
Virus help


Easy29


Hi there, I recently got a call from my bank telling me they have locked my account because of a malware attack. When I Google an antivirus site, Norton for example, it redirects me to Google. I have used Malwarebytes, which now shows no infected files. How can I be sure it's gone though?

Thanks, hope I posted this in the correct section.


Welcome to the forum, please start at the link below:

http://forums.malwar...?showtopic=9573

Post back the 2 logs here.....DDS.txt and Attach.txt

<====><====><====><====><====><====><====><====>

Next.......

Please remove any usb or external drives from the computer before you run this scan!

Quit all running programs.

Please download and run RogueKiller to your desktop.

For Windows XP, double-click to start.

For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

Click Scan to scan the system.

When the scan completes > Close out the program > Don't Fix anything!

Don't run any other options, they're not all bad!!!!!!!

Post back the report which should be located on your desktop.

MrC

------->Your topic will be closed if you haven't replied within 3 days!<--------

(If I don't respond within 48 hours, please send me a PM)


DDS (Ver_2012-11-20.01) - NTFS_x86

Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 10.7.2

Run by Eric at 13:43:22 on 2012-12-06

Microsoft Windows 7 Home Premium 6.1.7601.1.1252.61.1033.18.2806.1365 [GMT 11:00]

.

SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

============== Running Processes ================

.

C:\windows\system32\wininit.exe

C:\windows\system32\lsm.exe

C:\windows\system32\nvvsvc.exe

C:\windows\system32\WLANExt.exe

C:\windows\system32\conhost.exe

C:\windows\System32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe

C:\Program Files\Common Files\Native Instruments\Hardware\NIHardwareService.exe

C:\windows\system32\TODDSrv.exe

C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe

C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe

C:\windows\system32\nvvsvc.exe

C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\13.2.0\ToolbarUpdater.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

C:\windows\system32\taskhost.exe

C:\windows\system32\Dwm.exe

C:\windows\Explorer.EXE

C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe

C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe

C:\Program Files\TOSHIBA\BulletinBoard\TosNcCore.exe

C:\Program Files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe

C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

C:\Program Files\Synaptics\SynTP\SynTPHelper.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\AVG Secure Search\vprot.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Windows\System32\rundll32.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\windows\system32\SearchIndexer.exe

C:\Program Files\Windows Media Player\wmpnetwk.exe

C:\windows\system32\taskeng.exe

C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe

C:\windows\system32\wbem\wmiprvse.exe

C:\Program Files\TOSHIBA\ConfigFree\CFSwMgr.exe

C:\Program Files\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\TOSHIBA\ConfigFree\CFIWmxSvcs.exe

C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe

C:\Program Files\Intel\Intel® Management Engine Components\LMS\LMS.exe

C:\Program Files\Intel\Intel® Management Engine Components\UNS\UNS.exe

C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe

C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSENotify.exe

C:\Program Files\Mozilla Firefox\plugin-container.exe

C:\windows\system32\Macromed\Flash\FlashPlayerPlugin_11_4_402_287.exe

C:\windows\system32\Macromed\Flash\FlashPlayerPlugin_11_4_402_287.exe

C:\windows\system32\wuauclt.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

C:\windows\system32\wbem\wmiprvse.exe

C:\windows\system32\SearchProtocolHost.exe

C:\windows\system32\SearchFilterHost.exe

C:\windows\system32\conhost.exe

C:\windows\system32\svchost.exe -k DcomLaunch

C:\windows\system32\svchost.exe -k RPCSS

C:\windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\windows\system32\svchost.exe -k netsvcs

C:\windows\system32\svchost.exe -k LocalService

C:\windows\system32\svchost.exe -k NetworkService

C:\windows\System32\svchost.exe -k LocalServiceNoNetwork

C:\windows\system32\svchost.exe -k imgsvc

C:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.google.com.au/

uSearch Bar = Preserve

uDefault_Page_URL = hxxp://toshiba.msn.com

mURLSearchHooks: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - c:\program files\utorrentbar\prxtbuTor.dll

BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: Java Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll

BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: AVG Security Toolbar: {95B7759C-8C7F-4BF1-B163-73684A933233} - c:\program files\avg secure search\13.2.0.5\AVG Secure Search_toolbar.dll

BHO: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - c:\program files\utorrentbar\prxtbuTor.dll

BHO: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll

BHO: TOSHIBA Media Controller Plug-in: {F3C88694-EFFA-4d78-B409-54B7B2535B14} - c:\program files\toshiba\toshiba media controller plug-in\TOSHIBAMediaControllerIE.dll

TB: uTorrentBar Toolbar: {BF7380FA-E3B4-4DB2-AF3E-9D8783A45BFC} - c:\program files\utorrentbar\prxtbuTor.dll

TB: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - c:\program files\utorrentbar\prxtbuTor.dll

TB: AVG Security Toolbar: {95B7759C-8C7F-4BF1-B163-73684A933233} - c:\program files\avg secure search\13.2.0.5\AVG Secure Search_toolbar.dll

uRun: [Reimage] RUNDLL32.EXE c:\users\eric\appdata\local\reimage\bvgnlvoi.dll,vlc_entry__1_0_0e

mRun: [TPwrMain] c:\program files\toshiba\power saver\TPwrMain.EXE

mRun: [TCrdMain] c:\program files\toshiba\flashcards\TCrdMain.exe

mRun: [smartAudio] c:\program files\conexant\saii\SAIICpl.exe /t

mRun: [synTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe

mRun: [iTSecMng] c:\program files\toshiba\bluetooth toshiba stack\ItSecMng.exe /START

mRun: [TosSENotify] c:\program files\toshiba\toshiba hdd ssd alert\TosWaitSrv.exe

mRun: [ToshibaServiceStation] c:\program files\toshiba\toshiba service station\ToshibaServiceStation.exe /hide:60

mRun: [TosVolRegulator] c:\program files\toshiba\tosvolregulator\TosVolRegulator.exe

mRun: [TosNC] c:\program files\toshiba\bulletinboard\TosNcCore.exe

mRun: [TosReelTimeMonitor] c:\program files\toshiba\reeltime\TosReelTimeMonitor.exe

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"

mRun: [AdobeAAMUpdater-1.0] "c:\program files\common files\adobe\oobe\pdapp\uwa\UpdaterStartupUtility.exe"

mRun: [switchBoard] c:\program files\common files\adobe\switchboard\SwitchBoard.exe

mRun: [AdobeCS5ServiceManager] "c:\program files\common files\adobe\cs5servicemanager\CS5ServiceManager.exe" -launchedbylogin

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [vProt] "c:\program files\avg secure search\vprot.exe"

mRun: [ROC_roc_ssl_v12] "c:\program files\avg secure search\ROC_roc_ssl_v12.exe" / /PROMPT /CMPID=roc_ssl_v12

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mPolicies-System: ConsentPromptBehaviorAdmin = dword:5

mPolicies-System: ConsentPromptBehaviorUser = dword:3

mPolicies-System: EnableUIADesktopToggle = dword:0

IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll

IE: {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - c:\program files\pokerstars\PokerStarsUpdate.exe

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}

IE: {97F922BD-8563-4184-87EE-8C4ACA438823} - {5D29E593-73A5-400A-B3BD-6B7A1AF05A31} - c:\program files\toshiba\bulletinboard\TosBBCom.dll

DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - hxxp://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.10.115.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

TCP: NameServer = 192.168.2.1

TCP: Interfaces\{028B5156-3E80-482F-BDB0-F8F10628A15A} : DHCPNameServer = 198.142.0.51 61.88.88.88

TCP: Interfaces\{3984DFF2-D05C-4E8F-80DE-96DFD89E47B6} : DHCPNameServer = 198.142.0.51 61.88.88.88

TCP: Interfaces\{B1A59E09-7A66-4BE9-BB5A-40B927B39C1D} : DHCPNameServer = 192.168.2.1

TCP: Interfaces\{B1A59E09-7A66-4BE9-BB5A-40B927B39C1D}\14E64627F696461405 : DHCPNameServer = 192.168.43.1

TCP: Interfaces\{B1A59E09-7A66-4BE9-BB5A-40B927B39C1D}\445616B696E6023556475707 : DHCPNameServer = 10.128.0.21 10.64.0.21 10.96.0.21

TCP: Interfaces\{B1A59E09-7A66-4BE9-BB5A-40B927B39C1D}\46F6E6E656C6C69737D6F64656D6 : DHCPNameServer = 10.0.0.1

TCP: Interfaces\{B1A59E09-7A66-4BE9-BB5A-40B927B39C1D}\542796362E08993702960586F6E656 : DHCPNameServer = 198.142.0.51 61.88.88.88

TCP: Interfaces\{B1A59E09-7A66-4BE9-BB5A-40B927B39C1D}\55355425D20534F5E4564777F627B6 : DHCPNameServer = 192.168.0.1

Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files\common files\avg secure search\viprotocolinstaller\13.2.0\ViProtocol.dll

Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll

SSODL: WebCheck - <orphaned>

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\users\eric\appdata\roaming\mozilla\firefox\profiles\08n68c7l.default\

FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3196716&SearchSource=3&q={searchTerms}

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com.au/

FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3196716&SearchSource=2&q=

FF - plugin: c:\program files\common files\avg secure search\sitesafetyinstaller\13.2.0\npsitesafety.dll

FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll

FF - plugin: c:\program files\google\update\1.3.21.123\npGoogleUpdate3.dll

FF - plugin: c:\program files\java\jre6\bin\plugin2\npdeployJava1.dll

FF - plugin: c:\program files\java\jre7\bin\plugin2\npjp2.dll

FF - plugin: c:\program files\microsoft silverlight\4.0.50401.0\npctrlui.dll

FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll

FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_4_402_287.dll

FF - plugin: c:\windows\system32\npDeployJava1.dll

FF - plugin: c:\windows\system32\npmproxy.dll

FF - ExtSQL: 2012-10-31 23:23; avg@toolbar; c:\programdata\avg secure search\firefoxext\13.2.0.5

.

---- FIREFOX POLICIES ----

FF - user.js: network.cookie.cookieBehavior - 0

FF - user.js: privacy.clearOnShutdown.cookies - false

FF - user.js: security.warn_viewing_mixed - false

FF - user.js: security.warn_viewing_mixed.show_once - false

FF - user.js: security.warn_submit_insecure - false

FF - user.js: security.warn_submit_insecure.show_once - false

.

============= SERVICES / DRIVERS ===============

.

R1 avgtp;avgtp;c:\windows\system32\drivers\avgtpx86.sys [2012-10-31 26984]

R2 cfWiMAXService;ConfigFree WiMAX Service;c:\program files\toshiba\configfree\CFIWmxSvcs.exe [2010-1-29 185712]

R2 ConfigFree Service;ConfigFree Service;c:\program files\toshiba\configfree\CFSvcs.exe [2009-3-11 46448]

R2 MBAMScheduler;MBAMScheduler;c:\program files\malwarebytes' anti-malware\mbamscheduler.exe [2012-12-5 399432]

R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2012-12-5 676936]

R2 NIHardwareService;NIHardwareService;c:\program files\common files\native instruments\hardware\NIHardwareService.exe [2010-10-20 3791872]

R2 UNS;Intel® Management and Security Application User Notification Service;c:\program files\intel\intel® management engine components\uns\UNS.exe [2011-7-4 2656280]

R2 vToolbarUpdater13.2.0;vToolbarUpdater13.2.0;c:\program files\common files\avg secure search\vtoolbarupdater\13.2.0\ToolbarUpdater.exe [2012-10-31 711112]

R3 BtFilter;Bluetooth LowerFilter Class Filter Driver;c:\windows\system32\drivers\btfilter.sys [2011-7-4 33640]

R3 FwLnk;FwLnk Driver;c:\windows\system32\drivers\FwLnk.sys [2011-7-4 7680]

R3 L1C;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;c:\windows\system32\drivers\L1C62x86.sys [2011-2-10 68720]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-12-5 22856]

R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2012-12-6 40776]

R3 MEI;Intel® Management Engine Interface;c:\windows\system32\drivers\HECI.sys [2011-7-4 41088]

R3 PGEffect;Pangu effect driver;c:\windows\system32\drivers\PGEffect.sys [2011-7-4 33616]

R3 TMachInfo;TMachInfo;c:\program files\toshiba\toshiba service station\TMachInfo.exe [2011-7-4 54136]

R3 TOSHIBA HDD SSD Alert Service;TOSHIBA HDD SSD Alert Service;c:\program files\toshiba\toshiba hdd ssd alert\TosSmartSrv.exe [2010-12-9 112032]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-14 229888]

S3 fssfltr;fssfltr;c:\windows\system32\drivers\fssfltr.sys [2012-10-8 49664]

S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2012-9-12 1512448]

S3 Netaapl;Apple Mobile Device Ethernet Service;c:\windows\system32\drivers\netaapl.sys [2011-8-2 18432]

S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RtsUStor.sys [2011-7-4 190464]

S3 SwitchBoard;SwitchBoard;c:\program files\common files\adobe\switchboard\SwitchBoard.exe [2010-2-19 517096]

S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2010-11-21 52224]

S3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-21 27264]

.

=============== Created Last 30 ================

.

2012-12-06 01:41:05 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2012-12-05 11:27:32 -------- d-----w- c:\users\eric\appdata\roaming\Yhhy

2012-12-05 11:27:32 -------- d-----w- c:\users\eric\appdata\roaming\Ufoh

2012-12-05 11:27:32 -------- d-----w- c:\users\eric\appdata\roaming\Ubud

2012-12-05 07:52:11 -------- d-----w- c:\users\eric\appdata\roaming\Malwarebytes

2012-12-05 07:52:06 -------- d-----w- c:\programdata\Malwarebytes

2012-12-05 07:52:05 22856 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-12-05 07:52:05 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2012-12-05 07:22:17 -------- d-----w- c:\program files\GridinSoft Trojan Killer

2012-12-05 06:26:56 -------- d-----w- c:\users\eric\appdata\roaming\Ywqea

2012-12-05 06:26:56 -------- d-----w- c:\users\eric\appdata\roaming\Yryq

2012-12-05 06:26:56 -------- d-----w- c:\users\eric\appdata\roaming\Cywiob

2012-12-05 01:47:45 26840 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys

2012-12-05 01:47:28 -------- d-----w- c:\programdata\188F1432-103A-4ffb-80F1-36B633C5C9E1

2012-12-05 01:47:28 -------- d-----w- c:\program files\iPod

2012-12-05 00:01:04 -------- d-----w- c:\users\eric\appdata\roaming\Weep

2012-12-05 00:01:04 -------- d-----w- c:\users\eric\appdata\roaming\Ukogsy

2012-12-05 00:01:04 -------- d-----w- c:\users\eric\appdata\roaming\Kegovy

2012-12-04 03:12:38 -------- d-----w- c:\users\eric\appdata\roaming\Yviv

2012-12-04 03:12:38 -------- d-----w- c:\users\eric\appdata\roaming\Umzow

2012-12-04 03:12:38 -------- d-----w- c:\users\eric\appdata\roaming\Pyxa

2012-12-02 13:38:14 -------- d-----w- c:\users\eric\appdata\roaming\Yxum

2012-12-02 13:38:14 -------- d-----w- c:\users\eric\appdata\roaming\Cuuz

2012-12-02 13:38:14 -------- d-----w- c:\users\eric\appdata\roaming\Atfu

2012-12-02 00:04:16 -------- d-----w- c:\users\eric\appdata\roaming\Zucyyb

2012-12-02 00:04:16 -------- d-----w- c:\users\eric\appdata\roaming\Uqdion

2012-12-02 00:04:16 -------- d-----w- c:\users\eric\appdata\roaming\Qyuz

2012-12-01 10:46:00 -------- d-----w- c:\users\eric\appdata\roaming\Paik

2012-12-01 10:46:00 -------- d-----w- c:\users\eric\appdata\roaming\Olyh

2012-12-01 10:46:00 -------- d-----w- c:\users\eric\appdata\roaming\Etvaic

2012-11-30 16:18:15 -------- d-----w- c:\users\eric\appdata\roaming\Owxu

2012-11-30 16:18:15 -------- d-----w- c:\users\eric\appdata\roaming\Okti

2012-11-30 16:18:15 -------- d-----w- c:\users\eric\appdata\roaming\Cyory

2012-11-30 09:00:37 -------- d-----w- c:\users\eric\appdata\roaming\Myqi

2012-11-30 09:00:37 -------- d-----w- c:\users\eric\appdata\roaming\Foeqwi

2012-11-30 09:00:37 -------- d-----w- c:\users\eric\appdata\roaming\Bidyr

2012-11-30 01:00:18 -------- d-----w- c:\users\eric\appdata\roaming\Teeku

2012-11-30 01:00:18 -------- d-----w- c:\users\eric\appdata\roaming\Noal

2012-11-30 01:00:18 -------- d-----w- c:\users\eric\appdata\roaming\Gidus

2012-11-29 09:07:48 -------- d-----w- c:\users\eric\appdata\roaming\Rovopu

2012-11-29 09:07:48 -------- d-----w- c:\users\eric\appdata\roaming\Oqad

2012-11-29 09:07:48 -------- d-----w- c:\users\eric\appdata\roaming\Giumti

2012-11-27 23:08:02 -------- d-----w- c:\users\eric\appdata\roaming\Waegf

2012-11-27 23:08:02 -------- d-----w- c:\users\eric\appdata\roaming\Otwoe

2012-11-27 23:08:02 -------- d-----w- c:\users\eric\appdata\roaming\Adegvu

2012-11-27 12:15:02 -------- d-----w- c:\users\eric\appdata\roaming\Uffi

2012-11-27 12:15:02 -------- d-----w- c:\users\eric\appdata\roaming\Diyr

2012-11-27 12:15:02 -------- d-----w- c:\users\eric\appdata\roaming\Afsuv

2012-11-27 01:33:00 -------- d-sh--w- c:\windows\system32\%APPDATA%

2012-11-27 01:11:08 -------- d-----w- c:\users\eric\appdata\roaming\Uqiri

2012-11-27 01:11:08 -------- d-----w- c:\users\eric\appdata\roaming\Upziyb

2012-11-27 01:11:08 -------- d-----w- c:\users\eric\appdata\roaming\Acriga

2012-11-21 14:05:36 -------- d-----w- c:\users\eric\appdata\local\Reimage

2012-11-10 03:36:35 -------- d-----w- c:\users\eric\appdata\roaming\WindSolutions

2012-11-10 03:36:35 -------- d-----w- c:\programdata\WindSolutions

.

==================== Find3M ====================

.

2012-10-31 12:23:19 26984 ----a-w- c:\windows\system32\drivers\avgtpx86.sys

2012-10-11 05:10:13 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2012-10-11 05:10:13 696760 ----a-w- c:\windows\system32\FlashPlayerApp.exe

2012-09-27 23:32:56 5989776 ----a-w- c:\windows\system32\usbaaplrc.dll

2012-09-27 23:32:56 44544 ----a-w- c:\windows\system32\drivers\usbaapl.sys

2012-09-13 07:50:28 93672 ----a-w- c:\windows\system32\WindowsAccessBridge.dll

2012-09-13 07:50:27 821736 ----a-w- c:\windows\system32\npDeployJava1.dll

2012-09-13 07:50:27 746984 ----a-w- c:\windows\system32\deployJava1.dll

2012-09-12 05:07:44 58368 ----a-w- c:\windows\system32\sirenacm.dll

2012-09-12 04:58:44 49664 ----a-w- c:\windows\system32\drivers\fssfltr.sys

2012-09-12 04:57:44 322048 ----a-w- c:\windows\WLXPGSS.SCR

.

============= FINISH: 13:44:25.42 ===============




Before we proceed further, please uninstall or disable uTorrent and any other peer-to-peer filesharing app.

Continued use of filesharing or ill-advised downloads will surely re-infect your system.

Risks of File-Sharing Technology.

P2P file sharing: Know the risks

It's also against the forums policy concerning P2P programs:

http://forums.malwar...showtopic=97700

~~~~~~~~~~~~~~~~~~~~~~~~~~

You're badly infected!!!

Here you go......

Please read the following information first.

You're infected with Rootkit.ZeroAccess, a BackDoor Trojan.

BACKDOOR WARNING

------------------------------

One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advise you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

http://www.dslreports.com/faq/10451

When Should I Format, How Should I Reinstall

http://www.dslreports.com/faq/10063

I will try my best to clean this machine but I can't guarantee that it will be 100% secure afterwards.

Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.

~~~~~~~~~~~~~~~~~~~

Run RogueKiller again and click Scan

When the scan completes > click on the Registry tab

Put a check next to all of these and uncheck the rest: (if found)

[RUN][NOTFOUND] HKCU\[...]\Run : Reimage (RUNDLL32.EXE C:\Users\Eric\AppData\Local\Reimage\bvgnlvoi.dll,vlc_entry__1_0_0e) -> FOUND

[RUN][NOTFOUND] HKUS\S-1-5-21-3390684805-3501667938-2072976212-1001[...]\Run : Reimage (RUNDLL32.EXE C:\Users\Eric\AppData\Local\Reimage\bvgnlvoi.dll,vlc_entry__1_0_0e) -> FOUND

Now click Delete on the right hand column under Options

~~~~~~~~~~~~~

Next....

Next click on the Files tab and put a check next to these and uncheck the rest. (if found)

[ZeroAccess][FILE] @ : C:\$recycle.bin\S-1-5-18\$850f12792d6326bdffc74436330d287d\@ --> FOUND

[ZeroAccess][FILE] @ : C:\$recycle.bin\S-1-5-21-3390684805-3501667938-2072976212-1001\$850f12792d6326bdffc74436330d287d\@ --> FOUND

[ZeroAccess][FOLDER] U : C:\$recycle.bin\S-1-5-18\$850f12792d6326bdffc74436330d287d\U --> FOUND

[ZeroAccess][FOLDER] U : C:\$recycle.bin\S-1-5-21-3390684805-3501667938-2072976212-1001\$850f12792d6326bdffc74436330d287d\U --> FOUND

[ZeroAccess][FOLDER] L : C:\$recycle.bin\S-1-5-18\$850f12792d6326bdffc74436330d287d\L --> FOUND

[ZeroAccess][FOLDER] L : C:\$recycle.bin\S-1-5-21-3390684805-3501667938-2072976212-1001\$850f12792d6326bdffc74436330d287d\L --> FOUND

Now click Delete on the right hand column under Options

~~~~~~~~~~~~~~~

Next.............

Please create a new system restore point before running Malwarebytes Anti-Rootkit.

MBAR tutorial

Download Malwarebytes Anti-Rootkit from HERE

  • Unzip the contents to a folder in a convenient location.
  • Open the folder where the contents were unzipped and run mbar.exe
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
  • Wait while the system shuts down and the cleanup process is performed.
  • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  • When done, please post the two logs produced they will be in the MBAR folder..... mbar-log.txt and system-log.txt

To attach a log if needed:

Bottom right corner of this page.

more-reply-options.jpg

New window that comes up.

choose-files1.jpg

MrC (be back in the am)

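An added example, not code from the thread or from RogueKiller: a small Python check for the on-disk layout the RogueKiller findings above describe, a `$<32 hex>` folder under `$Recycle.Bin\<SID>\` holding the `@`, `U` and `L` entries. It builds a constructed tree in a temporary directory (the hash value is the one from the log above; the SID pattern and the legitimate `$R...` item are assumptions) and shows that only the ZeroAccess-style folders are reported.

```python
# Added example: detect the ZeroAccess recycle-bin layout reported by RogueKiller.
import os
import re
import tempfile

# Machine (S-1-5-18) and user (S-1-5-21-...) SIDs, as seen in the RogueKiller entries.
SID_RE = re.compile(r"^S-1-5-(?:18|21-\d+-\d+-\d+-\d+)$", re.IGNORECASE)
# ZeroAccess hides its files in a folder named "$" followed by 32 hex characters.
HASH_DIR_RE = re.compile(r"^\$[0-9a-f]{32}$", re.IGNORECASE)
# Entries RogueKiller flagged inside that folder: "@" (file), "U" and "L" (folders).
MARKERS = {"@", "U", "L"}


def find_zeroaccess_artifacts(recycle_bin):
    """Return (path, markers) for every $<hash> folder under <recycle_bin>/<SID>/ holding markers."""
    hits = []
    if not os.path.isdir(recycle_bin):
        return hits
    for sid in sorted(os.listdir(recycle_bin)):
        sid_path = os.path.join(recycle_bin, sid)
        if not SID_RE.match(sid) or not os.path.isdir(sid_path):
            continue
        for entry in sorted(os.listdir(sid_path)):
            entry_path = os.path.join(sid_path, entry)
            if not HASH_DIR_RE.match(entry) or not os.path.isdir(entry_path):
                continue  # normal recycled items are $R<random>.<ext>, not 32 hex chars
            found = MARKERS.intersection(os.listdir(entry_path))
            if found:
                hits.append((entry_path, sorted(found)))
    return hits


def build_constructed_sample(root):
    """Constructed tree mimicking the RogueKiller findings (hash taken from the log above)."""
    hash_dir = "$850f12792d6326bdffc74436330d287d"
    for sid in ("S-1-5-18", "S-1-5-21-3390684805-3501667938-2072976212-1001"):
        base = os.path.join(root, "$Recycle.Bin", sid, hash_dir)
        os.makedirs(os.path.join(base, "U"))
        os.makedirs(os.path.join(base, "L"))
        with open(os.path.join(base, "@"), "wb") as fh:
            fh.write(b"\x00" * 16)  # constructed placeholder content
    # An ordinary recycled file (assumed name) that must NOT be flagged.
    with open(os.path.join(root, "$Recycle.Bin", "S-1-5-18", "$RABC123.txt"), "w") as fh:
        fh.write("deleted file")
    return os.path.join(root, "$Recycle.Bin")


def demo():
    """Build the constructed sample and scan it; returns the list of hits."""
    with tempfile.TemporaryDirectory() as tmp:
        return find_zeroaccess_artifacts(build_constructed_sample(tmp))
```

On a live Windows system the scan would be pointed at `C:\$Recycle.Bin`; a hit only tells you the layout is present, so the folder still has to be removed with a tool that can handle the locked entries, as the post above does with RogueKiller.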

Next..............

Please download and run ComboFix.

The most important things to remember when running it are to disable all your malware programs and run Combofix from your desktop.

Please visit this webpage for download links, and instructions for running ComboFix

http://www.bleepingc...to-use-combofix

Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Information on disabling your malware programs can be found Here.

Make sure you run ComboFix from your desktop.

Give it at least 30-45 minutes to finish if needed.

Please include the C:\ComboFix.txt in your next reply for further review.

---------->NOTE<----------

If you get the message Illegal operation attempted on registry key that has been marked for deletion after you run ComboFix....please reboot the computer, this should resolve the problem. You may have to do this several times if needed.

MrC


Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!


Using ComboFix......

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

4. If ComboFix wants to update.....please allow it to.

Folder::

c:\users\Eric\AppData\Roaming\Ufoh

c:\users\Eric\AppData\Roaming\Ywqea

c:\users\Eric\AppData\Roaming\Kegovy

c:\users\Eric\AppData\Roaming\Pyxa

c:\users\Eric\AppData\Roaming\Cuuz

c:\users\Eric\AppData\Roaming\Yxum

c:\users\Eric\AppData\Roaming\Qyuz

c:\users\Eric\AppData\Roaming\Zucyyb

c:\users\Eric\AppData\Roaming\Olyh

c:\users\Eric\AppData\Roaming\Paik

c:\users\Eric\AppData\Roaming\Okti

c:\users\Eric\AppData\Roaming\Cyory

c:\users\Eric\AppData\Roaming\Myqi

c:\users\Eric\AppData\Roaming\Bidyr

c:\users\Eric\AppData\Roaming\Teeku

c:\users\Eric\AppData\Roaming\Noal

c:\users\Eric\AppData\Roaming\Giumti

c:\users\Eric\AppData\Roaming\Oqad

c:\users\Eric\AppData\Roaming\Adegvu

c:\users\Eric\AppData\Roaming\Otwoe

c:\users\Eric\AppData\Roaming\Diyr

c:\users\Eric\AppData\Roaming\Afsuv

c:\users\Eric\AppData\Roaming\Uqiri

c:\users\Eric\AppData\Roaming\Acriga

c:\users\Eric\AppData\Roaming\Upziyb

ClearJavaCache::

Save this as CFScript.txt, in the same location as ComboFix.exe

CFScript.gif

Referring to the picture above, drag CFScript into ComboFix.exe

CAUTION: Do not mouse-click ComboFix while it is running. It may cause it to stall.

After reboot, (in case it asks to reboot)......

Please provide the contents of the ComboFix log (C:\ComboFix.txt) in your next reply.

MrC


Please download AdwCleaner from here and save it on your Desktop.

  1. Right-click on adwcleaner.exe and select Run As Administrator (for XP just double click) to launch the application.
  2. Now click on the Search tab.
  3. Please post the contents of the log-file created in your next post.

Note: The log can also be located at C:\ >> AdwCleaner[XX].txt >> XX <-- Denotes the number of times the application has been run, so in this case it should be something like R1.

MrC


Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!


This topic is now closed to further replies.