Jump to content

I've got a tough one...


Recommended Posts

I've had what I think is a nasty little bug get into my computer. It started with google search redirect, now google has stopped working alltogether. If I try to go to google, the browser sits there for a long time trying to connect and then cannot display the page. The same thing happens with bing.com. Other things are going wrong, including not being able to display any of the "reCaptcha" phrase boxes that you use to sign into forums and stuff.

Also, on every startup, I get two error boxes that pop up. The first: "There was a problem starting C:\\Users\2011\AppData\Local\Temp\Wedes.dll

The specified module could not be found."

The Second: "There was a problem starting C:\\Users\2011\AppData\Local\Temp\usast.dll

The specified module could not be found."

I ran the malwarebytes program (I've been using it for a while), and nothing came back. I then followed the instructions here: http://forums.malwar...howtopic=81385. The mbam and dds log files are posted below, the other files are attached as requested.

Thanks in advance for the help.

mbam file:

Malwarebytes Anti-Malware 1.70.0.1100

www.malwarebytes.org

Database version: v2013.01.08.02

Windows 7 Service Pack 1 x86 NTFS

Internet Explorer 9.0.8112.16421

2011 :: WINDOWS-KVIHLAV [administrator]

1/7/2013 10:49:48 PM

mbam-log-2013-01-07 (22-49-48).txt

Scan type: Full scan (C:\|D:\|E:\|)

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 423836

Time elapsed: 1 hour(s), 15 minute(s), 14 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

(end)

ddsfile:

DDS (Ver_2012-11-20.01) - NTFS_x86

Internet Explorer: 9.0.8112.16457 BrowserJavaVersion: 1.6.0_33

Run by 2011 at 0:45:01 on 2013-01-08

Microsoft Windows 7 Enterprise 6.1.7601.1.1252.1.1033.18.2046.765 [GMT -6:00]

.

AV: Norton AntiVirus *Enabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}

SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

SP: Norton AntiVirus *Enabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}

.

============== Running Processes ================

.

C:\Windows\system32\wininit.exe

C:\Windows\system32\lsm.exe

C:\Windows\System32\spoolsv.exe

C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Norton AntiVirus\Engine\19.9.0.9\ccSvcHst.exe

C:\Program Files\Norton PC Checkup 3.0\SymcPCCULaunchSvc.exe

C:\Program Files\Norton PC Checkup\Engine\2.0.12.27\ccSvcHst.exe

C:\Program Files\VERIZONDM\bin\sprtsvc.exe

C:\Program Files\VERIZONDM\bin\tgsrvc.exe

C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe

C:\Windows\system32\taskhost.exe

C:\Program Files\Norton AntiVirus\Engine\19.9.0.9\ccSvcHst.exe

C:\Program Files\Norton PC Checkup\Engine\2.0.12.27\ccSvcHst.exe

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\DivX\DivX Update\DivXUpdate.exe

C:\Program Files\VERIZONDM\bin\sprtcmd.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\SpotifyRemotelessHelper\SpotifyRemotelessHelper.exe

C:\Users\2011\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\Program Files\Microsoft Office\Office14\ONENOTEM.EXE

C:\Program Files\iPod\bin\iPodService.exe

C:\Windows\system32\SearchIndexer.exe

C:\Program Files\Windows Media Player\wmpnetwk.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Windows\notepad.exe

C:\Windows\system32\SearchProtocolHost.exe

C:\Windows\system32\SearchFilterHost.exe

C:\Windows\system32\conhost.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\svchost.exe -k RPCSS

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Windows\system32\svchost.exe -k imgsvc

.

attach.zip

Link to post
Share on other sites

  • Staff

Please run the following:

Please download Malwarebytes Anti-Rootkit and save it to your desktop.

  • Be sure to print out and follow the instructions provided on that same page for performing a scan.
  • Caution: This is a beta version so also read the disclaimer and back up all your data before using.
  • When the scan completes, click on the Cleanup button to remove any threats found and reboot the computer if prompted to do so.
  • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  • If there are problems with Internet access, Windows Update, Windows Firewall or other system issues, run the fixdamage tool located in the folder Malwarebytes Anti-Rootkit was run from and reboot your computer.
  • Two files (mbar-log-YYYY-MM-DD, system-log.txt) will be created and saved within that same folder.
  • Copy and paste the contents of these two log files in your next reply.

