warriorofdarkness Posted August 23, 2012 ID:589228 Share Posted August 23, 2012 I have a fun bunch here. the malware prevents me from using google search, creates pop up windows, redirects web pages and occasionally crashes the computer. I have tried malware bytes but the malware either doesn't get caught or reinstalls. I've included the most recent malware bytes log and a hijack this logMalware bytes run from safe mode:Malwarebytes Anti-Malware 1.62.0.1300www.malwarebytes.orgDatabase version: v2012.08.15.07Windows Vista Service Pack 2 x86 NTFS (Safe Mode)Internet Explorer 9.0.8112.16421user :: USER-PC [administrator]8/22/2012 11:06:57 AMmbam-log-2012-08-22 (11-06-57).txtScan type: Quick scanScan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUMScan options disabled: P2PObjects scanned: 309871Time elapsed: 12 minute(s), 59 second(s)Memory Processes Detected: 0(No malicious items detected)Memory Modules Detected: 0(No malicious items detected)Registry Keys Detected: 0(No malicious items detected)Registry Values Detected: 0(No malicious items detected)Registry Data Items Detected: 0(No malicious items detected)Folders Detected: 0(No malicious items detected)Files Detected: 0(No malicious items detected)(end)Hijack This log:Logfile of Trend Micro HijackThis v2.0.4Scan saved at 11:46:43 AM, on 8/22/2012Platform: Windows Vista SP2 (WinNT 6.00.1906)MSIE: Internet Explorer v9.00 (9.00.8112.16447)Boot mode: Safe modeRunning processes:C:\Windows\Explorer.EXEC:\Windows\helppane.exeC:\Windows\system32\wbem\unsecapp.exeC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\user\Downloads\HijackThis.exeR0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchnu.com/406R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.c...ys=DTP&M=GT5674R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1:9421;<local>R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =R3 - URLSearchHook: AIM Toolbar Search Class - {03402f96-3dc7-4285-bc50-9e81fefafe43} - C:\Program Files\AIM Toolbar\aimtb.dllR3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dllO2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dllO2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dllO2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dllO2 - BHO: Trend Micro NSC BHO - {1CA1377B-DC1D-4A52-9585-6E06050FAC53} - C:\Program Files\Trend Micro\AMSP\Module\20004\1.5.1504\6.6.1088\TmIEPlg.dllO2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dllO2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dllO2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dllO2 - BHO: SkypeIEPluginBHO - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dllO2 - BHO: AIM Toolbar Loader - {b0cda128-b425-4eef-a174-61a11ac5dbf8} - C:\Program Files\AIM Toolbar\aimtb.dllO2 - BHO: TmBpIeBHO - {BBACBAFD-FA5E-4079-8B33-00EB9F13D4AC} - C:\Program Files\Trend Micro\AMSP\Module\20002\6.6.1010\6.6.1010\TmBpIe32.dllO2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dllO2 - BHO: Ask Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dllO2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Oracle\JavaFX 2.0 Runtime\bin\jp2ssv.dllO2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dllO2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dllO3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)O3 - Toolbar: AIM Toolbar - {61539ecd-cc67-4437-a03c-9aaccbd14326} - C:\Program Files\AIM Toolbar\aimtb.dllO3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dllO3 - Toolbar: Ask Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dllO3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dllO3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dllO4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exeO4 - HKLM\..\Run: [buttonMonitor] "C:\Program Files\IOI\ButtonMonitor.exe"O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"O4 - HKLM\..\Run: [CanonSolutionMenu] "C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe" /logonO4 - HKLM\..\Run: [CanonMyPrinter] "C:\Program Files\Canon\MyPrinter\BJMyPrt.exe" /logonO4 - HKLM\..\Run: [amd_dc_opt] "C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe"O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscriptO4 - HKLM\..\Run: [Trend Micro Titanium] "C:\Program Files\Trend Micro\Titanium\UIFramework\uiWinMgr.exe" -set Silent "1" SplashURL ""O4 - HKLM\..