
Hello,

You will want to print out or copy these instructions to Notepad for Safe Mode/offline reference!

These steps are for member TerryBogard only. If you are a casual viewer, do NOT try this on your system!

If you are not TerryBogard and have a similar problem, do NOT post here; start your own topic

Do not run or start any other programs while these utilities and tools are in use!

Do NOT run any other tools on your own or do any fixes other than what is listed here.

If you have questions, please ask before you do something on your own.

But it is important that you get going on these following steps.


Close any of your open programs while you run these tools.

On almost all of the following programs and tools, you will need to right-click on the program link, shortcut or desktop icon (as appropriate) and then select "Run as Administrator". Please remember that as you go along and use these tools, each in turn.


Step 1

1. Go >> Here << and download ERUNT

(ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.)

2. Install ERUNT by following the prompts

(use the default install settings but say no to the portion that asks you to add ERUNT to the start-up folder, if you like you can enable this option later)

3. Start ERUNT

(either by double clicking on the desktop icon or choosing to start the program at the end of the setup)

4. Choose a location for the backup

(the default location is C:\WINDOWS\ERDNT which is acceptable).

5. Make sure that at least the first two check boxes are ticked

6. Press OK

7. Press YES to create the folder.


Step 2

Show all files:

To show all files:

  • Go to your Desktop
  • Double-Click the Computer icon.
  • From the menu options, Select Tools, then Folder Options.
  • Next click the View tab.
  • Locate and uncheck Hide file extensions for known file types.
  • Locate and uncheck Hide protected operating system files (Recommended).
  • Locate and click Show hidden files and folders and drives.
  • Click Apply > OK.

Step 3

Save and close any work documents, close any apps that you started.

Start your MBAM MalwareBytes' Anti-Malware.

Click the Settings Tab and then the General Settings sub-tab. Make sure all option lines have a checkmark.

Then click the Scanner settings sub-tab in second row of tabs. Make sure all option lines have a checkmark.

Next, Click the Update tab. Press the "Check for Updates" button.

If prompted for a Restart, do that.

When done, click the Scanner tab.

Do a FULL Scan.

When the scan is complete, click OK, then Show Results to view the results.

Make sure that everything is checked, and click Remove Selected.

When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.

The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

Step 4

Download Combofix from any of the links below, and SAVE it to your Desktop.

Link 1

Link 2

**Note: It is important that it is saved directly to your Desktop and not run straight away from download **

Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.

Right-click on Combo-Fix.exe on your Desktop and select "Run as Administrator".

  • A window may open with a warning. Accept the EULA and follow all prompts. When the scan completes, Notepad will open with your results log. Do a File, Exit and answer 'Yes' to save changes.

A caution - Do not run Combofix more than once.

Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.

The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled.

If this occurs, please reboot to restore the desktop.

Even when ComboFix appears to be doing nothing, look at your Drive light.

If it is flashing, Combofix is still at work.

A file will be created at => C:\Combofix.txt.

Note:

Do not mouseclick combofix's window nor run any program while Combofix is running.

That may cause it to stall.

Reply with a copy of the MBAM log, and the C:\Combofix.txt log

Please have a lot of patience. Your issues will take several rounds of analysis, cleanup, and tools to use.

Keep in mind also, I am a volunteer and am not on these boards all the time.


Hi. I joined this site in the hopes that I can get some help solving a couple of problems on my computer. I have Malwarebytes v. 1.60.0.1800 and it's been picking up a lot of infections lately. I'm new to this, so bear with me. First, I do a full scan. Then, I check the result of the scan to see if there are any infected files. If there are any, I go to the quarantine folder and check them out. The two common ones that keep popping up are a PUP.BitMiner and a Trojan of some kind.

My problems:

1) Fake Windows Security. It came out of nowhere and ate some of my files earlier in December. Luckily, I had a recent System Restore point. So, I don't think anything was lost. After that, I downloaded Malwarebytes fast. It's popped up from time to time, but nothing as serious as before.

2) Firefox 8, 9, and IE 9 redirect problem. I'm guessing this is a virus, but it isn't being detected by Malwarebytes even after multiple scans and deleting the threats in the quarantine folder. When I click a link on something like google or a trusted site, something redirects me to a random site.

*Note: I was on Gamespot.com and I was redirected to CBS's Terms of Use webpage. That site is owned by CBS. Maybe there's a connection.

Anyway, it first started on Firefox 8, so I stopped using it until I could find something to take care of it, but then, it started happening on IE9, too, and FF9. So, here I am.

If anyone has dealt with this problem before or has an idea to beat this, I could use some help. I need to take care of this ASAP.

*Note EDIT: I don't understand the connection to other redirects, so I don't remember them all. That one stuck out, but I'm sure more will come, if anyone's interested.

Post Merged

Before I told everyone to leave the infected laptop alone, my sister was able to run ComboFix without it stopping before it could do its scan. We weren't able to install anything like it requested because we still don't have internet access. But it told us we're infected with that Zero.Access? rootkit.

I made another topic about this earlier, but I didn't bother to read the pinned instructions. Sorry about that. I followed the steps as instructed in this topic. Here are the files that were made by the DDS program. I uploaded both the DDS and Attach text documents. If anyone could lend a hand, I would appreciate it.

DDS.txt:

.

DDS (Ver_2011-08-26.01) - NTFSAMD64

Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_26

Run by Jon at 14:16:41 on 2012-01-03

Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.3836.2173 [GMT -5:00]

.

SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

============== Running Processes ===============

.

C:\windows\system32\wininit.exe

C:\windows\system32\lsm.exe

C:\windows\system32\svchost.exe -k DcomLaunch

C:\windows\system32\svchost.exe -k RPCSS

C:\windows\system32\atiesrxx.exe

C:\windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\windows\system32\svchost.exe -k netsvcs

C:\windows\system32\svchost.exe -k LocalService

C:\windows\system32\svchost.exe -k NetworkService

C:\windows\System32\spoolsv.exe

C:\windows\system32\atieclxx.exe

C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe

C:\Program Files\Realtek\Audio\HDA\AERTSr64.exe

C:\windows\System32\svchost.exe -k LocalServiceNoNetwork

C:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Program Files (x86)\iolo\Common\Lib\ioloServiceManager.exe

C:\Program Files (x86)\Dell\Dell Datasafe Online\NOBuAgent.exe

C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

c:\program files (x86)\dell datasafe local backup\sftservice.EXE

C:\windows\system32\svchost.exe -k imgsvc

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

C:\Windows\system32\WUDFHost.exe

C:\windows\system32\taskhost.exe

C:\windows\system32\Dwm.exe

C:\windows\Explorer.EXE

C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe

C:\Program Files\DellTPad\Apoint.exe

C:\Program Files\Dell\QuickSet\quickset.exe

C:\Program Files\Microsoft IntelliPoint\ipoint.exe

C:\Users\Jon\AppData\Roaming\SanDisk\Sansa Updater\SansaDispatch.exe

C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe

C:\Program Files\Windows Sidebar\sidebar.exe

C:\Program Files\DellTPad\ApMsgFwd.exe

C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe

c:\program files (x86)\dell datasafe local backup\TOASTER.EXE

c:\program files (x86)\dell datasafe local backup\COMPONENTS\SCHEDULER\STSERVICE.EXE

C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin

C:\Program Files\DellTPad\HidFind.exe

C:\Program Files\DellTPad\Apntex.exe

C:\windows\system32\conhost.exe

C:\Program Files (x86)\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe

C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpd.exe

C:\windows\system32\wbem\wmiprvse.exe

C:\Program Files (x86)\Dell\Dell Datasafe Online\NOBuClient.exe

C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe

C:\windows\system32\SearchIndexer.exe

C:\Program Files (x86)\Internet Explorer\iexplore.exe

C:\Program Files (x86)\Internet Explorer\iexplore.exe

C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SCServer\SCServer.exe

C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Program Files\Windows Media Player\wmpnetwk.exe

C:\windows\system32\vssvc.exe

C:\Program Files (x86)\Internet Explorer\iexplore.exe

C:\windows\System32\svchost.exe -k swprv

C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe

C:\Program Files (x86)\Windows Media Player\wmplayer.exe

C:\windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe

C:\windows\SysWOW64\Macromed\Flash\FlashUtil10x_ActiveX.exe

C:\windows\SysWOW64\ping.exe

C:\windows\system32\conhost.exe

C:\windows\system32\SearchProtocolHost.exe

C:\windows\system32\SearchFilterHost.exe

C:\windows\System32\svchost.exe -k WerSvcGroup

C:\windows\system32\DllHost.exe

C:\windows\system32\DllHost.exe

C:\windows\SysWOW64\cmd.exe

C:\windows\system32\conhost.exe

C:\windows\SysWOW64\cscript.exe

C:\windows\system32\wbem\wmiprvse.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://google.com/

uURLSearchHooks: H - No File

mURLSearchHooks: H - No File

mWinlogon: Userinit=userinit.exe,

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

BHO: {27B4851A-3207-45A2-B947-BE8AFE6163AB} - No File

BHO: Conduit Engine : {30f9b915-b755-4826-820b-08fba6bd249d} - C:\Program Files (x86)\ConduitEngine\prxConduitEngin.dll

BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll

BHO: {88c7f2aa-f93f-432c-8f0e-b7d85967a527} - No File

BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

BHO: Skype add-on for Internet Explorer: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll

BHO: Bing Bar BHO: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files (x86)\MSN Toolbar\Platform\6.0.2282.0\npwinext.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll

TB: @C:\Program Files (x86)\MSN Toolbar\Platform\6.0.2282.0\npwinext.dll,-100: {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files (x86)\MSN Toolbar\Platform\6.0.2282.0\npwinext.dll

TB: {88c7f2aa-f93f-432c-8f0e-b7d85967a527} - No File

TB: Conduit Engine : {30f9b915-b755-4826-820b-08fba6bd249d} - C:\Program Files (x86)\ConduitEngine\prxConduitEngin.dll

TB: {32099AAC-C132-4136-9E9A-4E364A424E17} - No File

uRun: [steam] "C:\Program Files (x86)\Steam\steam.exe" -silent

uRun: [sansaDispatch] C:\Users\Jon\AppData\Roaming\SanDisk\Sansa Updater\SansaDispatch.exe

uRun: [DAEMON Tools Lite] "C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe" -autorun

uRun: [sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun

mRun: [startCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun

mRun: [Dell Webcam Central] "C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe" /mode2

mRun: [<NO NAME>]

mRun: [RoxWatchTray] "c:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatchTray12OEM.exe"

mRun: [Desktop Disc Tool] "c:\Program Files (x86)\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe"

mRun: [Dell DataSafe Online] C:\Program Files (x86)\Dell\Dell Datasafe Online\NOBuClient.exe

mRun: [Microsoft Default Manager] "C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" -resume

mRun: [iolo Startup] "C:\Program Files (x86)\iolo\Common\Lib\ioloLManager.exe"

mRun: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray

mRunOnce: ["C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe"] "C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe"

StartupFolder: C:\Users\Jon\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\OPENOF~1.LNK - C:\Program Files (x86)\OpenOffice.org 3\program\quickstart.exe

mPolicies-explorer: NoActiveDesktop = 1 (0x1)

mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)

mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)

mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll

IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll

LSP: mswsock.dll

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab

TCP: DhcpNameServer = 192.168.4.4

TCP: Interfaces\{80F1A852-B9A4-4061-9EDF-C6172043647B} : DhcpNameServer = 192.168.4.4

TCP: Interfaces\{80F1A852-B9A4-4061-9EDF-C6172043647B}\13 : DhcpNameServer = 192.168.2.1

TCP: Interfaces\{80F1A852-B9A4-4061-9EDF-C6172043647B}\E476162716 : DhcpNameServer = 192.168.2.1

TCP: Interfaces\{D81857EA-B366-402A-BBA4-54094C7273D4} : DhcpNameServer = 192.168.2.1

Handler: cozi - {5356518D-FE9C-4E08-9C1F-1E872ECD367F} - C:\Program Files (x86)\Cozi Express\CoziProtocolHandler.dll

Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL

Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll

SubSystems: Windows = basesrv,1 winsrv:UserServerDllInitialization,3 consrv:ConServerDllInitialization,2 sxssrv,4

BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

BHO-X64: AcroIEHelperStub - No File

BHO-X64: {27B4851A-3207-45A2-B947-BE8AFE6163AB} - No File

BHO-X64: McAfee Phishing Filter - No File

BHO-X64: Conduit Engine : {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files (x86)\ConduitEngine\prxConduitEngin.dll

BHO-X64: Conduit Engine - No File

BHO-X64: Search Helper: {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll

BHO-X64: Search Helper - No File

BHO-X64: {88c7f2aa-f93f-432c-8f0e-b7d85967a527} - No File

BHO-X64: BitTorrentBar - No File

BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

BHO-X64: Skype add-on for Internet Explorer: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll

BHO-X64: SkypeIEPluginBHO - No File

BHO-X64: Bing Bar BHO: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files (x86)\MSN Toolbar\Platform\6.0.2282.0\npwinext.dll

BHO-X64: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll

TB-X64: @C:\Program Files (x86)\MSN Toolbar\Platform\6.0.2282.0\npwinext.dll,-100: {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files (x86)\MSN Toolbar\Platform\6.0.2282.0\npwinext.dll

TB-X64: {88c7f2aa-f93f-432c-8f0e-b7d85967a527} - No File

TB-X64: Conduit Engine : {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files (x86)\ConduitEngine\prxConduitEngin.dll

TB-X64: {32099AAC-C132-4136-9E9A-4E364A424E17} - No File

mRun-x64: [startCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun

mRun-x64: [Dell Webcam Central] "C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe" /mode2

mRun-x64: [(Default)]

mRun-x64: [RoxWatchTray] "c:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatchTray12OEM.exe"

mRun-x64: [Desktop Disc Tool] "c:\Program Files (x86)\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe"

mRun-x64: [Dell DataSafe Online] C:\Program Files (x86)\Dell\Dell Datasafe Online\NOBuClient.exe

mRun-x64: [Microsoft Default Manager] "C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" -resume

mRun-x64: [iolo Startup] "C:\Program Files (x86)\iolo\Common\Lib\ioloLManager.exe"

mRun-x64: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray

mRunOnce-x64: ["C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe"] "C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe"

Hosts: 69.72.252.254 www.google-analytics.com.

Hosts: 69.72.252.254 ad-emea.doubleclick.net.

Hosts: 69.72.252.254 www.statcounter.com.

Hosts: 184.95.41.155 www.google-analytics.com.

Hosts: 184.95.41.155 ad-emea.doubleclick.net.

.

Note: multiple HOSTS entries found. Please refer to Attach.txt

.

================= FIREFOX ===================

.

FF - ProfilePath - C:\Users\Jon\AppData\Roaming\Mozilla\Firefox\Profiles\yafgtmj2.default\

FF - prefs.js: browser.search.selectedEngine - Bing

FF - prefs.js: network.proxy.type - 0

FF - plugin: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll

FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\4.0.60831.0\npctrlui.dll

FF - plugin: C:\Program Files (x86)\MSN Toolbar\Platform\6.0.2282.0\npwinext.dll

FF - plugin: C:\Program Files (x86)\WildTangent Games\App\BrowserIntegration\Registered\2\NP_wtapp.dll

FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll

FF - plugin: C:\windows\SysWOW64\Macromed\Flash\NPSWF32.dll

.

============= SERVICES / DRIVERS ===============

.

R0 amd_sata;amd_sata;C:\windows\system32\DRIVERS\amd_sata.sys --> C:\windows\system32\DRIVERS\amd_sata.sys [?]

R0 amd_xata;amd_xata;C:\windows\system32\DRIVERS\amd_xata.sys --> C:\windows\system32\DRIVERS\amd_xata.sys [?]

R0 PxHlpa64;PxHlpa64;C:\windows\system32\Drivers\PxHlpa64.sys --> C:\windows\system32\Drivers\PxHlpa64.sys [?]

R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;C:\windows\system32\DRIVERS\dtsoftbus01.sys --> C:\windows\system32\DRIVERS\dtsoftbus01.sys [?]

R1 ElRawDisk;ElRawDisk;\??\C:\windows\system32\drivers\ElRawDsk.sys --> C:\windows\system32\drivers\ElRawDsk.sys [?]

R1 vwififlt;Virtual WiFi Filter Driver;C:\windows\system32\DRIVERS\vwififlt.sys --> C:\windows\system32\DRIVERS\vwififlt.sys [?]

R2 AdobeARMservice;Adobe Acrobat Update Service;C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2011-9-5 64952]

R2 AERTFilters;Andrea RT Filters Service;C:\Program Files\Realtek\Audio\HDA\AERTSr64.exe [2011-6-29 98208]

R2 AMD External Events Utility;AMD External Events Utility;C:\windows\system32\atiesrxx.exe --> C:\windows\system32\atiesrxx.exe [?]

R2 ioloSystemService;iolo System Service;C:\Program Files (x86)\iolo\Common\Lib\ioloServiceManager.exe [2011-12-24 722616]

R2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2011-12-31 652872]

R2 NOBU;Dell DataSafe Online;C:\Program Files (x86)\Dell\Dell Datasafe Online\NOBuAgent.exe [2010-8-25 2823000]

R2 SftService;SoftThinks Agent Service;C:\Program Files (x86)\Dell DataSafe Local Backup\SftService.exe [2011-6-29 1692480]

R3 amdkmdag;amdkmdag;C:\windows\system32\DRIVERS\atikmdag.sys --> C:\windows\system32\DRIVERS\atikmdag.sys [?]

R3 amdkmdap;amdkmdap;C:\windows\system32\DRIVERS\atikmpag.sys --> C:\windows\system32\DRIVERS\atikmpag.sys [?]

R3 CtClsFlt;Creative Camera Class Upper Filter Driver;C:\windows\system32\DRIVERS\CtClsFlt.sys --> C:\windows\system32\DRIVERS\CtClsFlt.sys [?]

R3 L1C;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;C:\windows\system32\DRIVERS\L1C62x64.sys --> C:\windows\system32\DRIVERS\L1C62x64.sys [?]

R3 MBAMProtector;MBAMProtector;\??\C:\windows\system32\drivers\mbam.sys --> C:\windows\system32\drivers\mbam.sys [?]

R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;C:\windows\system32\Drivers\RtsUStor.sys --> C:\windows\system32\Drivers\RtsUStor.sys [?]

R3 vwifimp;Microsoft Virtual WiFi Miniport Service;C:\windows\system32\DRIVERS\vwifimp.sys --> C:\windows\system32\DRIVERS\vwifimp.sys [?]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]

S2 RoxWatch12;Roxio Hard Drive Watcher 12;C:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatch12OEM.exe [2010-11-25 219632]

S3 GamesAppService;GamesAppService;C:\Program Files (x86)\WildTangent Games\App\GamesAppService.exe [2010-10-12 206072]

S3 RoxMediaDB12OEM;RoxMediaDB12OEM;C:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxMediaDB12OEM.exe [2010-11-25 1116656]

S3 TsUsbFlt;TsUsbFlt;C:\windows\system32\drivers\tsusbflt.sys --> C:\windows\system32\drivers\tsusbflt.sys [?]

S3 TsUsbGD;Remote Desktop Generic USB Device;C:\windows\system32\drivers\TsUsbGD.sys --> C:\windows\system32\drivers\TsUsbGD.sys [?]

S3 WatAdminSvc;Windows Activation Technologies Service;C:\windows\system32\Wat\WatAdminSvc.exe --> C:\windows\system32\Wat\WatAdminSvc.exe [?]

S4 wlcrasvc;Windows Live Mesh remote connections service;C:\Program Files\Windows Live\Mesh\wlcrasvc.exe [2010-9-22 57184]

.

=============== File Associations ===============

.

JSEFile=NOTEPAD.EXE %1

VBEFile=NOTEPAD.EXE %1

VBSFile=NOTEPAD.EXE %1

.

=============== Created Last 30 ================

.

2011-12-31 07:40:58 709968 ----a-w- C:\windows\isRS-000.tmp

2011-12-30 06:23:27 626688 ----a-w- C:\Program Files (x86)\Mozilla Firefox\msvcr80.dll

2011-12-30 06:23:26 548864 ----a-w- C:\Program Files (x86)\Mozilla Firefox\msvcp80.dll

2011-12-30 06:23:26 479232 ----a-w- C:\Program Files (x86)\Mozilla Firefox\msvcm80.dll

2011-12-30 06:23:26 43992 ----a-w- C:\Program Files (x86)\Mozilla Firefox\mozutils.dll

2011-12-28 18:10:52 -------- d-----w- C:\Temp

2011-12-25 03:23:48 -------- d-----w- C:\Users\Jon\AppData\Roaming\Trine2

2011-12-24 05:51:13 2141832 ----a-w- C:\windows\System32\Incinerator64.dll

2011-12-24 05:45:01 -------- d-----w- C:\ProgramData\IObit

2011-12-24 05:45:00 -------- d-----w- C:\Program Files (x86)\IObit

2011-12-23 04:40:41 -------- d-----w- C:\Users\Jon\AppData\Roaming\AVG

2011-12-22 23:59:50 -------- d--h--w- C:\$AVG

2011-12-22 23:02:09 -------- d-----w- C:\Users\Jon\AppData\Roaming\AVG2012

2011-12-22 23:01:12 -------- d-----w- C:\ProgramData\AVG Secure Search

2011-12-22 23:01:10 -------- d-----w- C:\Program Files (x86)\Common Files\AVG Secure Search

2011-12-22 23:01:10 -------- d-----w- C:\Program Files (x86)\AVG Secure Search

2011-12-22 21:56:19 -------- d-----w- C:\Program Files (x86)\AVG

2011-12-22 21:52:11 -------- d-----w- C:\windows\SysWow64\drivers\AVG

2011-12-22 21:50:55 -------- d-----w- C:\ProgramData\AVG2012

2011-12-22 19:57:46 -------- d--h--w- C:\ProgramData\Common Files

2011-12-22 19:57:13 -------- d-----w- C:\ProgramData\MFAData

2011-12-22 10:50:43 8822856 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{EBDDDF3F-4975-4449-9825-20554D089F1A}\mpengine.dll

2011-12-22 10:24:23 -------- d-----we C:\windows\system64

2011-12-15 18:47:19 43520 ----a-w- C:\windows\System32\csrsrv.dll

2011-12-15 18:42:19 3145216 ----a-w- C:\windows\System32\win32k.sys

2011-12-15 18:42:16 723456 ----a-w- C:\windows\System32\EncDec.dll

2011-12-15 18:42:16 534528 ----a-w- C:\windows\SysWow64\EncDec.dll

2011-12-15 18:42:12 2048 ----a-w- C:\windows\SysWow64\tzres.dll

2011-12-15 18:42:12 2048 ----a-w- C:\windows\System32\tzres.dll

.

==================== Find3M ====================

.

2011-12-12 07:35:28 45568 ----a-w- C:\windows\System32\iolobtdfg.exe

2011-12-12 07:35:12 14848 ----a-w- C:\windows\System32\smrgdf.exe

2011-12-12 06:52:12 2083464 ----a-w- C:\windows\SysWow64\Incinerator32.dll

2011-12-10 20:24:08 23152 ----a-w- C:\windows\System32\drivers\mbam.sys

2011-12-04 12:37:35 455304 ----a-w- C:\ProgramData\EkYwsHYNmxy.exe

2011-11-22 00:03:21 414368 ----a-w- C:\windows\SysWow64\FlashPlayerCPLApp.cpl

2011-11-04 01:53:39 2309120 ----a-w- C:\windows\System32\jscript9.dll

2011-11-04 01:44:47 1390080 ----a-w- C:\windows\System32\wininet.dll

2011-11-04 01:44:21 1493504 ----a-w- C:\windows\System32\inetcpl.cpl

2011-11-04 01:34:43 2382848 ----a-w- C:\windows\System32\mshtml.tlb

2011-11-03 22:47:42 1798144 ----a-w- C:\windows\SysWow64\jscript9.dll

2011-11-03 22:40:21 1427456 ----a-w- C:\windows\SysWow64\inetcpl.cpl

2011-11-03 22:39:47 1127424 ----a-w- C:\windows\SysWow64\wininet.dll

2011-11-03 22:31:57 2382848 ----a-w- C:\windows\SysWow64\mshtml.tlb

.

============= FINISH: 14:17:26.02 ===============

Attach.txt:

.

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

.

DDS (Ver_2011-08-26.01)

.

Microsoft Windows 7 Home Premium

Boot Device: \Device\HarddiskVolume2

Install Date: 8/25/2011 3:04:38 PM

System Uptime: 1/3/2012 1:47:13 PM (1 hours ago)

.

Motherboard: Dell Inc. | | 0C8PJJ

Processor: AMD Athlon II P360 Dual-Core

Processor | CPU 1 | 2300/200mhz

.

==== Disk Partitions =========================

.

C: is FIXED (NTFS) - 283 GiB total, 164.862 GiB free.

D: is CDROM ()

E: is CDROM ()

F: is CDROM ()

G: is Removable

.

==== Disabled Device Manager Items =============

.

==== System Restore Points ===================

.

RP78: 12/29/2011 6:09:38 AM - Scheduled Checkpoint

RP79: 1/2/2012 1:44:14 AM - Removed Oblivion

.

==== Hosts File Hijack ======================

.

Hosts: 69.72.252.254 www.google-analytics.com.

Hosts: 69.72.252.254 ad-emea.doubleclick.net.

Hosts: 69.72.252.254 www.statcounter.com.

Hosts: 184.95.41.155 www.google-analytics.com.

Hosts: 184.95.41.155 ad-emea.doubleclick.net.

Hosts: 184.95.41.155 www.statcounter.com.

.

==== Installed Programs ======================

.

Adobe Flash Player 10 ActiveX

Adobe Reader X (10.1.1) MUI

Advanced Audio FX Engine

Aleks 3.15

Atheros Client Installation Program

Bastion - Demo

Bejeweled 2 Deluxe

Bing Bar Platform

Bing Rewards Client Installer

BitTorrent

Blackhawk Striker 2

Bounce Symphony

Build-a-lot 2

Cake Mania

Catalyst Control Center - Branding

Catalyst Control Center Core Implementation

Catalyst Control Center Graphics Full Existing

Catalyst Control Center Graphics Full New

Catalyst Control Center Graphics Light

Catalyst Control Center Graphics Previews Common

Catalyst Control Center Graphics Previews Vista

Catalyst Control Center Localization All

ccc-core-static

CCC Help Chinese Standard

CCC Help Chinese Traditional

CCC Help Czech

CCC Help Danish

CCC Help Dutch

CCC Help English

CCC Help Finnish

CCC Help French

CCC Help German

CCC Help Greek

CCC Help Hungarian

CCC Help Italian

CCC Help Japanese

CCC Help Korean

CCC Help Norwegian

CCC Help Polish

CCC Help Portuguese

CCC Help Russian

CCC Help Spanish

CCC Help Swedish

CCC Help Thai

CCC Help Turkish

Chuzzle Deluxe

Conduit Engine

Cozi

D3DX10

DAEMON Tools Lite

Dell DataSafe Local Backup

Dell DataSafe Local Backup - Support Software

Dell DataSafe Online

Dell Getting Started Guide

Dell Home Systems Service Agreement

Dell MusicStage

Dell Perks Webslice IE8

Dell PhotoStage

Dell Product Registration

Dell Stage

Dell VideoStage

Dell Webcam Central

Diner Dash 2 Restaurant Rescue

DirectX 9 Runtime

Dora's World Adventure

Escape Whisper Valley

Fallout2

Farm Frenzy

FATE

Final Drive Fury

Final Drive Nitro

FO2 Restoration Project 2.1.2b

Game Booster 3

GameSpy Arcade

GoToAssist 8.0.0.514

Internet Explorer

iolo technologies' System Mechanic

IrfanView (remove only)

Java Auto Updater

Java 6 Update 22

Java 6 Update 24

Java 6 Update 26

Jewel Quest

Jewel Quest Solitaire 2

Junk Mail filter update

Live! Cam Avatar Creator

Luxor

Malwarebytes Anti-Malware version 1.60.0.1800

Mass Effect 2

Mesh Runtime

Microsoft Default Manager

Microsoft Search Enhancement Pack

Microsoft Silverlight

Microsoft SQL Server 2005 Compact Edition [ENU]

Microsoft Visual C++ 2005 Redistributable

Microsoft Visual C++ 2005 Redistributable - KB2467175

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161

Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219

Microsoft XNA Framework Redistributable 3.1

Mozilla Firefox 9.0.1 (x86 en-US)

MSVCRT

MSVCRT_amd64

MSXML 4.0 SP2 (KB954430)

MSXML 4.0 SP2 (KB973688)

MSXML 4.0 SP2 Parser and SDK

Namco All-Stars PAC-MAN

Norton Security Scan

NVIDIA PhysX

Oblivion

Oblivion mod manager 1.1.12

OpenOffice.org 3.3

Operation Flashpoint: Dragon Rising

Penguins!

PhotoShowExpress

Plants vs. Zombies - Game of the Year

Poker Superstars III

Polar Bowler

Polar Golfer

Portrait Professional 10.4 Trial

Punch! Home and Landscape

Realtek High Definition Audio Driver

Realtek USB 2.0 Card Reader

Roxio Activation Module

Roxio BackOnTrack

Roxio Burn

Roxio Creator Starter

Roxio Express Labeler 3

Samantha Swift

Sansa Updater

Security Update for Microsoft .NET Framework 4 Client Profile (KB2160841)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)

Security Update for Microsoft .NET Framework 4 Extended (KB2416472)

Security Update for Microsoft .NET Framework 4 Extended (KB2487367)

Skype Toolbars

Skype™ 4.2

Sonic CinePlayer Decoder Pack

Steam

Trine 2 Demo

TrustedID

Unofficial Oblivion Patch v3.2.0

Update for Microsoft .NET Framework 4 Client Profile (KB2468871)

Update for Microsoft .NET Framework 4 Client Profile (KB2473228)

Update for Microsoft .NET Framework 4 Client Profile (KB2533523)

Update for Microsoft .NET Framework 4 Extended (KB2468871)

Update for Microsoft .NET Framework 4 Extended (KB2533523)

Update Installer for WildTangent Games App

Virtual Villagers 4 - The Tree of Life

Visual Studio 2008 x64 Redistributables

VLC media player 1.1.7

Wedding Dash - Ready, Aim, Love!

WildTangent Games

WildTangent Games App (Dell Games)

Windows Live Communications Platform

Windows Live Essentials

Windows Live Installer

Windows Live Mail

Windows Live Mesh

Windows Live Mesh ActiveX Control for Remote Connections

Windows Live Messenger

Windows Live Movie Maker

Windows Live Photo Common

Windows Live Photo Gallery

Windows Live PIMT Platform

Windows Live SOXE

Windows Live SOXE Definitions

Windows Live UX Platform

Windows Live UX Platform Language Pack

Windows Live Writer

Windows Live Writer Resources

Zuma Deluxe

.

==== Event Viewer Messages From Past Week ========

.

12/31/2011 3:41:00 AM, Error: Disk [11] - The driver detected a controller error on \Device\Harddisk1\DR9.

12/31/2011 2:06:31 AM, Error: Disk [11] - The driver detected a controller error on \Device\Harddisk1\DR8.

12/31/2011 12:59:46 PM, Error: Disk [11] - The driver detected a controller error on \Device\Harddisk1\DR11.

12/31/2011 10:26:40 AM, Error: Disk [11] - The driver detected a controller error on \Device\Harddisk1\DR10.

12/31/2011 1:16:12 AM, Error: Disk [11] - The driver detected a controller error on \Device\Harddisk1\DR7.

12/30/2011 8:10:45 PM, Error: Disk [11] - The driver detected a controller error on \Device\Harddisk1\DR6.

12/30/2011 7:03:51 AM, Error: Disk [11] - The driver detected a controller error on \Device\Harddisk1\DR3.

12/30/2011 2:12:07 PM, Error: Disk [11] - The driver detected a controller error on \Device\Harddisk1\DR5.

12/30/2011 12:56:24 PM, Error: Disk [11] - The driver detected a controller error on \Device\Harddisk1\DR4.

12/30/2011 12:31:16 AM, Error: VDS Basic Provider [1] - Unexpected failure. Error code: 490@01010004

12/28/2011 5:12:27 AM, Error: volsnap [14] - The shadow copies of volume C: were aborted because of an IO failure on volume C:.

12/28/2011 3:48:04 AM, Error: Ntfs [55] - The file system structure on the disk is corrupt and unusable. Please run the chkdsk utility on the volume OS.

1/3/2012 12:51:33 AM, Error: Disk [11] - The driver detected a controller error on \Device\Harddisk1\DR2.

1/3/2012 1:48:36 PM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the SftService service.

1/3/2012 1:47:40 PM, Error: Service Control Manager [7023] - The Computer Browser service terminated with the following error: The specified service does not exist as an installed service.

1/3/2012 1:47:40 PM, Error: Service Control Manager [7003] - The IPsec Policy Agent service depends the following service: BFE. This service might not be installed.

1/3/2012 1:47:40 PM, Error: Service Control Manager [7003] - The Internet Connection Sharing (ICS) service depends the following service: BFE. This service might not be installed.

1/3/2012 1:47:40 PM, Error: Service Control Manager [7003] - The IKE and AuthIP IPsec Keying Modules service depends the following service: BFE. This service might not be installed.

1/2/2012 5:43:15 AM, Error: Disk [11] - The driver detected a controller error on \Device\Harddisk1\DR1.

1/2/2012 4:04:08 AM, Error: Service Control Manager [7024] - The HomeGroup Listener service terminated with service-specific error %%-2147023143.

1/1/2012 8:08:43 AM, Error: Disk [11] - The driver detected a controller error on \Device\Harddisk1\DR13.

1/1/2012 7:14:24 PM, Error: Disk [11] - The driver detected a controller error on \Device\Harddisk1\DR15.

1/1/2012 4:01:55 PM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the upnphost service.

1/1/2012 4:01:25 PM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the SSDPSRV service.

1/1/2012 4:00:55 PM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the FontCache service.

1/1/2012 4:00:25 PM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the FDResPub service.

1/1/2012 2:18:34 AM, Error: Disk [11] - The driver detected a controller error on \Device\Harddisk1\DR12.

.

==== End Of File ===========================

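A defender's first pass over a DDS Event Viewer block like the one above, as an added example that is not code from the original post or from the DDS tool (the sample lines are constructed in the same shape as that block, and the helper names are hypothetical): it parses each line, counts events by source and ID so the repeated Disk 11 and SCM 7003 lines stand out, lists which services failed because the same dependency (BFE, the Base Filtering Engine) is reported missing, and collects the distinct DRn device instances behind the controller errors.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the same shape as the DDS "Event Viewer Messages"
# block above (a handful of lines, not the whole block).
SAMPLE_EVENTS = """\
12/31/2011 3:41:00 AM, Error: Disk [11] - The driver detected a controller error on \\Device\\Harddisk1\\DR9.
12/31/2011 2:06:31 AM, Error: Disk [11] - The driver detected a controller error on \\Device\\Harddisk1\\DR8.
12/28/2011 3:48:04 AM, Error: Ntfs [55] - The file system structure on the disk is corrupt and unusable. Please run the chkdsk utility on the volume OS.
1/3/2012 1:47:40 PM, Error: Service Control Manager [7003] - The IPsec Policy Agent service depends the following service: BFE. This service might not be installed.
1/3/2012 1:47:40 PM, Error: Service Control Manager [7003] - The Internet Connection Sharing (ICS) service depends the following service: BFE. This service might not be installed.
1/3/2012 1:47:40 PM, Error: Service Control Manager [7023] - The Computer Browser service terminated with the following error: The specified service does not exist as an installed service.
1/2/2012 4:04:08 AM, Error: Service Control Manager [7024] - The HomeGroup Listener service terminated with service-specific error %%-2147023143.
"""

# One DDS event line: "<date> <time>, <level>: <source> [<id>] - <message>"
EVENT_RE = re.compile(
    r"^(?P<date>\d{1,2}/\d{1,2}/\d{4}) (?P<time>\d{1,2}:\d{2}:\d{2} [AP]M), "
    r"(?P<level>\w+): (?P<source>.+?) \[(?P<id>\d+)\] - (?P<message>.*)$"
)

# SCM 7003 message as DDS prints it (the word "on" is sometimes dropped).
DEP_RE = re.compile(
    r"^The (?P<svc>.+?) service depends (?:on )?the following service: (?P<dep>[^.]+)\."
)

# Device path at the end of a Disk 11 controller-error message.
DISK_RE = re.compile(r" on (?P<dev>\\Device\\\S+?)\.$")


def parse_events(text):
    """Parse DDS Event Viewer lines into dicts; non-matching lines are skipped."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["id"] = int(ev["id"])
            events.append(ev)
    return events


def count_by_source_and_id(events):
    """Counter keyed by (source, event id): repeated noise stands out at a glance."""
    return Counter((e["source"], e["id"]) for e in events)


def missing_dependencies(events):
    """Map each dependency reported missing by SCM 7003 to the services it broke.

    Several services all failing on the same dependency (BFE in the block
    above) points at the dependency itself rather than at the callers.
    """
    deps = defaultdict(list)
    for e in events:
        if e["source"] == "Service Control Manager" and e["id"] == 7003:
            m = DEP_RE.match(e["message"])
            if m:
                deps[m.group("dep")].append(m.group("svc"))
    return dict(deps)


def disk_error_devices(events):
    """Distinct \\Device\\...\\DRn paths from Disk 11 errors.

    A changing DR number on the same Harddisk means the device was
    re-enumerated between errors, i.e. a flapping drive, not one bad I/O.
    """
    devices = set()
    for e in events:
        if e["source"] == "Disk" and e["id"] == 11:
            m = DISK_RE.search(e["message"])
            if m:
                devices.add(m.group("dev"))
    return sorted(devices)


def triage(text):
    """Everything a reviewer wants from the block, in one dict."""
    events = parse_events(text)
    return {
        "total": len(events),
        "counts": count_by_source_and_id(events),
        "missing_deps": missing_dependencies(events),
        "disk_devices": disk_error_devices(events),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_EVENTS)
    for (source, eid), n in report["counts"].most_common():
        print(f"{n:3d}  {source} [{eid}]")
    for dep, services in report["missing_deps"].items():
        print(f"missing dependency {dep}: {', '.join(services)}")
    print("disk error devices:", ", ".join(report["disk_devices"]))
```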

Moderator note: This Topic belongs to TerryBogard. Apologies that the sequence below is out of order. We were in the process of merging your 2 topics into one single one. Terrybogard, please make all your replies into this topic.

Hello Terrybogard,

You will want to print out or copy these instructions to Notepad for Safe Mode/offline reference!

These steps are for member TerryBogard only. If you are a casual viewer, do NOT try this on your system!

If you are not TerryBogard and have a similar problem, do NOT post here; start your own topic

Do not run or start any other programs while these utilities and tools are in use!

Do NOT run any other tools on your own or do any fixes other than what is listed here.

If you have questions, please ask before you do something on your own.

But it is important that you get going on these following steps.

=

Close any of your open programs while you run these tools.

On most all of the following programs and tools, you will need to do a right-click on the program link or shortcut or desktop icon (as appropriate) and then select "Run as Administrator". Please remember that as you go along and use these tools, each in turn.


Step 1

1. Go >> Here << and download ERUNT

(ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.)

2. Install ERUNT by following the prompts

(use the default install settings but say no to the portion that asks you to add ERUNT to the start-up folder, if you like you can enable this option later)

3. Start ERUNT

(either by double clicking on the desktop icon or choosing to start the program at the end of the setup)

4. Choose a location for the backup

(the default location is C:\WINDOWS\ERDNT which is acceptable).

5. Make sure that at least the first two check boxes are ticked

6. Press OK

7. Press YES to create the folder.


Step 2

Show all files:

To show all files:

  • Go to your Desktop
  • Double-Click the Computer icon.
  • From the menu options, Select Tools, then Folder Options.
  • Next click the View tab.
  • Locate and uncheck Hide file extensions for known file types.
  • Locate and uncheck Hide protected operating system files (Recommended).
  • Locate and click Show hidden files and folders and drives.
  • Click Apply > OK.

Step 3

Save and close any work documents, close any apps that you started.

Start your MBAM MalwareBytes' Anti-Malware.

Click the Settings Tab and then the General Settings sub-tab. Make sure all option lines have a checkmark.

Then click the Scanner settings sub-tab in second row of tabs. Make sure all option lines have a checkmark.

Next, Click the Update tab. Press the "Check for Updates" button.

If prompted for a Restart, do that.

When done, click the Scanner tab.

Do a FULL Scan.

When the scan is complete, click OK, then Show Results to view the results.

Make sure that everything is checked, and click Remove Selected.

When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.

The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

Step 4

Download Combofix from any of the links below, and SAVE it to your Desktop.

Link 1

Link 2

**Note: It is important that it is saved directly to your Desktop and not run straight away from download.**

Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.

Right-click on Combo-Fix.exe on your Desktop and select "Run as Administrator".

  • A window may open with a warning. Accept the EULA and follow all prompts. When the scan completes Notepad will open with your results log open. Do a File, Exit and answer 'Yes' to save changes.

A caution - Do not run Combofix more than once.

Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.

The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled.

If this occurs, please reboot to restore the desktop.

Even when ComboFix appears to be doing nothing, look at your Drive light.

If it is flashing, Combofix is still at work.

A file will be created at => C:\Combofix.txt.

Note:

Do not mouseclick combofix's window nor run any program while Combofix is running.

That may cause it to stall.

Reply with a copy of the MBAM log, and the C:\Combofix.txt log

Please have a lot of patience. Your issues will take several rounds of analysis, cleanup, and tools to use.

Keep in mind also, I am a volunteer and am not on these boards all the time.


Thanks for the replies. I forgot to mention that I'm currently running Windows 7-64 bit. I downloaded both ERUNT and ComboFix and installed ERUNT. Since it only mentions Windows 2000, XP, and NT, I don't know if that would work correctly on my system. What should I do?

Also, I just ran a Malwarebytes full scan and one infected object was detected. It was the PUP. Bitminer again.


Go ahead and do all the steps, except you can skip over the MBAM for now. But I will want a copy of the last MBAM log too.

On most all tools, you will have to do RIGHT-Click and then choose Run as Administrator.

Yes, proceed and do the ERUNT and Combofix

Both will run on Win7 even if you have 64-bit Windows


Okay, I just ran both ERUNT and Combofix as instructed. For a second there, I thought a lot of my programs' registry keys had been deleted, both internet browsers and games alike. They work when I run as administrator. However, for things like txt docs, I have to first run Notepad. Just keeping a progress report.

Here's the most recent MBAM log and the combofix one.

MBAM protection-log-2012-01-03.txt:

2012/01/03 13:49:48 -0500 ALPHA Jon MESSAGE Starting protection

2012/01/03 14:19:26 -0500 ALPHA Jon ERROR Integrity verification failed failed with error code 2

2012/01/03 14:19:26 -0500 ALPHA Jon MESSAGE Protection stopped

2012/01/03 14:51:39 -0500 ALPHA Jon MESSAGE Starting protection

2012/01/03 14:51:41 -0500 ALPHA Jon ERROR Integrity verification failed failed with error code 2

2012/01/03 14:51:41 -0500 ALPHA Jon MESSAGE Protection stopped

Combofix 12-01-03.txt:

ComboFix 12-01-03.07 - Jon 01/03/2012 17:21:51.1.2 - x64

Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.3836.2580 [GMT -5:00]

Running from: c:\users\Jon\Downloads\ComboFix.exe

SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\programdata\EkYwsHYNmxy.exe

c:\windows\assembly\temp\@

c:\windows\assembly\temp\bckfg.tmp

c:\windows\assembly\temp\cfg.ini

c:\windows\assembly\temp\keywords

c:\windows\isRS-000.tmp

c:\windows\system32\consrv.dll

c:\windows\system32\drivers\etc\hosts.ics

c:\windows\system32\java.exe

c:\windows\System64

.

.

((((((((((((((((((((((((( Files Created from 2011-12-03 to 2012-01-03 )))))))))))))))))))))))))))))))

.

.

2012-01-03 22:27 . 2012-01-03 22:27 -------- d-----w- c:\users\Default\AppData\Local\temp

2012-01-03 21:01 . 2012-01-03 21:01 -------- d-----w- c:\program files (x86)\ERUNT

2011-12-30 06:23 . 2011-12-21 04:30 626688 ----a-w- c:\program files (x86)\Mozilla Firefox\msvcr80.dll

2011-12-30 06:23 . 2011-12-21 07:24 43992 ----a-w- c:\program files (x86)\Mozilla Firefox\mozutils.dll

2011-12-30 06:23 . 2011-12-21 04:30 548864 ----a-w- c:\program files (x86)\Mozilla Firefox\msvcp80.dll

2011-12-30 06:23 . 2011-12-21 04:30 479232 ----a-w- c:\program files (x86)\Mozilla Firefox\msvcm80.dll

2011-12-28 18:10 . 2011-12-30 06:42 -------- d-----w- C:\Temp

2011-12-25 03:23 . 2011-12-25 03:23 -------- d-----w- c:\users\Jon\AppData\Roaming\Trine2

2011-12-24 05:51 . 2011-12-12 06:52 2141832 ----a-w- c:\windows\system32\Incinerator64.dll

2011-12-24 05:45 . 2011-12-24 05:45 -------- d-----w- c:\programdata\IObit

2011-12-24 05:45 . 2011-12-24 05:45 -------- d-----w- c:\program files (x86)\IObit

2011-12-23 04:40 . 2011-12-23 04:46 -------- d-----w- c:\users\Jon\AppData\Roaming\AVG

2011-12-22 23:59 . 2011-12-22 23:59 -------- d-----w- C:\$AVG

2011-12-22 23:01 . 2011-12-22 23:01 -------- d-----w- c:\programdata\AVG Secure Search

2011-12-22 23:01 . 2011-12-23 05:23 -------- d-----w- c:\program files (x86)\AVG Secure Search

2011-12-22 23:01 . 2011-12-23 05:23 -------- d-----w- c:\program files (x86)\Common Files\AVG Secure Search

2011-12-22 21:56 . 2011-12-23 05:19 -------- d-----w- c:\program files (x86)\AVG

2011-12-22 21:52 . 2011-12-23 05:22 -------- d-----w- c:\windows\SysWow64\drivers\AVG

2011-12-22 21:50 . 2011-12-23 05:23 -------- d-----w- c:\programdata\AVG2012

2011-12-22 19:57 . 2011-12-22 19:57 -------- d--h--w- c:\programdata\Common Files

2011-12-22 19:57 . 2011-12-23 05:20 -------- d-----w- c:\programdata\MFAData

2011-12-22 10:50 . 2011-11-21 11:40 8822856 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{EBDDDF3F-4975-4449-9825-20554D089F1A}\mpengine.dll

2011-12-15 18:47 . 2011-10-26 05:21 43520 ----a-w- c:\windows\system32\csrsrv.dll

2011-12-15 18:42 . 2011-11-24 04:52 3145216 ----a-w- c:\windows\system32\win32k.sys

2011-12-15 18:42 . 2011-10-15 06:31 723456 ----a-w- c:\windows\system32\EncDec.dll

2011-12-15 18:42 . 2011-10-15 05:38 534528 ----a-w- c:\windows\SysWow64\EncDec.dll

2011-12-15 18:42 . 2011-11-05 05:32 2048 ----a-w- c:\windows\system32\tzres.dll

2011-12-15 18:42 . 2011-11-05 04:26 2048 ----a-w- c:\windows\SysWow64\tzres.dll

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-12-12 07:35 . 2011-08-26 04:20 45568 ----a-w- c:\windows\system32\iolobtdfg.exe

2011-12-12 07:35 . 2011-08-26 04:20 14848 ----a-w- c:\windows\system32\smrgdf.exe

2011-12-12 06:52 . 2011-08-26 04:20 2083464 ----a-w- c:\windows\SysWow64\Incinerator32.dll

2011-12-10 20:24 . 2011-09-28 01:00 23152 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-11-26 01:10 . 2011-11-26 01:10 158056 ----a-w- c:\programdata\Microsoft\Windows\Sqm\Manifest\Sqm10139.bin

2011-11-22 00:03 . 2011-09-02 01:03 414368 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{30F9B915-B755-4826-820B-08FBA6BD249D}]

2011-03-28 16:22 176936 ----a-w- c:\program files (x86)\ConduitEngine\prxConduitEngin.dll

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]

"{30F9B915-B755-4826-820B-08FBA6BD249D}"= "c:\program files (x86)\ConduitEngine\prxConduitEngin.dll" [2011-03-28 176936]

.

[HKEY_CLASSES_ROOT\clsid\{30f9b915-b755-4826-820b-08fba6bd249d}]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce]

"c:\program files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe"="c:\program files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe" [2011-10-04 559616]

.

c:\users\Jon\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

ERUNT AutoBackup.lnk - c:\program files (x86)\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"= 5 (0x5)

"ConsentPromptBehaviorUser"= 3 (0x3)

"EnableUIADesktopToggle"= 0 (0x0)

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]

"aux"=wdmaud.drv

.

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]

BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~2\AVG\AVG2012\avgrsa.exe /sync /restart

.

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ioloSystemService]

@="Service"

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

@=""

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

@="Driver"

.

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]

R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]

R3 Point64;Microsoft IntelliPoint Filter Driver;c:\windows\system32\DRIVERS\point64.sys [x]

R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]

R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [x]

R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]

R4 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2011-09-05 64952]

R4 AERTFilters;Andrea RT Filters Service;c:\program files\Realtek\Audio\HDA\AERTSr64.exe [2010-05-21 98208]

R4 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [x]

R4 GamesAppService;GamesAppService;c:\program files (x86)\WildTangent Games\App\GamesAppService.exe [2010-10-12 206072]

R4 ioloSystemService;iolo System Service;c:\program files (x86)\iolo\Common\Lib\ioloServiceManager.exe [2011-12-12 722616]

R4 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2011-12-24 652872]

R4 NOBU;Dell DataSafe Online;c:\program files (x86)\Dell\Dell Datasafe Online\NOBuAgent.exe SERVICE [x]

R4 RoxMediaDB12OEM;RoxMediaDB12OEM;c:\program files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxMediaDB12OEM.exe [2010-11-25 1116656]

R4 RoxWatch12;Roxio Hard Drive Watcher 12;c:\program files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatch12OEM.exe [2010-11-25 219632]

R4 SftService;SoftThinks Agent Service;c:\program files (x86)\dell datasafe local backup\sftservice.EXE [2011-08-18 1692480]

R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-22 57184]

S0 amd_sata;amd_sata;c:\windows\system32\DRIVERS\amd_sata.sys [x]

S0 amd_xata;amd_xata;c:\windows\system32\DRIVERS\amd_xata.sys [x]

S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [x]

S0 sptd;sptd;c:\windows\\SystemRoot\System32\Drivers\sptd.sys [x]

S1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\DRIVERS\dtsoftbus01.sys [x]

S1 ElRawDisk;ElRawDisk;c:\windows\system32\drivers\ElRawDsk.sys [x]

S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]

S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [x]

S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [x]

S3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\system32\DRIVERS\CtClsFlt.sys [x]

S3 L1C;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;c:\windows\system32\DRIVERS\L1C62x64.sys [x]

S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [x]

S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [x]

.

.

Contents of the 'Scheduled Tasks' folder

.

2011-12-26 c:\windows\Tasks\PCDoctorBackgroundMonitorTask.job

- c:\program files\Dell Support Center\uaclauncher.exe [2011-10-06 20:32]

.

2012-01-03 c:\windows\Tasks\SystemToolsDailyTest.job

- c:\program files\Dell Support Center\uaclauncher.exe [2011-10-06 20:32]

.

.

--------- x86-64 -----------

.

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"combofix"="c:\combofix\CF32278.3XE" [2010-11-21 345088]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"LoadAppInit_DLLs"=0x0

.

------- Supplementary Scan -------

.

uStart Page = hxxp://google.com/

uLocal Page = c:\windows\system32\blank.htm

TCP: DhcpNameServer = 192.168.4.4

TCP: Interfaces\{D81857EA-B366-402A-BBA4-54094C7273D4}: DhcpNameServer = 205.152.111.23 205.152.144.23

FF - ProfilePath - c:\users\Jon\AppData\Roaming\Mozilla\Firefox\Profiles\yafgtmj2.default\

FF - prefs.js: browser.search.selectedEngine - Bing

FF - prefs.js: network.proxy.type - 0

.

.

------- File Associations -------

.

JSEFile=NOTEPAD.EXE %1

.

- - - - ORPHANS REMOVED - - - -

.

URLSearchHooks-{88c7f2aa-f93f-432c-8f0e-b7d85967a527} - (no file)

BHO-{88c7f2aa-f93f-432c-8f0e-b7d85967a527} - (no file)

Toolbar-{88c7f2aa-f93f-432c-8f0e-b7d85967a527} - (no file)

AddRemove-NSS - c:\program files (x86)\Norton Security Scan\Engine\3.5.1.6\InstWrap.exe

AddRemove-Oblivion mod manager_is1 - c:\program files\Bethesda Softworks\Oblivion\obmm\uninstall\unins000.exe

AddRemove-Unofficial Oblivion Patch_is1 - c:\program files\Bethesda Softworks\Oblivion\Unofficial Oblivion Patch\unins000.exe

AddRemove-WT089446 - c:\program files (x86)\WildTangent\Dell Games\Wedding Dash - Ready

.

.

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\services\BFE]

"ImagePath"="NADA"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10x_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10x_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Shockwave Flash Object"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash10x.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]

@="0"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]

@="ShockwaveFlash.ShockwaveFlash.10"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash10x.ocx, 1"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="ShockwaveFlash.ShockwaveFlash"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Macromedia Flash Factory Object"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash10x.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]

@="FlashFactory.FlashFactory.1"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash10x.ocx, 1"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="FlashFactory.FlashFactory"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

[HKEY_LOCAL_MACHINE\software\McAfee]

"SymbolicLinkValue"=hex(6):5c,00,72,00,65,00,67,00,69,00,73,00,74,00,72,00,79,

00,5c,00,6d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,6f,00,66,00,\

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]

@Denied: (Full) (Everyone)

.

------------------------ Other Running Processes ------------------------

.

c:\program files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

.

**************************************************************************

.

Completion time: 2012-01-03 17:36:28 - machine was rebooted

ComboFix-quarantined-files.txt 2012-01-03 22:36

.

Pre-Run: 176,935,612,416 bytes free

Post-Run: 176,782,589,952 bytes free

.

- - End Of File - - F995D0405409BADCE84E20FFB3744AB4


Another progress report: Besides opening folders, I apparently cannot run any new processes unless there is a "run as administrator" option. Is this permanent?

Also, please excuse my grammar. I would like to deal with this ASAP, so I'm a little flustered. I don't mean to rush help or anything by saying that. I appreciate it and can wait as long as I have to.


I'd suggest you first have a lot of patience. It may well take several more tools to remove the infections here.

Does this system have an anti-virus program installed?

You posted the MBAM "protection log". I need the last "scan" log.

Start MBAM and Click on the LOGS tab.

Your scan logs would be something like this in the list

C:\Users\Jon\Appdata\roaming\Malwarebytes' Anti-Malware\Logs\mbam-log-2012-01-03.......txt

Highlight the latest one and then click on Open. Then copy the contents and paste here in a reply.

and do NOT use the SPOILER that you've been using.

Close all open browsers at this point.

Start Internet Explorer (fresh) by pressing Start >> Internet Explorer >> Right-Click and select Run As Administrator.

Using Internet Explorer browser only, go to ESET Online Scanner website:

http://www.eset.com/onlinescan/

  • Accept the Terms of Use and press Start button;
  • Approve the install of the required ActiveX Control, then follow on-screen instructions;
  • Enable (check) the Remove found threats option, and run the scan.
  • After the scan completes, the Details tab in the Results window will display what was found and removed.
    • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt.

    Look at contents of this file using Notepad or Wordpad.

    The Frequently Asked Questions for ESET Online Scanner can be viewed here

    http://www.eset.com/onlinescan/cac4.php?page=faq

    • From ESET Tech Support: If you have ESET NOD32 installed, you should disable it prior to running this scanner.
      Otherwise the scan will take twice as long to do:
      every time the ESET online scanner opens a file on your computer to scan it, NOD32 on your machine will rescan the file as a result.
    • It is emphasized to temporarily disable any pc-resident {active} antivirus program prior to any on-line scan by any on-line scanner.
      (And the prompt re-enabling when finished.)
    • If you use Firefox, you have to install IETab, an add-on. This is to enable ActiveX support.
    • Do not use the system while the scan is running. Once the full scan is underway, go take a long break.

Re-enable your antivirus program.

Download Security Check by screen317 and save it to your Desktop: here or here

  • Run Security Check
  • Follow the onscreen instructions inside of the command window.
  • A Notepad document should open automatically called checkup.txt; close Notepad. We will need this log, too, so remember where you've saved it!

Reply with copy of the Eset scan log AND the MBAM Scan log AND Checkup.txt


I took the liberty of doing another full scan with MBAM since the last one seemed a bit short on information. It could be the wrong file, but I'm almost positive I uploaded the correct file, earlier. Since it looks much different, I decided to post a new one. The most recent log (the one that pops up immediately after a full scan is completed) is in the spoiler.

Malwarebytes Anti-Malware (Trial) 1.60.0.1800

www.malwarebytes.org

Database version: v2012.01.03.04

Windows 7 Service Pack 1 x64 NTFS

Internet Explorer 9.0.8112.16421

Jon :: ALPHA [administrator]

Protection: Disabled

1/3/2012 7:18:27 PM

mbam-log-2012-01-03 (19-18-27).txt

Scan type: Full scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 388859

Time elapsed: 1 hour(s), 54 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

(end)


I'll do whatever it takes to fix this system. I realize making it harder for the people helping probably isn't a good idea. I trust you.

Sorry about that, Maurice Nagger. I posted that last message before your last one showed. I did what you said and got the same MBAM log as the one posted in the spoiler of my previous message.

I was putting the docs in a spoiler because I thought it would be easier to differentiate one from another that way. If you would prefer I don't, sure. It's your call. Just so we're on the same page, I'm posting the results of the scans in the order specified.

ESETSmartInstaller@High as CAB hook log:

OnlineScanner64.ocx - registred OK

OnlineScanner.ocx - registred OK

# version=7

# iexplore.exe=9.00.8112.16421 (WIN7_IE9_RTM.110308-0330)

# OnlineScanner.ocx=1.0.0.6583

# api_version=3.0.2

# EOSSerial=7e89262cf42f314eb47a0f42e042afcd

# end=finished

# remove_checked=true

# archives_checked=false

# unwanted_checked=true

# unsafe_checked=false

# antistealth_checked=true

# utc_time=2012-01-04 02:30:11

# local_time=2012-01-03 09:30:11 (-0500, Eastern Standard Time)

# country="United States"

# lang=1033

# osver=6.1.7601 NT Service Pack 1

# compatibility_mode=5893 16776574 66 94 105109 77184163 0 0

# compatibility_mode=8192 67108863 100 0 0 0 0 0

# scanned=249857

# found=5

# cleaned=5

# scan_time=3510

C:\Qoobox\Quarantine\C\ProgramData\EkYwsHYNmxy.exe.vir a variant of Win32/Kryptik.WQS trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Qoobox\Quarantine\C\Windows\System32\consrv.dll.vir Win64/Sirefef.G trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Users\Jon\Downloads\gb3-setup.exe a variant of Win32/Toolbar.Widgi application (deleted - quarantined) 00000000000000000000000000000000 C

C:\Users\Jon\Downloads\openofficewriter-setup.exe Win32/DownloadAdmin.A.Gen application (deleted - quarantined) 00000000000000000000000000000000 C

C:\Windows\assembly\temp\U\80000032.@ probably a variant of Win32/Olmarik.AVQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

Results of screen317's Security Check version 0.99.30

Windows 7 x64 (UAC is enabled)

Internet Explorer 9

``````````````````````````````

Antivirus/Firewall Check:

ESET Online Scanner v3

iolo technologies' System Mechanic

WMI entry may not exist for antivirus; attempting automatic update.

```````````````````````````````

Anti-malware/Other Utilities Check:

Java 6 Update 22

Java 6 Update 24

Java 6 Update 26

Java version out of date!

Adobe Reader X (10.1.1)

Mozilla Firefox (9.0.1)

````````````````````````````````

Process Check:

objlist.exe by Laurent

Malwarebytes' Anti-Malware mbam.exe

ESET ESET Online Scanner OnlineCmdLineScanner.exe

``````````End of Log````````````

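The ESET Online Scanner log above has a simple shape: a run of `# key=value` header lines, then one detection per line (path, threat name, action in parentheses, a 32-hex field, a one-letter flag). The five hits are not all equal, and a triage step makes that visible: two paths sit under C:\Qoobox\Quarantine, two are "application" class (potentially unwanted) installers in the Downloads folder, and only one is live malware on the running system. The following is an added example, not code from this thread or from ESET. It assumes the real log is tab-separated (pasted copies collapse the tabs to spaces, so both forms are accepted), that C:\Qoobox\Quarantine with a .vir extension is ComboFix's quarantine (an assumption based on ComboFix's documented behaviour), and that ESET's "... application" suffix marks potentially unwanted rather than outright malicious software. The sample log is constructed from the lines posted above.

```python
import re
from dataclasses import dataclass

# Constructed sample: the header keys and the five detection lines posted in
# this thread, re-joined with tabs as the real log is. Copies pasted into a
# forum usually lose the tabs, so parse_line also accepts the collapsed form.
SAMPLE_LOG = "\n".join([
    "# version=7",
    "# end=finished",
    "# remove_checked=true",
    "# scanned=249857",
    "# found=5",
    "# cleaned=5",
    "# scan_time=3510",
    "\t".join([r"C:\Qoobox\Quarantine\C\ProgramData\EkYwsHYNmxy.exe.vir",
               "a variant of Win32/Kryptik.WQS trojan",
               "(cleaned by deleting - quarantined)", "0" * 32, "C"]),
    "\t".join([r"C:\Qoobox\Quarantine\C\Windows\System32\consrv.dll.vir",
               "Win64/Sirefef.G trojan",
               "(cleaned by deleting - quarantined)", "0" * 32, "C"]),
    "\t".join([r"C:\Users\Jon\Downloads\gb3-setup.exe",
               "a variant of Win32/Toolbar.Widgi application",
               "(deleted - quarantined)", "0" * 32, "C"]),
    "\t".join([r"C:\Users\Jon\Downloads\openofficewriter-setup.exe",
               "Win32/DownloadAdmin.A.Gen application",
               "(deleted - quarantined)", "0" * 32, "C"]),
    "\t".join([r"C:\Windows\assembly\temp\U\80000032.@",
               "probably a variant of Win32/Olmarik.AVQ trojan",
               "(cleaned by deleting - quarantined)", "0" * 32, "C"]),
])

# ComboFix keeps its quarantine under C:\Qoobox\Quarantine and renames the
# files with a .vir extension (assumption, see lead-in); hits there were
# already inert before ESET ran.
QUARANTINE_PREFIXES = (r"c:\qoobox\quarantine",)

# Space-collapsed detection line: drive path without spaces, free-text threat
# name, action in parentheses, 32-hex field, one-letter flag.
COLLAPSED_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\\S*)\s+(?P<threat>.+?)\s+\((?P<action>[^)]*)\)"
    r"\s+(?P<hash>[0-9a-fA-F]{32})\s+(?P<flag>\S+)$"
)
FAMILY_RE = re.compile(r"[A-Za-z0-9]+/[A-Za-z0-9.]+")   # e.g. Win32/Olmarik.AVQ


@dataclass
class Detection:
    path: str
    threat: str
    action: str
    hash_field: str   # all zeros in the log above; not a usable hash
    flag: str

    @property
    def family(self) -> str:
        m = FAMILY_RE.search(self.threat)
        return m.group(0) if m else self.threat

    @property
    def category(self) -> str:
        if self.path.lower().startswith(QUARANTINE_PREFIXES):
            return "already_quarantined"
        # ESET labels potentially unwanted software "... application" rather
        # than "trojan", "worm" etc. (assumption, see lead-in).
        if self.threat.endswith(" application"):
            return "potentially_unwanted"
        return "active_malware"


def parse_line(line: str):
    """Return a Detection for a detection line, or None for header/blank lines."""
    line = line.rstrip("\r\n")
    if not line or line.startswith("#"):
        return None
    parts = line.split("\t")
    if len(parts) == 5:
        path, threat, action, hash_field, flag = (p.strip() for p in parts)
        return Detection(path, threat, action.strip("()"), hash_field, flag)
    m = COLLAPSED_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised detection line: {line!r}")
    return Detection(m["path"], m["threat"], m["action"], m["hash"], m["flag"])


def parse_log(text: str):
    """Split the log into its '# key=value' header and the detection records."""
    header, detections = {}, []
    for line in text.splitlines():
        if line.startswith("# ") and "=" in line:
            key, _, value = line[2:].partition("=")
            header.setdefault(key, value)   # compatibility_mode repeats; keep the first
        else:
            d = parse_line(line)
            if d:
                detections.append(d)
    return header, detections


def triage(text: str) -> dict:
    """Count detections per category and cross-check the header's own totals."""
    header, detections = parse_log(text)
    counts = {"already_quarantined": 0, "potentially_unwanted": 0, "active_malware": 0}
    for d in detections:
        counts[d.category] += 1
    consistent = (
        header.get("end") == "finished"
        and header.get("found") == str(len(detections))
        and header.get("cleaned") == header.get("found")
    )
    return {"header": header, "detections": detections,
            "counts": counts, "consistent": consistent}


def live_paths(text: str) -> list:
    """Paths that were live malware on the running system: the hits that matter
    for the 'serious infection' call, as opposed to quarantined or PUA ones."""
    _, detections = parse_log(text)
    return [d.path for d in detections if d.category == "active_malware"]


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print(result["counts"], "header consistent:", result["consistent"])
    for d in result["detections"]:
        print(f"{d.category:20} {d.family:28} {d.path}")
```

Run against the sample, `live_paths` returns only the C:\Windows\assembly\temp\U\80000032.@ entry, the component that later prompts the reformat advice; the two Qoobox hits were already quarantined copies and the two Downloads hits are installers, not a running infection.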

Terry,

Just so you are very aware: all PCs have to have an antivirus program for protection. MBAM (an outstanding app) does not have an anti-virus component.

Without an anti-virus, your system is a sitting duck for more infections.

"After" you finish this next step, install your Trend Micro Titanium, do an Update function run to get the most current definition database.

Download aswMBR.exe ( 511KB ) to your desktop.

RIGHT click the aswMBR.exe and select Run As Administrator to start it.

Change the a-v scan to None.

Uncheck "trace disk IO calls".

Click the "Scan" button to start the scan.

On completion of the scan, click "Save log", save it to your desktop and post it in your next reply. Exit aswMBR.

Your system has a very serious malware infection. There will be much more to do.

Do not do any websurfing, or any online games, or any multi-media searches/downloads.


Maurice,

Thanks for the help, but I ran into another problem and it's my fault. I wanted to see if I could restore the disabled functions on my computer due to ERUNT, but when I did, it completely wrecked my system. Completely unexpected. Long story short, I had to do a factory reset. The worst part of it is that even after all that, something appears to still be uploading from my computer. I know someone nearby who is helping me with it, so we'll see what we can do from here.

I don't think it was your fault at all. I screwed up by fooling around. Have a nice day.


The system had a serious backdoor trojan. Ref this entry from one of the logs: "Win32/Olmarik.AVQ trojan"

See http://www.eset.eu/encyclopaedia/win32-olmarik-rn-trojan-downloader-agent-dmes-backdoor-tidserv-k-alureon-ct?lng=en

You need to do a complete wipe (reformat) of the HDD and a clean NEW install of the system.

Backdoor trojans allow hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

The best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

First order of business after rebuilding the new Windows setup, is to put on a fresh install of an anti-virus program.

If this is an OEM system, and you do a System Recovery install, de-install (remove) any antivirus app that came with it. They will be obsolete and out of date (unless your new purchase was within the past one year).

I'd also highly encourage you to install MBAM Pro, for real-time online protection.

Always do your best to stay SAFE.

This topic is now closed to further replies.