
Badly infected laptop, prevents any AV installation please help



Hello,

First off, I'd like to thank you for your help and time in helping me resolve this situation. My situation is as follows:

I'm attempting to fix my sister's old laptop because she needs it for school. Unfortunately, I don't think I've succeeded even after running my trusty Malwarebytes once to clean up all infections. So far here are the symptoms I've seen:

(1) I cannot install any anti-virus program. I made the mistake of deleting her old Microsoft Security Essentials because I was going to replace it with Avast, but I found out the hard way that whatever is in the laptop is preventing me from installing any anti-virus program. I downloaded and attempted to install Avast but I keep getting an error message; the same thing happened when I tried updating her old MSE program prior to uninstalling it. I've only been able to install Malwarebytes through a disk.

(2) Every time at start-up I get a notification that Windows cannot check for updates.

So far, I have not attempted to update any programs even though they are sorely out of date. I figured it was better to clean the laptop first before installing anything new.

Here is the latest Malwarebytes log:

Malwarebytes Anti-Malware (Trial) 1.65.0.1400

www.malwarebytes.org

Database version: v2012.10.07.04

Windows Vista x86 NTFS

Internet Explorer 7.0.6000.16757

Admin :: JANE-LAPTOP [administrator]

Protection: Enabled

10/7/2012 9:35:05 PM

mbam-log-2012-10-07 (21-35-05).txt

Scan type: Full scan (C:\|D:\|E:\|)

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 343752

Time elapsed: 3 hour(s), 27 minute(s), 23 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 5

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Cralozi (IPH.Trojan.Hiloti.7B) -> Data: rundll32.exe "C:\Windows\system32\config\systemprofile\AppData\Local\ukijafecuficawa.dll",Startup -> Quarantined and deleted successfully.

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|{ED92A7AA-385B-5FC7-7A1F-CDDB4B5387AB} (Trojan.Agent) -> Data: C:\Users\Admin\AppData\Roaming\Ipxumo\pieli.exe -> Quarantined and deleted successfully.

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Windows Media Player ACM (Trojan.Agent) -> Data: C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows Media\12.0\wmpacm.exe -> Quarantined and deleted successfully.

HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|SQYJBiKnjSxs (Trojan.Agent) -> Data: C:\ProgramData\SQYJBiKnjSxs.exe -> Quarantined and deleted successfully.

HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Qnuva (Trojan.Hiloti) -> Data: rundll32.exe "C:\Windows\system32\config\systemprofile\AppData\Local\elevcecl.dll",Startup -> Quarantined and deleted successfully.

Registry Data Items Detected: 1

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System|DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.

Folders Detected: 1

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Recovery (Trojan.FakeAV) -> Quarantined and deleted successfully.

Files Detected: 26

C:\Windows\Temp\totm\setup.exe (Adware.Agent) -> Quarantined and deleted successfully.

C:\Windows\Temp\uoxp\setup.exe (Adware.Agent) -> Quarantined and deleted successfully.

C:\Windows\Temp\xfuv\setup.exe (Adware.Agent) -> Quarantined and deleted successfully.

C:\Windows\Temp\egocarh.exe (Adware.BHO) -> Quarantined and deleted successfully.

C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RQ62PMQR\zzjwaaosf[1].htm (Adware.BHO) -> Quarantined and deleted successfully.

C:\Temp\ee896009-2241-4d1a-94b7-8f476921cf1c\setup_onCP32fsp2.exe (Adware.BHO) -> Quarantined and deleted successfully.

C:\Windows\System32\config\systemprofile\AppData\Local\ukijafecuficawa.dll (IPH.Trojan.Hiloti.7B) -> Quarantined and deleted successfully.

C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows Media\12.0\locale.cls (Trojan.Agent) -> Quarantined and deleted successfully.

C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I1AVTAFW\fcppqhklp[1].htm (Trojan.Agent) -> Quarantined and deleted successfully.

C:\Windows\Temp\ibbd\setup.exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows Media\12.0\wmpacm.exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\Users\Admin\AppData\Roaming\Ipxumo\pieli.exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\ProgramData\SQYJBiKnjSxs.exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\Users\Jane\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ykhyxo.exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\Windows\Temp\hipq\setup.exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I1AVTAFW\jjnaeeiz[1].htm (Trojan.Agent) -> Quarantined and deleted successfully.

C:\Temp\ee896009-2241-4d1a-94b7-8f476921cf1c\OfferApp-2538.exe (Trojan.Dropper) -> Quarantined and deleted successfully.

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Recovery\Windows Recovery.lnk (Trojan.FakeAV) -> Quarantined and deleted successfully.

C:\Windows\System32\config\systemprofile\Desktop\Windows Recovery.lnk (Trojan.FakeAV) -> Quarantined and deleted successfully.

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Recovery\Uninstall Windows Recovery.lnk (Trojan.FakeAV) -> Quarantined and deleted successfully.

C:\Users\Jane\Desktop\Windows Recovery.lnk (Trojan.FakeAV) -> Quarantined and deleted successfully.

C:\ProgramData\28630816.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EGXVGXYG\tgtkk[1].htm (Trojan.FakeMS) -> Quarantined and deleted successfully.

C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I1AVTAFW\pptgxlb[1].htm (Trojan.Hiloti) -> Quarantined and deleted successfully.

C:\Windows\Temp\goenlnjp.exe (Trojan.Hiloti) -> Quarantined and deleted successfully.

C:\Windows\System32\config\systemprofile\AppData\Local\elevcecl.dll (Trojan.Hiloti) -> Quarantined and deleted successfully.

(end)

(2) DDS log:

.

DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 7.0.6000.16757 BrowserJavaVersion: 1.6.0_23

Run by Admin at 2:24:08 on 2012-10-08

Microsoft® Windows Vista™ Home Basic 6.0.6000.0.1252.1.1033.18.1526.720 [GMT -4:00]

.

.

============== Running Processes ===============

.

C:\Windows\system32\wininit.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\svchost.exe -k rpcss

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\SLsvc.exe

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\System32\spoolsv.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Program Files\SUPERAntiSpyware\SASCORE.EXE

C:\Windows\system32\agrsmsvc.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLServer.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

c:\PROGRA~1\mcafee\SITEAD~1\mcsacore.exe

C:\Acer\Mobility Center\MobilityService.exe

C:\Windows\system32\rundll32.exe

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted

C:\Windows\system32\svchost.exe -k imgsvc

C:\Program Files\Viewpoint\Common\ViewpointService.exe

C:\Windows\System32\svchost.exe -k WerSvcGroup

C:\Windows\system32\SearchIndexer.exe

C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Windows\RtHDVCpl.exe

C:\Windows\System32\igfxtray.exe

C:\Windows\System32\hkcmd.exe

C:\Windows\System32\igfxpers.exe

C:\Program Files\Acer\Acer Arcade\PCMService.exe

C:\Program Files\Launch Manager\QtZgAcer.EXE

C:\Windows\WindowsMobile\wmdSync.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Windows Sidebar\sidebar.exe

C:\Program Files\Logitech\Logitech Vid\Vid.exe

C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE

C:\Windows\system32\taskeng.exe

C:\Windows\system32\svchost.exe -k WindowsMobile

C:\Users\Admin\AppData\Local\Temp\RtkBtMnt.exe

C:\Windows\system32\igfxsrvc.exe

C:\Windows\system32\igfxext.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Windows\system32\taskeng.exe

C:\Windows\system32\wuauclt.exe

C:\Program Files\Common Files\Java\Java Update\jucheck.exe

C:\Windows\System32\svchost.exe -k secsvcs

c:\program files\windows defender\MpCmdRun.exe

C:\Windows\system32\vssvc.exe

C:\Windows\System32\svchost.exe -k swprv

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe

C:\Windows\system32\wbem\wmiprvse.exe

.

============== Pseudo HJT Report ===============

.

mStart Page = hxxp://en.us.acer.yahoo.com

mDefault_Page_URL = hxxp://en.us.acer.yahoo.com

uInternet Settings,ProxyOverride = <local>;*.local

uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll

mWinlogon: Userinit=userinit.exe,

BHO: {02478D38-C3F9-4EFB-9B51-7695ECA05670} - No File

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: {83A2F9B1-01A2-4AA5-87D1-45B6B8505E96} - No File

BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: Yontoo Layers: {fd72061e-9fde-484d-a58a-0bab4151cad8} - c:\program files\drop down deals\YontooIEClient.dll

TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll

uRun: [sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun

uRun: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter

uRun: [updateMgr] c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe AcRdB7_0_0

uRun: [msnmsgr] "c:\program files\msn messenger\msnmsgr.exe" /background

uRun: [Logitech Vid] "c:\program files\logitech\logitech vid\vid.exe" -bootmode

uRun: [sUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe

uRun: [Acer Tour Reminder]

mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide

mRun: [synTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe

mRun: [RtHDVCpl] RtHDVCpl.exe

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [Persistence] c:\windows\system32\igfxpers.exe

mRun: [PCMService] "c:\program files\acer\acer arcade\PCMService.exe"

mRun: [LManager] c:\progra~1\launch~1\QtZgAcer.EXE

mRun: [Acer Tour]

mRun: [Acer Product Registration] "c:\program files\acer registration\ACE1.exe" /startup

mRun: [Acer Tour Reminder] c:\acer\acertour\Reminder.exe

mRun: [eRecoveryService]

mRun: [Windows Mobile-based device management] %windir%\WindowsMobile\wmdSync.exe

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 10.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\empowe~1.lnk - c:\acer\empowering technology\eAPLauncher.exe

StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\2.0.181\SSScheduler.exe

StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\totalm~1.lnk - c:\program files\arcsoft\totalmedia backup & record\uBBMonitor.exe

dPolicies-system: DisableTaskMgr = 1 (0x1)

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab

DPF: {CAFEEFAC-0015-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_12-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab

TCP: DhcpNameServer = 192.168.2.1 75.75.76.76 75.75.75.75

TCP: Interfaces\{F8D06BCE-A473-47F9-BD24-483AE3E9FEE7} : DhcpNameServer = 192.168.2.1 75.75.76.76 75.75.75.75

Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll

Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll

Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL

Notify: igfxcui - igfxdev.dll

SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\users\admin\appdata\roaming\mozilla\firefox\profiles\nz1gm4bb.default\

FF - prefs.js: browser.startup.homepage - hxxp://msn.com/

FF - prefs.js: network.proxy.type - 4

FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll

FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\microsoft silverlight\3.0.40818.0\npctrlui.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll

FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll

.

---- FIREFOX POLICIES ----

FF - user.js: network.cookie.cookieBehavior - 0

FF - user.js: privacy.clearOnShutdown.cookies - false

FF - user.js: security.warn_viewing_mixed - false

FF - user.js: security.warn_viewing_mixed.show_once - false

FF - user.js: security.warn_submit_insecure - false

FF - user.js: security.warn_submit_insecure.show_once - false

.

============= SERVICES / DRIVERS ===============

.

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2010-2-17 12880]

R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67664]

R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCORE.EXE [2010-6-29 116608]

R2 MBAMScheduler;MBAMScheduler;c:\program files\malwarebytes' anti-malware\mbamscheduler.exe [2012-10-7 399432]

R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2012-10-7 676936]

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\progra~1\mcafee\sitead~1\mcsacore.exe [2012-10-7 95232]

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-5-22 24652]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-10-7 22856]

S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\mcafee security scan\2.0.181\McCHSvc.exe [2010-1-15 227232]

.

=============== Created Last 30 ================

.

2012-10-08 06:17:13 -------- d-----w- c:\programdata\AVAST Software

2012-10-08 06:17:13 -------- d-----w- c:\program files\AVAST Software

2012-10-08 01:32:46 -------- d-----w- c:\users\admin\appdata\roaming\Malwarebytes

2012-10-08 01:32:34 -------- d-----w- c:\programdata\Malwarebytes

2012-10-08 01:32:33 22856 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-10-08 01:32:33 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

.

==================== Find3M ====================

.

2012-10-08 05:37:01 735142 ----a-w- c:\windows\system32\PerfStringBackup.TMP

.

=================== ROOTKIT ====================

.

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net

Windows 6.0.6000 Disk: ST980811AS rev.3.ALD -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-0

.

device: opened successfully

user: MBR read successfully

.

Disk trace:

called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll >>UNKNOWN [0x85061555]<<

_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x850677b0]; MOV EAX, [0x8506782c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }

1 ntkrnlpa!IofCallDriver[0x81C27F37] -> \Device\Harddisk0\DR0[0x84486978]

3 nt[0x81CB07E2] -> ntkrnlpa!IofCallDriver[0x81C27F37] -> [0x83AC6858]

5 acpi[0x8066932A] -> ntkrnlpa!IofCallDriver[0x81C27F37] -> [0x83AD0BB0]

\Driver\atapi[0x84ED76B0] -> IRP_MJ_CREATE -> 0x85061555

kernel: MBR read successfully

_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; PUSHA ; MOV CX, 0x132; MOV BP, 0x62a; ROR BYTE [bP+0x0], CL; INC BP; }

detected disk devices:

\Device\Ide\IdeDeviceP0T0L0-0 -> \??\IDE#DiskST980811AS______________________________3.ALD___#5&6e9d76b&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

detected hooks:

user != kernel MBR !!!

sectors 156301486 (+255): user != kernel

Warning: possible TDL4 rootkit infection !

TDL4 rootkit infection detected ! Use: "mbr.exe -f" to fix.

.

============= FINISH: 2:25:04.32 ===============

** I tried attaching the "Attach log" but I couldn't figure out how to compress the file. I right-clicked and clicked on "send to", but all that came up was send to E-drive instead of compressed folder.
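As an added example (not code from this thread or from Malwarebytes), a small Python triage parser for the MBAM 1.x log format posted above: it checks that each "Detected: N" header matches the items listed under it, pulls out the Run-key autostart entries, flags the ones that launch from profile, ProgramData or Temp paths (a heuristic of my own, not an MBAM rule), and lists policies MBAM had to repair such as DisableTaskMgr. All function names are mine, and SAMPLE_LOG is a constructed excerpt in the same format.

```python
"""Triage helper for Malwarebytes Anti-Malware 1.x scan logs (added example)."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# "<Section> Detected: N" headers that open each block of the log.
SECTION_RE = re.compile(r"^(?P<name>[A-Za-z ]+?) Detected: (?P<count>\d+)$")
# Registry keys whose values launch programs at logon.
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?$", re.IGNORECASE)
# Locations that legitimate autostart entries rarely point into (own heuristic).
SUSPICIOUS_PATH_RE = re.compile(
    r"systemprofile\\AppData|\\ProgramData\\|\\Users\\[^\\]+\\AppData|\\Temp\\",
    re.IGNORECASE,
)

@dataclass
class Detection:
    section: str           # e.g. "Registry Values", "Files"
    target: str            # "key|value" for registry items, else a filesystem path
    threat: str            # MBAM detection name, e.g. "Trojan.Hiloti"
    detail: Optional[str]  # "Data: ..." or "Bad: (1) Good: (0)" when present
    action: str            # what MBAM did with the item

def parse_detection(section: str, line: str) -> Detection:
    """Split 'target (threat) [-> detail] -> action.' into its fields."""
    parts = line.rstrip(".").split(" -> ")
    target, threat = parts[0].rsplit(" (", 1)
    detail = " -> ".join(parts[1:-1]) or None
    return Detection(section, target, threat.rstrip(")"), detail, parts[-1])

def parse_mbam_log(text: str):
    """Return (detections, header_counts) for the body of an MBAM 1.x log."""
    detections, header_counts, section = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "(end)":
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("name")
            header_counts[section] = int(m.group("count"))
        elif section and not line.startswith("("):  # skips "(No malicious items detected)"
            detections.append(parse_detection(section, line))
    return detections, header_counts

def count_mismatches(detections, header_counts):
    """Sections whose 'Detected: N' header disagrees with the items listed below it
    (a truncated or hand-edited paste is the usual cause, so ask for the full log)."""
    seen = Counter(d.section for d in detections)
    return {s: (n, seen[s]) for s, n in header_counts.items() if seen[s] != n}

def persistence_entries(detections):
    """Run-key values with the command they launched and two triage flags."""
    out = []
    for d in detections:
        if d.section != "Registry Values" or "|" not in d.target:
            continue
        key, value_name = d.target.split("|", 1)
        if not RUN_KEY_RE.search(key):
            continue
        command = d.detail[len("Data: "):] if d.detail and d.detail.startswith("Data: ") else ""
        out.append({
            "hive": key.split("\\", 1)[0],
            "value": value_name,
            "command": command,
            "threat": d.threat,
            "suspicious_location": bool(SUSPICIOUS_PATH_RE.search(command)),
            "rundll32_loader": command.lower().startswith("rundll32.exe"),
        })
    return out

def policy_tampering(detections):
    """Names of system policies MBAM had to repair, e.g. DisableTaskMgr."""
    return [d.target.split("|")[-1] for d in detections
            if d.section == "Registry Data Items" and "\\Policies\\" in d.target]

# Constructed excerpt in the format of the log above; the Files header is
# deliberately one higher than the items listed to exercise count_mismatches().
SAMPLE_LOG = r"""Malwarebytes Anti-Malware (Trial) 1.65.0.1400
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 3
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Cralozi (IPH.Trojan.Hiloti.7B) -> Data: rundll32.exe "C:\Windows\system32\config\systemprofile\AppData\Local\ukijafecuficawa.dll",Startup -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|{ED92A7AA-385B-5FC7-7A1F-CDDB4B5387AB} (Trojan.Agent) -> Data: C:\Users\Admin\AppData\Roaming\Ipxumo\pieli.exe -> Quarantined and deleted successfully.
HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|SQYJBiKnjSxs (Trojan.Agent) -> Data: C:\ProgramData\SQYJBiKnjSxs.exe -> Quarantined and deleted successfully.
Registry Data Items Detected: 1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System|DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
Files Detected: 2
C:\Windows\Temp\totm\setup.exe (Adware.Agent) -> Quarantined and deleted successfully.
(end)
"""

if __name__ == "__main__":
    dets, counts = parse_mbam_log(SAMPLE_LOG)
    print("header mismatches:", count_mismatches(dets, counts))
    print("autostart entries:", persistence_entries(dets))
    print("policies repaired:", policy_tampering(dets))
```

To run it on a real report, read the saved mbam-log-*.txt file and pass its contents to parse_mbam_log instead of SAMPLE_LOG.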


Hello virusesmustdie! My name is Maniac and I will be glad to help you solve your malware problem.

Please note:

  • If you are a paying customer, you have the privilege to contact the help desk at Consumer Support. If you choose this option to get help, please let me know.
  • I recommend you to keep the instructions I will be giving you so that they are available to you at any time. You can save them in a text file or print them.
  • Make sure you read all of the instructions and fixes thoroughly before continuing with them.
  • Follow my instructions strictly and don’t hesitate to stop and ask me if you have any questions.
  • Post your log files, don't attach them. Every log file should be copy/pasted in your next reply.

BACKDOOR WARNING

One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advise you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

Help: I Got Hacked. Now What Do I Do?

Help: I Got Hacked. Now What Do I Do? Part II

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.

Please post the content of Attach.txt in your next reply here.


Hello Maniac,

Thank you for your help! I feared that it was in fact a backdoor virus due to the volume of viruses and its malicious nature. Yes, I would like us to please fix the computer so that way my sister can at least retrieve documents from the comp. I just have two questions:

(1) After we clean the comp, would it be safe to transfer pictures/documents from this computer to another comp? Or would I risk transferring the virus over to the newer comp?

(2) Is it safe to connect this computer to our home internet, or am I risking spreading the virus to other computers via the router?

Thanks!

Here is the Attach.txt: :D

.

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

.

DDS (Ver_2011-08-26.01)

.

Microsoft® Windows Vista™ Home Basic

Boot Device: \Device\HarddiskVolume2

Install Date: 5/23/2007 8:37:37 AM

System Uptime: 10/8/2012 1:30:23 AM (1 hours ago)

.

Motherboard: Acer, Inc. | | Prespa1

Processor: Intel® Celeron® M CPU 440 @ 1.86GHz | U2E1 | 1866/133mhz

.

==== Disk Partitions =========================

.

C: is FIXED (NTFS) - 34 GiB total, 0.405 GiB free.

D: is FIXED (NTFS) - 33 GiB total, 0.595 GiB free.

E: is CDROM (UDF)

.

==== Disabled Device Manager Items =============

.

Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}

Description: Microsoft ISATAP Adapter

Device ID: ROOT\*ISATAP\0001

Manufacturer: Microsoft

Name: Microsoft ISATAP Adapter #2

PNP Device ID: ROOT\*ISATAP\0001

Service: tunnel

.

==== System Restore Points ===================

.

No restore point in system.

.

==== Installed Programs ======================

.

Acer Arcade

Acer Assist

Acer Empowering Technology

Acer GridVista

Acer Mobility Center Plug-In

Acer Registration

Acer ScreenSaver

Acer Tour

Adobe AIR

Adobe Flash Player 10 Plugin

Adobe Flash Player ActiveX

Adobe Reader X (10.0.1)

Adobe Shockwave Player 11

Agere Systems HDA Modem

Apple Application Support

Apple Mobile Device Support

Apple Software Update

ArcSoft TotalMedia Backup & Record

AutoUpdate

Bonjour

DivX Codec

DivX Content Uploader

DivX Converter

DivX Player

DivX Web Player

Intel® Graphics Media Accelerator Driver

iTunes

J2SE Runtime Environment 5.0 Update 12

Java Auto Updater

Java 6 Update 23

Launch Manager

LightScribe 1.4.136.1

LimeWire 5.5.16

Logitech Vid

Logitech Webcam Software

Logitech Webcam Software Driver Package

Malwarebytes Anti-Malware version 1.65.0.1400

McAfee Security Scan Plus

McAfee SiteAdvisor

Microsoft Silverlight

Microsoft Visual C++ 2005 Redistributable

Mozilla Firefox 4.0 (x86 en-US)

MSXML 4.0 SP2 (KB936181)

MSXML 4.0 SP2 (KB941833)

MSXML 4.0 SP2 (KB954430)

NTI Backup NOW! 4.7

NTI CD & DVD-Maker

NVIDIA Drivers

QuickTime

Realtek High Definition Audio Driver

SUPERAntiSpyware

Synaptics Pointing Device Driver

Texas Instruments PCIxx21/x515/xx12 drivers.

TIPCI

Viewpoint Media Player

.

==== Event Viewer Messages From Past Week ========

.

10/8/2012 1:30:49 AM, Error: EventLog [6008] - The previous system shutdown at 1:28:58 AM on 10/8/2012 was unexpected.

10/7/2012 9:42:29 PM, Error: Microsoft Antimalware [1014] -

10/7/2012 9:38:00 PM, Error: Service Control Manager [7000] - The Parallel port driver service failed to start due to the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.

10/7/2012 9:27:23 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service McAfee SiteAdvisor Service with arguments "" in order to run the server: {5A90F5EE-16B8-4C2A-81B3-FD5329BA477C}

10/7/2012 9:26:59 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: MpFilter SASDIFSV SASKUTIL spldr Wanarpv6

10/7/2012 9:26:39 PM, Error: Microsoft-Windows-Dhcp-Client [1002] - The IP address lease 192.168.2.12 for the Network Card with network address 00197E6A6F0A has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).

10/7/2012 9:18:39 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD DfsC MpFilter NetBIOS netbt nsiproxy PSched RasAcd rdbss SASDIFSV SASKUTIL Smb spldr Tcpip tdx Wanarpv6

10/7/2012 9:18:39 PM, Error: Service Control Manager [7001] - The Workstation service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.

10/7/2012 9:18:39 PM, Error: Service Control Manager [7001] - The WebDav Client Redirector Driver service depends on the Redirected Buffering Sub Sysytem service which failed to start because of the following error: A device attached to the system is not functioning.

10/7/2012 9:18:39 PM, Error: Service Control Manager [7001] - The WebClient service depends on the WebDav Client Redirector Driver service which failed to start because of the following error: The dependency service or group failed to start.

10/7/2012 9:18:39 PM, Error: Service Control Manager [7001] - The TCP/IP Registry Compatibility service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.

10/7/2012 9:18:39 PM, Error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the Ancilliary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.

10/7/2012 9:18:39 PM, Error: Service Control Manager [7001] - The SMB MiniRedirector Wrapper and Engine service depends on the Redirected Buffering Sub Sysytem service which failed to start because of the following error: A device attached to the system is not functioning.

10/7/2012 9:18:39 PM, Error: Service Control Manager [7001] - The SMB 2.0 MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.

10/7/2012 9:18:39 PM, Error: Service Control Manager [7001] - The SMB 1.x MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.

10/7/2012 9:18:39 PM, Error: Service Control Manager [7001] - The Network Store Interface Service service depends on the NSI proxy service service which failed to start because of the following error: A device attached to the system is not functioning.

10/7/2012 9:18:39 PM, Error: Service Control Manager [7001] - The Network Location Awareness service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.

10/7/2012 9:18:39 PM, Error: Service Control Manager [7001] - The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error: The dependency service or group failed to start.

10/7/2012 9:18:39 PM, Error: Service Control Manager [7001] - The IP Helper service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.

10/7/2012 9:18:39 PM, Error: Service Control Manager [7001] - The DNS Client service depends on the NetIO Legacy TDI Support Driver service which failed to start because of the following error: A device attached to the system is not functioning.

10/7/2012 9:18:39 PM, Error: Service Control Manager [7001] - The DHCP Client service depends on the Ancilliary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.

10/7/2012 9:18:39 PM, Error: Service Control Manager [7001] - The Computer Browser service depends on the Server service which failed to start because of the following error: The dependency service or group failed to start.

10/7/2012 9:18:39 PM, Error: Service Control Manager [7001] - The Bonjour Service service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.

10/7/2012 9:18:39 PM, Error: Service Control Manager [7001] - The Apple Mobile Device service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.

10/7/2012 9:18:24 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}

10/7/2012 9:18:24 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}

10/7/2012 9:17:50 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netprofm with arguments "" in order to run the server: {A47979D2-C419-11D9-A5B4-001185AD2B89}

10/7/2012 9:17:50 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netman with arguments "" in order to run the server: {BA126AD1-2166-11D1-B1D0-00805FC1270E}

10/7/2012 9:17:48 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

10/7/2012 9:17:38 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}

.

==== End Of File ===========================


(1) After we clean the comp, would it be safe to transfer pictures/documents from this computer to another comp? Or would I risk transferring the virus over to the newer comp?

It is safe for text files and pictures.

(2) Is it safe to connect this computer to our home internet, or am I risking spreading the virus to other computers via the router?

Everything would be fine if you do not share files via your home network.

Step 1

Please uninstall the following programs:

LimeWire 5.5.16

Viewpoint Media Player

Step 2

Please download the latest version of TDSSKiller from here and save it to your Desktop.

  • Double-click on TDSSKiller.exe to run the application, then click on Change parameters.
  • Put a checkmark beside loaded modules.
  • A reboot will be needed to apply the changes. Do it.
  • TDSSKiller will launch automatically after the reboot. Also your computer may seem very slow and unusable. This is normal. Give it enough time to load your background programs.
  • Then click on Change parameters in TDSSKiller.
  • Check all boxes then click OK.
    2012081517h0349.png
  • Click the Start Scan button.
    19695967.jpg
  • The scan should take no longer than 2 minutes.
  • If a suspicious object is detected, the default action will be Skip, click on Continue.
    67776163.jpg
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
    Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
    62117367.jpg
    Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.
  • A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Step 3

  • Launch Malwarebytes' Anti-Malware
  • Go to Update tab and select Check for Updates. If an update is found, it will download and install the latest version.
  • Go to Scanner tab and select Perform Quick Scan, then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.

In your next reply, post the following log files:

  • TDSSKiller log
  • Malwarebytes' Anti-Malware log
  • a new fresh DDS log


Hello Maniac,

Thanks again for your help, it looks like it found and removed a rootkit but unfortunately, I still see some symptoms:

(1) Still can't update via Windows Update and I don't think it's going to let me install an AV program.

(2) For some reason my trial for Malwarebytes Pro Protection ended abruptly short of the 13 day trial.

Here's the logs you've asked for: :)

(1) TDSS Log

*** Attached Below (said it was too long to post) ***

(2) Malwarebytes Log

Malwarebytes Anti-Malware 1.65.0.1400

www.malwarebytes.org

Database version: v2012.10.11.03

Windows Vista x86 NTFS

Internet Explorer 7.0.6000.16757

Admin :: JANE-LAPTOP [administrator]

Protection: Enabled

10/10/2012 9:38:40 PM

mbam-log-2012-10-10 (21-38-40).txt

Scan type: Full scan (C:\|D:\|E:\|)

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P

Scan options disabled:

Objects scanned: 359906

Time elapsed: 43 minute(s), 41 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 3

C:\TDSSKiller_Quarantine\10.10.2012_21.23.05\mbr0000\tdlfs0000\tsk0007.dta (Rootkit.Agent) -> Quarantined and deleted successfully.

C:\TDSSKiller_Quarantine\10.10.2012_21.23.05\mbr0000\tdlfs0000\tsk0008.dta (Rootkit.TDSS) -> Quarantined and deleted successfully.

C:\TDSSKiller_Quarantine\10.10.2012_21.23.05\mbr0000\tdlfs0000\tsk0012.dta (Malware.Gen) -> Quarantined and deleted successfully.

(end)

(3) DDS Log #2

.

DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 7.0.6000.16757 BrowserJavaVersion: 1.6.0_23

Run by Admin at 22:31:07 on 2012-10-10

Microsoft® Windows Vista™ Home Basic 6.0.6000.0.1252.1.1033.18.1526.745 [GMT -4:00]

.

.

============== Running Processes ===============

.

C:\Windows\system32\wininit.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\svchost.exe -k rpcss

C:\Windows\System32\svchost.exe -k secsvcs

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\SLsvc.exe

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\System32\spoolsv.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Program Files\SUPERAntiSpyware\SASCORE.EXE

C:\Windows\system32\agrsmsvc.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLServer.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

c:\PROGRA~1\mcafee\SITEAD~1\mcsacore.exe

C:\Acer\Mobility Center\MobilityService.exe

C:\Windows\system32\rundll32.exe

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted

C:\Windows\system32\svchost.exe -k imgsvc

C:\Windows\System32\svchost.exe -k WerSvcGroup

C:\Windows\system32\SearchIndexer.exe

C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\taskeng.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Windows\system32\taskeng.exe

C:\Program Files\Windows Defender\MSASCui.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Windows\RtHDVCpl.exe

C:\Windows\System32\igfxtray.exe

C:\Windows\System32\hkcmd.exe

C:\Windows\System32\igfxpers.exe

C:\Program Files\Acer\Acer Arcade\PCMService.exe

C:\Program Files\Launch Manager\QtZgAcer.EXE

C:\Windows\WindowsMobile\wmdSync.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Users\Admin\AppData\Local\Temp\RtkBtMnt.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Windows Sidebar\sidebar.exe

C:\Windows\system32\svchost.exe -k WindowsMobile

C:\Windows\System32\mobsync.exe

C:\Program Files\Logitech\Logitech Vid\Vid.exe

C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE

C:\Windows\system32\igfxext.exe

C:\Windows\system32\igfxsrvc.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Windows\system32\wuauclt.exe

\\?\C:\Windows\system32\wbem\WMIADAP.EXE

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe

.

============== Pseudo HJT Report ===============

.

mStart Page = hxxp://en.us.acer.yahoo.com

mDefault_Page_URL = hxxp://en.us.acer.yahoo.com

uInternet Settings,ProxyOverride = <local>;*.local

uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll

mWinlogon: Userinit=userinit.exe,

BHO: {02478D38-C3F9-4EFB-9B51-7695ECA05670} - No File

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: {83A2F9B1-01A2-4AA5-87D1-45B6B8505E96} - No File

BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll

BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: Yontoo Layers: {fd72061e-9fde-484d-a58a-0bab4151cad8} - c:\program files\drop down deals\YontooIEClient.dll

TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll

uRun: [sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun

uRun: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter

uRun: [updateMgr] c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe AcRdB7_0_0

uRun: [msnmsgr] "c:\program files\msn messenger\msnmsgr.exe" /background

uRun: [Logitech Vid] "c:\program files\logitech\logitech vid\vid.exe" -bootmode

uRun: [sUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe

uRun: [Acer Tour Reminder]

mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide

mRun: [synTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe

mRun: [RtHDVCpl] RtHDVCpl.exe

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [Persistence] c:\windows\system32\igfxpers.exe

mRun: [PCMService] "c:\program files\acer\acer arcade\PCMService.exe"

mRun: [LManager] c:\progra~1\launch~1\QtZgAcer.EXE

mRun: [Acer Tour]

mRun: [Acer Product Registration] "c:\program files\acer registration\ACE1.exe" /startup

mRun: [Acer Tour Reminder] c:\acer\acertour\Reminder.exe

mRun: [eRecoveryService]

mRun: [Windows Mobile-based device management] %windir%\WindowsMobile\wmdSync.exe

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 10.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\empowe~1.lnk - c:\acer\empowering technology\eAPLauncher.exe

StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\2.0.181\SSScheduler.exe

StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\totalm~1.lnk - c:\program files\arcsoft\totalmedia backup & record\uBBMonitor.exe

dPolicies-system: DisableTaskMgr = 1 (0x1)

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab

DPF: {CAFEEFAC-0015-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_12-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab

TCP: DhcpNameServer = 192.168.253.14

TCP: Interfaces\{F8D06BCE-A473-47F9-BD24-483AE3E9FEE7} : DhcpNameServer = 192.168.253.14

Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll

Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll

Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL

Notify: igfxcui - igfxdev.dll

SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\users\admin\appdata\roaming\mozilla\firefox\profiles\nz1gm4bb.default\

FF - prefs.js: browser.startup.homepage - hxxp://msn.com/

FF - prefs.js: network.proxy.type - 4

FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll

FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\microsoft silverlight\3.0.40818.0\npctrlui.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll

FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll

.

---- FIREFOX POLICIES ----

FF - user.js: network.cookie.cookieBehavior - 0

FF - user.js: privacy.clearOnShutdown.cookies - false

FF - user.js: security.warn_viewing_mixed - false

FF - user.js: security.warn_viewing_mixed.show_once - false

FF - user.js: security.warn_submit_insecure - false

FF - user.js: security.warn_submit_insecure.show_once - false

.

============= SERVICES / DRIVERS ===============

.

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2010-2-17 12880]

R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67664]

R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCORE.EXE [2010-6-29 116608]

R2 MBAMScheduler;MBAMScheduler;c:\program files\malwarebytes' anti-malware\mbamscheduler.exe [2012-10-7 399432]

R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2012-10-7 676936]

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\progra~1\mcafee\sitead~1\mcsacore.exe [2012-10-7 95232]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-10-7 22856]

S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\mcafee security scan\2.0.181\McCHSvc.exe [2010-1-15 227232]

.

=============== Created Last 30 ================

.

2012-10-11 01:30:43 -------- d-----w- C:\TDSSKiller_Quarantine

2012-10-08 06:17:13 -------- d-----w- c:\programdata\AVAST Software

2012-10-08 06:17:13 -------- d-----w- c:\program files\AVAST Software

2012-10-08 01:32:46 -------- d-----w- c:\users\admin\appdata\roaming\Malwarebytes

2012-10-08 01:32:34 -------- d-----w- c:\programdata\Malwarebytes

2012-10-08 01:32:33 22856 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-10-08 01:32:33 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

.

==================== Find3M ====================

.

2012-10-11 01:36:56 735142 ----a-w- c:\windows\system32\PerfStringBackup.TMP

.

============= FINISH: 22:32:01.06 ===============

TDSSKiller.2.8.10.0_10.10.2012_21.23.05_log.txt


We are not done yet. Please follow my instructions more carefully.

Step 1

Please re-run TDSSKiller and use Delete option for this entry:

21:30:47.0780 3764 \Device\Harddisk0\DR0 ( TDSS File System ) - skipped by user

21:30:47.0780 3764 \Device\Harddisk0\DR0 ( TDSS File System ) - User select action: Skip

Step 2

  • Launch Malwarebytes' Anti-Malware
  • Go to Update tab and select Check for Updates. If an update is found, it will download and install the latest version.
  • Go to Scanner tab and select Perform Quick Scan, then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.
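The two instructions above (the TDSSKiller run in the earlier post and the "skipped by user" entry the helper points at here) both come down to reading the posted logs for a few specific lines. As an added example that is not code from the thread or from TDSSKiller, DDS or Malwarebytes, the Python below triages constructed log lines in the same formats as the ones posted: the skipped TDSS file system on the boot disk, the DisableTaskMgr policy, the orphaned and Yontoo BHO entries, and the Firefox security warnings switched off in user.js.

```python
"""Offline triage of TDSSKiller / DDS log lines of the kind posted in this thread.

Added example: not code from the thread or from TDSSKiller, DDS or Malwarebytes.
The sample lines below are constructed from the formats shown in the posted logs.
"""
import re

# Constructed sample (not a real log): one TDSSKiller line pair for the skipped
# TDSS file system, plus DDS "Pseudo HJT Report" and FIREFOX POLICIES lines in
# the same shape as the ones the poster attached.
SAMPLE_LOG = """\
21:30:47.0780 3764 \\Device\\Harddisk0\\DR0 ( TDSS File System ) - skipped by user
21:30:47.0780 3764 \\Device\\Harddisk0\\DR0 ( TDSS File System ) - User select action: Skip
mWinlogon: Userinit=userinit.exe,
BHO: {02478D38-C3F9-4EFB-9B51-7695ECA05670} - No File
BHO: Yontoo Layers: {fd72061e-9fde-484d-a58a-0bab4151cad8} - c:\\program files\\drop down deals\\YontooIEClient.dll
dPolicies-system: DisableTaskMgr = 1 (0x1)
FF - prefs.js: network.proxy.type - 4
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_viewing_mixed - false
"""

# TDSSKiller labels the hidden TDL file system (the "tdlfs" seen in the MBAM
# quarantine paths) as "( TDSS File System )"; choosing Skip leaves it in place.
TDSS_SKIPPED = re.compile(r"\(\s*TDSS File System\s*\).*(skipped by user|User select action: Skip)")
BHO_NO_FILE = re.compile(r"^BHO: (\{[0-9A-Fa-f-]+\}) - No File$")
TASKMGR_POLICY = re.compile(r"^dPolicies-system: DisableTaskMgr = 1\b")
FF_WARN_OFF = re.compile(r"^FF - user\.js: (security\.warn_[a-z_.]+) - false$")
KNOWN_ADWARE = ("yontoo", "drop down deals")   # names seen in the MBAM log above


def triage(text):
    """Return a list of (severity, message) findings for the given log text."""
    findings = []
    tdss_reported = False   # the log repeats the skip on two lines; report it once
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if TDSS_SKIPPED.search(line):
            if not tdss_reported:
                findings.append(("high", "TDSS file system on the boot disk was skipped: "
                                         "rootkit still present, re-run TDSSKiller"))
                tdss_reported = True
        elif TASKMGR_POLICY.match(line):
            findings.append(("high", "Task Manager disabled by policy (DisableTaskMgr = 1)"))
        elif BHO_NO_FILE.match(line):
            clsid = BHO_NO_FILE.match(line).group(1)
            findings.append(("low", "orphaned BHO registration " + clsid + " (target DLL missing)"))
        elif line.startswith("BHO:") and any(k in line.lower() for k in KNOWN_ADWARE):
            findings.append(("medium", "adware BHO loaded into Internet Explorer: " + line[5:]))
        elif FF_WARN_OFF.match(line):
            pref = FF_WARN_OFF.match(line).group(1)
            findings.append(("medium", "Firefox security warning turned off in user.js: " + pref))
    return findings


def worst_severity(findings):
    """Highest severity present, so a caller can decide to stop and redo the rootkit scan."""
    order = {"low": 1, "medium": 2, "high": 3}
    return max((f[0] for f in findings), key=order.get, default="none")


if __name__ == "__main__":
    for severity, message in triage(SAMPLE_LOG):
        print(f"[{severity:6}] {message}")
```

Lines that look normal on Vista (the `Userinit=userinit.exe,` value, the proxy preference) produce no finding, so a clean log yields an empty list.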


Hello again,

Looks like we're almost there. Malwarebytes trial is now back on-line but unfortunately, I still can't update Windows or any AV programs/anti-malware programs besides Malwarebytes. Man, this infection is tough!

Here's the Mbam Log:

Malwarebytes Anti-Malware (Trial) 1.65.0.1400

www.malwarebytes.org

Database version: v2012.10.13.01

Windows Vista x86 NTFS

Internet Explorer 7.0.6000.16757

Admin :: JANE-LAPTOP [administrator]

Protection: Enabled

10/13/2012 12:50:07 AM

mbam-log-2012-10-13 (00-50-07).txt

Scan type: Full scan (C:\|D:\|E:\|)

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P

Scan options disabled:

Objects scanned: 343019

Time elapsed: 50 minute(s), 19 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 7

HKCR\CLSID\{10DE7085-6A1E-4D41-A7BF-9AF93E351401} (Adware.Yontoo) -> Quarantined and deleted successfully.

HKCR\Interface\{10DE7085-6A1E-4D41-A7BF-9AF93E351401} (Adware.Yontoo) -> Quarantined and deleted successfully.

HKCR\TypeLib\{D372567D-67C1-4B29-B3F0-159B52B3E967} (Adware.Yontoo) -> Quarantined and deleted successfully.

HKCR\CLSID\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8} (Adware.Yontoo) -> Quarantined and deleted successfully.

HKCR\YontooIEClient.Layers.1 (Adware.Yontoo) -> Quarantined and deleted successfully.

HKCR\YontooIEClient.Layers (Adware.Yontoo) -> Quarantined and deleted successfully.

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8} (Adware.Yontoo) -> Quarantined and deleted successfully.

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 4

C:\Program Files\Drop Down Deals\YontooIEClient.dll (Adware.Yontoo) -> Quarantined and deleted successfully.

C:\Program Files\Yontoo Layers Client\YontooIEClient.dll (Adware.Yontoo) -> Quarantined and deleted successfully.

C:\TDSSKiller_Quarantine\13.10.2012_00.41.47\tdlfs0000\tsk0007.dta (Rootkit.TDSS) -> Quarantined and deleted successfully.

C:\TDSSKiller_Quarantine\13.10.2012_00.41.47\tdlfs0000\tsk0010.dta (Malware.Gen) -> Quarantined and deleted successfully.

(end)


Yes, I know it is hard, but please focus. Repeat with Malwarebytes' Anti-Malware again:

  • Launch Malwarebytes' Anti-Malware
  • Go to Update tab and select Check for Updates. If an update is found, it will download and install the latest version.
  • Go to Scanner tab and select Perform Quick Scan, then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.


Hello,

Sorry for the late reply, been really busy lately. Here's the log you asked for:

p.s. I followed it step by step this time, hahaha. :P

Malwarebytes Anti-Malware (Trial) 1.65.1.1000

www.malwarebytes.org

Database version: v2012.10.17.13

Windows Vista x86 NTFS

Internet Explorer 7.0.6000.16757

Admin :: JANE-LAPTOP [administrator]

Protection: Enabled

10/17/2012 8:44:18 PM

mbam-log-2012-10-17 (20-44-18).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P

Scan options disabled:

Objects scanned: 232737

Time elapsed: 10 minute(s), 52 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

(end)


Note: Please do not run this tool without special supervision and instruction of someone authorized to do so. Otherwise, you could end up with serious problems. For more details, read this article: ComboFix usage, Questions, Help? - Look here

Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingc...to-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Please post the C:\ComboFix.txt in your next reply for further review.

Note: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.


Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
