure, click on Continue If a suspicious file is detected, the default action will be Skip, click on Continue If you are asked to reboot the computer to complete the process, click on the Reboot Now button. A report will be automatically saved at the root of the System drive ((usually C:\) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt" (for example, C:\TDSSKiller.2.2.0_20.12.2009_15.31.43_log.txt). Please copy and paste the contents of that file here.If no reboot is required, click on Report. A log file will appear. Please copy and paste the contents of that file in your next reply.In your next reply, please include the following (you may need to use two posts to get it all in):TDSSKiller_log.txthow the PC is running now?-------------Please download ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool: http://www.bleepingcomputer.com/combofix/how-to-use-combofix***IMPORTANT: save ComboFix to your Desktop**** Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix. Please go here to see a list of programs that should be disabled.**Note: Do not mouseclick ComboFix's window while it's running. That may cause it to stall** Please include the C:\ComboFix.txt in your next reply for further review.Also, please let me know if any problems still remain.-------------Please print out these instructions or copy them to a Notepad file for an easier reading and download MBRCheck by a_d_13 to your Desktop from one of these locations:http://ad13.geekstogo.com/MBRCheck.exehttp://download.bleepingcomputer.com/rootrepeal/MBRCheck.exehttp://www.kernelmode.info/MBRCheck.exeClose all opened programs/ windows and double-click on MBRCheck.exe.It will produce a log file saved automatically on your Desktop as "MBRCheck_[Date]_[Time].txt".Press the "Enter" key to close the MBRCheck window and post the contents of the log file.-------------In your next reply, please include:FSS.txtTDSSKiller reportC:\ComboFix.txtMBRCheck reportHow is your computer running now? Link to post Share on other sites More sharing options...
Caledrith Posted December 27, 2011 Author ID:509846 Share Posted December 27, 2011 I have not seen too much crap since the repairs. I can still access the internet which is good Ping.exe has not popped up at all. It did find a zeroaccess rootkit on tcp/IP stack.Let me know if there is anything else needing attention.Thanks!FSS.txtTDSSKiller.2.6.22.0_23.12.2011_19.34.54_log.txtMBRCheck_12.27.11_12.06.18.txtComboFix.txt Link to post Share on other sites More sharing options...
D-FRED-BROWN Posted December 27, 2011 ID:509881 Share Posted December 27, 2011 Looking good! ComboFix & TDSSKiller cleared up the main infection. Let's run an ESET Online Scan to make sure there are no remnants they may have missed:Please run a free online scan with the ESET Online ScannerNote: You will need to use Internet Explorer for this scan.Tick the box next to YES, I accept the Terms of Use.Click StartWhen asked, allow the ActiveX control to installClick StartMake sure that the options Remove found threats is Unchecked and the option Scan unwanted applications is checkedClick ScanWait for the scan to finishUse Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txtCopy and paste that log as a reply to this topic----------Next, let's see what programs of yours need updating; out-of-date applications leave you extremely vulnerable to getting infected again:Please download Security Check by screen317 from here or here.Save it to your Desktop.Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.A Notepad document should open automatically called checkup.txt; please post the contents of that document.----------Please include both the ESET report & the checkup.txt contents in your next reply. Link to post Share on other sites More sharing options...
Caledrith Posted December 28, 2011 Author ID:510448 Share Posted December 28, 2011 My computer has been slower recently.checkup.txtlog.txt Link to post Share on other sites More sharing options...
D-FRED-BROWN Posted December 28, 2011 ID:510503 Share Posted December 28, 2011 Let's try the following:Download the latest version of Kaspersky Virus Removal ToolClose all other applications and double-click and run the installer.When the Kaspersky Virus Removal Tool starts, to the right of Security Level click Recommended, and select Settings.In the window that opens (Autoscan), in the Scope tab place a checkmark to the left of Parse email formats. Click the Additional tab and click to place a checkmark to the left of Deep scan, and click OK. Select all the scanable items except for CD-ROM drives and click the Start scan button.If malware is detected, place a checkmark in the Apply to all box, and click the Delete button (or Disinfect if the button is active).After the scan finishes, if any threat remains in the Scan window (Red exclamation point), click the Neutralize all buttonIn the window that opens, place a checkmark in the Apply to all box, and click the Delete button (or Disinfect if the button is active).If advised that a special disinfection procedure is required which demands system reboot: click the Ok button to close the window.In the Scan window click the Reports button and select Save to file.Name the report AVPT.txt, and save it to the Desktop.Close AVPTool.You will be prompted if you want to uninstall the program; click Yes.You will then be prompted that to complete the uninstallation, the computer must be restarted. Select Yes to restart the system.Copy and paste the first part of the report (Detected) that you saved in your next reply. Link to post Share on other sites More sharing options...