Note: Further documentation can be found in the ReadMe.rtf file which is located in the Malwarebytes Anti-Rootkit folder.

Link to post
Share on other sites

I ran it according to the instructions, no malware was found. Here are the log files:

Malwarebytes Anti-Rootkit 1.01.0.1011

www.malwarebytes.org

Database version: v2013.01.08.10

Windows 7 Service Pack 1 x86 NTFS

Internet Explorer 9.0.8112.16421

2011 :: WINDOWS-KVIHLAV [administrator]

1/8/2013 11:39:21 AM

mbar-log-2013-01-08 (11-39-21).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P

Scan options disabled:

Objects scanned: 28827

Time elapsed: 8 minute(s), 15 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

(end)

---------------------------------------

Malwarebytes Anti-Rootkit BETA 1.01.0.1011

© Malwarebytes Corporation 2011-2012

OS version: 6.1.7601 Windows 7 Service Pack 1 x86

Account is Administrative

Internet Explorer version: 9.0.8112.16421

Java version: 1.6.0_33

File system is: NTFS

Disk drives: C:\ DRIVE_FIXED

CPU speed: 2.605000 GHz

Memory total: 2145837056, free: 1256112128

------------ Kernel report ------------

01/08/2013 11:30:32

------------ Loaded modules -----------

\SystemRoot\system32\ntkrnlpa.exe

\SystemRoot\system32\halmacpi.dll

\SystemRoot\system32\kdcom.dll

\SystemRoot\system32\mcupdate_AuthenticAMD.dll

\SystemRoot\system32\PSHED.dll

\SystemRoot\system32\BOOTVID.dll

\SystemRoot\system32\CLFS.SYS

\SystemRoot\system32\CI.dll

\SystemRoot\system32\drivers\Wdf01000.sys

\SystemRoot\system32\drivers\WDFLDR.SYS

\SystemRoot\system32\drivers\ACPI.sys

\SystemRoot\system32\drivers\WMILIB.SYS

\SystemRoot\system32\drivers\msisadrv.sys

\SystemRoot\system32\drivers\pci.sys

\SystemRoot\system32\drivers\vdrvroot.sys

\SystemRoot\System32\drivers\partmgr.sys

\SystemRoot\system32\drivers\volmgr.sys

\SystemRoot\System32\drivers\volmgrx.sys

\SystemRoot\System32\drivers\mountmgr.sys

\SystemRoot\system32\drivers\nvstor.sys

\SystemRoot\system32\drivers\storport.sys

\SystemRoot\system32\drivers\amdxata.sys

\SystemRoot\system32\drivers\fltmgr.sys

\SystemRoot\system32\drivers\NAV\1309000.009\SYMDS.SYS

\SystemRoot\system32\drivers\fileinfo.sys

\SystemRoot\system32\drivers\NAV\1309000.009\SYMEFA.SYS

\SystemRoot\System32\Drivers\PxHelp20.sys

\SystemRoot\System32\Drivers\Ntfs.sys

\SystemRoot\System32\Drivers\msrpc.sys

\SystemRoot\System32\Drivers\ksecdd.sys

\SystemRoot\System32\Drivers\cng.sys

