
Google Redirect Virus/Issue



Hello,

Some co-workers of mine have used this site before and recommended that I come here for some help. I have run MB and it found a couple of "infections"; I thought that I had solved the issue. However, today I am still getting redirects when googling to http://63.209.69.107 and a few other addresses. I honestly have no clue what else to do in these cases, so I came here for help.

I have attached the logs below, any help would be greatly appreciated.

Thanks ahead!

attach.txt

dds.txt


  • Staff

Please do the following:

Download the appropriate version for your system of the Farbar Recovery Scan Tool and save it to a flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:

  • Restart the computer.
  • As soon as the BIOS is loaded, begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:

  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

On the System Recovery Options menu you will get the following options:

  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt

  • Select Command Prompt.
  • In the command window type notepad and press Enter.
  • Notepad opens. Under the File menu select Open.
  • Select "Computer", find your flash drive letter, and close Notepad.
  • In the command window type e:\frst.exe (for the x64 version type e:\frst64) and press Enter.
    Note: Replace the letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens, click Yes to the disclaimer.
  • Place a check next to List Drivers MD5 as well as the default check marks that are already there.
  • Press the Scan button.
  • Type exit and reboot the computer normally.
  • FRST will make a log (FRST.txt) on the flash drive; please copy and paste the log in your reply.


Sorry it took so long; my computer was giving me a hard time. Here is the FRST log, included below.

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 23-11-2012

Ran by SYSTEM at 27-11-2012 09:40:11

Running from I:\

Windows 7 Professional (X86) OS Language: English(US)

The current controlset is ControlSet001

==================== Registry (Whitelisted) ===================

HKLM\...\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [919008 2012-07-27] (Adobe Systems Incorporated)

HKLM\...\Run: [Communicator] "C:\Program Files\Microsoft Lync\communicator.exe" /fromrunkey [12099672 2012-06-11] (Microsoft Corporation)

HKLM\...\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup [13683232 2009-02-26] (NVIDIA Corporation)

HKLM\...\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit [92704 2009-02-26] (NVIDIA Corporation)

HKLM\...\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start [81920 2005-02-16] (InstallShield Software Corporation)

HKLM\...\Run: [F-Secure Manager] "C:\Program Files\F-Secure\Common\FSM32.EXE" /splash [306928 2012-06-26] (F-Secure Corporation)

HKLM\...\Run: [F-Secure TNB] "C:\Program Files\F-Secure\FSGUI\TNBUtil.exe" /CHECKALL /WAITFORSW [1654512 2012-06-26] (F-Secure Corporation)

HKLM\...\Run: [atchk] "C:\Program Files\Intel\AMT\atchk.exe" [401408 2009-12-01] (Intel Corporation)

HKLM\...\Run: [sunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe" [252848 2012-07-03] (Sun Microsystems, Inc.)

HKLM\...\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59280 2012-08-27] (Apple Inc.)

HKLM\...\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" [421776 2012-09-09] (Apple Inc.)

HKU\twheeler.MCOLLINS\...\Run: [iSUSPM Startup] c:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup [221184 2005-02-16] (InstallShield Software Corporation)

HKU\twheeler.MCOLLINS\...\Run: [spotify] "C:\Users\twheeler.MCOLLINS\AppData\Roaming\Spotify\Spotify.exe" /uri spotify:autostart [7880664 2012-11-05] (Spotify Ltd)

HKU\twheeler.MCOLLINS\...\Run: [spotify Web Helper] "C:\Users\twheeler.MCOLLINS\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe" [1199576 2012-11-05] (Spotify Ltd)

HKU\twheeler.MCOLLINS\...\Run: [ngeca] "C:\Windows\System32\rundll32.exe" "C:\Users\twheeler.MCOLLINS\AppData\Roaming\ngeca.dll",EOFError [351232 2012-11-15] (Promise Technology,Inc)

HKU\twheeler.MCOLLINS\...\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [4763008 2012-11-01] (SUPERAntiSpyware.com)

HKU\twheeler.MCOLLINS\...\RunOnce: [FlashPlayerUpdate] C:\Windows\system32\Macromed\Flash\FlashUtil32_11_4_402_287_ActiveX.exe -update activex [692152 2012-10-08] (Adobe Systems Incorporated)

HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox] fastprox.dll ATTENTION! ====> ZeroAccess

Tcpip\Parameters: [DhcpNameServer] 10.7.7.204 10.7.7.154 10.7.7.203

==================== Services (Whitelisted) ===================

2 !SASCORE; "C:\Program Files\SUPERAntiSpyware\SASCORE.EXE" [116608 2012-07-11] (SUPERAntiSpyware.com)

2 atchksrv; C:\Program Files\Intel\AMT\atchksrv.exe [176128 2009-12-01] (Intel Corporation)

2 CoreScanner; "C:\Program Files\Motorola Scanner\Common\CoreScanner.exe" [217088 2011-06-13] (Motorola Solutions, Inc.)

2 F-Secure Gatekeeper Handler Starter; "C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe" [220912 2012-06-26] (F-Secure Corporation)

3 F-Secure Network Request Broker; "C:\Program Files\F-Secure\Common\FNRB32.EXE" [188144 2012-06-26] (F-Secure Corporation)

2 fsdevcon; "C:\Program Files\F-Secure\Device Control\\fsdevcon32.exe" [404160 2012-02-06] (F-Secure Corporation)

3 FSDFWD; "C:\Program Files\F-Secure\FWES\Program\fsdfwd.exe" [557760 2012-02-06] (F-Secure Corporation)

2 FSMA; "C:\Program Files\F-Secure\Common\FSMA32.EXE" [188144 2012-06-26] (F-Secure Corporation)

3 FSORSPClient; "C:\Program Files\F-Secure\ORSP Client\fsorsp.exe" [62144 2012-02-06] (F-Secure Corporation)

2 LMS; C:\Program Files\Intel\AMT\LMS.exe [102400 2009-12-01] (Intel)

2 rsmdriverproviderservice; C:\Program Files\Motorola Scanner\Common\RSMDriverProviderService.exe [61440 2011-06-13] (Motorola Solutions, Inc.)

2 ScnSrvc; C:\Program Files\Motorola Scanner\Common\ScannerService.exe [176128 2011-06-13] (Motorola Solutions, Inc.)

2 UNS; C:\Program Files\Intel\AMT\UNS.exe [2519040 2009-12-01] (Intel)

==================== Drivers (Whitelisted) ====================

3 Andbus; C:\Windows\System32\DRIVERS\lgandbus.sys [14336 2010-08-02] (LG Electronics Inc.)

3 AndDiag; C:\Windows\System32\DRIVERS\lganddiag.sys [20864 2010-08-02] (LG Electronics Inc.)

3 AndGps; C:\Windows\System32\DRIVERS\lgandgps.sys [19968 2010-08-02] (LG Electronics Inc.)

3 ANDModem; C:\Windows\System32\DRIVERS\lgandmodem.sys [24960 2010-08-02] (LG Electronics Inc.)

3 androidusb; C:\Windows\System32\Drivers\lgandadb.sys [25728 2010-08-02] (Google Inc)

4 F-Secure Filter; \??\C:\Program Files\F-Secure\Anti-Virus\Win2K\FSfilter.sys [41072 2012-06-26] ()

3 F-Secure Gatekeeper; \??\C:\Program Files\F-Secure\Anti-Virus\minifilter\fsgk.sys [144440 2012-10-31] ()

4 F-Secure Recognizer; \??\C:\Program Files\F-Secure\Anti-Virus\Win2K\FSrec.sys [26352 2012-06-26] ()

0 fsbts; C:\Windows\System32\Drivers\fsbts.sys [44240 2012-10-15] ()

1 FSES; C:\Windows\System32\drivers\fses.sys [37952 2012-02-06] (F-Secure Corporation)

1 FSFW; C:\Windows\System32\drivers\fsdfw.sys [73664 2012-02-06] (F-Secure Corporation)

1 fsvista; \??\C:\Program Files\F-Secure\Anti-Virus\minifilter\fsvista.sys [13552 2012-06-26] ()

3 MonitorUsbDnld; C:\Windows\System32\Drivers\Symbol_USB_Dwnld.sys [36570 2003-12-01] (Your Corporation)

1 SASDIFSV; \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS [12880 2011-07-22] (SUPERAdBlocker.com and SUPERAntiSpyware.com)

1 SASKUTIL; \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS [67664 2011-07-12] (SUPERAdBlocker.com and SUPERAntiSpyware.com)

3 catchme; \??\C:\Users\TWHEEL~1.MCO\AppData\Local\Temp\catchme.sys [x]

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

2012-11-27 06:16 - 2012-11-27 06:16 - 00907994 ____A (Farbar) C:\Users\twheeler.MCOLLINS\Desktop\FRST.exe

2012-11-27 06:03 - 2012-11-27 06:03 - 00013561 ____A C:\Users\twheeler.MCOLLINS\Desktop\dds.txt

2012-11-27 06:03 - 2012-11-27 06:03 - 00009353 ____A C:\Users\twheeler.MCOLLINS\Desktop\attach.txt

2012-11-27 05:53 - 2012-11-27 05:53 - 00688992 ____R (Swearware) C:\Users\twheeler.MCOLLINS\Desktop\dds.com

2012-11-26 05:54 - 2012-11-26 05:54 - 00000000 ____D C:\Users\twheeler.MCOLLINS\AppData\Roaming\SUPERAntiSpyware.com

2012-11-26 05:53 - 2012-11-26 05:54 - 00000000 ____D C:\Program Files\SUPERAntiSpyware

2012-11-26 05:53 - 2012-11-26 05:53 - 00000000 ____D C:\Users\All Users\SUPERAntiSpyware.com

2012-11-20 12:11 - 2012-11-27 06:19 - 00006465 ____A C:\Users\twheeler.MCOLLINS\AppData\Local\chromeupdate.crx

2012-11-15 10:44 - 2012-11-15 10:44 - 00351232 ____A (Promise Technology,Inc) C:\Users\twheeler.MCOLLINS\AppData\Roaming\ngeca.dll

2012-11-14 13:52 - 2012-11-14 13:52 - 00000515 ____A C:\Users\All Users\DVRSupport.log

2012-11-09 10:31 - 2012-11-09 10:31 - 00005548 ____A C:\Users\All Users\DVRClient.log

==================== One Month Modified Files and Folders ========

2012-11-27 09:39 - 2012-11-27 09:39 - 00000000 ____D C:\FRST

2012-11-27 06:20 - 2012-02-03 15:28 - 01607530 ____A C:\Windows\WindowsUpdate.log

2012-11-27 06:19 - 2012-11-20 12:11 - 00006465 ____A C:\Users\twheeler.MCOLLINS\AppData\Local\chromeupdate.crx

2012-11-27 06:18 - 2010-11-20 13:01 - 00737484 ____A C:\Windows\System32\PerfStringBackup.INI

2012-11-27 06:16 - 2012-11-27 06:16 - 00907994 ____A (Farbar) C:\Users\twheeler.MCOLLINS\Desktop\FRST.exe

2012-11-27 06:10 - 2012-02-03 12:31 - 00000248 ____A C:\Windows\System32\config\netlogon.ftl

2012-11-27 06:03 - 2012-11-27 06:03 - 00013561 ____A C:\Users\twheeler.MCOLLINS\Desktop\dds.txt

2012-11-27 06:03 - 2012-11-27 06:03 - 00009353 ____A C:\Users\twheeler.MCOLLINS\Desktop\attach.txt

2012-11-27 05:58 - 2012-09-12 07:15 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job

2012-11-27 05:53 - 2012-11-27 05:53 - 00688992 ____R (Swearware) C:\Users\twheeler.MCOLLINS\Desktop\dds.com

2012-11-27 05:51 - 2012-10-15 08:03 - 00000000 ____D C:\Users\twheeler.MCOLLINS\AppData\Roaming\Spotify

2012-11-26 13:57 - 2012-10-15 08:03 - 00000000 ____D C:\Users\twheeler.MCOLLINS\AppData\Local\Spotify

2012-11-26 11:35 - 2012-09-14 07:45 - 00038400 ____A C:\Users\twheeler.MCOLLINS\Desktop\2001 Dodge Maint-Fuel 11-26-12.xls

2012-11-26 09:15 - 2012-02-08 06:23 - 00002030 ___AH C:\Users\twheeler.MCOLLINS\Documents\Default.rdp

2012-11-26 05:54 - 2012-11-26 05:54 - 00000000 ____D C:\Users\twheeler.MCOLLINS\AppData\Roaming\SUPERAntiSpyware.com

2012-11-26 05:54 - 2012-11-26 05:53 - 00000000 ____D C:\Program Files\SUPERAntiSpyware

2012-11-26 05:53 - 2012-11-26 05:53 - 00000000 ____D C:\Users\All Users\SUPERAntiSpyware.com

2012-11-20 12:15 - 2009-07-13 20:34 - 00025904 ____A C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0

2012-11-20 12:15 - 2009-07-13 20:34 - 00025904 ____A C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0

2012-11-20 12:11 - 2012-02-06 05:56 - 00000000 ____D C:\Users\twheeler.MCOLLINS\Tracing

2012-11-20 12:08 - 2012-05-15 05:18 - 00000106 ____A C:\Windows\System32\symbscnr.log

2012-11-20 12:08 - 2012-05-15 05:18 - 00000000 ____A C:\Windows\System32\symbscnrsvc.log

2012-11-20 12:08 - 2010-11-20 13:48 - 00190908 ____A C:\Windows\PFRO.log

2012-11-20 12:08 - 2009-07-13 20:53 - 00000006 ___AH C:\Windows\Tasks\SA.DAT

2012-11-20 12:08 - 2009-07-13 20:39 - 00069786 ____A C:\Windows\setupact.log

2012-11-20 11:00 - 2012-05-24 05:05 - 00001063 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk

2012-11-20 11:00 - 2012-05-24 05:05 - 00000000 ____D C:\Program Files\Malwarebytes' Anti-Malware

2012-11-15 10:44 - 2012-11-15 10:44 - 00351232 ____A (Promise Technology,Inc) C:\Users\twheeler.MCOLLINS\AppData\Roaming\ngeca.dll

2012-11-15 10:07 - 2012-05-15 05:18 - 00000106 ____A C:\Windows\System32\symbscnr.log.bak

2012-11-14 13:53 - 2012-10-19 07:37 - 00071406 ____A C:\Users\All Users\DVRCommunication.log

2012-11-14 13:52 - 2012-11-14 13:52 - 00000515 ____A C:\Users\All Users\DVRSupport.log

2012-11-13 13:08 - 2012-02-06 06:43 - 00000000 ____D C:\Users\twheeler.MCOLLINS\Desktop\Me

2012-11-09 10:31 - 2012-11-09 10:31 - 00005548 ____A C:\Users\All Users\DVRClient.log

2012-11-02 09:05 - 2012-10-16 06:46 - 00000132 ____A C:\Users\twheeler.MCOLLINS\AppData\Roaming\Adobe GIF Format CS5 Prefs

2012-10-28 13:38 - 2012-02-03 12:33 - 00007748 _RASH C:\Users\All Users\ntuser.pol

ZeroAccess:

C:\$Recycle.Bin\S-1-5-21-1582705245-1855416065-7473742-2004\$83ca970dd30cb2574d088815f7c9e83d

ZeroAccess:

C:\$Recycle.Bin\S-1-5-18\$83ca970dd30cb2574d088815f7c9e83d

==================== Known DLLs (Whitelisted) =================

==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit

C:\Windows\System32\winlogon.exe => MD5 is legit

C:\Windows\System32\wininit.exe => MD5 is legit

C:\Windows\System32\svchost.exe => MD5 is legit

C:\Windows\System32\services.exe => MD5 is legit

C:\Windows\System32\User32.dll => MD5 is legit

C:\Windows\System32\userinit.exe => MD5 is legit

C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK

HKLM\...\exefile\DefaultIcon: %1 => OK

HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================

Restore point made on: 2012-10-18 20:00:14

Restore point made on: 2012-10-26 20:00:15

Restore point made on: 2012-11-07 08:41:59

Restore point made on: 2012-11-15 14:22:04

Restore point made on: 2012-11-26 13:36:56

Restore point made on: 2012-11-27 05:48:01

==================== Memory info ===========================

Percentage of memory in use: 21%

Total physical RAM: 3037.61 MB

Available physical RAM: 2397.12 MB

Total Pagefile: 3035.89 MB

Available Pagefile: 2403.64 MB

Total Virtual: 2047.88 MB

Available Virtual: 1954.3 MB

==================== Partitions =============================

1 Drive c: () (Fixed) (Total:149.01 GB) (Free:79.68 GB) NTFS ==>[Drive with boot components (obtained from BCD)]

3 Drive e: (WIN_7_PROFESSIONAL) (CDROM) (Total:4.78 GB) (Free:0 GB) UDF

7 Drive i: (CORSAIR) (Removable) (Total:15.12 GB) (Free:9.84 GB) FAT32

8 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

Disk ### Status Size Free Dyn Gpt

-------- ------------- ------- ------- --- ---

Disk 0 Online 149 GB 0 B

Disk 1 No Media 0 B 0 B

Disk 2 No Media 0 B 0 B

Disk 3 No Media 0 B 0 B

Disk 4 No Media 0 B 0 B

Disk 5 Online 15 GB 0 B

Partitions of Disk 0:

===============

Partition ### Type Size Offset

------------- ---------------- ------- -------

Partition 1 Primary 149 GB 31 KB

=========================================================

Disk: 0

Partition 1

Type : 07

Hidden: No

Active: Yes

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 1 C NTFS Partition 149 GB Healthy

=========================================================

Partitions of Disk 5:

===============

Partition ### Type Size Offset

------------- ---------------- ------- -------

Partition 1 Primary 15 GB 1024 KB

=========================================================

Disk: 5

Partition 1

Type : 0C

Hidden: No

Active: No

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 6 I CORSAIR FAT32 Removable 15 GB Healthy

=========================================================

Last Boot: 2012-11-15 14:14

==================== End Of Log ============================


  • Staff

Please do the following:

Open Notepad (Start => All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this, highlight the contents of the box, right-click on it and select Copy. Right-click in the open Notepad window and select Paste.) Save it on the flash drive as fixlist.txt.

start
HKU\twheeler.MCOLLINS\...\Run: [ngeca] "C:\Windows\System32\rundll32.exe" "C:\Users\twheeler.MCOLLINS\AppData\Roaming\ngeca.dll",EOFError [351232 2012-11-15] (Promise Technology,Inc)
HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox] fastprox.dll ATTENTION! ====> ZeroAccess
2012-11-15 10:44 - 2012-11-15 10:44 - 00351232 ____A (Promise Technology,Inc) C:\Users\twheeler.MCOLLINS\AppData\Roaming\ngeca.dll
C:\$Recycle.Bin\S-1-5-21-1582705245-1855416065-7473742-2004\$83ca970dd30cb2574d088815f7c9e83d
C:\$Recycle.Bin\S-1-5-18\$83ca970dd30cb2574d088815f7c9e83d
end

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.

Now please enter System Recovery Options, then select Command Prompt.

Run FRST (or FRST64 if you have the 64-bit version) and press the Fix button just once and wait.

The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply.

Reboot Normally.

NEXT

Refer to the ComboFix User's Guide

  1. Download ComboFix from the following location:
    Link
    * IMPORTANT !!! Place ComboFix.exe on your Desktop
  2. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
    You can get help on disabling your protection programs here
  3. Double click on ComboFix.exe & follow the prompts.
  4. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  5. When finished, it shall produce a log for you. Post that log in your next reply.
    Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
  6. Ensure your AntiVirus and AntiSpyware applications are re-enabled.

NOTE: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.

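As an added example (not code from the thread and not Farbar's own tool), the following Python script applies the same triage logic the staff fix above used to FRST log lines copied from the posted log: it flags the rundll32 autorun that loads a DLL from the user's AppData folder, the line FRST itself tagged as ZeroAccess, the on-disk entry for that DLL, and the hidden $Recycle.Bin folders, then writes them out in FRST's start/end fixlist.txt format. The sample log, the rule names and the assumption that a fixlist entry is the full log line (as the staff wrote it) are this example's own.

```python
"""Triage helper for a Farbar Recovery Scan Tool (FRST) log.

Added example, not part of the thread and not Farbar's own code. It applies
the same reasoning the staff fix used: pull the ZeroAccess indicators out of
the FRST log and emit them in FRST's start/end fixlist.txt format.
"""
import re

# Constructed sample: lines copied from the FRST log posted in the thread,
# plus two benign autoruns to show that ordinary entries are left alone.
SAMPLE_FRST_LOG = r"""
HKLM\...\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [919008 2012-07-27] (Adobe Systems Incorporated)
HKU\twheeler.MCOLLINS\...\Run: [spotify] "C:\Users\twheeler.MCOLLINS\AppData\Roaming\Spotify\Spotify.exe" /uri spotify:autostart [7880664 2012-11-05] (Spotify Ltd)
HKU\twheeler.MCOLLINS\...\Run: [ngeca] "C:\Windows\System32\rundll32.exe" "C:\Users\twheeler.MCOLLINS\AppData\Roaming\ngeca.dll",EOFError [351232 2012-11-15] (Promise Technology,Inc)
HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox] fastprox.dll ATTENTION! ====> ZeroAccess
==================== One Month Created Files and Folders ========
2012-11-15 10:44 - 2012-11-15 10:44 - 00351232 ____A (Promise Technology,Inc) C:\Users\twheeler.MCOLLINS\AppData\Roaming\ngeca.dll
==================== One Month Modified Files and Folders ========
2012-11-15 10:44 - 2012-11-15 10:44 - 00351232 ____A (Promise Technology,Inc) C:\Users\twheeler.MCOLLINS\AppData\Roaming\ngeca.dll
ZeroAccess:
C:\$Recycle.Bin\S-1-5-21-1582705245-1855416065-7473742-2004\$83ca970dd30cb2574d088815f7c9e83d
ZeroAccess:
C:\$Recycle.Bin\S-1-5-18\$83ca970dd30cb2574d088815f7c9e83d
"""

# FRST autorun line: HKLM\...\Run: [name] command [size date] (publisher)
RUN_LINE = re.compile(
    r"^HK(?:LM|U\\[^\\]+)\\\.\.\.\\Run(?:Once)?: \[(?P<name>[^\]]+)\] "
    r"(?P<cmd>.*?) \[\d+ \d{4}-\d{2}-\d{2}\]"
)
# rundll32.exe "<dll>",<export> : capture the DLL being loaded.
RUNDLL_DLL = re.compile(r'rundll32\.exe"?\s+"?(?P<dll>[^",]+\.dll)"?\s*(?:,|$)', re.IGNORECASE)
# Locations an ordinary user can write to; an autorun loading a DLL from
# here is a common persistence pattern and deserves a second look.
USER_WRITABLE = re.compile(r"\\(?:AppData\\(?:Roaming|Local|LocalLow)|Temp)\\", re.IGNORECASE)
# FRST file line: created - modified - size flags (publisher) path
FILE_LINE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} - \d{4}-\d{2}-\d{2} \d{2}:\d{2} - \d{8} "
    r"[_A-Z]{5} (?:\([^)]*\) )?(?P<path>.+)$"
)


def triage_frst_log(text: str) -> list[dict]:
    """Scan FRST log lines and return the findings in log order.

    Each finding is {'rule': <why it was flagged>, 'line': <exact log line>}.
    The registry section precedes the file sections in an FRST log, so a DLL
    flagged from an autorun can be matched against its on-disk entry later.
    """
    findings = []
    flagged_dlls = set()   # DLL paths flagged from autoruns (casefolded)
    listed_dlls = set()    # on-disk entries already emitted (avoid duplicates)
    expect_path = False    # True right after a bare "ZeroAccess:" marker
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if expect_path:
            # FRST prints the hidden ZeroAccess folder on the line after the marker.
            findings.append({"rule": "zeroaccess-marker", "line": line})
            expect_path = False
            continue
        if line == "ZeroAccess:":
            expect_path = True
            continue
        if "ATTENTION! ====>" in line:
            # FRST's own verdict (here: the hijacked fastprox.dll CLSID).
            findings.append({"rule": "frst-attention", "line": line})
            continue
        run = RUN_LINE.match(line)
        if run:
            dll = RUNDLL_DLL.search(run.group("cmd"))
            if dll and USER_WRITABLE.search(dll.group("dll")):
                flagged_dlls.add(dll.group("dll").casefold())
                findings.append({"rule": "rundll32-user-writable-dll", "line": line})
            continue
        entry = FILE_LINE.match(line)
        if entry:
            path = entry.group("path").casefold()
            if path in flagged_dlls and path not in listed_dlls:
                listed_dlls.add(path)
                findings.append({"rule": "flagged-dll-on-disk", "line": line})
    return findings


def build_fixlist(findings: list[dict]) -> str:
    """Render findings as fixlist.txt: 'start', one log line each, 'end'."""
    return "\n".join(["start", *(f["line"] for f in findings), "end"]) + "\n"


if __name__ == "__main__":
    print(build_fixlist(triage_frst_log(SAMPLE_FRST_LOG)), end="")
```

Run against the sample it reproduces the five lines of the staff fixlist in the same order; the benign Adobe and Spotify autoruns are not flagged because neither goes through rundll32.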

Thanks again for all of the help; here are the two logs, posted below. However, after I completed these two steps, I am unable to go anywhere on the internet now.

FIXLOG

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 23-11-2012

Ran by SYSTEM at 2012-11-27 10:11:20 Run:1

Running from I:\

==============================================

HKEY_USERS\twheeler.MCOLLINS\Software\Microsoft\Windows\CurrentVersion\Run\\ngeca Value deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InprocServer32\\Default value was restored successfully .

[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}] should be deleted in normal mode (if present).

C:\Users\twheeler.MCOLLINS\AppData\Roaming\ngeca.dll moved successfully.

C:\$Recycle.Bin\S-1-5-21-1582705245-1855416065-7473742-2004\$83ca970dd30cb2574d088815f7c9e83d moved successfully.

C:\$Recycle.Bin\S-1-5-18\$83ca970dd30cb2574d088815f7c9e83d moved successfully.

==== End of Fixlog ====

COMBOFIX

ComboFix 12-11-27.01 - twheeler 11/27/2012 10:19:17.2.2 - x86

Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.3038.2004 [GMT -5:00]

Running from: c:\users\twheeler.MCOLLINS\Desktop\ComboFix.exe

AV: F-Secure Client Security 9.31 *Enabled/Updated* {15414183-282E-D62C-CA37-EF24860A2F17}

FW: F-Secure Client Security 9.31 *Disabled* {2D7AC0A6-6241-D774-E168-461178D9686C}

SP: F-Secure Client Security 9.31 *Enabled/Updated* {AE20A067-0E14-D9A2-F087-D456FD8D65AA}

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\users\twheeler.MCOLLINS\Desktop\Internet Explorer.lnk

c:\windows\XSxS

.

.

((((((((((((((((((((((((( Files Created from 2012-10-27 to 2012-11-27 )))))))))))))))))))))))))))))))

.

.

2012-11-27 17:39 . 2012-11-27 17:39 -------- d-----w- C:\FRST

2012-11-27 15:27 . 2012-11-27 15:27 -------- d-----w- c:\users\TWHEEL~1~MCO\AppData\Local\temp

2012-11-27 15:27 . 2012-11-27 15:27 -------- d-----w- c:\users\Public\AppData\Local\temp

2012-11-27 15:27 . 2012-11-27 15:27 -------- d-----w- c:\users\Default\AppData\Local\temp

2012-11-27 15:27 . 2012-11-27 15:27 -------- d-----w- c:\users\twheeler\AppData\Local\temp

2012-11-26 13:54 . 2012-11-26 13:54 -------- d-----w- c:\users\twheeler.MCOLLINS\AppData\Roaming\SUPERAntiSpyware.com

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-10-15 16:05 . 2012-04-12 21:52 44240 ----a-w- c:\windows\system32\drivers\fsbts.sys

2012-10-09 00:58 . 2012-09-12 15:15 696760 ----a-w- c:\windows\system32\FlashPlayerApp.exe

2012-10-09 00:58 . 2012-02-06 14:31 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2012-09-30 00:54 . 2012-05-24 13:05 22856 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-09-28 11:56 . 2012-09-28 11:57 93672 ----a-w- c:\windows\system32\WindowsAccessBridge.dll

2012-09-28 11:56 . 2012-06-12 17:05 746984 ----a-w- c:\windows\system32\deployJava1.dll

2012-09-28 11:56 . 2012-06-12 17:05 821736 ----a-w- c:\windows\system32\npDeployJava1.dll

2012-07-16 12:05 . 2012-02-06 13:49 85472 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-20 1174016]

"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2005-02-16 221184]

"Spotify"="c:\users\twheeler.MCOLLINS\AppData\Roaming\Spotify\Spotify.exe" [2012-11-05 7880664]

"Spotify Web Helper"="c:\users\twheeler.MCOLLINS\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe" [2012-11-05 1199576]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-09-24 141848]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-09-24 173592]

"Persistence"="c:\windows\system32\igfxpers.exe" [2009-09-24 150552]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-27 919008]

"Communicator"="c:\program files\Microsoft Lync\communicator.exe" [2012-06-12 12099672]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-02-27 13683232]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-02-27 92704]

"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 81920]

"F-Secure Manager"="c:\program files\F-Secure\Common\FSM32.EXE" [2012-06-26 306928]

"F-Secure TNB"="c:\program files\F-Secure\FSGUI\TNBUtil.exe" [2012-06-26 1654512]

"atchk"="c:\program files\Intel\AMT\atchk.exe" [2009-12-01 401408]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848]

"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-08-28 59280]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-09-10 421776]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"= 5 (0x5)

"ConsentPromptBehaviorUser"= 3 (0x3)

"EnableUIADesktopToggle"= 0 (0x0)

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"aux"=wdmaud.drv

.

R3 Andbus;LGE Android Platform Composite USB Device;c:\windows\system32\DRIVERS\lgandbus.sys [x]

R3 AndDiag;LGE Android Platform USB Serial Port;c:\windows\system32\DRIVERS\lganddiag.sys [x]

R3 AndGps;LGE Android Platform USB GPS NMEA Port;c:\windows\system32\DRIVERS\lgandgps.sys [x]

R3 ANDModem;LGE Android Platform USB Modem;c:\windows\system32\DRIVERS\lgandmodem.sys [x]

R3 androidusb;ADB Interface Driver;c:\windows\system32\Drivers\lgandadb.sys [x]

R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [x]

R3 MonitorUsbDnld;SymbolUSBDnld;c:\windows\system32\Drivers\Symbol_USB_Dwnld.sys [x]

R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]

R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [x]

R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]

R4 F-Secure Filter;F-Secure File System Filter;c:\program files\F-Secure\Anti-Virus\Win2K\FSfilter.sys [x]

R4 F-Secure Recognizer;F-Secure File System Recognizer;c:\program files\F-Secure\Anti-Virus\Win2K\FSrec.sys [x]

S0 fsbts;fsbts;c:\windows\system32\Drivers\fsbts.sys [x]

S1 FSES;F-Secure Email Scanning Driver;c:\windows\system32\drivers\fses.sys [x]

S1 FSFW;F-Secure Firewall Driver;c:\windows\system32\drivers\fsdfw.sys [x]

S1 fsvista;F-Secure Vista Support Driver;c:\program files\F-Secure\Anti-Virus\minifilter\fsvista.sys [x]

S2 CoreScanner;CoreScanner;c:\program files\Motorola Scanner\Common\CoreScanner.exe [x]

S2 fsdevcon;F-Secure Device Control Daemon;c:\program files\F-Secure\Device Control\\fsdevcon32.exe [x]

S2 rsmdriverproviderservice;RSM Driver Provider Service;c:\program files\Motorola Scanner\Common\RSMDriverProviderService.exe [x]

S2 ScnSrvc;Symbol Scanner Management;c:\program files\Motorola Scanner\Common\ScannerService.exe [x]

S2 UNS;Intel® Active Management Technology User Notification Service;c:\program files\Intel\AMT\UNS.exe [x]

S3 F-Secure Gatekeeper;F-Secure Gatekeeper;c:\program files\F-Secure\Anti-Virus\minifilter\fsgk.sys [x]

.

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

.

Contents of the 'Scheduled Tasks' folder

.

2012-11-27 c:\windows\Tasks\Adobe Flash Player Updater.job

- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-09-12 00:58]

.

2012-07-14 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1582705245-1855416065-7473742-2004Core1cd61a3916fdbd6.job

- c:\users\twheeler.MCOLLINS\AppData\Local\Google\Update\GoogleUpdate.exe [2012-07-11 19:22]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://google.com/

uInternet Settings,ProxyOverride = *.local;<local>

LSP: c:\program files\F-Secure\FSPS\program\fslsp.dll

TCP: DhcpNameServer = 10.7.7.204 10.7.7.154 10.7.7.203

FF - ProfilePath - c:\users\twheeler.MCOLLINS\AppData\Roaming\Mozilla\Firefox\Profiles\3xlfu7by.default\

FF - ExtSQL: !HIDDEN! 2012-11-27 09:42; {a16643af-2f54-11e2-8271-b8ac6f996f26}; c:\users\twheeler.MCOLLINS\AppData\Roaming\Mozilla\Firefox\Profiles\3xlfu7by.default\extensions\{a16643af-2f54-11e2-8271-b8ac6f996f26}.xpi

.

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0005\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]

@Denied: (Full) (Everyone)

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\nvvsvc.exe

c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe

c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

c:\program files\Intel\AMT\atchksrv.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\F-Secure\Anti-Virus\fsgk32st.exe

c:\program files\F-Secure\Device Control\fsdevcon32.exe

c:\program files\F-Secure\Anti-Virus\FSGK32.EXE

c:\program files\F-Secure\Common\FSMA32.EXE

c:\program files\Intel\AMT\LMS.exe

c:\program files\F-Secure\Common\FSHDLL32.EXE

c:\windows\system32\rundll32.exe

c:\program files\F-Secure\FWES\Program\fsdfwd.exe

c:\program files\F-Secure\Common\FNRB32.EXE

c:\program files\F-Secure\Common\FIH32.EXE

c:\program files\F-Secure\Anti-Virus\fssm32.exe

c:\windows\system32\WUDFHost.exe

c:\program files\F-Secure\Anti-Virus\fsav32.exe

c:\windows\system32\taskhost.exe

c:\program files\Motorola Scanner\Common\HidKeyboardEmulator.exe

c:\windows\system32\conhost.exe

c:\windows\System32\rundll32.exe

c:\program files\iPod\bin\iPodService.exe

c:\windows\system32\sppsvc.exe

.

**************************************************************************

.

Completion time: 2012-11-27 10:32:22 - machine was rebooted

ComboFix-quarantined-files.txt 2012-11-27 15:32

.

Pre-Run: 86,121,668,608 bytes free

Post-Run: 85,774,462,976 bytes free

.

- - End Of File - - 4362D060D3AB98AD073F399AEA4AF6CA


  • Staff
"I am unable to go anywhere on the internet now."

Have you lost your connection, or are you just unable to surf?

Make sure it's not a setting in F-Secure that is causing the issue: disable the F-Secure AV and FW and see if you are able to surf.

NEXT

Please run the following:

Please download Malwarebytes Anti-Rootkit and save it to your desktop.

  • Be sure to print out and follow the instructions provided on that same page for performing a scan.
  • Caution: This is a beta version so also read the disclaimer and back up all your data before using.
  • When the scan completes, click on the Cleanup button to remove any threats found and reboot the computer if prompted to do so.
  • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  • If there are problems with Internet access, Windows Update, Windows Firewall or other system issues, run the fixdamage tool located in the folder Malwarebytes Anti-Rootkit was run from and reboot your computer.
  • Two files (mbar-log-YYYY-MM-DD, system-log.txt) will be created and saved within that same folder.
  • Copy and paste the contents of these two log files in your next reply.

Note: Further documentation can be found in the ReadMe.rtf file which is located in the Malwarebytes Anti-Rootkit folder.

NEXT

Please download Junkware Removal Tool to your desktop.

  • Shutdown your antivirus to avoid any conflicts.
  • Right-click JRT.exe and select Run as administrator.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.


Sorry for the delayed response; I think the forums were down. My internet is working now after running the rootkit tool. Here are the logs below.

MBytes mbar-log

Malwarebytes Anti-Rootkit 1.1.0.1009

www.malwarebytes.org

Database version: v2012.11.03.01

Windows 7 Service Pack 1 x86 FAT32

Internet Explorer 9.0.8112.16421

twheeler :: 69KNGH1 [administrator]

11/27/2012 12:10:52 PM

mbar-log-2012-11-27 (12-10-52).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken

Scan options disabled: PUP | PUM | P2P

Objects scanned: 26765

Time elapsed: 7 minute(s), 27 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

(end)

MBytes system-log

---------------------------------------

Malwarebytes Anti-Rootkit BETA 1.01.0.1009

© Malwarebytes Corporation 2011-2012

OS version: 6.1.7601 Windows 7 Service Pack 1 x86

Account is Administrative

Internet Explorer version: 9.0.8112.16421

File system is: FAT32

Disk drives: C:\ DRIVE_FIXED

CPU speed: 1.995000 GHz

Memory total: 3185168384, free: 2131046400

------------ Kernel report ------------

11/27/2012 12:03:05

------------ Loaded modules -----------

\SystemRoot\system32\ntkrnlpa.exe

\SystemRoot\system32\halmacpi.dll

\SystemRoot\system32\kdcom.dll

\SystemRoot\system32\mcupdate_GenuineIntel.dll

\SystemRoot\system32\PSHED.dll

\SystemRoot\system32\BOOTVID.dll

\SystemRoot\system32\CLFS.SYS

\SystemRoot\system32\CI.dll

\SystemRoot\System32\drivers\mqxij.sys

\SystemRoot\system32\drivers\Wdf01000.sys

\SystemRoot\system32\drivers\WDFLDR.SYS

\SystemRoot\system32\drivers\ACPI.sys

\SystemRoot\system32\drivers\WMILIB.SYS

\SystemRoot\system32\drivers\msisadrv.sys

\SystemRoot\system32\drivers\pci.sys

\SystemRoot\system32\drivers\vdrvroot.sys

\SystemRoot\System32\drivers\partmgr.sys

\SystemRoot\system32\drivers\volmgr.sys

\SystemRoot\System32\drivers\volmgrx.sys

\SystemRoot\system32\drivers\pciide.sys

\SystemRoot\system32\drivers\PCIIDEX.SYS

\SystemRoot\System32\drivers\mountmgr.sys

\SystemRoot\system32\drivers\atapi.sys

\SystemRoot\system32\drivers\ataport.SYS

\SystemRoot\system32\drivers\amdxata.sys

\SystemRoot\system32\drivers\fltmgr.sys

\SystemRoot\system32\drivers\fileinfo.sys

\SystemRoot\System32\Drivers\Ntfs.sys

\SystemRoot\System32\Drivers\msrpc.sys

\SystemRoot\System32\Drivers\ksecdd.sys

\SystemRoot\System32\Drivers\cng.sys

\SystemRoot\System32\drivers\pcw.sys

\SystemRoot\System32\Drivers\Fs_Rec.sys

\SystemRoot\system32\drivers\ndis.sys

\SystemRoot\system32\drivers\NETIO.SYS

\SystemRoot\System32\Drivers\ksecpkg.sys

\SystemRoot\System32\drivers\tcpip.sys

\SystemRoot\System32\drivers\fwpkclnt.sys

\SystemRoot\system32\drivers\vmstorfl.sys

\SystemRoot\system32\drivers\volsnap.sys

\SystemRoot\System32\Drivers\spldr.sys

\SystemRoot\System32\drivers\rdyboost.sys

\SystemRoot\System32\Drivers\mup.sys

\SystemRoot\System32\drivers\hwpolicy.sys

\SystemRoot\System32\DRIVERS\fvevol.sys

\SystemRoot\system32\Drivers\fsbts.sys

\SystemRoot\system32\drivers\disk.sys

\SystemRoot\system32\drivers\CLASSPNP.SYS

\SystemRoot\system32\DRIVERS\cdrom.sys

\SystemRoot\System32\Drivers\Null.SYS

\SystemRoot\System32\Drivers\Beep.SYS

\SystemRoot\System32\drivers\vga.sys

\SystemRoot\System32\drivers\VIDEOPRT.SYS

\SystemRoot\System32\drivers\watchdog.sys

\SystemRoot\System32\DRIVERS\RDPCDD.sys

\SystemRoot\system32\drivers\rdpencdd.sys

\SystemRoot\system32\drivers\rdprefmp.sys

\SystemRoot\System32\Drivers\Msfs.SYS

\SystemRoot\System32\Drivers\Npfs.SYS

\SystemRoot\system32\DRIVERS\tdx.sys

\SystemRoot\system32\DRIVERS\TDI.SYS

\SystemRoot\system32\drivers\afd.sys

\SystemRoot\System32\DRIVERS\netbt.sys

\SystemRoot\system32\drivers\ws2ifsl.sys

\SystemRoot\system32\DRIVERS\wfplwf.sys

\SystemRoot\system32\DRIVERS\pacer.sys

\SystemRoot\system32\DRIVERS\netbios.sys

\SystemRoot\system32\DRIVERS\serial.sys

\SystemRoot\system32\DRIVERS\wanarp.sys

\SystemRoot\system32\DRIVERS\termdd.sys

\SystemRoot\system32\DRIVERS\rdbss.sys

\SystemRoot\system32\drivers\nsiproxy.sys

\SystemRoot\system32\DRIVERS\mssmbios.sys

\??\C:\Program Files\F-Secure\Anti-Virus\minifilter\fsvista.sys

\SystemRoot\System32\drivers\fsdfw.sys

\SystemRoot\System32\drivers\fses.sys

\SystemRoot\System32\drivers\discache.sys

\SystemRoot\system32\drivers\csc.sys

\SystemRoot\System32\Drivers\dfsc.sys

\SystemRoot\system32\DRIVERS\blbdrive.sys

\SystemRoot\system32\DRIVERS\tunnel.sys

\SystemRoot\system32\DRIVERS\intelppm.sys

\SystemRoot\system32\DRIVERS\nvlddmkm.sys

\SystemRoot\System32\drivers\dxgkrnl.sys

\SystemRoot\System32\drivers\dxgmms1.sys

\SystemRoot\system32\DRIVERS\serenum.sys

\SystemRoot\system32\DRIVERS\e1e6032.sys

\SystemRoot\system32\DRIVERS\usbuhci.sys

\SystemRoot\system32\DRIVERS\USBPORT.SYS

\SystemRoot\system32\DRIVERS\usbehci.sys

\SystemRoot\system32\DRIVERS\HDAudBus.sys

\SystemRoot\system32\DRIVERS\parport.sys

\SystemRoot\system32\DRIVERS\GEARAspiWDM.sys

\SystemRoot\system32\DRIVERS\CompositeBus.sys

\SystemRoot\system32\DRIVERS\AgileVpn.sys

\SystemRoot\system32\DRIVERS\rasl2tp.sys

\SystemRoot\system32\DRIVERS\ndistapi.sys

\SystemRoot\system32\DRIVERS\ndiswan.sys

\SystemRoot\system32\DRIVERS\raspppoe.sys

\SystemRoot\system32\DRIVERS\raspptp.sys

\SystemRoot\system32\DRIVERS\rassstp.sys

\SystemRoot\system32\DRIVERS\rdpbus.sys

\SystemRoot\system32\DRIVERS\kbdclass.sys

\SystemRoot\system32\DRIVERS\mouclass.sys

\SystemRoot\system32\DRIVERS\swenum.sys

\SystemRoot\system32\DRIVERS\ks.sys

\SystemRoot\system32\DRIVERS\umbus.sys

\SystemRoot\system32\DRIVERS\usbhub.sys

\SystemRoot\System32\Drivers\NDProxy.SYS

\SystemRoot\system32\drivers\HdAudio.sys

\SystemRoot\system32\drivers\portcls.sys

\SystemRoot\system32\drivers\drmk.sys

\SystemRoot\System32\win32k.sys

\SystemRoot\System32\drivers\Dxapi.sys

\SystemRoot\system32\DRIVERS\USBSTOR.SYS

\SystemRoot\system32\DRIVERS\USBD.SYS

\SystemRoot\system32\DRIVERS\monitor.sys

\SystemRoot\System32\TSDDD.dll

\SystemRoot\System32\cdd.dll

\SystemRoot\system32\DRIVERS\hidusb.sys

\SystemRoot\system32\DRIVERS\HIDCLASS.SYS

\SystemRoot\system32\DRIVERS\HIDPARSE.SYS

\SystemRoot\system32\DRIVERS\kbdhid.sys

\SystemRoot\system32\DRIVERS\mouhid.sys

\SystemRoot\system32\drivers\luafv.sys

\SystemRoot\system32\drivers\WudfPf.sys

\SystemRoot\system32\DRIVERS\udfs.sys

\SystemRoot\system32\DRIVERS\lltdio.sys

\SystemRoot\system32\DRIVERS\rspndr.sys

\SystemRoot\System32\Drivers\crashdmp.sys

\SystemRoot\System32\Drivers\dump_dumpata.sys

\SystemRoot\System32\Drivers\dump_atapi.sys

\SystemRoot\System32\Drivers\dump_dumpfve.sys

\SystemRoot\system32\drivers\HTTP.sys

\SystemRoot\System32\DRIVERS\srvnet.sys

\SystemRoot\system32\DRIVERS\bowser.sys

\SystemRoot\System32\drivers\mpsdrv.sys

\SystemRoot\system32\DRIVERS\mrxsmb.sys

\SystemRoot\system32\DRIVERS\mrxsmb10.sys

\SystemRoot\system32\DRIVERS\mrxsmb20.sys

\SystemRoot\System32\DRIVERS\srv2.sys

\SystemRoot\System32\DRIVERS\srv.sys

\SystemRoot\system32\DRIVERS\parvdm.sys

\SystemRoot\system32\drivers\peauth.sys

\SystemRoot\System32\Drivers\secdrv.SYS

\SystemRoot\System32\drivers\tcpipreg.sys

\??\C:\Program Files\F-Secure\Anti-Virus\minifilter\fsgk.sys

\SystemRoot\system32\DRIVERS\WUDFRd.sys

\SystemRoot\System32\drivers\rdpdr.sys

\SystemRoot\system32\drivers\tdtcp.sys

\SystemRoot\System32\DRIVERS\tssecsrv.sys

\SystemRoot\System32\Drivers\RDPWD.SYS

\SystemRoot\system32\drivers\spsys.sys

\SystemRoot\system32\DRIVERS\asyncmac.sys

\SystemRoot\System32\Drivers\fastfat.SYS

\??\C:\Windows\system32\drivers\mbamchameleon.sys

\??\C:\Windows\system32\drivers\mbamswissarmy.sys

\Windows\System32\ntdll.dll

\Windows\System32\smss.exe

\Windows\System32\apisetschema.dll

\Windows\System32\autochk.exe

\Windows\System32\setupapi.dll

\Windows\System32\usp10.dll

\Windows\System32\ole32.dll

\Windows\System32\clbcatq.dll

\Windows\System32\comdlg32.dll

\Windows\System32\oleaut32.dll

\Windows\System32\iertutil.dll

\Windows\System32\advapi32.dll

\Windows\System32\psapi.dll

\Windows\System32\kernel32.dll

\Windows\System32\shell32.dll

\Windows\System32\urlmon.dll

\Windows\System32\difxapi.dll

\Windows\System32\nsi.dll

\Windows\System32\imm32.dll

\Windows\System32\msctf.dll

\Windows\System32\user32.dll

\Windows\System32\sechost.dll

\Windows\System32\gdi32.dll

\Windows\System32\Wldap32.dll

\Windows\System32\wininet.dll

\Windows\System32\ws2_32.dll

\Windows\System32\lpk.dll

\Windows\System32\shlwapi.dll

\Windows\System32\imagehlp.dll

\Windows\System32\normaliz.dll

\Windows\System32\msvcrt.dll

\Windows\System32\rpcrt4.dll

\Windows\System32\wintrust.dll

\Windows\System32\cfgmgr32.dll

\Windows\System32\KernelBase.dll

\Windows\System32\comctl32.dll

\Windows\System32\crypt32.dll

\Windows\System32\devobj.dll

\Windows\System32\msasn1.dll

----------- End -----------

<<<1>>>

Upper Device Name: \Device\Harddisk5\DR5

Upper Device Object: 0xffffffff856a57c0

Upper Device Driver Name: \Driver\Disk\

Lower Device Name: \Device\00000078\

Lower Device Object: 0xffffffff856aa728

Lower Device Driver Name: \Driver\USBSTOR\

Driver name found: USBSTOR

DriverEntry returned 0x0

Function returned 0x0

<<<1>>>

Upper Device Name: \Device\Harddisk4\DR4

Upper Device Object: 0xffffffff86d6bac8

Upper Device Driver Name: \Driver\Disk\

Lower Device Name: \Device\0000006b\

Lower Device Object: 0xffffffff86d35ca8

Lower Device Driver Name: \Driver\USBSTOR\

Driver name found: USBSTOR

<<<1>>>

Upper Device Name: \Device\Harddisk3\DR3

Upper Device Object: 0xffffffff86d3c7b8

Upper Device Driver Name: \Driver\Disk\

Lower Device Name: \Device\0000006a\

Lower Device Object: 0xffffffff86d35030

Lower Device Driver Name: \Driver\USBSTOR\

Driver name found: USBSTOR

<<<1>>>

Upper Device Name: \Device\Harddisk2\DR2

Upper Device Object: 0xffffffff86d3c030

Upper Device Driver Name: \Driver\Disk\

Lower Device Name: \Device\00000069\

Lower Device Object: 0xffffffff86d37478

Lower Device Driver Name: \Driver\USBSTOR\

Driver name found: USBSTOR

<<<1>>>

Upper Device Name: \Device\Harddisk1\DR1

Upper Device Object: 0xffffffff86d38548

Upper Device Driver Name: \Driver\Disk\

Lower Device Name: \Device\00000068\

Lower Device Object: 0xffffffff86ca8030

Lower Device Driver Name: \Driver\USBSTOR\

Driver name found: USBSTOR

<<<1>>>

Upper Device Name: \Device\Harddisk0\DR0

Upper Device Object: 0xffffffff86326030

Upper Device Driver Name: \Driver\Disk\

Lower Device Name: \Device\Ide\IdeDeviceP2T0L0-2\

Lower Device Object: 0xffffffff85e6d030

Lower Device Driver Name: \Driver\atapi\

Driver name found: atapi

DriverEntry returned 0x0

Function returned 0x0

Host not found

Initializing...

Done!

Scanning directory: C:\Windows\system32\drivers...

<<<2>>>

Device number: 0, partition: 1

Physical Sector Size: 512

Drive: 0, DevicePointer: 0xffffffff86326030, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\

--------- Disk Stack ------

DevicePointer: 0xffffffff86326d10, DeviceName: Unknown, DriverName: \Driver\partmgr\

DevicePointer: 0xffffffff86326030, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\

DevicePointer: 0xffffffff85e6d030, DeviceName: \Device\Ide\IdeDeviceP2T0L0-2\, DriverName: \Driver\atapi\

------------ End ----------

Upper DeviceData: 0xffffffffab608fb8, 0xffffffff86326030, 0xffffffff858334d0

Lower DeviceData: 0xffffffffab62da18, 0xffffffff85e6d030, 0xffffffff8584d478

<<<3>>>

Volume: C:

File system type: NTFS

SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes

Done!

Drive 0

Scanning MBR on drive 0...

Inspecting partition table:

MBR Signature: 55AA

Disk Signature: A908A908

Partition information:

Partition 0 type is Primary (0x7)

Partition is ACTIVE.

Partition starts at LBA: 63 Numsec = 312496317

Partition file system is NTFS

Partition is bootable

Partition 1 type is Empty (0x0)

Partition is NOT ACTIVE.

Partition starts at LBA: 0 Numsec = 0

Partition 2 type is Empty (0x0)

Partition is NOT ACTIVE.

Partition starts at LBA: 0 Numsec = 0

Partition 3 type is Empty (0x0)

Partition is NOT ACTIVE.

Partition starts at LBA: 0 Numsec = 0

Disk Size: 160000000000 bytes

Sector size: 512 bytes

Scanning physical sectors of unpartitioned space on drive 0 (1-62-312480000-312500000)...

Physical Sector Size: 0

Drive: 1, DevicePointer: 0xffffffff86d38548, DeviceName: \Device\Harddisk1\DR1\, DriverName: \Driver\Disk\

--------- Disk Stack ------

DevicePointer: 0xffffffff86d38228, DeviceName: Unknown, DriverName: \Driver\partmgr\

DevicePointer: 0xffffffff86d38548, DeviceName: \Device\Harddisk1\DR1\, DriverName: \Driver\Disk\

DevicePointer: 0xffffffff86ca8030, DeviceName: \Device\00000068\, DriverName: \Driver\USBSTOR\

------------ End ----------

Physical Sector Size: 0

Drive: 2, DevicePointer: 0xffffffff86d3c030, DeviceName: \Device\Harddisk2\DR2\, DriverName: \Driver\Disk\

--------- Disk Stack ------

DevicePointer: 0xffffffff86d3cd10, DeviceName: Unknown, DriverName: \Driver\partmgr\

DevicePointer: 0xffffffff86d3c030, DeviceName: \Device\Harddisk2\DR2\, DriverName: \Driver\Disk\

DevicePointer: 0xffffffff86d37478, DeviceName: \Device\00000069\, DriverName: \Driver\USBSTOR\

------------ End ----------

Physical Sector Size: 0

Drive: 3, DevicePointer: 0xffffffff86d3c7b8, DeviceName: \Device\Harddisk3\DR3\, DriverName: \Driver\Disk\

--------- Disk Stack ------

DevicePointer: 0xffffffff86d6b020, DeviceName: Unknown, DriverName: \Driver\partmgr\

DevicePointer: 0xffffffff86d3c7b8, DeviceName: \Device\Harddisk3\DR3\, DriverName: \Driver\Disk\

DevicePointer: 0xffffffff86d35030, DeviceName: \Device\0000006a\, DriverName: \Driver\USBSTOR\

------------ End ----------

Physical Sector Size: 0

Drive: 4, DevicePointer: 0xffffffff86d6bac8, DeviceName: \Device\Harddisk4\DR4\, DriverName: \Driver\Disk\

--------- Disk Stack ------

DevicePointer: 0xffffffff86d6b7a8, DeviceName: Unknown, DriverName: \Driver\partmgr\

DevicePointer: 0xffffffff86d6bac8, DeviceName: \Device\Harddisk4\DR4\, DriverName: \Driver\Disk\

DevicePointer: 0xffffffff86d35ca8, DeviceName: \Device\0000006b\, DriverName: \Driver\USBSTOR\

------------ End ----------

Physical Sector Size: 512

Drive: 5, DevicePointer: 0xffffffff856a57c0, DeviceName: \Device\Harddisk5\DR5\, DriverName: \Driver\Disk\

--------- Disk Stack ------

DevicePointer: 0xffffffff868a14f0, DeviceName: Unknown, DriverName: \Driver\partmgr\

DevicePointer: 0xffffffff856a57c0, DeviceName: \Device\Harddisk5\DR5\, DriverName: \Driver\Disk\

DevicePointer: 0xffffffff856aa728, DeviceName: \Device\00000078\, DriverName: \Driver\USBSTOR\

------------ End ----------

Upper DeviceData: 0xffffffff910546f8, 0xffffffff856a57c0, 0xffffffff856bc048

Lower DeviceData: 0xffffffff9d96d940, 0xffffffff856aa728, 0xffffffff8588ac20

Drive 5

Scanning MBR on drive 5...

Inspecting partition table:

MBR Signature: 55AA

Disk Signature: 4DD5721

Partition information:

Partition 0 type is Other (0xc)

Partition is NOT ACTIVE.

Partition starts at LBA: 2048 Numsec = 31717376

Partition 1 type is Empty (0x0)

Partition is NOT ACTIVE.

Partition starts at LBA: 0 Numsec = 0

Partition 2 type is Empty (0x0)

Partition is NOT ACTIVE.

Partition starts at LBA: 0 Numsec = 0

Partition 3 type is Empty (0x0)

Partition is NOT ACTIVE.

Partition starts at LBA: 0 Numsec = 0

Disk Size: 16240345088 bytes

Sector size: 512 bytes

Done!

Performing system, memory and registry scan...

Done!

Scan finished

=======================================

JRT Log

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Junkware Removal Tool (JRT) by Thisisu

Version: 3.5.6 (11.27.2012:3)

OS: Windows 7 Professional x86

Ran by twheeler on Tue 11/27/2012 at 12:13:16.74

Blog: http://thisisudax.blogspot.com

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

~~~ Services

~~~ Registry Values

~~~ Registry Keys

~~~ Files

Successfully deleted: [File] C:\Users\twheeler.MCOLLINS\AppData\Local\{5270069B-CC21-11E1-8270-B8AC6F996F26}\chrome\content\browser.xul [Trojan:JS/Medfos.A]

Successfully deleted: [File] C:\Users\twheeler.MCOLLINS\appdata\local\Google\Chrome\Application\..\Extensions\chromeupdate.crx [Trojan:JS/Medfos.B]

~~~ Folders

Successfully deleted: [Folder] %cdJS/Medfos.A]

~~~ Event Viewer Logs were cleared

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Scan was completed on Tue 11/27/2012 at 12:15:47.79

End of JRT log

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


  • Staff

How is the computer running now? Are there any outstanding issues?

You need to update your Adobe Reader and Java.

Visit ADOBE and download the latest version of Acrobat Reader (version XI)

Having the latest updates ensures there are no security vulnerabilities in your system.

Your Java is out of date.

Java™ 7 Update 7 can be updated from the Java control panel: Start > Control Panel (Classic View) > Java (looks like a coffee cup) > Update Tab > Update Now.

An update should begin; follow the prompts.


  • Staff

We just have some housekeeping to do now.

Please do the following:

You can delete the DDS, JRT, MBAR and all the Farbar logs and programs from your desktop.

NEXT

Follow these steps to uninstall Combofix

  • Make sure your security programs are totally disabled.
  • Press the WinKey +R to open a run box
  • Now copy/paste Combofix /uninstall into the run box and click OK. Note the space between the ..X and the /U; it needs to be there.


NEXT

If there are any logs/tools remaining on your desktop > right click and delete them.

NEXT

Below I have included a number of recommendations for how to protect your computer against malware infections.

  • It is good security practice to change your passwords to all your online accounts on a fairly regular basis; this is especially true after an infection. Refer to this Microsoft article:
    Strong passwords: How to create and use them
    Then consider a password keeper to keep all your passwords safe. KeePass is a small utility that allows you to manage all your passwords.
  • Keep Windows updated by regularly checking their website at:
    http://windowsupdate.microsoft.com/
    This will ensure your computer always has the latest available security updates installed.
  • Make Internet Explorer more secure
    • Click Start > Run
    • Type Inetcpl.cpl & click OK
    • Click on the Security tab
    • Click Reset all zones to default level
    • Make sure the Internet Zone is selected & click Custom level
    • In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls") to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
    • Next click OK, then the Apply button and then OK to exit the Internet Properties page.
  • Download TFC to your desktop
    • Close any open windows.
    • Double click the TFC icon to run the program.
    • TFC will close all open programs itself in order to run.
    • Click the Start button to begin the process.
    • Allow TFC to run uninterrupted.
    • The program should not take long to finish its job.
    • Once it's finished it should automatically reboot your machine;
    • if it doesn't, manually reboot to ensure a complete clean.
    It's normal after running TFC cleaner that the PC will be slower to boot the first time.
  • WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
    • Green to go
    • Yellow for caution
    • Red to stop
    WOT has an addon available for both Firefox and IE.
  • Keep a backup of your important files - Now, more than ever, it's especially important to protect your digital files and memories. This article is full of good information on alternatives for home backup solutions.
  • ERUNT (Emergency Recovery Utility NT) allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.
  • In light of your recent issue, I'm sure you'd like to avoid any future infections. Please take a look at these well written articles:
    • PC Safety and Security--What Do I Need?
    • Simple and easy ways to keep your computer safe and secure on the Internet

Thank you for your patience, and performing all of the procedures requested.

Please respond one last time so we can consider the thread resolved and close it, thank you.

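The Internet Explorer hardening steps in the post above, as an added PowerShell example that is not part of the forum post: it audits and, on request, applies the same three ActiveX settings through the registry values that sit behind the Inetcpl.cpl dialog. Assumptions: per-user settings under HKCU (a GPO-managed HKLM policy would override them), Zones\3 is the Internet zone, the documented encoding 0 = Enable, 1 = Prompt, 3 = Disable, and the function names are my own.

```powershell
# Added example (not from the forum post): audit and apply the Internet-zone ActiveX
# settings the post sets by hand in Inetcpl.cpl, using the registry values behind that
# dialog. Assumptions: per-user settings under HKCU (a GPO-managed HKLM policy would
# override them), Zones\3 = Internet zone, value encoding 0 = Enable, 1 = Prompt, 3 = Disable.
$ZoneKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$Meaning = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

# Target state from the post: 1001 and 1004 -> Prompt, 1201 -> Disable.
$Desired = @(
    [pscustomobject]@{ Id = '1001'; Setting = 'Download signed ActiveX controls';                          Want = 1 }
    [pscustomobject]@{ Id = '1004'; Setting = 'Download unsigned ActiveX controls';                        Want = 1 }
    [pscustomobject]@{ Id = '1201'; Setting = 'Initialize and script ActiveX controls not marked as safe'; Want = 3 }
)

function Get-ActiveXZoneState {
    # Returns one object per setting with the current value and whether it matches the target.
    param([string]$Key = $ZoneKey)
    foreach ($d in $Desired) {
        $current = $null
        if (Test-Path -Path $Key) {
            $current = (Get-ItemProperty -Path $Key -Name $d.Id -ErrorAction SilentlyContinue).($d.Id)
        }
        # A missing value means IE falls back to the zone template, so it is reported
        # as unset rather than assumed compliant.
        if ($null -eq $current) {
            $label = '(not set)'
        } else {
            $name = $Meaning[[int]$current]
            if (-not $name) { $name = 'unknown' }
            $label = '{0} ({1})' -f $current, $name
        }
        [pscustomobject]@{
            Id        = $d.Id
            Setting   = $d.Setting
            Current   = $label
            Wanted    = '{0} ({1})' -f $d.Want, $Meaning[$d.Want]
            Compliant = ($null -ne $current -and [int]$current -eq $d.Want)
        }
    }
}

function Set-ActiveXZoneHardening {
    # Writes the target values; supports -WhatIf so the change can be previewed first.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string]$Key = $ZoneKey)
    if (-not (Test-Path -Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    foreach ($d in $Desired) {
        $target = '{0}\{1} ({2})' -f $Key, $d.Id, $d.Setting
        if ($PSCmdlet.ShouldProcess($target, "Set to $($Meaning[$d.Want])")) {
            Set-ItemProperty -Path $Key -Name $d.Id -Value $d.Want -Type DWord
        }
    }
}

# Usage: audit first; then apply with -WhatIf to preview the writes, and without it to change them.
Get-ActiveXZoneState | Format-Table -AutoSize
# Set-ActiveXZoneHardening -WhatIf
```

Re-run Get-ActiveXZoneState after applying, or after "Reset all zones to default level" in the dialog, since that reset rewrites these values from the zone template.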

  • 2 weeks later...

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