D-FRED-BROWN Posted January 1, 2012 ID:512193 Share Posted January 1, 2012 (bump)Are you still with me? If your problems still persist, let me know and we'll go about fixing them. If not, please let me know so I can close this topic.-DFB Link to post Share on other sites More sharing options...
Caledrith Posted January 9, 2012 Author ID:515444 Share Posted January 9, 2012 Yes, I am, I was just busy with the holidays, sorry.Partially because I knew the scan would take a while and I needed my computer Starting the scan now(just didnt want the topic closed) Link to post Share on other sites More sharing options...
D-FRED-BROWN Posted January 10, 2012 ID:515546 Share Posted January 10, 2012 No worries, I understand. Take all the time you need . Link to post Share on other sites More sharing options...
Caledrith Posted January 10, 2012 Author ID:515566 Share Posted January 10, 2012 Alrighty, after 4 0.o hours, it is done.Also, the tool has been updated, and your instructions were hard to follow because of it, but I did it.I think this is what you wanted.1/9/2012 3:40:40 PM OK \Device\HarddiskVolume2 1/9/2012 3:40:31 PM OK C 1/9/2012 6:21:38 PM Not processed c:\pagefile.sys Object is locked 1/9/2012 3:40:57 PM Not processed C:\pagefile.sys Object is locked 1/9/2012 4:42:18 PM Detected: http://www.securelist.com/en/advisories/46512 C:\Program Files\Java\jre6\bin\java.exe 1/9/2012 4:42:00 PM Detected: http://www.securelist.com/en/advisories/46512 C:\Program Files\Java\jre1.6.0_03\bin\java.exe 1/9/2012 4:41:41 PM Detected: http://www.securelist.com/en/advisories/46512 C:\Program Files\Java\jre1.6.0_02\bin\java.exe 1/9/2012 5:40:59 PM Detected: Trojan-Spy.Win32.Zbot.ctrj C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP3\A0002087.exe 1/9/2012 5:42:13 PM Detected: HEUR:Trojan.Win32.Generic C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP5\A0004147.sys 1/9/2012 5:42:12 PM Detected: HEUR:Trojan.Win32.Generic C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP5\A0003147.sys 1/9/2012 5:41:54 PM Detected: HEUR:Trojan.Win32.Generic C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP5\A0002147.sys 1/9/2012 5:41:25 PM Detected: HEUR:Trojan.Win32.Generic C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP4\A0002100.sys 1/9/2012 5:41:25 PM Detected: HEUR:Trojan.Win32.Generic C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP4\A0002092.sys 1/9/2012 5:40:57 PM Detected: HEUR:Trojan.Win32.Generic C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP3\A0002054.sys 1/9/2012 5:40:56 PM Detected: HEUR:Trojan.Win32.Generic C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP3\A0001056.sys 1/9/2012 5:42:30 PM Detected: HEUR:Trojan.Win32.Generic C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP7\A0007189.sys 1/9/2012 5:42:27 PM Detected: HEUR:Trojan.Win32.Generic C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP7\A0006189.sys 1/9/2012 5:42:25 PM Detected: HEUR:Trojan.Win32.Generic C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP7\A0005189.sys 1/9/2012 5:42:23 PM Detected: HEUR:Trojan.Win32.Generic C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP7\A0004189.sys 1/9/2012 5:42:21 PM Detected: HEUR:Trojan.Win32.Generic C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP6\A0004160.sys 1/9/2012 5:26:36 PM Detected: HEUR:Trojan.Win32.Generic C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP2\A0001034.sys 1/9/2012 5:26:32 PM Detected: HEUR:Trojan.Win32.Generic C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP2\A0001002.sys 1/9/2012 5:26:30 PM Detected: HEUR:Trojan.Win32.Generic C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP2\A0000002.sys 1/9/2012 5:41:11 PM Deleted: Trojan-Spy.Win32.Zbot.ctrj C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP3\A0002087.exe 1/9/2012 5:40:23 PM Deleted: HEUR:Trojan.Win32.Generic C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP2\A0001034.sys 1/9/2012 5:42:20 PM Deleted: HEUR:Trojan.Win32.Generic C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP5\A0004147.sys 1/9/2012 5:42:19 PM Deleted: HEUR:Trojan.Win32.Generic C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP5\A0003147.sys 1/9/2012 5:42:13 PM Deleted: HEUR:Trojan.Win32.Generic C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP5\A0002147.sys 1/9/2012 5:42:12 PM Deleted: HEUR:Trojan.Win32.Generic C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP4\A0002100.sys 1/9/2012 5:42:37 PM Deleted: HEUR:Trojan.Win32.Generic C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP7\A0007189.sys 1/9/2012 5:42:36 PM Deleted: HEUR:Trojan.Win32.Generic C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP7\A0006189.sys 1/9/2012 5:42:32 PM Deleted: HEUR:Trojan.Win32.Generic C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP7\A0005189.sys 1/9/2012 5:42:29 PM Deleted: HEUR:Trojan.Win32.Generic C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP7\A0004189.sys 1/9/2012 5:42:26 PM Deleted: HEUR:Trojan.Win32.Generic C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP6\A0004160.sys 1/9/2012 5:42:12 PM Deleted: HEUR:Trojan.Win32.Generic C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP4\A0002092.sys 