\SystemRoot\System32\drivers\pcw.sys

\SystemRoot\System32\Drivers\Fs_Rec.sys

\SystemRoot\system32\drivers\ndis.sys

\SystemRoot\system32\drivers\NETIO.SYS

\SystemRoot\System32\Drivers\ksecpkg.sys

\SystemRoot\System32\drivers\tcpip.sys

\SystemRoot\System32\drivers\fwpkclnt.sys

\SystemRoot\system32\drivers\vmstorfl.sys

\SystemRoot\system32\drivers\volsnap.sys

\SystemRoot\System32\Drivers\spldr.sys

\SystemRoot\System32\drivers\rdyboost.sys

\SystemRoot\System32\Drivers\mup.sys

\SystemRoot\System32\drivers\hwpolicy.sys

\SystemRoot\System32\DRIVERS\fvevol.sys

\SystemRoot\system32\drivers\disk.sys

\SystemRoot\system32\drivers\CLASSPNP.SYS

\SystemRoot\system32\DRIVERS\cdrom.sys

\SystemRoot\system32\drivers\NAV\1309000.009\ccSetx86.sys

\SystemRoot\system32\drivers\NAV\1309000.009\Ironx86.SYS

\SystemRoot\System32\Drivers\Null.SYS

\SystemRoot\System32\Drivers\Beep.SYS

\SystemRoot\System32\drivers\vga.sys

\SystemRoot\System32\drivers\VIDEOPRT.SYS

\SystemRoot\System32\drivers\watchdog.sys

\SystemRoot\System32\DRIVERS\RDPCDD.sys

\SystemRoot\system32\drivers\rdpencdd.sys

\SystemRoot\system32\drivers\rdprefmp.sys

\SystemRoot\System32\Drivers\Msfs.SYS

\SystemRoot\System32\Drivers\Npfs.SYS

\SystemRoot\system32\DRIVERS\tdx.sys

\SystemRoot\system32\DRIVERS\TDI.SYS

\SystemRoot\system32\drivers\afd.sys

\SystemRoot\System32\DRIVERS\netbt.sys

\SystemRoot\system32\DRIVERS\wfplwf.sys

\SystemRoot\system32\DRIVERS\pacer.sys

\SystemRoot\system32\DRIVERS\vwififlt.sys

\SystemRoot\system32\DRIVERS\netbios.sys

\SystemRoot\system32\DRIVERS\serial.sys

\SystemRoot\system32\DRIVERS\wanarp.sys

\SystemRoot\system32\DRIVERS\termdd.sys

\SystemRoot\System32\Drivers\NAV\1309000.009\SYMNETS.SYS

\??\C:\Windows\system32\Drivers\SYMEVENT.SYS

\SystemRoot\system32\drivers\NAV\1309000.009\SRTSPX.SYS

\SystemRoot\system32\DRIVERS\rdbss.sys

\SystemRoot\system32\drivers\nsiproxy.sys

\SystemRoot\system32\DRIVERS\mssmbios.sys

\??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_19.1.1.3\Definitions\IPSDefs\20130105.001\IDSvix86.sys

\??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys

\??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys

\SystemRoot\System32\drivers\discache.sys

\SystemRoot\system32\drivers\csc.sys

\SystemRoot\System32\Drivers\dfsc.sys

\SystemRoot\system32\DRIVERS\blbdrive.sys

\??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_19.1.1.3\Definitions\BASHDefs\20121130.005\BHDrvx86.sys