\Run: [AdobeAAMUpdater-1.0] "C:\Program Files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe"O4 - HKLM\..\Run: [switchBoard] C:\Program Files\Common Files\Adobe\SwitchBoard\SwitchBoard.exeO4 - HKLM\..\Run: [Trend Micro Client Framework] "C:\Program Files\Trend Micro\UniClient\UiFrmWrk\UIWatchDog.exe"O4 - HKLM\..\Run: [AdobeCS5.5ServiceManager] "C:\Program Files\Common Files\Adobe\CS5.5ServiceManager\CS5.5ServiceManager.exe" -launchedbyloginO4 - HKLM\..\Run: [skytel] Skytel.exeO4 - HKLM\..\Run: [ApnUpdater] "C:\Program Files\Ask.com\Updater\Updater.exe"O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"O4 - HKLM\..\Run: [Adobe Acrobat Speed Launcher] "F:\Adobe\Acrobat 10.0\Acrobat\Acrobat_sl.exe"O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "F:\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe"O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"O4 - HKLM\..\Run: [Cisco AnyConnect Secure Mobility Agent for Windows] "C:\Program Files\Cisco\Cisco AnyConnect Secure Mobility Client\vpnui.exe" -minimizedO4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottimeO4 - HKLM\..\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe"O4 - HKLM\..\Run: [LogMeIn Hamachi Ui] "C:\Program Files\LogMeIn Hamachi\hamachi-2-ui.exe" --auto-startO4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exeO4 - HKCU\..\Run: [sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRunO4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exeO4 - HKCU\..\Run: [RunSpySweeperScheduleAtStartup] "C:\Windows\system32\msfeedssync.exe" /ScheduleSweep=User_Feed_Synchronization-{867286F8-BEDF-4276-B8D0-ABDD8C71BBF1}O4 - HKCU\..\Run: [AdobeUpdater] "C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe"O4 - HKCU\..\Run: [steam] "c:\program files\steam\steam.exe" -silentO4 - HKCU\..\Run: [igndlm.exe] "C:\Program Files\Download Manager\DLM.exe" /windowsstart /startifworkO4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"O4 - HKCU\..\Run: [EA Core] "C:\Program Files\Electronic Arts\EADM\Core.exe" -silentO4 - HKCU\..\Run: [Google Update] "C:\Users\user\AppData\Local\Google\Update\GoogleUpdate.exe" /cO4 - HKCU\..\Run: [Akamai NetSession Interface] "C:\Users\user\AppData\Local\Akamai\netsession_win.exe"O4 - HKCU\..\Run: [daddeabdfdct] "C:\ProgramData\daddeabdfdct.exe"O4 - Startup: Dropbox.lnk = C:\Users\user\AppData\Roaming\Dropbox\bin\Dropbox.exeO4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXEO4 - Startup: RCA Detective.lnk = C:\Users\user\Documents\RCA Detective\RCADetective.exeO4 - Global Startup: AFS Credentials.lnk = C:\Program Files\OpenAFS\Client\Program\afscreds.exeO4 - Global Startup: McAfee Security Scan Plus.lnk = ?O4 - Global Startup: VPN Client.lnk = ?O4 - Global Startup: WDDMStatus.lnk = C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exeO8 - Extra context menu item: &AIM Toolbar Search - C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\local\search.htmlO8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.htmlO8 - Extra context menu item: Open with &ZipScan - C:\PROGRA~1\ZIPSCA~1\zs_ie.htmO9 - Extra button: AIM Toolbar - {0b83c99c-1efa-4259-858f-bcb33e007a5b} - C:\Program Files\AIM Toolbar\aimtb.dllO9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dllO9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dllO9 - Extra button: Skype Click to Call - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dllO9 - Extra 'Tools' menuitem: Skype Click to Call - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dllO9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLLO11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphicsO16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.appl...ex/qtplugin.cabO16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebo...toUploader5.cabO16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} (System Requirements Lab) - http://www.nvidia.co...sreqlab_nvd.cabO16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplane..._2.3.10.115.cabO16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1006.cabO16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) -O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.ad...Plus/1.6/gp.cabO18 - Protocol: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dllO18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLLO18 - Protocol: tmbp - {1A77E7DC-C9A0-4110-8A37-2F36BAE71ECF} - C:\Program