1/9/2012 5:41:12 PM Deleted: HEUR:Trojan.Win32.Generic C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP3\A0002054.sys 1/9/2012 5:41:11 PM Deleted: HEUR:Trojan.Win32.Generic C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP3\A0001056.sys 1/9/2012 5:40:23 PM Deleted: HEUR:Trojan.Win32.Generic C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP2\A0001002.sys 1/9/2012 5:40:23 PM Deleted: HEUR:Trojan.Win32.Generic C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP2\A0000002.sys 1/9/2012 4:23:30 PM Corrupted C:\Documents and Settings\Nightwatch Capital\My Documents\Downloads\HoNClient-2.0.29.exe/data0234/00000000/ui/images/logo.dds 1/9/2012 5:40:23 PM Backed up C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP2\A0001034.sys 1/9/2012 5:40:23 PM Backed up C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP2\A0001002.sys 1/9/2012 5:42:20 PM Backed up C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP5\A0004147.sys 1/9/2012 5:42:37 PM Backed up C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP7\A0007189.sys 1/9/2012 5:42:36 PM Backed up C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP7\A0006189.sys 1/9/2012 5:42:32 PM Backed up C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP7\A0005189.sys 1/9/2012 5:42:29 PM Backed up C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP7\A0004189.sys 1/9/2012 5:42:26 PM Backed up C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP6\A0004160.sys 1/9/2012 5:42:19 PM Backed up C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP5\A0003147.sys 1/9/2012 5:42:13 PM Backed up C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP5\A0002147.sys 1/9/2012 5:42:12 PM Backed up C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP4\A0002100.sys 1/9/2012 5:42:12 PM Backed up C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP4\A0002092.sys 1/9/2012 5:41:12 PM Backed up C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP3\A0002054.sys 1/9/2012 5:41:11 PM Backed up C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP3\A0001056.sys 1/9/2012 5:41:11 PM Backed up C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP3\A0002087.exe 1/9/2012 5:40:23 PM Backed up C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP2\A0000002.sys It was out of order, soooooooo Link to post Share on other sites More sharing options...
D-FRED-BROWN Posted January 11, 2012 ID:515936 Share Posted January 11, 2012 Looking much better .Before we move on, is your computer still running slower than usual, as you indicated before? Link to post Share on other sites More sharing options...
Caledrith Posted January 13, 2012 Author ID:516533 Share Posted January 13, 2012 It is running much better thank you. I really appreciate all you have done. Is there any other precautions I have to make, and how do I fix the Java insecurities? Link to post Share on other sites More sharing options...
D-FRED-BROWN Posted January 13, 2012 ID:516582 Share Posted January 13, 2012 Let's run another ESET scan to verify there's nothing there that we may have missed:Please see this previous post for the instructions: http://forums.malwarebytes.org/index.php?showtopic=102880&view=findpost&p=509881 Link to post Share on other sites More sharing options...
Caledrith Posted January 22, 2012 Author ID:519235 Share Posted January 22, 2012 8 toolbar.zugo again. + solimbalog.txt Link to post Share on other sites More sharing options...
D-FRED-BROWN Posted January 23, 2012 ID:519509 Share Posted January 23, 2012 Things are looking good .Before we move on to the next step, please update the following programs. (Using outdated applications leaves you extremely vulnerable to getting infected again.)----------Java is out of date and older versions contain vulnerabilities. Please update to the newest version.Download the newest version from here http://www.oracle.com/technetwork/java/javase/downloads/index.html.It's important to remove older versions of Java since it does not do so automatically and old versions still leave you vulnerable.Go to Start > Control Panel and open Add or Remove Programs.Search in the list for all previous installed versions of Java. (J2SE Runtime Environment). They will have this icon next to them: Select each in turn and click Remove.Once old versions are gone, please install the newest version.----------You're using an old version of Adobe Acrobat Reader, this can leave your PC open to vulnerabilities, you can update it here (uninstall version 7.0 first):Adobe Reader XNote: I suggest you uncheck an optional, third-party download (eg. McAfee Security Scan Plus).After successfully installing Adobe Reader X, see this article on how to make this program more secure: Adobe Reader X secures itself by playing in the sandbox.----------Firefox is out of date. Using an outdated version of a web browser leaves you vulnerable to malware! Please visit Mozilla site and update it to the latest version. ----------Please let me know how the updates went, as failed updates may indicate additional malware . Link to post Share on other sites More sharing options...
Recommended Posts