\SystemRoot\system32\DRIVERS\tunnel.sys

\SystemRoot\system32\DRIVERS\amdk8.sys

\SystemRoot\system32\DRIVERS\b57nd60x.sys

\SystemRoot\system32\DRIVERS\atikmdag.sys

\SystemRoot\System32\drivers\dxgkrnl.sys

\SystemRoot\System32\drivers\dxgmms1.sys

\SystemRoot\system32\DRIVERS\usbohci.sys

\SystemRoot\system32\DRIVERS\USBPORT.SYS

\SystemRoot\system32\DRIVERS\usbehci.sys

\SystemRoot\system32\DRIVERS\GEARAspiWDM.sys

\SystemRoot\system32\DRIVERS\HDAudBus.sys

\SystemRoot\system32\DRIVERS\serenum.sys

\SystemRoot\system32\DRIVERS\parport.sys

\SystemRoot\system32\DRIVERS\CompositeBus.sys

\SystemRoot\system32\DRIVERS\AgileVpn.sys

\SystemRoot\system32\DRIVERS\rasl2tp.sys

\SystemRoot\system32\DRIVERS\ndistapi.sys

\SystemRoot\system32\DRIVERS\ndiswan.sys

\SystemRoot\system32\DRIVERS\raspppoe.sys

\SystemRoot\system32\DRIVERS\raspptp.sys

\SystemRoot\system32\DRIVERS\rassstp.sys

\SystemRoot\system32\DRIVERS\rdpbus.sys

\SystemRoot\system32\DRIVERS\kbdclass.sys

\SystemRoot\system32\DRIVERS\mouclass.sys

\SystemRoot\system32\DRIVERS\swenum.sys

\SystemRoot\system32\DRIVERS\ks.sys

\SystemRoot\system32\DRIVERS\umbus.sys

\SystemRoot\system32\DRIVERS\usbhub.sys

\SystemRoot\System32\Drivers\NDProxy.SYS

\SystemRoot\system32\drivers\HdAudio.sys

\SystemRoot\system32\drivers\portcls.sys

\SystemRoot\system32\drivers\drmk.sys

\SystemRoot\system32\DRIVERS\usbccgp.sys

\SystemRoot\system32\DRIVERS\USBD.SYS

\SystemRoot\system32\DRIVERS\hidusb.sys

\SystemRoot\system32\DRIVERS\HIDCLASS.SYS

\SystemRoot\system32\DRIVERS\HIDPARSE.SYS

\SystemRoot\System32\Drivers\GKUPRO2D.sys

\SystemRoot\System32\Drivers\SMCLIB.SYS

\SystemRoot\System32\DRIVERS\scfilter.sys

\SystemRoot\system32\DRIVERS\kbdhid.sys

\SystemRoot\system32\DRIVERS\mouhid.sys

\SystemRoot\System32\Drivers\crashdmp.sys

\SystemRoot\System32\Drivers\dump_diskdump.sys

\SystemRoot\System32\Drivers\dump_nvstor.sys

\SystemRoot\System32\Drivers\dump_dumpfve.sys

\SystemRoot\system32\DRIVERS\USBSTOR.SYS

\SystemRoot\System32\win32k.sys

\SystemRoot\System32\drivers\Dxapi.sys

\SystemRoot\system32\DRIVERS\monitor.sys

\SystemRoot\System32\TSDDD.dll

\SystemRoot\System32\cdd.dll

\SystemRoot\system32\drivers\luafv.sys

\SystemRoot\system32\DRIVERS\lltdio.sys

\SystemRoot\system32\DRIVERS\nwifi.sys

\SystemRoot\system32\DRIVERS\ndisuio.sys

\SystemRoot\system32\DRIVERS\rspndr.sys

\SystemRoot\system32\drivers\HTTP.sys

\SystemRoot\system32\DRIVERS\bowser.sys

\SystemRoot\System32\drivers\mpsdrv.sys

\SystemRoot\system32\DRIVERS\mrxsmb.sys

\SystemRoot\system32\DRIVERS\mrxsmb10.sys

\SystemRoot\system32\DRIVERS\mrxsmb20.sys

\SystemRoot\system32\DRIVERS\parvdm.sys

\SystemRoot\system32\drivers\peauth.sys

\SystemRoot\System32\Drivers\secdrv.SYS

\SystemRoot\System32\DRIVERS\srvnet.sys

\SystemRoot\System32\drivers\tcpipreg.sys

\SystemRoot\System32\DRIVERS\srv2.sys

\SystemRoot\System32\DRIVERS\srv.sys

\??\C:\Windows\system32\drivers\mbam.sys

\SystemRoot\System32\Drivers\NAV\1309000.009\SRTSP.SYS

\SystemRoot\system32\DRIVERS\asyncmac.sys

\??\C:\Users\2011\AppData\Local\Temp\mbr.sys

\??\C:\Users\2011\AppData\Local\Temp\afpiypoc.sys

\??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_19.1.1.3\Definitions\VirusDefs\20130107.023\NAVEX15.SYS

\??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_19.1.1.3\Definitions\VirusDefs\20130107.023\NAVENG.SYS

