
Virus removed, but still need help



Okay, per prior instructions, I'm posting this in here (I unknowingly posted it in the wrong section because I could not see a link to this one). The below is what I'd originally posted; as I specify there, the virus is gone but I still have some minor problems (and yes, the infection was the same exact one, which is why I followed the instructions I found in the thread I'd referenced originally). So, please let me know if you're going to need the OTL reports or not. Thanks in advance for your help.

+++++++++++++++++++++++

Hello! I'm going to reference this thread because it's practically already done everything for me:

http://forums.malwar...showtopic=83625

So, I'm virus-free now, thanks to your software, and can see my desktop icons BUT I still can't see many of the programs that were hidden. I have performed this additional step in my DOS window:

c:> attrib -h /s /d

which gets me a lot of "Not resetting [filename]" and "Access denied" lines, but I don't know whether or not that's normal.

My folder options are already set to view hidden files, including system ones.

What I can't see, for example, are some items under START>ACCESSORIES, like PAINT, CALCULATOR and shortcuts of those and other programs that I'd added to the top of my start menu and my desktop.

I have run OTL per Spy Sentinel's instructions in the above-referenced thread, but I assume that the section I need to paste when running the fix is different, since my computer is not the same; can you please tell me what the pasting section would be? I'll post the specs from running OTL as soon as it's done - thanks in advance!!!

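The attrib behaviour the post above runs into, explained here as an added note rather than as part of the original post: attrib -h without -s refuses to clear the Hidden bit on anything that also carries the System bit and prints "Not resetting system file" for each such item, and recursing from the root of C: also walks into protected system folders, which is where the "Access denied" lines come from. The script below was written for this page and is not a tool from the thread or from Malwarebytes. It does the narrower job: it limits itself to the Start Menu and Desktop folders, clears only the Hidden and System bits, skips desktop.ini (which legitimately carries both) and supports -WhatIf so the list can be reviewed before anything is changed. The folder paths are assumed defaults for a Vista profile; the equivalent cmd one-liner would be attrib -h -s /s /d run inside each of those folders rather than at the drive root.

```powershell
# Added example, not from the original thread.
# Finds Start Menu and Desktop items carrying the Hidden and/or System attribute
# (the combination a file-hiding infection typically sets) and clears only those
# two bits. Run from an elevated PowerShell so the all-users folders are writable.
function Restore-HiddenShortcuts {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Assumed default locations for a Vista/7 profile; pass your own with -Root.
        [string[]] $Root = @(
            "$env:APPDATA\Microsoft\Windows\Start Menu",
            "$env:ProgramData\Microsoft\Windows\Start Menu",
            "$env:USERPROFILE\Desktop",
            "$env:PUBLIC\Desktop"
        )
    )
    # Only Hidden and System are touched; ReadOnly, Archive and the rest are preserved.
    $mask  = [int]([System.IO.FileAttributes]::Hidden -bor [System.IO.FileAttributes]::System)
    $fixed = New-Object System.Collections.Generic.List[string]

    foreach ($r in $Root) {
        if (-not (Test-Path -LiteralPath $r)) { continue }
        # -Force is required: without it hidden and system items are not enumerated at all.
        Get-ChildItem -LiteralPath $r -Recurse -Force -ErrorAction SilentlyContinue |
            Where-Object {
                # desktop.ini is legitimately Hidden+System in these folders; leave it alone.
                $_.Name -ne 'desktop.ini' -and ((([int]$_.Attributes) -band $mask) -ne 0)
            } |
            ForEach-Object {
                # ShouldProcess honours -WhatIf / -Confirm, so a dry run lists without changing.
                if ($PSCmdlet.ShouldProcess($_.FullName, 'clear Hidden/System attributes')) {
                    $_.Attributes = [System.IO.FileAttributes](([int]$_.Attributes) -band (-bnot $mask))
                    $fixed.Add($_.FullName)
                }
            }
    }
    # Return the paths that were changed so the result can be reviewed or logged.
    $fixed
}

# Preview first (nothing is modified), then apply and keep a record:
#   Restore-HiddenShortcuts -WhatIf
#   Restore-HiddenShortcuts | Tee-Object -FilePath "$env:USERPROFILE\Desktop\unhidden.txt"
```

Items that still fail here with an access error are owned by another account or protected by an ACL the infection did not set; those are better handled one at a time than by a drive-wide attrib pass.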

Hello BlancheC! My name is Maniac and I will be glad to help you solve your malware problem.

Please note:

  • If you are a paying customer, you have the privilege to contact the help desk at Consumer Support. If you choose this option to get help, please let me know.
  • I recommend that you keep the instructions I will be giving you so that they are available to you at any time. You can save them in a text file or print them.
  • Make sure you read all of the instructions and fixes thoroughly before continuing with them.
  • Follow my instructions strictly and don’t hesitate to stop and ask me if you have any questions.
  • Post your log files, don't attach them. Every log file should be copy/pasted in your next reply.

Please follow the instructions here and post the log files in your next reply:

http://forums.malwarebytes.org/index.php?showtopic=9573


Thanks, Maniac... here is the pasted text:

+++++++++++++++++++++

DDS

+++++++++++++++++++++

DDS (Ver_2012-10-19.01) - NTFS_x86

Internet Explorer: 7.0.6001.18000 BrowserJavaVersion: 1.6.0_24

Run by PetiteMaman at 10:49:26 on 2012-11-03

Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2938.1542 [GMT -7:00]

.

SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

============== Running Processes ================

.

C:\Windows\system32\wininit.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\SLsvc.exe

C:\Windows\RtkAudioService.exe

C:\Windows\System32\spoolsv.exe

C:\Windows\system32\taskeng.exe

C:\Windows\system32\Dwm.exe

C:\Windows\system32\taskeng.exe

C:\Program Files\Sony\VAIO Care\VCsystray.exe

C:\Program Files\Sony\VAIO Update 4\VAIOUpdt.exe

C:\Program Files\Fitbit\fitbit.exe

c:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe

C:\Program Files\Sony\VAIO Care\collsvc.exe

C:\Program Files\ArcSoft\Magic-i Visual Effects 2\uCamMonitor.exe

C:\Program Files\Sony\VAIO Event Service\VESMgr.exe

C:\Program Files\Common Files\Sony Shared\VAIO Content Folder Watcher\VCFw.exe

C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe

C:\Windows\system32\SearchIndexer.exe

C:\Program Files\Sony\VAIO Care\listener.exe

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DRIVERS\xaudio.exe

C:\Windows\system32\WUDFHost.exe

C:\Program Files\Sony\VAIO Event Service\VESMgrSub.exe

C:\Windows\system32\DllHost.exe

C:\Windows\system32\igfxext.exe

C:\Windows\system32\igfxsrvc.exe

C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe

C:\Windows\System32\igfxpers.exe

C:\Program Files\Sony\ISB Utility\ISBMgr.exe

C:\Windows\System32\hkcmd.exe

C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\Sony\VAIO Wireless Wizard\AutoLaunchWLASU.exe

C:\Windows\system32\igfxsrvc.exe

C:\Program Files\Windows Sidebar\sidebar.exe

C:\Program Files\Fitbit\fitbit-tray.exe

C:\Program Files\Skype\Phone\Skype.exe

C:\Program Files\Brother\ControlCenter3\brccMCtl.exe

C:\Program Files\Brother\Brmfcmon\BrMfcmon.exe

C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe

C:\Program Files\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe

C:\Program Files\Sony\VAIO Power Management\SPMService.exe

C:\Program Files\Sony\VAIO Power Management\SPMgr.exe

C:\Program Files\Common Files\Java\Java Update\jucheck.exe

C:\Windows\system32\conime.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Mozilla Firefox\plugin-container.exe

C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_4_402_278.exe

C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_4_402_278.exe

C:\Windows\System32\mobsync.exe

C:\Users\PetiteMaman\AppData\Roaming\mjusbsp\magicJack.exe

C:\Windows\Explorer.EXE

C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe

C:\Windows\system32\SearchProtocolHost.exe

C:\Windows\system32\SearchFilterHost.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\svchost.exe -k rpcss

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted

C:\Windows\system32\svchost.exe -k imgsvc

C:\Windows\System32\svchost.exe -k WerSvcGroup

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://facebook.com/

uDefault_Page_URL = hxxp://www.google.com/ig/redirectdomain?brand=SNYR&bmod=SNYR

mStart Page = hxxp://www.google.com/ig/redirectdomain?brand=SNYR&bmod=SNYR

mDefault_Page_URL = hxxp://www.google.com/ig/redirectdomain?brand=SNYR&bmod=SNYR

uURLSearchHooks: {d4330680-c0ae-4226-8a21-0afe2fd1ac24} - <orphaned>

BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre6\bin\jp2ssv.dll

uRun: [cdloader] "c:\users\petitemaman\appdata\roaming\mjusbsp\cdloader2.exe" MAGICJACK

uRun: [sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun

uRun: [Fitbit Service Monitor] c:\program files\fitbit\fitbit-tray.exe

uRun: [skype] "c:\program files\skype\phone\Skype.exe" /minimized /regrun

mRun: [RtHDVCpl] RtHDVCpl.exe

mRun: [Persistence] c:\windows\system32\igfxpers.exe

mRun: [iSBMgr.exe] "c:\program files\sony\isb utility\ISBMgr.exe"

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [ControlCenter3] c:\program files\brother\controlcenter3\brctrcen.exe /autorun

mRun: [brMfcWnd] c:\program files\brother\brmfcmon\BrMfcWnd.exe /AUTORUN

mRun: [VAIOMyMemCenter] "c:\program files\sony\vaio my memory center\VAIO MyMemCenter.exe" 1

mRun: [synTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [VWLASU] "c:\program files\sony\vaio wireless wizard\AutoLaunchWLASU.exe"

mRun: [VAIOSurvey] "c:\program files\sony\vaio survey\VAIO Sat Survey.exe"

mRun: [VAIORegistration] "c:\program files\sony\first experience\WelcomeLauncher.exe"

mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [TrojanScanner] c:\program files\trojan remover\Trjscan.exe

mPolicies-System: EnableLUA = dword:0

mPolicies-System: EnableUIADesktopToggle = dword:0

IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}

LSP: mswsock.dll

DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab

TCP: NameServer = 192.168.0.1 192.168.0.1

TCP: Interfaces\{244EED3D-6D0B-4CB7-963D-3D0D75B6186F} : DHCPNameServer = 192.168.0.1 192.168.0.1

TCP: Interfaces\{D10402C1-9CDE-4582-A6B7-6C0D33B0E7BC} : DHCPNameServer = 192.168.5.1

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\common files\skype\Skype4COM.dll

Notify: igfxcui - igfxdev.dll

Notify: VESWinlogon - VESWinlogon.dll

LSA: Security Packages = kerberos msv1_0 schannel wdigest tspkg

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\users\petitemaman\appdata\roaming\mozilla\firefox\profiles\jsxvaje4.default\

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - hxxp://facebook.com/

FF - prefs.js: keyword.URL - hxxp://isearch.avg.com/search?cid=%7Bc183c01e-0e23-4225-9a62-521496760e1d%7D&mid=9d3711a6fe1e47d0808cd154fc4d28c3-beb4591de9725bd388433d865b2a6bf2a2b19a58&ds=ft011&v=11.1.0.12&lang=en&pr=sa&d=2012-07-07%2000%3A15%3A49&sap=ku&q=

FF - component: c:\program files\kaspersky lab\kaspersky internet security 2012\ffext\kavantibanner@kaspersky.ru\components\abhelperxpcom.dll

FF - component: c:\program files\kaspersky lab\kaspersky internet security 2012\ffext\kavantibanner@kaspersky.ru\components\ff10\abhelperxpcom10.dll

FF - component: c:\program files\kaspersky lab\kaspersky internet security 2012\ffext\kavantibanner@kaspersky.ru\components\ff11\abhelperxpcom11.dll

FF - component: c:\program files\kaspersky lab\kaspersky internet security 2012\ffext\kavantibanner@kaspersky.ru\components\ff12\abhelperxpcom12.dll

FF - component: c:\program files\kaspersky lab\kaspersky internet security 2012\ffext\kavantibanner@kaspersky.ru\components\ff4\abhelperxpcom4.dll

FF - component: c:\program files\kaspersky lab\kaspersky internet security 2012\ffext\kavantibanner@kaspersky.ru\components\ff5\abhelperxpcom5.dll

FF - component: c:\program files\kaspersky lab\kaspersky internet security 2012\ffext\kavantibanner@kaspersky.ru\components\ff6\abhelperxpcom6.dll

FF - component: c:\program files\kaspersky lab\kaspersky internet security 2012\ffext\kavantibanner@kaspersky.ru\components\ff7\abhelperxpcom7.dll

FF - component: c:\program files\kaspersky lab\kaspersky internet security 2012\ffext\kavantibanner@kaspersky.ru\components\ff8\abhelperxpcom8.dll

FF - component: c:\program files\kaspersky lab\kaspersky internet security 2012\ffext\kavantibanner@kaspersky.ru\components\ff9\abhelperxpcom9.dll

FF - component: c:\program files\kaspersky lab\kaspersky internet security 2012\ffext\linkfilter@kaspersky.ru\components\ff10\kavlinkfilter10.dll

FF - component: c:\program files\kaspersky lab\kaspersky internet security 2012\ffext\linkfilter@kaspersky.ru\components\ff11\kavlinkfilter11.dll

FF - component: c:\program files\kaspersky lab\kaspersky internet security 2012\ffext\linkfilter@kaspersky.ru\components\ff12\kavlinkfilter12.dll

FF - component: c:\program files\kaspersky lab\kaspersky internet security 2012\ffext\linkfilter@kaspersky.ru\components\ff4\kavlinkfilter4.dll

FF - component: c:\program files\kaspersky lab\kaspersky internet security 2012\ffext\linkfilter@kaspersky.ru\components\ff5\kavlinkfilter5.dll

FF - component: c:\program files\kaspersky lab\kaspersky internet security 2012\ffext\linkfilter@kaspersky.ru\components\ff6\kavlinkfilter6.dll

FF - component: c:\program files\kaspersky lab\kaspersky internet security 2012\ffext\linkfilter@kaspersky.ru\components\ff7\kavlinkfilter7.dll

FF - component: c:\program files\kaspersky lab\kaspersky internet security 2012\ffext\linkfilter@kaspersky.ru\components\ff8\kavlinkfilter8.dll

FF - component: c:\program files\kaspersky lab\kaspersky internet security 2012\ffext\linkfilter@kaspersky.ru\components\ff9\kavlinkfilter9.dll

FF - component: c:\program files\kaspersky lab\kaspersky internet security 2012\ffext\linkfilter@kaspersky.ru\components\kavlinkfilter.dll

FF - component: c:\program files\kaspersky lab\kaspersky internet security 2012\ffext\virtualkeyboard@kaspersky.ru\components\ff10\ffvkplugin10.dll

FF - component: c:\program files\kaspersky lab\kaspersky internet security 2012\ffext\virtualkeyboard@kaspersky.ru\components\ff11\ffvkplugin11.dll

FF - component: c:\program files\kaspersky lab\kaspersky internet security 2012\ffext\virtualkeyboard@kaspersky.ru\components\ff12\ffvkplugin12.dll

FF - component: c:\program files\kaspersky lab\kaspersky internet security 2012\ffext\virtualkeyboard@kaspersky.ru\components\ff4\ffvkplugin4.dll

FF - component: c:\program files\kaspersky lab\kaspersky internet security 2012\ffext\virtualkeyboard@kaspersky.ru\components\ff5\ffvkplugin5.dll

FF - component: c:\program files\kaspersky lab\kaspersky internet security 2012\ffext\virtualkeyboard@kaspersky.ru\components\ff6\ffvkplugin6.dll

FF - component: c:\program files\kaspersky lab\kaspersky internet security 2012\ffext\virtualkeyboard@kaspersky.ru\components\ff7\ffvkplugin7.dll

FF - component: c:\program files\kaspersky lab\kaspersky internet security 2012\ffext\virtualkeyboard@kaspersky.ru\components\ff8\ffvkplugin8.dll

FF - component: c:\program files\kaspersky lab\kaspersky internet security 2012\ffext\virtualkeyboard@kaspersky.ru\components\ff9\ffvkplugin9.dll

FF - component: c:\program files\kaspersky lab\kaspersky internet security 2012\ffext\virtualkeyboard@kaspersky.ru\components\ffvkplugin.dll

FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll

FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll

FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_4_402_278.dll

.

============= SERVICES / DRIVERS ===============

.

R2 Fitbit;Fitbit Data Uploader;c:\program files\fitbit\fitbit.exe [2012-5-24 788000]

R2 IntuitUpdateServiceV4;Intuit Update Service v4;c:\program files\common files\intuit\update service v4\IntuitUpdateService.exe [2012-2-6 13672]

R2 MBAMScheduler;MBAMScheduler;c:\program files\malwarebytes' anti-malware\mbamscheduler.exe [2012-11-2 399432]

R2 regi;regi;c:\windows\system32\drivers\regi.sys [2007-4-17 11032]

R2 RtkAudioService;Realtek Audio Service;c:\windows\RTKAUDIOSERVICE.EXE [2008-10-29 104992]

R2 SampleCollector;Intel® Sample Collector;c:\program files\sony\vaio care\collsvc.exe [2011-2-16 122880]

R2 uCamMonitor;CamMonitor;c:\program files\arcsoft\magic-i visual effects 2\uCamMonitor.exe [2011-2-16 104960]

R2 VAIO Power Management;VAIO Power Management;c:\program files\sony\vaio power management\SPMService.exe [2008-10-29 415584]

R2 VCFw;VAIO Content Folder Watcher;c:\program files\common files\sony shared\vaio content folder watcher\VCFw.exe [2008-9-3 446464]

R3 ArcSoftKsUFilter;ArcSoft Magic-I Visual Effect;c:\windows\system32\drivers\ArcSoftKsUFilter.sys [2011-2-16 17920]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-11-2 22856]

R3 SFEP;Sony Firmware Extension Parser;c:\windows\system32\drivers\SFEP.sys [2008-10-29 9344]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2012-11-2 676936]

S2 SkypeUpdate;Skype Updater;c:\program files\skype\updater\Updater.exe [2012-7-13 160944]

S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\mozilla maintenance service\maintenanceservice.exe [2012-6-16 129976]

S3 SIUSBXP;SIUSBXP;c:\windows\system32\drivers\SiUSBXp.sys [2012-5-24 21992]

S3 SOHCImp;VAIO Media plus Content Importer;c:\program files\sony\vaio media plus\SOHCImp.exe [2011-2-16 103712]

S3 SOHDms;VAIO Media plus Digital Media Server;c:\program files\sony\vaio media plus\SOHDms.exe [2011-2-16 353568]

S3 SOHDs;VAIO Media plus Device Searcher;c:\program files\sony\vaio media plus\SOHDs.exe [2011-2-16 62752]

S3 VcmIAlzMgr;VAIO Content Metadata Intelligent Analyzing Manager;c:\program files\sony\vcm intelligent analyzing manager\VcmIAlzMgr.exe [2011-2-16 337184]

S3 VcmXmlIfHelper;VAIO Content Metadata XML Interface;c:\program files\common files\sony shared\vcmxml\VcmXmlIfHelper.exe [2011-2-16 83232]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]

.

=============== File Associations ===============

.

ShellExec: VCExporterLaunch.exe: open="c:\program files\sony\vaio vp utilities\VCELaunch.exe" "%1"

.

=============== Created Last 30 ================

.

2012-11-03 01:17:15 22856 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-11-03 01:17:15 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2012-11-03 01:16:51 10669952 ----a-w- c:\users\petitemaman\appdata\roaming\microsoft\windows\start menu\programs\virus\malwarebytes' anti-malware\mbam-setup-1.65.1.1000.exe

2012-10-24 06:28:49 -------- d-----w- c:\users\petitemaman\appdata\local\Apple Computer

.

==================== Find3M ====================

.

2012-10-06 05:15:50 73136 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2012-10-06 05:15:50 696240 ----a-w- c:\windows\system32\FlashPlayerApp.exe

.

=================== ROOTKIT ====================

.

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net

Windows 6.0.6001 Disk: ST925031 rev.0001 -> Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1

.

device: opened successfully

user: error reading MBR

.

Disk trace:

called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll

1 ntkrnlpa!IofCallDriver[0x82AC920F] -> \Device\Harddisk0\DR0[0x86A718B0]

3 CLASSPNP[0x8ADA5745] -> ntkrnlpa!IofCallDriver[0x82AC920F] -> [0x85695700]

error: Read The request could not be performed because of an I/O device error.

kernel: MBR read successfully

_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; MOV CX, 0x4; MOV BP, 0x7be; CMP BYTE [bP+0x0], 0x0; }

user != kernel MBR !!!

.

============= FINISH: 10:52:13.96 ===============

+++++++++++++++++++++

ATTACH

+++++++++++++++++++++

.

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

.

DDS (Ver_2012-10-19.01)

.

Microsoft® Windows Vista™ Home Premium

Boot Device: \Device\HarddiskVolume2

Install Date: 2/16/2011 8:53:06 PM

System Uptime: 11/2/2012 9:00:18 PM (13 hours ago)

.

Motherboard: Sony Corporation | | VAIO

Processor: Intel® Pentium® Dual CPU T3400 @ 2.16GHz | N/A | 2166/166mhz

.

==== Disk Partitions =========================

.

C: is FIXED (NTFS) - 224 GiB total, 158.832 GiB free.

D: is Removable

E: is Removable

F: is CDROM ()

H: is CDROM ()

I: is Removable

.

==== Disabled Device Manager Items =============

.

==== System Restore Points ===================

.

RP670: 10/25/2012 8:52:13 AM - Scheduled Checkpoint

RP671: 10/25/2012 2:00:05 PM - Windows Update

RP672: 10/26/2012 2:00:25 PM - Windows Update

RP673: 10/27/2012 2:00:05 PM - Windows Update

RP674: 10/28/2012 1:48:36 AM - Windows Update

RP675: 10/28/2012 1:58:50 PM - Windows Update

RP676: 10/29/2012 1:59:38 PM - Windows Update

RP677: 10/30/2012 2:01:08 PM - Windows Update

RP678: 10/31/2012 2:00:12 PM - Windows Update

RP679: 11/2/2012 10:36:01 PM - Scheduled Checkpoint

RP680: 11/3/2012 10:18:53 AM - VAIO Care Automatic Restore Point

.

==== Installed Programs ======================

.

Acrobat.com

Ad-Aware SE Personal

Adobe AIR

Adobe Flash Player 11 ActiveX

Adobe Flash Player 11 Plugin

Adobe Reader 9.5.2

Apple Application Support

Apple Software Update

ArcSoft Magic-i Visual Effects 2

ArcSoft WebCam Companion 2

Brother MFL-Pro Suite MFC-290C

CamStudio

Click to Disc

Click to Disc Editor

Compatibility Pack for the 2007 Office system

Cucusoft YouTube Mate 8.15

doPDF 7.2 printer

Fitbit Base Station (Driver Removal)

Fitbit v2.1.0

HDAUDIO SoftV92 Data Fax Modem with SmartCP

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)

Intel® Graphics Media Accelerator Driver

Java Auto Updater

Java 6 Update 24

Java SE Runtime Environment 6

magicJack

Malwarebytes Anti-Malware version 1.65.1.1000

Microsoft .NET Framework 3.5 SP1

Microsoft .NET Framework 4 Client Profile

Microsoft Application Error Reporting

Microsoft Office Professional Edition 2003

Microsoft Visual C++ 2005 Redistributable

Mozilla Firefox 12.0 (x86 en-US)

Mozilla Maintenance Service

MSXML 4.0 SP2 (KB954430)

MSXML 4.0 SP2 (KB973688)

MSXML 4.0 SP2 Parser and SDK

Music Transfer

OpenMG Secure Module 5.1.00

Opera 11.01

Primo

Realtek High Definition Audio Driver

Roxio Central Audio

Roxio Central Copy

Roxio Central Core

Roxio Central Data

Roxio Central Tools

Roxio Easy Media Creator 10 LJ

Roxio Easy Media Creator Home

Safari

Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)

Setting Utility Series

Skype™ 5.10

Sony Picture Utility

Sony Video Shared Library

Spelling Dictionaries Support For Adobe Reader 9

Spybot - Search & Destroy 1.2

SupportSoft Assisted Service

Synaptics Pointing Device Driver

Trojan Remover 6.1.9

TurboTax 2010

TurboTax 2010 wcaiper

TurboTax 2010 WinPerFedFormset

TurboTax 2010 WinPerReleaseEngine

TurboTax 2010 WinPerTaxSupport

TurboTax 2010 wrapper

TurboTax 2011

TurboTax 2011 wcaiper

TurboTax 2011 WinPerFedFormset

TurboTax 2011 WinPerReleaseEngine

TurboTax 2011 WinPerTaxSupport

TurboTax 2011 wrapper

Update for Microsoft .NET Framework 3.5 SP1 (KB963707)

VAIO Care

VAIO Content Folder Setting

VAIO Content Folder Watcher

VAIO Content Metadata Intelligent Analyzing Manager

VAIO Content Metadata Manager Setting

VAIO Content Metadata XML Interface Library

VAIO Control Center

VAIO Data Restore Tool

VAIO DVD Menu Data Basic

VAIO Entertainment Platform

VAIO Event Service

VAIO Help and Support

VAIO Launcher

VAIO Media plus

VAIO Media plus Opening Movie

VAIO Movie Story

VAIO Movie Story Template Data

VAIO MusicBox

VAIO MusicBox Sample Music

VAIO My Memory Center

VAIO OOBE and Welcome Center

VAIO Original Function Setting

VAIO Power Management

VAIO Presentation Support

VAIO Startup Assistant

VAIO Survey

VAIO Update 4

VAIO Wallpaper Contents

VAIO Wireless Wizard

VLC media player 1.1.7

WinDVD for VAIO

WinRAR 4.10 (32-bit)

WinZip 14.0

.

==== Event Viewer Messages From Past Week ========

.

11/2/2012 9:02:19 PM, Error: Service Control Manager [7000] - The Parallel port driver service failed to start due to the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.

11/2/2012 9:01:10 PM, Error: Microsoft-Windows-WLAN-AutoConfig [10000] - WLAN Extensibility Module has failed to start. Module Path: C:\Windows\system32\athihvs.dll Error Code: 126

11/2/2012 2:55:04 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B68-F52A-11D8-B9A5-505054503030}

11/2/2012 10:27:55 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}

11/1/2012 9:25:44 PM, Error: Microsoft Antimalware [2001] -

11/1/2012 9:25:44 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}

11/1/2012 9:13:51 PM, Error: EventLog [6008] - The previous system shutdown at 11:22:29 AM on 11/1/2012 was unexpected.

11/1/2012 11:06:52 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service MSIServer with arguments "" in order to run the server: {000C101C-0000-0000-C000-000000000046}

11/1/2012 11:05:27 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}

11/1/2012 11:01:30 AM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: DMICall MpFilter spldr Wanarpv6

11/1/2012 11:01:30 AM, Error: Service Control Manager [7001] - The Computer Browser service depends on the Server service which failed to start because of the following error: The dependency service or group failed to start.

11/1/2012 11:00:49 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service fdPHost with arguments "" in order to run the server: {145B4335-FE2A-4927-A040-7C35AD3180EF}

11/1/2012 11:00:47 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

11/1/2012 11:00:40 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}

11/1/2012 11:00:35 AM, Error: Microsoft-Windows-WLAN-AutoConfig [10000] - WLAN Extensibility Module has failed to start. Module Path: C:\Windows\system32\athihvs.dll Error Code: 21

10/29/2012 6:48:14 PM, Error: Microsoft-Windows-Dhcp-Client [1002] - The IP address lease 75.51.79.57 for the Network Card with network address 001DBAA9C130 has been denied by the DHCP server 192.168.0.1 (The DHCP Server sent a DHCPNACK message).

10/29/2012 3:52:11 PM, Error: Microsoft-Windows-Dhcp-Client [1002] - The IP address lease 75.51.68.242 for the Network Card with network address 001DBAA9C130 has been denied by the DHCP server 192.168.0.1 (The DHCP Server sent a DHCPNACK message).

10/27/2012 11:36:06 PM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the VzCdbSvc service.

10/27/2012 11:26:31 PM, Error: Microsoft-Windows-Dhcp-Client [1002] - The IP address lease 192.168.1.64 for the Network Card with network address 001DBAA9C130 has been denied by the DHCP server 192.168.0.1 (The DHCP Server sent a DHCPNACK message).

10/27/2012 11:23:57 PM, Error: Microsoft-Windows-Dhcp-Client [1002] - The IP address lease 75.51.64.70 for the Network Card with network address 001DBAA9C130 has been denied by the DHCP server 192.168.0.1 (The DHCP Server sent a DHCPNACK message).

.

==== End Of File ===========================


Thanks for your information!

Step 1

Please follow the instructions here to get rid of leftovers from Kaspersky:

http://support.kaspersky.com/faq/?qid=208279463

Step 2

  • Launch Malwarebytes' Anti-Malware
  • Go to Update tab and select Check for Updates. If an update is found, it will download and install the latest version.
  • Go to Scanner tab and select Perform Quick Scan, then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with one of two prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Step 3

Download aswMBR.exe to your desktop.

Double click the aswMBR.exe to run it

Click the "Scan" button to start the scan


On completion of the scan click "Save log", save it to your desktop and post it in your next reply


In your next reply, post the following log files:

  • Malwarebytes' Anti-Malware log
  • aswMBR log
  • a new fresh DDS log


Thanks, Maniac - the aswMBR downloads just fine, but when I double-click it nothing happens. I've tried several times, rebooted a few times and re-downloaded it, but still the same: nothing happens upon double-clicking it. So, I'm including the MBAM log, but I don't know if you want me to re-run DDS without having run aswMBR. Please let me know what you need me to do.

++++++++++++++++++++++++++++++++++++++++

Malwarebytes Anti-Malware 1.65.1.1000

www.malwarebytes.org

Database version: v2012.11.05.01

Windows Vista Service Pack 1 x86 NTFS

Internet Explorer 7.0.6001.18000

PetiteMaman :: PETITEMAMAN [administrator]

11/4/2012 8:23:17 PM

mbam-log-2012-11-04 (20-23-17).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 194317

Time elapsed: 5 minute(s), 30 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 2

HKCR\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32| (Trojan.0Access) -> Bad: (C:\$Recycle.Bin\S-1-5-18\$7a0daef9b8b6cb036950af24afb4d8e1\n.) Good: (fastprox.dll) -> Quarantined and repaired successfully.

HKCR\CLSID\{FBEB8A05-BEEE-4442-804E-409D6C4515E9}\InProcServer32| (Trojan.0Access) -> Bad: (C:\$Recycle.Bin\S-1-5-21-561347676-892244705-3722214740-1000\$7a0daef9b8b6cb036950af24afb4d8e1\n.) Good: (shell32.dll) -> Quarantined and repaired successfully.

Folders Detected: 0

(No malicious items detected)

Files Detected: 3

C:\$Recycle.Bin\S-1-5-18\$7a0daef9b8b6cb036950af24afb4d8e1\n (Trojan.Ransom) -> Delete on reboot.

C:\$Recycle.Bin\S-1-5-21-561347676-892244705-3722214740-1000\$7a0daef9b8b6cb036950af24afb4d8e1\n (Trojan.Ransom) -> Delete on reboot.

C:\Windows\assembly\GAC\Desktop.ini (Rootkit.0access) -> Delete on reboot.

(end)

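The two "Registry Data Items" in the MBAM log above are COM hijacks: the InProcServer32 default value of a CLSID, which should name fastprox.dll and shell32.dll respectively, had been pointed at a file named n. inside $Recycle.Bin, so any program instantiating those objects loaded that file instead of the real DLL. The PowerShell below is an added example written for this page, not a tool from the thread or from Malwarebytes; it applies the same check to every CLSID in HKLM and HKCU so the remaining registrations can be reviewed. The "bad location" patterns and the accepted server extensions are assumed heuristics, and the two sample values at the end are taken from the log.

```powershell
# Added example, not from the original thread.
# Reviews COM InProcServer32 registrations the way the two MBAM "Registry Data Items"
# above were caught: a CLSID whose in-process server points somewhere a legitimate
# DLL would never live. The helper is pure so it can also be run against values
# copied out of a log, with no registry access.

# Returns the reasons a server path looks suspicious, or nothing if it looks normal.
function Get-InProcServerFindings {
    param([Parameter(Mandatory)][string] $Server)
    # Locations an installed COM server should not load from (assumed heuristics, not a complete list).
    $badPattern = @('\$Recycle\.Bin\\', '\\AppData\\', '\\Temp\\', '\\Users\\Public\\', '\\ProgramData\\')
    $path    = [Environment]::ExpandEnvironmentVariables($Server.Trim().Trim('"'))
    $reasons = @()
    # Win32 path normalisation drops a trailing dot, so "n." opens the file "n" while
    # not looking like a DLL name; both entries in the log above used this.
    if ($path.EndsWith('.')) { $reasons += 'trailing dot in path' }
    foreach ($p in $badPattern) { if ($path -match $p) { $reasons += "path matches $p" } }
    # Assumed set of normal server extensions; anything else deserves a look.
    if ($path -notmatch '\.(dll|ocx|ax|cpl)$') { $reasons += 'no DLL-style extension' }
    # Only check existence for absolute paths; bare names resolve via the DLL search path.
    if ($path -match '^[A-Za-z]:\\' -and -not (Test-Path -LiteralPath $path.TrimEnd('.'))) {
        $reasons += 'file does not exist'
    }
    $reasons
}

# Walks the HKLM and HKCU CLSID hives. HKCU\Software\Classes is merged over HKLM and
# wins, which is why per-user hijacks are planted there even on an otherwise clean box.
function Find-SuspiciousInProcServer {
    param([string[]] $Hive = @('HKLM:\SOFTWARE\Classes\CLSID', 'HKCU:\Software\Classes\CLSID'))
    foreach ($root in $Hive) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        Get-ChildItem -LiteralPath $root -ErrorAction SilentlyContinue | ForEach-Object {
            $sub = $_.OpenSubKey('InProcServer32')
            if ($null -eq $sub) { return }
            $server = $sub.GetValue('')      # the (Default) value holds the DLL path
            $sub.Close()
            if ([string]::IsNullOrWhiteSpace($server)) { return }
            $why = Get-InProcServerFindings -Server $server
            if ($why) {
                [pscustomobject]@{
                    Hive   = $root
                    CLSID  = $_.PSChildName
                    Server = $server
                    Reason = ($why -join '; ')
                }
            }
        }
    }
}

# The hijacked value from the MBAM log above, checked offline (several findings),
# followed by the legitimate value it replaced (no findings):
Get-InProcServerFindings -Server 'C:\$Recycle.Bin\S-1-5-18\$7a0daef9b8b6cb036950af24afb4d8e1\n.'
Get-InProcServerFindings -Server 'fastprox.dll'

# On a live system:
#   Find-SuspiciousInProcServer | Format-Table -AutoSize
```

Expect some noise from uninstalled software that left a CLSID behind ("file does not exist"); the entries worth attention are the ones that combine a user-writable location with a file that is present.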

BACKDOOR WARNING

One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advise you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

Help: I Got Hacked. Now What Do I Do?

Help: I Got Hacked. Now What Do I Do? Part II

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please let me know.


Well, that's not happy news!! I didn't think it would be that bad, and that's odd because I never download anything, so how I got one of those is beyond me :(

Let's clean the computer, but I'm doing all that you suggested anyway - I'll have to call everyone tomorrow to change my passwords and alert them about what's been going on. Can you tell me what is approximately the time it would take for the hackers to get to my information? Meaning, given that they usually gather information for many computers, how do they know when they got mine and how soon might they try accessing my info? I just wiped out all the passwords on this computer and won't be using it past today, but I don't know if I'd notice when they're accessing it...


Can you tell me what is approximately the time it would take for the hackers to get to my information?

From the second your system was infected, cyber criminals have had access to your information. Everything depends on them.

Meaning, given that they usually gather information for many computers, how do they know when they got mine and how soon might they try accessing my info?

I understand that you are trying to add the issue to the list of probabilities, but they have a list of all infected systems and can get into any one of them at any time without your even noticing.

I just wiped out all the passwords on this computer and won't be using it past today, but I don't know if I'd notice when they're accessing it...

No, you won't notice that.

Please download the latest version of TDSSKiller from here and save it to your Desktop.

  • Double-click on TDSSKiller.exe to run the application, then click on Change parameters.
  • Put a checkmark beside loaded modules.
  • A reboot will be needed to apply the changes. Do it.
  • TDSSKiller will launch automatically after the reboot. Also your computer may seem very slow and unusable. This is normal. Give it enough time to load your background programs.
  • Then click on Change parameters in TDSSKiller.
  • Check all boxes then click OK.
  • Click the Start Scan button.
  • The scan should take no longer than 2 minutes.
  • If a suspicious object is detected, the default action will be Skip, click on Continue.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
    Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
    Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.
  • A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.


Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