Files\Trend Micro\AMSP\Module\20002\6.6.1010\6.6.1010\TmBpIe32.dllO18 - Protocol: tmpx - {0E526CB5-7446-41D1-A403-19BFE95E8C23} - C:\Program Files\Trend Micro\AMSP\Module\20004\1.5.1504\6.6.1088\TmIEPlg.dllO20 - Winlogon Notify: AfsLogon - C:\Program Files\OpenAFS\Client\Program\afslogon.dllO22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dllO23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exeO23 - Service: AMD External Events Utility - AMD - C:\Windows\system32\atiesrxx.exeO23 - Service: Trend Micro Solution Platform (Amsp) - Trend Micro Inc. - C:\Program Files\Trend Micro\AMSP\coreServiceShell.exeO23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exeO23 - Service: Dragon Age: Origins - Content Updater (DAUpdaterSvc) - BioWare - C:\Program Files\Dragon Age\bin_ship\DAUpdaterSvc.Service.exeO23 - Service: Google Update Service (gupdate1c9e085999c3c3f) (gupdate1c9e085999c3c3f) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exeO23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exeO23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exeO23 - Service: LogMeIn Hamachi Tunneling Engine (Hamachi2Svc) - LogMeIn Inc. - C:\Program Files\LogMeIn Hamachi\hamachi-2.exeO23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exeO23 - Service: PIXMA Extended Survey Program (IJPLMSVC) - Unknown owner - C:\Program Files\Canon\IJPLM\IJPLMSVC.EXEO23 - Service: McAfee Security Scan Component Host Service (McComponentHostService) - McAfee, Inc. - C:\Program Files\McAfee Security Scan\2.0.181\McCHSvc.exeO23 - Service: Mozilla Maintenance Service (MozillaMaintenance) - Mozilla Foundation - C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exeO23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exeO23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYSO23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies, Inc. - C:\Program Files\WinPcap\rpcapd.exeO23 - Service: Skype Updater (SkypeUpdate) - Skype Technologies - C:\Program Files\Skype\Updater\Updater.exeO23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exeO23 - Service: Adobe SwitchBoard (SwitchBoard) - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\SwitchBoard\SwitchBoard.exeO23 - Service: OpenAFS Client Service (TransarcAFSDaemon) - OpenAFS Project - C:\Program Files\OpenAFS\Client\Program\afsd_service.exeO23 - Service: Cisco AnyConnect Secure Mobility Agent (vpnagent) - Cisco Systems, Inc. - C:\Program Files\Cisco\Cisco AnyConnect Secure Mobility Client\vpnagent.exeO23 - Service: WDDMService - WDC - C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exeO23 - Service: WD File Management Engine (WDFME) - Unknown owner - C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDFME\WDFME.exeO23 - Service: WD File Management Shadow Engine (WDSC) - Unknown owner - C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSC.exe--End of file - 14475 bytes Link to post Share on other sites More sharing options...
MrCharlie Posted August 23, 2012 ID:589235 Share Posted August 23, 2012 Welcome to the forum, please start at the link below:http://forums.malwar...?showtopic=9573Post back the 2 logs here.....DDS.txt and Attach.txt<====><====><====><====><====><====><====><====>Next.......Please remove any usb or external drives from the computer before you run this scan!Please download and run RogueKiller to your desktop.For Windows XP, double-click to start.For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.Click Scan to scan the system.When the scan completes > Close out the program > Don't Fix anything!Don't run any other options, they're not all bad!!!!!!!Post back the report which should be located on your desktop.MrC Link to post Share on other sites More sharing options...
warriorofdarkness Posted August 23, 2012 Author ID:589258 Share Posted August 23, 2012 Neither of the DDS files runs properly the .scr just opens in notepad and.com throws up an error that says a device on this system is not functioning Link to post Share on other sites More sharing options...
MrCharlie Posted August 23, 2012 ID:589260 Share Posted August 23, 2012 Can you run RogueKiller?? MrC Link to post Share on other sites More sharing options...
warriorofdarkness Posted August 23, 2012 Author ID:589262 Share Posted August 23, 2012 Nope same error as DDC.com Link to post Share on other sites More sharing options...