\??\C:\Windows\system32\drivers\mbamchameleon.sys

\??\C:\Windows\system32\drivers\mbamswissarmy.sys

\Windows\System32\ntdll.dll

\Windows\System32\smss.exe

\Windows\System32\apisetschema.dll

----------- End -----------

<<<1>>>

Upper Device Name: \Device\Harddisk0\DR0

Upper Device Object: 0xffffffff85a7ba20

Upper Device Driver Name: \Driver\Disk\

Lower Device Name: \Device\00000063\

Lower Device Object: 0xffffffff853bec68

Lower Device Driver Name: \Driver\nvstor\

Driver name found: nvstor

DriverEntry returned 0x0

Function returned 0x0

Downloaded database version: v2013.01.08.10

Downloaded database version: v2013.01.04.01

Initializing...

Done!

<<<2>>>

Device number: 0, partition: 1

Physical Sector Size: 512

Drive: 0, DevicePointer: 0xffffffff85a7ba20, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\

--------- Disk Stack ------

DevicePointer: 0xffffffff85a7b658, DeviceName: Unknown, DriverName: \Driver\partmgr\

DevicePointer: 0xffffffff85a7ba20, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\

DevicePointer: 0xffffffff84a52700, DeviceName: Unknown, DriverName: \Driver\ACPI\

DevicePointer: 0xffffffff853bec68, DeviceName: \Device\00000063\, DriverName: \Driver\nvstor\

------------ End ----------

Upper DeviceData: 0xffffffffcb90a068, 0xffffffff85a7ba20, 0xffffffff8f904990

Lower DeviceData: 0xffffffffa5311bc0, 0xffffffff853bec68, 0xffffffff84cc42b0

<<<3>>>

Volume: C:

File system type: NTFS

SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes

Scanning directory: C:\Windows\system32\drivers...

Done!

Drive 0

Scanning MBR on drive 0...

Inspecting partition table:

MBR Signature: 55AA

Disk Signature: B20D2E58

Partition information:

Partition 0 type is Primary (0x7)

Partition is ACTIVE.

Partition starts at LBA: 2048 Numsec = 488277154

Partition file system is NTFS

Partition is bootable

Partition 1 type is Empty (0x0)

Partition is NOT ACTIVE.

Partition starts at LBA: 0 Numsec = 0

Partition 2 type is Empty (0x0)

Partition is NOT ACTIVE.

Partition starts at LBA: 0 Numsec = 0

Partition 3 type is Empty (0x0)

Partition is NOT ACTIVE.

Partition starts at LBA: 0 Numsec = 0

Disk Size: 250000000000 bytes

Sector size: 512 bytes

Scanning physical sectors of unpartitioned space on drive 0 (1-2047-488261250-488281250)...

Done!

Performing system, memory and registry scan...

Done!

Scan finished

=======================================

Link to post
Share on other sites

  • Staff

Please run the following

Refer to the ComboFix User's Guide

  1. Download ComboFix from the following location:
    Link
    * IMPORTANT !!! Place ComboFix.exe on your Desktop
  2. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
    You can get help on disabling your protection programs here
  3. Double click on ComboFix.exe & follow the prompts.
  4. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  5. When finished, it shall produce a log for you. Post that log in your next reply
    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
    ---------------------------------------------------------------------------------------------
  6. Ensure your AntiVirus and AntiSpyware applications are re-enabled.
    ---------------------------------------------------------------------------------------------

NOTE: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.

Link to post
Share on other sites

CatByte,

That seems to have fixed my problem, I can now access www.google.com, and reCaptcha boxes are now showing up. Thank you so much! We would certainly be lost without the good people out there working harder to stop the bad ones than the bad people are working to screw things up.

Here's the log file that combofix created. Is there anything else I need to do to finish the cleanup?

ComboFix 13-01-08.01 - 2011 01/08/2013 23:39:58.1.2 - x86

Microsoft Windows 7 Enterprise 6.1.7601.1.1252.1.1033.18.2046.1159 [GMT -6:00]

Running from: c:\users\2011\Desktop\ComboFix.exe

AV: Norton AntiVirus *Disabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}

SP: Norton AntiVirus *Disabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}

SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\windows\isRS-000.tmp

c:\windows\system32\Packet.dll

c:\windows\system32\pthreadVC.dll

c:\windows\system32\WanPacket.dll

c:\windows\system32\wpcap.dll

.

