
Need to stop my computer from calling out to IP 195.226.218.205


Uriah


Hello Uriah,

If you're an MBAM customer, you have the option to contact the consumer help desk here.

If you are in an organization or a corporate customer, contact Corporate Support for assistance.

Kindly do -not- use the attach feature to place your reports. Always COPY all contents and Paste directly into main body of reply.

If you wish help from me, start with the following.

Step 1

1. Go >> Here << and download ERUNT

(ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.)

2. Install ERUNT by following the prompts

(use the default install settings but say no to the portion that asks you to add ERUNT to the start-up folder, if you like you can enable this option later)

3. Start ERUNT

(either by double clicking on the desktop icon or choosing to start the program at the end of the setup)

4. Choose a location for the backup

(the default location is C:\WINDOWS\ERDNT which is acceptable).

5. Make sure that at least the first two check boxes are ticked

6. Press OK

7. Press YES to create the folder.

Step 2

To show all files:

  • Go to your Desktop
  • Double-Click the Computer icon.
  • From the menu options, Select Tools, then Folder Options.
  • Next click the View tab.
  • Locate and uncheck Hide file extensions for known file types.
  • Locate and uncheck Hide protected operating system files (Recommended).
  • Locate and click Show hidden files and folders and drives.
  • Click Apply > OK.

Step 3

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

For directions on how, see How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

Do NOT turn off the firewall.

Please download AdwCleaner © Xplode from >>here<< and save it on your Desktop.

If you are running Windows XP, double click adwcleaner.exe to start it.

Otherwise, Right-click on adwcleaner.exe and select Run As Administrator to launch the application.

Now click on the Search tab.

Please post the contents of the log-file created in your next post.

Note: The log can also be located at C:\AdwCleaner[XX].txt where XX denotes the number of times the application has been run, so in this case it should be something like R1.

Step 4

Please read carefully and follow these steps.

  • Download TDSSKiller and save it to your Desktop.
  • Double-Click on TDSSKiller.exe to run the application, then on Start Scan.
    If running Vista or Windows 7, do a RIGHT-Click and select Run as Administrator to start TDSSKILLER.exe.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic please choose
    Skip and click on Continue
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Step 5

  • Download & SAVE to your Desktop >> Tigzy's RogueKiller from here << or
    >> from here <<
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.
    For Windows XP, double-click to start.
  • Wait until Prescan has finished ...
  • Then Click on Scan button at upper right of screen.
  • Wait until the Status box shows "Scan Finished"
  • Click on Report and copy/paste the content of the Notepad into your next reply.
  • The log should be found in RKreport[1].txt on your Desktop
  • Exit/Close RogueKiller

Do NOT click any FIX buttons !

Step 6

RE-Enable your antivirus program.

Then copy/paste the following into your post (in order):

  • the contents of C:\AdwCleaner[R1].txt;
  • the contents of TDSSKILLER log;
  • the contents of RKReport log;

Be sure to do a Preview prior to pressing Submit because all reports may not fit into 1 single reply. You may have to do more than 1 reply.

Do not use the attachment feature to place any of your reports. Always put them in-line inside the body of reply.


Hi Maurice and thank you for your help. I ran Kaspersky TDSS Killer and it found nothing and then I ran AdwCleaner and the search result as far as I could tell didn't show anything but I proceeded with the delete process and as of right now Malwarebytes Pro has not shown a notification pop-up that it has blocked my computer from calling out to that IP address.


I'd like to see all 3 of the above reports.

and

Save and close any work documents, close any apps that you started.

Temporarily turn off (disable) your antivirus program

How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

Start your MBAM MalwareBytes' Anti-Malware.

Click the Settings Tab and then the General Settings sub-tab. Make sure all option lines have a checkmark.

Then click the Scanner settings sub-tab in second row of tabs. Make sure all option lines have a checkmark.

Next, Click the Update tab. Press the "Check for Updates" button.

If prompted for a Restart, do that.

When done, click the Scanner tab.

Do a Full Scan.

When the scan is complete, click OK, then Show Results to view the results.

Make sure that everything is checked, and click Remove Selected.

When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.

The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

When all done, Copy & paste the MBAM scan log into a new reply.

Tell me, how is the system?

Re-enable your antivirus program.


Maurice, I have gotten one notification that Malwarebytes blocked the call out to that IP address since my last post. I can't copy the report from tdsskiller but it showed that it scanned 1225 objects and found 0 threats. Yesterday I ran Sophos virus removal tool and it claimed adwCleaner was malware. Today I ran Comodo Cleaning Essentials along with the autoruns in it and it found nothing and autoruns said everything was safe. The following reports:

# AdwCleaner v2.104 - Logfile created 12/30/2012 at 19:47:55

# Updated 29/12/2012 by Xplode

# Operating system : Windows 7 Home Premium Service Pack 1 (64 bits)

# User :

# Boot Mode : Normal

# Running from : C:\Users\\Desktop\AdwCleaner.exe

# Option [Delete]

***** [services] *****

***** [Files / Folders] *****

***** [Registry] *****

***** [internet Browsers] *****

-\\ Internet Explorer v9.0.8112.16457

[OK] Registry is clean.

-\\ Mozilla Firefox v18.0 (en-US)

File : C:\Users\\AppData\Roaming\Mozilla\Firefox\Profiles\ozz1k4lr.default\prefs.js

[OK] File is clean.

*************************

AdwCleaner[R1].txt - [784 octets] - [30/12/2012 15:11:25]

AdwCleaner[R2].txt - [841 octets] - [30/12/2012 15:14:50]

AdwCleaner[R3].txt - [900 octets] - [30/12/2012 15:17:08]

AdwCleaner[R4].txt - [1018 octets] - [30/12/2012 19:45:17]

AdwCleaner[R5].txt - [1079 octets] - [30/12/2012 19:46:28]

AdwCleaner[s1].txt - [959 octets] - [30/12/2012 15:17:36]

AdwCleaner[s2].txt - [1011 octets] - [30/12/2012 19:47:55]

########## EOF - C:\AdwCleaner[s2].txt - [1071 octets] ##########

Malwarebytes Anti-Malware (PRO) 1.70.0.1100

www.malwarebytes.org

Database version: v2012.12.31.07

Windows 7 Service Pack 1 x64 NTFS

Internet Explorer 9.0.8112.16421

[administrator]

Protection: Enabled

12/31/2012 4:03:41 PM

mbam-log-2012-12-31 (16-03-41).txt

Scan type: Full scan (C:\|)

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P

Scan options disabled:

Objects scanned: 289675

Time elapsed: 18 minute(s), 33 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

(end)

RogueKiller found two items, but there was no option to delete them.

RogueKiller V8.4.2 [Dec 31 2012] by Tigzy

mail : tigzyRK<at>gmail<dot>com

Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/

Website : http://tigzy.geekstogo.com/roguekiller.php

Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version

Started in : Normal mode

User : [Admin rights]

Mode : Scan -- Date : 12/31/2012 15:22:01

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 2 ¤¤¤

[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND

[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ HOSTS File: ¤¤¤

--> C:\Windows\system32\drivers\etc\hosts

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: WDC WD6400AAKS-75A7B2 ATA Device +++++

--- User ---

[MBR] 7f8231df87a5c382b5ffd188d3cf627e

[bSP] 7567ed5fdfee1369e7103943ecdf6210 : Windows 7/8 MBR Code

Partition table:

0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 39 Mo

1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 81920 | Size: 15000 Mo

2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 30801920 | Size: 595439 Mo

User = LL1 ... OK!

User = LL2 ... OK!

Finished : << RKreport[1]_S_12312012_02d1522.txt >>

RKreport[1]_S_12312012_02d1522.txt

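The thread's title asks which program is calling out to 195.226.218.205, and none of the scanner logs above answers that. The following script is an added example, not from the thread or from any tool mentioned in it: it parses the text that `netstat -ano` prints on Windows and lists the PIDs that hold a connection to that address, so the owner of the connection can be looked up with `tasklist`. The sample output, its PIDs and its other addresses are constructed.

```python
"""Attribute connections to a remote IP to the local process IDs that own them.

Added example for the thread above (not the forum's or any scanner's code). It
parses `netstat -ano` output, which is the cheapest way on Windows 7 to see
which PID is behind an outbound connection that Malwarebytes keeps blocking.
"""
import re
import subprocess
import sys

TARGET_IP = "195.226.218.205"  # the address Malwarebytes reported blocking in the thread

# One row of `netstat -ano`: proto, local endpoint, remote endpoint, state (TCP only), PID.
_ROW = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<local>\S+)\s+(?P<remote>\S+)"
    r"(?:\s+(?P<state>[A-Z_]+))?\s+(?P<pid>\d+)\s*$"
)


def split_endpoint(endpoint):
    """'1.2.3.4:443' -> ('1.2.3.4', 443); '[::1]:445' -> ('::1', 445); '*:*' -> ('*', None)."""
    host, _, port = endpoint.rpartition(":")
    host = host.strip("[]")  # netstat wraps IPv6 addresses in brackets
    return host, (int(port) if port.isdigit() else None)


def parse_netstat(text):
    """Return a dict per connection row of `netstat -ano` output; headers are skipped."""
    rows = []
    for line in text.splitlines():
        m = _ROW.match(line)
        if not m:
            continue  # "Active Connections", the column header, blank lines
        rows.append({
            "proto": m.group("proto"),
            "local": split_endpoint(m.group("local")),
            "remote": split_endpoint(m.group("remote")),
            "state": m.group("state") or "",
            "pid": int(m.group("pid")),
        })
    return rows


def connections_to(text, ip):
    """Rows whose remote host is `ip`, in any state (SYN_SENT is the telltale for a blocked call-out)."""
    return [r for r in parse_netstat(text) if r["remote"][0] == ip]


def suspect_pids(text, ip):
    """Sorted PIDs to investigate. PID 0 is dropped: Windows reports it for TIME_WAIT sockets
    whose owning process has already closed them, so it identifies nothing."""
    return sorted({r["pid"] for r in connections_to(text, ip) if r["pid"] != 0})


# Constructed sample in the `netstat -ano` format; the PIDs and the other addresses are made up.
SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       756
  TCP    192.168.1.10:49211     195.226.218.205:80     SYN_SENT        3120
  TCP    192.168.1.10:49215     72.21.91.29:443        ESTABLISHED     2044
  TCP    192.168.1.10:49220     195.226.218.205:80     TIME_WAIT       0
  TCP    [::1]:49160            [::1]:1433             ESTABLISHED     4488
  UDP    0.0.0.0:5355           *:*                                    1032
"""

if __name__ == "__main__":
    if sys.platform == "win32":
        # Live data on the affected machine; elsewhere fall back to the constructed sample.
        text = subprocess.run(["netstat", "-ano"], capture_output=True, text=True, check=False).stdout
    else:
        text = SAMPLE
    for row in connections_to(text, TARGET_IP):
        print("{} {}:{} -> {}:{} {} pid={}".format(row["proto"], row["local"][0], row["local"][1],
                                                   TARGET_IP, row["remote"][1], row["state"], row["pid"]))
    for pid in suspect_pids(text, TARGET_IP):
        # Map the PID to its image name on the affected machine with: tasklist /FI "PID eq <pid>"
        print('investigate: tasklist /FI "PID eq {}"'.format(pid))
```

Because a blocked call-out is often short-lived, the script is most useful run in a loop right after Malwarebytes shows the block notification; the SYN_SENT row names the process that tried.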

You noted above you ran 2 scans on your own. I would remind you, and ask again, do NOT run other tools / scans/ fixes on your own.

You will want to print out or copy these instructions to Notepad for offline reference!

These steps are for member Uriah only. If you are a casual viewer, do NOT try this on your system!

If you are not Uriah and have a similar problem, do NOT post here; start your own topic

Do not run or start any other programs while these utilities and tools are in use!

Do NOT run any other tools on your own or do any fixes other than what is listed here.

If you have questions, please ask before you do something on your own.

But it is important that you get going on these following steps.


Close any of your open programs while you run these tools.

On most all of the following programs and tools, you will need to do a right-click on the program link or shortcut or desktop icon (as appropriate) and then select "Run as Administrator". Please remember that as you go along and use these tools, each in turn.

If you have a prior copy of Combofix, delete it now.

Download Combofix from any of the links below, and SAVE it to your Desktop.

Link 1

Link 2

**Note: It is important that it is saved directly to your Desktop and not run straight away from download **

Turn OFF your antivirus, otherwise it will interfere. How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

Have infinite patience during the run & scan by Combofix. It has many phases: some 50+ stages

It will display its "stage" within the Command prompt window. Do NOT panic if it seems slow to change! It has lots of work.

You may notice the desktop icons disappear. Do NOT panic, as that is expected behavior.

Combofix may take as little as 10 minutes and perhaps as much as 30-40 minutes. Time taken will depend on the speed of your system and how much there is to scan & how much it needs to clean.

If this is on a notebook system, make sure first the notebook is connected to wall-power (AC power) or a UPS system.

Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.

Right-click on Combo-Fix.exe on your Desktop and select "Run as Administrator".

  • A window may open with a warning or prompts. Accept the EULA and follow the prompts during the start phase of Combofix.
    When the scan completes Notepad will open with your results log open. Do a File, Exit and answer 'Yes' to save changes.

A caution - Do not run Combofix more than once.

Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.

The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled.

If this occurs, please reboot to restore the desktop.

A file will be created at => C:\Combofix.txt.

Notes:

[1] IF after Combofix reboot you get the message

Illegal operation attempted on registry key that has been marked for deletion

....please reboot the computer, this should resolve the problem. You may have to reboot the PC a second time if needed.

[2] Do not mouse-click Combofix's window nor run any program while Combofix is running.

That may cause it to stall.

[3] When all done, IF Combofix did not do a Restart...then... I need for you to Restart the system fresh.

Reply & Copy & Paste contents of the C:\Combofix.txt log

Re-enable your antivirus program.


Maurice, did everything as you instructed this time and as of right now I haven't gotten any notification from MB it has blocked the call out to that IP address. Here's the Combofix report.

ComboFix 13-01-01.02 - AF 01/01/2013 13:33:18.1.2 - x64

Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.6133.4530 [GMT -5:00]

Running from: c:\users\AF\Desktop\ComboFix.exe

AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}

SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

C:\Install.exe

c:\users\AF\AppData\Roaming\Microsoft\Windows\Recent\Your Software Deals.url

.

.

((((((((((((((((((((((((( Files Created from 2012-12-01 to 2013-01-01 )))))))))))))))))))))))))))))))

.

.

2013-01-01 18:36 . 2013-01-01 18:36 -------- d-----w- c:\users\Default\AppData\Local\temp

2012-12-31 05:47 . 2013-01-01 18:17 -------- d-----w- c:\programdata\Sophos

2012-12-29 06:32 . 2010-01-11 00:40 118784 ----a-w- c:\windows\SysWow64\MSSTDFMT.DLL

2012-12-29 06:32 . 2010-01-11 00:40 1071088 ----a-w- c:\windows\SysWow64\MSCOMCTL.OCX

2012-12-29 06:32 . 2012-12-30 20:22 -------- d-----w- c:\program files (x86)\SpywareBlaster

2012-12-23 22:03 . 2012-12-23 22:03 466456 ----a-w- c:\windows\system32\wrap_oal.dll

2012-12-23 22:03 . 2012-12-23 22:03 444952 ----a-w- c:\windows\SysWow64\wrap_oal.dll

2012-12-23 22:03 . 2012-12-23 22:03 122904 ----a-w- c:\windows\system32\OpenAL32.dll

2012-12-23 22:03 . 2012-12-23 22:03 109080 ----a-w- c:\windows\SysWow64\OpenAL32.dll

2012-12-23 22:03 . 2012-12-23 22:03 -------- d-----w- c:\program files (x86)\OpenAL

2012-12-23 02:08 . 2009-07-14 01:41 101376 ----a-w- c:\windows\system32\Spool\prtprocs\x64\HPZPPWN7.DLL

2012-12-21 22:29 . 2012-12-21 22:29 -------- d-----w- c:\program files (x86)\RarmaRadio

2012-12-21 14:20 . 2012-12-16 17:11 46080 ----a-w- c:\windows\system32\atmlib.dll

2012-12-21 14:20 . 2012-12-16 14:13 34304 ----a-w- c:\windows\SysWow64\atmlib.dll

2012-12-21 14:20 . 2012-12-16 14:45 367616 ----a-w- c:\windows\system32\atmfd.dll

2012-12-21 14:20 . 2012-12-16 14:13 295424 ----a-w- c:\windows\SysWow64\atmfd.dll

2012-12-18 10:31 . 2012-12-17 20:59 -------- d-----w- c:\windows\Panther

2012-12-18 10:30 . 2012-12-18 10:30 -------- d-----w- c:\windows\system32\oem

2012-12-18 05:21 . 2012-10-09 18:17 55296 ----a-w- c:\windows\system32\dhcpcsvc6.dll

2012-12-18 05:21 . 2012-10-09 18:17 226816 ----a-w- c:\windows\system32\dhcpcore6.dll

2012-12-18 05:21 . 2012-10-09 17:40 44032 ----a-w- c:\windows\SysWow64\dhcpcsvc6.dll

2012-12-18 05:21 . 2012-10-09 17:40 193536 ----a-w- c:\windows\SysWow64\dhcpcore6.dll

2012-12-18 05:13 . 2012-08-24 18:13 154480 ----a-w- c:\windows\system32\drivers\ksecpkg.sys

2012-12-18 05:13 . 2012-08-24 18:09 458712 ----a-w- c:\windows\system32\drivers\cng.sys

2012-12-18 05:13 . 2012-08-24 18:05 340992 ----a-w- c:\windows\system32\schannel.dll

2012-12-18 05:13 . 2012-08-24 18:04 307200 ----a-w- c:\windows\system32\ncrypt.dll

2012-12-18 05:13 . 2012-08-24 18:03 1448448 ----a-w- c:\windows\system32\lsasrv.dll

2012-12-18 05:13 . 2012-08-24 16:57 247808 ----a-w- c:\windows\SysWow64\schannel.dll

2012-12-18 05:13 . 2012-08-24 16:57 220160 ----a-w- c:\windows\SysWow64\ncrypt.dll

2012-12-18 05:13 . 2012-08-24 16:57 22016 ----a-w- c:\windows\SysWow64\secur32.dll

2012-12-18 05:13 . 2012-08-24 16:53 96768 ----a-w- c:\windows\SysWow64\sspicli.dll

2012-12-18 05:10 . 2012-05-04 11:00 366592 ----a-w- c:\windows\system32\qdvd.dll

2012-12-18 05:10 . 2012-05-04 09:59 514560 ----a-w- c:\windows\SysWow64\qdvd.dll

2012-12-18 05:10 . 2012-08-21 21:01 245760 ----a-w- c:\windows\system32\OxpsConverter.exe

2012-12-18 05:09 . 2012-08-22 18:12 950128 ----a-w- c:\windows\system32\drivers\ndis.sys

2012-12-18 05:09 . 2012-07-04 20:26 41472 ----a-w- c:\windows\system32\drivers\RNDISMP.sys

2012-12-18 04:15 . 2012-12-18 04:15 -------- d-----w- c:\programdata\QFX Software

2012-12-18 04:15 . 2012-12-18 04:15 -------- d-----w- c:\program files (x86)\KeyScrambler

2012-12-18 04:15 . 2011-12-15 00:46 222904 ----a-w- c:\windows\system32\drivers\keyscrambler.sys

2012-12-17 20:39 . 2012-12-17 20:39 -------- d-----w- c:\program files\Sandboxie

2012-12-17 20:36 . 2012-12-17 20:36 -------- d-----w- c:\program files (x86)\PrivaZer

2012-12-17 20:33 . 2012-12-17 20:33 -------- d-----w- c:\program files (x86)\ClipboardHistory

2012-12-17 19:52 . 2012-12-17 19:52 -------- d-----w- c:\program files (x86)\Microsoft.NET

2012-12-17 18:33 . 2012-12-17 18:33 -------- d-----w- c:\windows\system32\SPReview

2012-12-17 18:33 . 2012-12-17 18:33 -------- d-----w- c:\windows\system32\EventProviders

2012-12-17 18:27 . 2010-11-20 13:26 3391488 ----a-w- c:\windows\system32\dbgeng.dll

2012-12-17 18:26 . 2010-11-20 13:27 372736 ----a-w- c:\windows\system32\mtxclu.dll

2012-12-17 18:25 . 2010-11-20 13:27 68096 ----a-w- c:\windows\system32\vfwwdm32.dll

2012-12-17 18:24 . 2010-11-20 13:27 529408 ----a-w- c:\windows\system32\wbemcomn.dll

2012-12-17 17:51 . 2011-02-19 12:05 1139200 ----a-w- c:\windows\system32\FntCache.dll

2012-12-17 17:51 . 2011-02-19 12:04 902656 ----a-w- c:\windows\system32\d2d1.dll

2012-12-17 17:51 . 2011-02-19 06:30 739840 ----a-w- c:\windows\SysWow64\d2d1.dll

2012-12-17 17:33 . 2012-12-17 17:33 -------- d-----w- c:\program files (x86)\MSECache

2012-12-17 17:23 . 2012-12-17 17:23 73656 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl

2012-12-17 17:23 . 2012-12-17 17:23 697272 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe

2012-12-17 17:23 . 2012-12-17 17:23 -------- d-----w- c:\windows\SysWow64\Macromed

2012-12-17 17:23 . 2012-12-17 17:23 -------- d-----w- c:\windows\system32\Macromed

2012-12-17 17:23 . 2012-12-17 17:23 -------- d-----w- c:\program files (x86)\Microsoft Silverlight

2012-12-17 17:22 . 2012-12-17 17:22 -------- d-----w- c:\program files (x86)\SumatraPDF

2012-12-17 17:16 . 2012-12-17 18:36 -------- d-----w- c:\program files (x86)\Microsoft Works

2012-12-17 10:09 . 2012-07-26 04:55 785512 ----a-w- c:\windows\system32\drivers\Wdf01000.sys

2012-12-17 10:09 . 2012-07-26 04:55 54376 ----a-w- c:\windows\system32\drivers\WdfLdr.sys

2012-12-17 10:09 . 2012-07-26 04:47 2560 ----a-w- c:\windows\system32\drivers\en-US\wdf01000.sys.mui

2012-12-17 10:09 . 2012-07-26 02:36 9728 ----a-w- c:\windows\system32\Wdfres.dll

2012-12-17 10:07 . 2012-11-28 20:58 67413224 ----a-w- c:\windows\system32\MRT.exe

2012-12-17 09:55 . 2012-12-17 09:55 -------- d-----w- c:\windows\SysWow64\Wat

2012-12-17 09:55 . 2012-12-17 09:55 -------- d-----w- c:\windows\system32\Wat

2012-12-17 09:23 . 2012-07-26 03:08 84992 ----a-w- c:\windows\system32\WUDFSvc.dll

2012-12-17 09:23 . 2012-07-26 03:08 194048 ----a-w- c:\windows\system32\WUDFPlatform.dll

2012-12-17 09:23 . 2012-07-26 02:26 87040 ----a-w- c:\windows\system32\drivers\WUDFPf.sys

2012-12-17 09:23 . 2012-07-26 02:26 198656 ----a-w- c:\windows\system32\drivers\WUDFRd.sys

2012-12-17 09:23 . 2012-07-26 03:08 45056 ----a-w- c:\windows\system32\WUDFCoinstaller.dll

2012-12-17 09:23 . 2012-07-26 03:08 229888 ----a-w- c:\windows\system32\WUDFHost.exe

2012-12-17 09:23 . 2012-07-26 03:08 744448 ----a-w- c:\windows\system32\WUDFx.dll

2012-12-17 09:20 . 2012-03-01 06:46 23408 ----a-w- c:\windows\system32\drivers\fs_rec.sys

2012-12-17 09:20 . 2012-03-01 06:33 81408 ----a-w- c:\windows\system32\imagehlp.dll

2012-12-17 09:20 . 2012-03-01 06:28 5120 ----a-w- c:\windows\system32\wmi.dll

2012-12-17 09:20 . 2012-03-01 05:33 159232 ----a-w- c:\windows\SysWow64\imagehlp.dll

2012-12-17 09:20 . 2012-03-01 05:29 5120 ----a-w- c:\windows\SysWow64\wmi.dll

2012-12-17 08:48 . 2011-04-09 06:58 142336 ----a-w- c:\windows\system32\poqexec.exe

2012-12-17 08:48 . 2011-04-09 05:56 123904 ----a-w- c:\windows\SysWow64\poqexec.exe

2012-12-17 08:48 . 2011-02-25 06:19 2871808 ----a-w- c:\windows\explorer.exe

2012-12-17 08:48 . 2011-02-25 05:30 2616320 ----a-w- c:\windows\SysWow64\explorer.exe

2012-12-17 08:48 . 2012-11-09 05:45 2048 ----a-w- c:\windows\system32\tzres.dll

2012-12-17 08:48 . 2012-11-09 04:42 2048 ----a-w- c:\windows\SysWow64\tzres.dll

2012-12-17 08:48 . 2010-12-23 10:42 961024 ----a-w- c:\windows\system32\CPFilters.dll

2012-12-17 08:48 . 2010-12-23 10:42 1118720 ----a-w- c:\windows\system32\sbe.dll

2012-12-17 08:48 . 2010-12-23 10:36 259072 ----a-w- c:\windows\system32\mpg2splt.ax

2012-12-17 08:48 . 2010-12-23 05:54 850944 ----a-w- c:\windows\SysWow64\sbe.dll

2012-12-17 08:48 . 2010-12-23 05:54 642048 ----a-w- c:\windows\SysWow64\CPFilters.dll

2012-12-17 08:48 . 2010-12-23 05:50 199680 ----a-w- c:\windows\SysWow64\mpg2splt.ax

2012-12-17 08:45 . 2012-06-06 06:06 1881600 ----a-w- c:\windows\system32\msxml3.dll

2012-12-17 08:45 . 2012-06-06 06:06 2004480 ----a-w- c:\windows\system32\msxml6.dll

2012-12-17 08:45 . 2012-06-06 05:05 1390080 ----a-w- c:\windows\SysWow64\msxml6.dll

2012-12-17 08:45 . 2012-06-06 05:05 1236992 ----a-w- c:\windows\SysWow64\msxml3.dll

2012-12-17 08:45 . 2010-06-26 03:55 2048 ----a-w- c:\windows\system32\msxml3r.dll

2012-12-17 08:45 . 2010-06-26 03:24 2048 ----a-w- c:\windows\SysWow64\msxml3r.dll

2012-12-17 08:44 . 2011-10-26 05:21 43520 ----a-w- c:\windows\system32\csrsrv.dll

2012-12-17 08:44 . 2011-12-30 06:26 515584 ----a-w- c:\windows\system32\timedate.cpl

2012-12-17 08:44 . 2011-12-30 05:27 478720 ----a-w- c:\windows\SysWow64\timedate.cpl

2012-12-17 08:44 . 2011-02-24 06:15 476160 ----a-w- c:\windows\system32\XpsGdiConverter.dll

2012-12-17 08:44 . 2011-02-24 05:38 288256 ----a-w- c:\windows\SysWow64\XpsGdiConverter.dll

2012-12-17 08:44 . 2012-11-22 03:26 3149824 ----a-w- c:\windows\system32\win32k.sys

2012-12-17 08:41 . 2012-12-17 08:41 -------- d-----w- c:\programdata\Malwarebytes

2012-12-17 08:41 . 2012-12-28 18:15 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware

2012-12-17 08:41 . 2012-12-14 21:49 24176 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-12-17 08:41 . 2012-08-30 18:03 5559664 ----a-w- c:\windows\system32\ntoskrnl.exe

2012-12-17 08:41 . 2012-08-30 17:12 3968880 ----a-w- c:\windows\SysWow64\ntkrnlpa.exe

2012-12-17 08:41 . 2012-08-30 17:12 3914096 ----a-w- c:\windows\SysWow64\ntoskrnl.exe

2012-12-17 08:39 . 2011-04-22 22:15 27520 ----a-w- c:\windows\system32\drivers\Diskdump.sys

2012-12-17 08:38 . 2012-11-02 05:59 478208 ----a-w- c:\windows\system32\dpnet.dll

2012-12-17 08:37 . 2011-12-28 03:59 498688 ----a-w- c:\windows\system32\drivers\afd.sys

2012-12-17 08:37 . 2012-04-28 03:55 210944 ----a-w- c:\windows\system32\drivers\rdpwd.sys

2012-12-17 08:37 . 2012-10-30 23:51 370288 ----a-w- c:\windows\system32\drivers\aswSP.sys

2012-12-17 08:37 . 2012-10-30 23:51 25232 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys

2012-12-17 08:37 . 2012-03-17 07:58 75120 ----a-w- c:\windows\system32\drivers\partmgr.sys

2012-12-17 08:37 . 2012-10-30 23:51 59728 ----a-w- c:\windows\system32\drivers\aswTdi.sys

2012-12-17 08:37 . 2012-10-15 16:59 54072 ----a-w- c:\windows\system32\drivers\aswRdr2.sys

2012-12-17 08:37 . 2012-10-30 23:51 984144 ----a-w- c:\windows\system32\drivers\aswSnx.sys

2012-12-17 08:37 . 2012-10-30 23:51 71600 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys

2012-12-17 08:37 . 2012-10-30 23:50 285328 ----a-w- c:\windows\system32\aswBoot.exe

2012-12-17 08:36 . 2013-01-01 18:26 -------- d-sh--w- c:\windows\Installer

2012-12-17 08:36 . 2012-10-30 23:51 41224 ----a-w- c:\windows\avastSS.scr

2012-12-17 08:36 . 2012-10-30 23:50 227648 ----a-w- c:\windows\SysWow64\aswBoot.exe

2012-12-17 08:36 . 2012-12-17 08:36 -------- d-----w- c:\programdata\AVAST Software

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-12-17 18:49 . 2009-07-14 02:36 175616 ----a-w- c:\windows\system32\msclmd.dll

2012-12-17 18:49 . 2009-07-14 02:36 152576 ----a-w- c:\windows\SysWow64\msclmd.dll

2012-10-28 21:09 . 2012-10-28 21:09 38624 ----a-w- c:\windows\system32\drivers\tap0901.sys

2012-10-16 08:38 . 2012-12-17 08:34 135168 ----a-w- c:\windows\apppatch\AppPatch64\AcXtrnal.dll

2012-10-16 08:38 . 2012-12-17 08:34 350208 ----a-w- c:\windows\apppatch\AppPatch64\AcLayers.dll

2012-10-16 07:39 . 2012-12-17 08:34 561664 ----a-w- c:\windows\apppatch\AcLayers.dll

2012-10-04 16:40 . 2012-12-17 08:39 44032 ----a-w- c:\windows\apppatch\acwow64.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ClipboardHistory"="c:\program files (x86)\ClipboardHistory\ClipboardHistory.exe" [2012-08-05 512392]

"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-20 1475584]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]

"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2012-10-30 4297136]

"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"= 5 (0x5)

"ConsentPromptBehaviorUser"= 3 (0x3)

"EnableUIADesktopToggle"= 0 (0x0)

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]

"LoadAppInit_DLLs"=1 (0x1)

.

R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]

R3 keycrypt;keycrypt;c:\windows\system32\DRIVERS\KeyCrypt64.sys [x]

R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2012-08-23 19456]

R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2012-08-23 57856]

R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2012-12-17 1255736]

S1 aswSnx;aswSnx; [x]

S1 aswSP;aswSP; [x]

S2 aswFsBlk;aswFsBlk; [x]

S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2012-10-30 71600]

S2 MBAMScheduler;MBAMScheduler;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [2012-12-14 398184]

S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-12-14 682344]

S3 KeyScrambler;KeyScrambler;c:\windows\system32\drivers\keyscrambler.sys [2011-12-15 222904]

S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-12-14 24176]

S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2011-06-10 539240]

.

.

Contents of the 'Scheduled Tasks' folder

.

2013-01-01 c:\windows\Tasks\Adobe Flash Player Updater.job

- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-12-17 17:23]

.

.

--------- X64 Entries -----------

.

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]

@="{472083B0-C522-11CF-8763-00608CC02F24}"

[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]

2012-10-30 23:50 133400 ----a-w- c:\program files\AVAST Software\Avast\ashShA64.dll

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-09-24 165912]

.

------- Supplementary Scan -------

.

uLocal Page = c:\windows\system32\blank.htm

mLocal Page = c:\windows\SysWOW64\blank.htm

IE: {{40354A83-504E-4611-ACAE-3D137F6F595E} - {40354A83-504E-4611-ACAE-3D137F6F595E} - c:\users\AF\AppData\Roaming\Dashlane\bin\Dashlanei.dll

TCP: DhcpNameServer = 192.168.1.1

FF - ProfilePath - c:\users\AF\AppData\Roaming\Mozilla\Firefox\Profiles\ozz1k4lr.default\

FF - prefs.js: browser.search.selectedEngine - Startpage HTTPS

FF - ExtSQL: 2012-11-29 11:15; {442718d9-475e-452a-b3e1-fb1ee16b8e9f}; c:\users\AF\AppData\Roaming\Dashlane\bin\Firefox_Extension\{442718d9-475e-452a-b3e1-fb1ee16b8e9f}

FF - ExtSQL: 2012-12-17 03:06; firefox@ghostery.com; c:\users\AF\AppData\Roaming\Mozilla\Firefox\Profiles\ozz1k4lr.default\extensions\firefox@ghostery.com

FF - ExtSQL: 2012-12-17 03:08; {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}; c:\users\AF\AppData\Roaming\Mozilla\Firefox\Profiles\ozz1k4lr.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi

FF - ExtSQL: 2012-12-17 03:09; adblockpopups@jessehakanen.net; c:\users\AF\AppData\Roaming\Mozilla\Firefox\Profiles\ozz1k4lr.default\extensions\adblockpopups@jessehakanen.net.xpi

FF - ExtSQL: 2012-12-17 03:11; tiletabs@DW-dev; c:\users\AF\AppData\Roaming\Mozilla\Firefox\Profiles\ozz1k4lr.default\extensions\tiletabs@DW-dev.xpi

FF - ExtSQL: 2012-12-17 03:47; wrc@avast.com; c:\program files\AVAST Software\Avast\WebRep\FF

FF - ExtSQL: 2012-12-17 23:15; keyscrambler@qfx.software.corporation; c:\users\AF\AppData\Roaming\Mozilla\Firefox\Profiles\ozz1k4lr.default\extensions\keyscrambler@qfx.software.corporation

FF - ExtSQL: 2012-12-19 13:23; {1018e4d6-728f-4b20-ad56-37578a4de76b}; c:\users\AF\AppData\Roaming\Mozilla\Firefox\Profiles\ozz1k4lr.default\extensions\{1018e4d6-728f-4b20-ad56-37578a4de76b}

.

- - - - ORPHANS REMOVED - - - -

.

SafeBoot-66711353.sys

.

.

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]

@Denied: (Full) (Everyone)

.

Completion time: 2013-01-01 13:38:07

ComboFix-quarantined-files.txt 2013-01-01 18:38

.

Pre-Run: 584,443,187,200 bytes free

Post-Run: 584,084,561,920 bytes free

.

- - End Of File - - C4C901EEBF4A3814A62C83F5F26F5DB8


Proceed with the following. But in the meantime, please do not run any other tools on your own for the duration of this case, until I give the all clear.

Step 1

Download and Save McAfee Stinger to your Desktop

http://www.mcafee.com/us/downloads/free-tools/stinger.aspx

Close all browsers before starting. Disable your antivirus program and anti-malware, if any.

How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

On Windows 7 & Vista systems, right-click the Stinger icon and select Run as Administrator.

On XP, double-click to start it.

The GUI interface will look like this: [screenshot: stinger2.png]

The C drive is the default for scanning.

Press the Preferences button. In the top right-block "On virus detection", click Rename

In the bottom block "Heuristic network check for suspicious files" select High

Click the Scan Now button.

When done, use the File menu and select Save report to file

Stinger.txt is the log report and will be saved to your Desktop. I will need a copy of that log.

Stinger is a standalone utility used to detect and remove specific malware. It is not a full scan for all types of malware or viruses.

It is not intended as virus protection.

Step 2

Download Dr.Web CureIt to the desktop.

  • Turn OFF your antivirus program.
    How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs
  • Double-click the drweb-cureit.exe file, then click Start and allow the express scan to run.
  • This will scan the files currently running in memory, and when something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, choose the Complete Scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, look and see if you can click the check icon (check.gif) next to the files found.
  • If so, click it and then click the next icon right below and select Move incurable (as shown in move.gif).
  • This will move it to the %userprofile%\DoctorWeb\quarantaine-folder if it can't be cured (this is in case we need samples).
  • After selecting, in the Dr.Web CureIt menu on top, click File and choose Save report list.
  • Save the report to your desktop. The report will be called DrWeb.csv.
  • Close Dr.Web CureIt.
  • Reboot your computer to allow files that were in use to be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web you saved previously in your next reply.

NOTE: During the scan, a pop-up window will open asking for full version purchase. Simply close the window by clicking on X in upper right corner.

Re-Enable your antivirus program when all done.

Step 3

Please download Junkware Removal Tool to your Desktop.

  • Please close your security software to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista or 7, right-mouse click JRT.exe and select Run as administrator.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete, depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your Desktop and will automatically open.
  • Please post the contents of JRT.txt into your reply, and tell me: how is the system now?
  • Re-enable your security software.


Maurice, the reports......

McAfee® Labs Stinger Version 10.2.0.936 built on Jan 1 2013

Copyright © 2012 McAfee, Inc. All Rights Reserved.

Virus data file v1000.0000 created on Jan 1 2013.

Ready to scan for 6091 viruses, trojans and variants.

Scan initiated on Tue Jan 01 22:45:04 2013

Rootkit scan result : Not Scanned

Master Boot Record(s):....1

Possibly Infected:.............0

Boot Sector(s):.................1

Possibly Infected: ............0

Number of clean files: 13996

____________________________________

With Dr Web CureIt, I couldn't find any option to save a report. However, the scan results were as follows.

Express Scan--- 22034 objects scanned---0 Threats Found

Custom Scan---22086 objects scanned---0 Threats Found

________________________________________________________________________

In my attempt to copy and paste the JRT report it got dumped, but it did say it deleted 7 or 8 items.

As of right now, since I ran Combofix earlier, I have not had Malwarebytes give a notification that it blocked a call out to that IP address, and everything in the system seems to be working well. Thank you for all your help and time, Maurice.

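A check worth adding at this point, as an example added here and not part of Maurice's instructions or of any Malwarebytes tool: a PowerShell function that parses the output of netstat -ano and reports which local process owns a connection to a given remote address, so that a blocked call-out can be traced back to the executable making it. The function name, the 198.51.100.9 documentation-range address and the netstat lines are constructed for this example.

```powershell
# Added example, not from the thread: find which local process owns a
# connection to the remote IP your security software keeps blocking.
# Parses the output format of "netstat -ano" (XP/Vista/7 and later).
function Get-ConnectionsToRemoteIP {
    param(
        [Parameter(Mandatory = $true)]
        [string]$RemoteIP,
        # Defaults to a live snapshot; pass saved lines to analyse them offline.
        [string[]]$NetstatLines = (netstat -ano)
    )
    # A netstat -ano row: Proto, Local Address, Foreign Address, [State], PID
    # (UDP rows have no State column, hence the optional group).
    $row = '^\s*(?<proto>TCP|UDP)\s+(?<local>\S+)\s+(?<remote>\S+)\s+' +
           '(?:(?<state>[A-Z_]+)\s+)?(?<pid>\d+)\s*$'
    foreach ($line in $NetstatLines) {
        if (-not ($line -match $row)) { continue }   # header and blank lines
        # Drop the ":port" suffix so "203.0.113.7:80" compares as "203.0.113.7"
        $remoteHost = $Matches['remote'] -replace ':\d+$', ''
        if ($remoteHost -ne $RemoteIP) { continue }
        $ownerPid = [int]$Matches['pid']   # not $pid, which is PowerShell's own PID
        $state    = if ($Matches['state']) { $Matches['state'] } else { 'n/a' }
        $proc     = Get-Process -Id $ownerPid -ErrorAction SilentlyContinue
        $procName = if ($proc) { $proc.ProcessName } else { '(no longer running)' }
        $procPath = if ($proc) { $proc.Path } else { '' }
        New-Object PSObject -Property @{
            Protocol    = $Matches['proto']
            LocalPort   = ($Matches['local']  -split ':')[-1]
            RemoteIP    = $remoteHost
            RemotePort  = ($Matches['remote'] -split ':')[-1]
            State       = $state
            PID         = $ownerPid
            ProcessName = $procName
            ProcessPath = $procPath
        }
    }
}

# Constructed "netstat -ano" snapshot for demonstration; 198.51.100.9 is a
# documentation-range address standing in for the IP you saw being blocked.
$sampleNetstat = @'
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       812
  TCP    192.168.1.23:49412     198.51.100.9:443       ESTABLISHED     2744
  TCP    192.168.1.23:49420     198.51.100.9:80        SYN_SENT        2744
  UDP    0.0.0.0:5355           *:*                                    1120
'@ -split "`r?`n"

# Both rows for PID 2744 are reported; on a live system ProcessName and
# ProcessPath then point at the executable to inspect.
Get-ConnectionsToRemoteIP -RemoteIP '198.51.100.9' -NetstatLines $sampleNetstat |
    Format-Table Protocol, LocalPort, RemotePort, State, PID, ProcessName -AutoSize
```

Run it without the -NetstatLines argument a few times while the block notification is appearing, since a short-lived connection can be missing from any single snapshot.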

Good going.

We can wrap this up now. I see that you are clear of your original issues.

If you have a problem with these steps, or something does not quite work here, do let me know.

The following few steps will remove tools we used. Advise me after you have completed the cleanups.

We have to remove Combofix and all its associated folders. By whichever name you named it (you had named it ComboFix), put that name in the RUN box stated just below.

The "/uninstall" in the Run line below is to start Combofix for its cleanup & removal function.

Note the space before the slash mark.

The utility must be removed to prevent any unintentional or accidental usage, PLUS, to free up much space on your hard disk.

  • Highlight the line in this CODEBOX. Select & Copy the entire line within this codebox (so that it is in Windows clipboard memory):
    c:\users\AF\Desktop\ComboFix.exe /uninstall


  • Start >> type in cmd >> press the Ctrl+Shift+Enter keyboard combination and cmd.exe will be launched as if you selected Run as Administrator. You will then see a User Account Control prompt asking if you would like to allow the Command Prompt to be able to make changes on your computer. Click on the Yes button and you will now be at the Elevated Command Prompt.
    Do a Right click within the command prompt window and select Paste. This must show the line from Codebox above.
    Then tap Enter

IF in the case Combofix un-install has an issue, skip that step.

NEXT

  • Download OTC to your desktop and run it
  • Click Yes to begin the Cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the Cleanup process. Choose Yes.

ERUNT you should keep and use periodically to back up the Windows registry.

Delete the following if still present:

DrWeb Cure-It

adwcleaner.exe

TDSSKILLER.exe

JRT.exe

Stinger.exe

Safer practices & malware prevention

We are finished here. Best regards.


Thank You, Maurice. The cmd method worked in removing combofix and I ran OTC for whatever else and deleted Dr. Web and Stinger.

I also reinstalled Secunia PSI after uninstalling it before I reinstalled Windows a week or so ago in an attempt to get rid of any malware I had.

I'm skeptical about WOT because a lot of the ratings are based on someone's biases or on people just giving a site a bad rating just to do it.

I've learned my lesson and will never download and install any torrents again. Thanks again for your help and time, Maurice.


This topic is now closed to further replies.