MrCharlie Posted August 23, 2012 ID:589266 Share Posted August 23, 2012 See if you can run this scan.............For x32 (x86) bit systems download Farbar Recovery Scan Tool and save it to a flash drive.For x64 bit systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.How to tell > 32 or 64 bitPlug the flashdrive into the infected PC.Enter System Recovery Options.To enter System Recovery Options from the Advanced Boot Options:Restart the computer.As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.Use the arrow keys to select the Repair your computer menu item.Select US as the keyboard language settings, and then click Next.Select the operating system you want to repair, and then click Next.Select your user account an click Next.To enter System Recovery Options by using Windows installation disc:Insert the installation disc.Restart your computer.If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.Click Repair your computer.Select US as the keyboard language settings, and then click Next.Select the operating system you want to repair, and then click Next.Select your user account and click Next.On the System Recovery Options menu you will get the following options:Startup RepairSystem RestoreWindows Complete PC RestoreWindows Memory Diagnostic ToolCommand Prompt[*]Select Command Prompt[*]In the command window type in notepad and press Enter.[*]The notepad opens. Under File menu select Open.[*]Select "Computer" and find your flash drive letter and close the notepad.[*]In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press EnterNote: Replace letter e with the drive letter of your flash drive.[*]The tool will start to run.[*]When the tool opens click Yes to disclaimer.[*]Press Scan button.[*]FRST will let you know when the scan is complete and has written the FRST.txt to file, close out this message, then type the following into the search box:services.exe[*]Now press the Search button[*]When the search is complete, search.txt will also be written to your USB[*]Type exit and reboot the computer normally[*]Please copy and paste both logs in your reply.(FRST.txt and Search.txt)MrC Link to post Share on other sites More sharing options...
warriorofdarkness Posted August 23, 2012 Author ID:589285 Share Posted August 23, 2012 problem when I click repair your computer rather then asking for language or os settings it takes me to a vista log in screen with the only option being other user. when i click other user it asks for a username and password but when I enter the admin username and password an error comes up saying it does not recognize the domain. Link to post Share on other sites More sharing options...
MrCharlie Posted August 23, 2012 ID:589299 Share Posted August 23, 2012 This scan can be run in safe mode if needed.Please read the directions carefully so you don't end up deleting something that is good!!Please download the latest version of TDSSKiller from here and save it to your Desktop.Doubleclick on TDSSKiller.exe to run the application, then click on Change parameters.Put a checkmark beside loaded modules.A reboot will be needed to apply the changes. Do it.TDSSKiller will launch automatically after the reboot. Also your computer may seem very slow and unusable. This is normal. Give it enough time to load your background programs.Then click on Change parameters in TDSSKiller.Check all boxes then click OK.Click the Start Scan button.The scan should take no longer than 2 minutes.If a suspicious object is detected, the default action will be Skip, click on Continue.If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.Sometimes these logs can be very large, in that case please attach it or zip it up and attach it.Here's a summary of what to do if you would like to print it out:If a suspicious object is detected, the default action will be Skip, click on ContinueIf you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic please chooseSkip and click on ContinueIf malicious objects are found, they will show in the Scan results and offer three (3) options.Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.MrC Link to post Share on other sites More sharing options...
warriorofdarkness Posted August 24, 2012 Author ID:589590 Share Posted August 24, 2012 here are the logs. the first time I ran the scan the computer crashed before I could finish so I ran it again I'm including everything I have.TDSSKiller.2.8.7.0_23.08.2012_18.58.27_log.txtTDSSKiller.2.8.7.0_23.08.2012_19.17.50_log.txtTDSSKiller.2.8.7.0_23.08.2012_19.22.16_log.txtTDSSKiller.2.8.7.0_23.08.2012_19.46.22_log.txtTDSSKiller.2.8.7.0_23.08.2012_19.51.15_log.txt Link to post Share on other sites More sharing options...
MrCharlie Posted August 24, 2012 ID:589592 Share Posted August 24, 2012 Run TDSSKiller again and choose Delete for this one only: (no need to post the log)19:29:43.0554 0352 \Device\Harddisk0\DR0 ( TDSS File System ) - skipped by user19:29:43.0554 0352 \Device\Harddisk0\DR0 ( TDSS File System ) - User select action: Skip~~~~~~~~~~~~~~~~~~~~~~~Then..........Please download and run ComboFix.The most important things to remember when running it is to disable all your malware programs and run Combofix from your desktop.Please visit this webpage for download links, and instructions for running ComboFixhttp://www.bleepingc...to-use-combofixEnsure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.Information on disabling your malware programs can be found Here.Make sure you run ComboFix from your desktop. Give it at least 30-45 minutes to finish if needed.Please include the C:\ComboFix.txt in your next reply for further review.---------->NOTE<----------If you get the message Illegal operation attempted on registry key that has been marked for deletion after you run ComboFix....please reboot the computer, this should resolve the problem. You may have to do this several times if needed.MrC Link to post Share on other sites More sharing options...
warriorofdarkness Posted August 25, 2012 Author ID:589916 Share Posted August 25, 2012 After installing and running combofix the program has stalled while trying to create a system restore point. The step says it should take 10 minutes and has been running since last night. Link to post Share on other sites More sharing options...
MrCharlie Posted August 25, 2012 ID:589923 Share Posted August 25, 2012 Try it like this......Delete your copy of ComboFix. Grab a fresh copy and save it to your Desktop, but do not run it yet.Please reboot to Safe Mode (tap the F8 key just before Windows starts to load and select the Safe Mode option from the menu).Click Start --> Run, and enter this command exactly as shown: (copy and paste)"%userprofile%\desktop\combofix.exe" /nombrSee if it will run successfully now. MrC Link to post Share on other sites More sharing options...
warriorofdarkness Posted August 25, 2012 Author ID:589949 Share Posted August 25, 2012 When it runs in safe mode the following error comes up.Error saving fileC:\Windows\erdnt\Hiv-backup\security!Continue with next file?[RegCreateKeyEx: 5- Access is denied] Link to post Share on other sites More sharing options...
MrCharlie Posted August 25, 2012 ID:589954 Share Posted August 25, 2012 Try it again and just continue , MrC Link to post Share on other sites More sharing options...
warriorofdarkness Posted August 26, 2012 Author ID:590164 Share Posted August 26, 2012 Several more of the above error pop up and after continuing through them the program stops running and no blue window appears. Link to post Share on other sites More sharing options...
MrCharlie Posted August 26, 2012 ID:590172 Share Posted August 26, 2012 Please Update and run a Full Scan with MBAM, post the report.Make sure that everything is checked, and click Remove Selected.MrC Link to post Share on other sites More sharing options...
warriorofdarkness Posted August 27, 2012 Author ID:590509 Share Posted August 27, 2012 Here are the results of the logMalwarebytes Anti-Malware 1.62.0.1300www.malwarebytes.orgDatabase version: v2012.08.23.07Windows Vista Service Pack 2 x86 NTFSInternet Explorer 9.0.8112.16421user :: USER-PC [administrator]8/26/2012 2:04:07 PMmbam-log-2012-08-27 (01-11-34).txtScan type: Full scan (C:\|D:\|E:\|H:\|I:\|J:\|K:\|)Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUMScan options disabled: P2PObjects scanned: 931826Time elapsed: 6 hour(s), 34 minute(s),Memory Processes Detected: 0(No malicious items detected)Memory Modules Detected: 0(No malicious items detected)Registry Keys Detected: 0(No malicious items detected)Registry Values Detected: 0(No malicious items detected)Registry Data Items Detected: 0(No malicious items detected)Folders Detected: 0(No malicious items detected)Files Detected: 10C:\TDSSKiller_Quarantine\23.08.2012_19.22.16\zasubsys0000\zafs0000\tsk0000.dta (Trojan.0access) -> No action taken.C:\TDSSKiller_Quarantine\23.08.2012_19.22.16\zasubsys0000\zafs0000\tsk0004.dta (Rootkit.Zaccess) -> No action taken.C:\TDSSKiller_Quarantine\23.08.2012_19.22.16\zasubsys0000\zafs0000\tsk0005.dta (Trojan.Dropper.BCMiner) -> No action taken.C:\TDSSKiller_Quarantine\23.08.2012_19.22.16\zasubsys0000\zafs0000\tsk0006.dta (Rootkit.0Access) -> No action taken.C:\TDSSKiller_Quarantine\23.08.2012_19.22.16\zasubsys0000\zafs0000\tsk0007.dta (Rootkit.0Access) -> No action taken.C:\TDSSKiller_Quarantine\23.08.2012_19.22.16\zasubsys0000\zafs0000\tsk0008.dta (Rootkit.0Access) -> No action taken.C:\TDSSKiller_Quarantine\23.08.2012_19.22.16\zasubsys0000\zafs0000\tsk0012.dta (Trojan.Zaccess) -> No action taken.C:\TDSSKiller_Quarantine\23.08.2012_19.22.16\zasubsys0000\zafs0000\tsk0013.dta (Rootkit.0Access) -> No action taken.C:\Windows\System32\config\systemprofile\AppData\Local\{a2eb9bd1-6120-3c93-b9a9-a9185419fa36}\n (Trojan.Zaccess) -> No action taken.C:\ProgramData\Microsoft\Windows\DRM\42D6.tmp (Trojan.Agent.BRVGen) -> No action taken.(end) Link to post Share on other sites More sharing options...
warriorofdarkness Posted August 27, 2012 Author ID:590511 Share Posted August 27, 2012 Whoops wrong logScan type: Full scan (C:\|D:\|E:\|H:\|I:\|J:\|K:\|)Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUMScan options disabled: P2PObjects scanned: 931826Time elapsed: 6 hour(s), 34 minute(s),Memory Processes Detected: 0(No malicious items detected)Memory Modules Detected: 0(No malicious items detected)Registry Keys Detected: 0(No malicious items detected)Registry Values Detected: 0(No malicious items detected)Registry Data Items Detected: 0(No malicious items detected)Folders Detected: 0(No malicious items detected)Files Detected: 10C:\TDSSKiller_Quarantine\23.08.2012_19.22.16\zasubsys0000\zafs0000\tsk0000.dta (Trojan.0access) -> Quarantined and deleted successfully.C:\TDSSKiller_Quarantine\23.08.2012_19.22.16\zasubsys0000\zafs0000\tsk0004.dta (Rootkit.Zaccess) -> Quarantined and deleted successfully.C:\TDSSKiller_Quarantine\23.08.2012_19.22.16\zasubsys0000\zafs0000\tsk0005.dta (Trojan.Dropper.BCMiner) -> Quarantined and deleted successfully.C:\TDSSKiller_Quarantine\23.08.2012_19.22.16\zasubsys0000\zafs0000\tsk0006.dta (Rootkit.0Access) -> Quarantined and deleted successfully.C:\TDSSKiller_Quarantine\23.08.2012_19.22.16\zasubsys0000\zafs0000\tsk0007.dta (Rootkit.0Access) -> Quarantined and deleted successfully.C:\TDSSKiller_Quarantine\23.08.2012_19.22.16\zasubsys0000\zafs0000\tsk0008.dta (Rootkit.0Access) -> Quarantined and deleted successfully.C:\TDSSKiller_Quarantine\23.08.2012_19.22.16\zasubsys0000\zafs0000\tsk0012.dta (Trojan.Zaccess) -> Quarantined and deleted successfully.C:\TDSSKiller_Quarantine\23.08.2012_19.22.16\zasubsys0000\zafs0000\tsk0013.dta (Rootkit.0Access) -> Quarantined and deleted successfully.C:\Windows\System32\config\systemprofile\AppData\Local\{a2eb9bd1-6120-3c93-b9a9-a9185419fa36}\n (Trojan.Zaccess) -> Quarantined and deleted successfully.C:\ProgramData\Microsoft\Windows\DRM\42D6.tmp (Trojan.Agent.BRVGen) -> Quarantined and deleted successfully.(end) Link to post Share on other sites More sharing options...
MrCharlie Posted August 27, 2012 ID:590516 Share Posted August 27, 2012 How is it?? MrC Link to post Share on other sites More sharing options...
warriorofdarkness Posted August 27, 2012 Author ID:590525 Share Posted August 27, 2012 everthing seems to be running fine. Link to post Share on other sites More sharing options...
MrCharlie Posted August 27, 2012 ID:590532 Share Posted August 27, 2012 Good......Please do this:Download Security Check by screen317 from HERE or HERE.Save it to your Desktop.Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.A Notepad document should open automatically called checkup.txt; please post the contents of that document.MrC Link to post Share on other sites More sharing options...
warriorofdarkness Posted August 28, 2012 Author ID:590889 Share Posted August 28, 2012 Here's the results Results of screen317's Security Check version 0.99.48 Windows Vista Service Pack 2 x86 (UAC is enabled) Internet Explorer 9 ``````````````Antivirus/Firewall Check:``````````````Titanium Internet Security Antivirus out of date! (On Access scanning disabled!)`````````Anti-malware/Other Utilities Check:````````` Malwarebytes Anti-Malware version 1.62.0.1300 JavaFX 2.0.2 JavaFX 2.0.2 SDK Java 6 Update 25 Java 7 Update 2 Java 6 Update 4 Java SE Development Kit 7 Java SE Development Kit 7 Update 2 Java version out of Date! Adobe Flash Player 10 Flash Player out of Date! Adobe Flash Player 11.3.300.270 Adobe Reader 8 Adobe Reader out of Date! Mozilla Firefox (14.0.1) Google Chrome 21.0.1180.79 Google Chrome 21.0.1180.83 ````````Process Check: objlist.exe by Laurent```````` Trend Micro AMSP coreServiceShell.exe Trend Micro UniClient UiFrmWrk uiWatchDog.exe Trend Micro AMSP coreFrameworkHost.exe `````````````````System Health check````````````````` Total Fragmentation on Drive C: 24 % Defragment your hard drive soon! (Do NOT defrag if SSD!)````````````````````End of Log`````````````````````` Link to post Share on other sites More sharing options...
MrCharlie Posted August 28, 2012 ID:590892 Share Posted August 28, 2012 Titanium Internet SecurityAntivirus out of date! (On Access scanning disabled!) <------------fix this`````````Anti-malware/Other Utilities Check:`````````Malwarebytes Anti-Malware version 1.62.0.1300JavaFX 2.0.2 <------uninstallJavaFX 2.0.2 SDK <------uninstallJava™ 6 Update 25 <------uninstallJava™ 7 Update 2 <---update itJava™ 6 Update 4 <------uninstallJava™ SE Development Kit 7 <------uninstall if you don't use itJava™ SE Development Kit 7 Update 2 <------uninstall if you don't use itJava version out of Date!Adobe Flash Player 10 Flash Player out of Date! <---updateAdobe Flash Player 11.3.300.270Adobe Reader 8 Adobe Reader out of Date! <---updateMozilla Firefox (14.0.1)Google Chrome 21.0.1180.79Google Chrome 21.0.1180.83Several of your programs are out of dateOlder versions are vulnerable to malware...please update or uninstall themYou can find this info in my Preventive Maintenance below~~~~~~~~~~~~~~~~~~~~A little clean up to do....Please Uninstall ComboFix: (if you used it)Press the Windows logo key + R to bring up the "run box"Copy and paste next command in the field:ComboFix /uninstallMake sure there's a space between Combofix and /Then hit enter.This will uninstall Combofix, delete its related folders and files, hide file extensions, hide the system/hidden files and clears System Restore cache and create new Restore point(If that doesn't work.....you can simply rename ComboFix.exe to Uninstall.exe and double click it to complete the uninstall)---------------------------------Please download OTL from one of the links below: (you may already have OTL on the system)http://oldtimer.geekstogo.com/OTL.exehttp://oldtimer.geekstogo.com/OTL.comhttp://www.itxassoci...T-Tools/OTL.exeSave it to your desktop.Run OTL and hit the CleanUp button. (This will cleanup the tools and logs used including itself)Any other programs or logs you can manually delete.IE: RogueKiller.exe, RKreport.txt, RK_Quarantine folder, C:\FRST, etc....-------------------------------Any questions...please post back.If you think I've helped you, please leave a comment > click on my avatar picture > click Profile Feed.Take a look at My Preventive Maintenance to avoid being infected again.Good Luck and Thanks for using the forum, MrC Link to post Share on other sites More sharing options...
Maurice Naggar Posted August 29, 2012 ID:591203 Share Posted August 29, 2012 Glad we could help. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread. Thanks! Link to post Share on other sites More sharing options...
Recommended Posts