.

((((((((((((((((((((((((( Files Created from 2012-12-09 to 2013-01-09 )))))))))))))))))))))))))))))))

.

.

2013-01-09 05:46 . 2013-01-09 05:47 -------- d-----w- c:\users\2011\AppData\Local\temp

2013-01-09 05:46 . 2013-01-09 05:46 -------- d-----w- c:\users\Default\AppData\Local\temp

2013-01-08 04:43 . 2013-01-08 04:43 -------- d-----w- c:\users\2011\AppData\Local\Programs

2012-12-22 09:01 . 2012-12-16 14:13 295424 ----a-w- c:\windows\system32\atmfd.dll

2012-12-22 09:01 . 2012-12-16 14:13 34304 ----a-w- c:\windows\system32\atmlib.dll

2012-12-12 07:14 . 2012-11-22 02:56 2345984 ----a-w- c:\windows\system32\win32k.sys

2012-12-12 07:13 . 2012-10-04 16:40 3072 ---ha-w- c:\windows\system32\api-ms-win-core-console-l1-1-0.dll

2012-12-12 07:13 . 2012-11-02 05:11 376832 ----a-w- c:\windows\system32\dpnet.dll

2012-12-12 07:13 . 2012-11-09 04:42 2048 ----a-w- c:\windows\system32\tzres.dll

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-12-14 22:49 . 2012-06-07 12:36 21104 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-11-07 03:37 . 2012-04-12 12:21 697272 ----a-w- c:\windows\system32\FlashPlayerApp.exe

2012-11-07 03:37 . 2011-05-23 01:18 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2012-10-16 07:39 . 2012-11-28 13:54 561664 ----a-w- c:\windows\apppatch\AcLayers.dll

2012-12-05 06:27 . 2012-12-05 06:27 262112 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Spotify"="c:\users\2011\AppData\Roaming\Spotify\Spotify.exe" [2012-05-20 9478320]

"RemotelessHelper"="c:\program files\SpotifyRemotelessHelper\SpotifyRemotelessHelper.exe" [2011-12-12 2280448]

"Spotify Web Helper"="c:\users\2011\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe" [2012-05-20 932528]

"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-07-05 421888]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-08-19 421736]

"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-07-28 1259376]

"VERIZONDM"="c:\program files\VERIZONDM\bin\sprtcmd.exe" [2011-12-01 206120]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-27 919008]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

"Z1"="c:\users\2011\Desktop\mbar-1.01.0.1011\mbar\mbar.exe" [2013-01-08 1342312]

.

c:\users\2011\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

OneNote 2010 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office14\ONENOTEM.EXE [2011-9-2 227712]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"= 5 (0x5)

"ConsentPromptBehaviorUser"= 3 (0x3)

"EnableUIADesktopToggle"= 0 (0x0)

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"aux"=wdmaud.drv

.

R2 MBAMScheduler;MBAMScheduler;c:\program files\Malwarebytes' Anti-Malware\mbamscheduler.exe [x]

R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [x]

R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [x]

R3 Linksys_adapter_H;Linksys Adapter Network Driver;c:\windows\system32\DRIVERS\AE2500w7.sys [x]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]

R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [x]

R3 Synth3dVsc;Microsoft Virtual 3D Video Transport Driver;c:\windows\system32\drivers\Synth3dVsc.sys [x]

R3 terminpt;Microsoft Remote Desktop Input Driver;c:\windows\system32\drivers\terminpt.sys [x]

R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]

R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [x]

R3 tsusbhub;Remote Deskotop USB Hub;c:\windows\system32\drivers\tsusbhub.sys [x]

R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]

R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]

S0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NAV\1309000.009\SYMDS.SYS [x]

S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NAV\1309000.009\SYMEFA.SYS [x]

S1 BHDrvx86;BHDrvx86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_19.1.1.3\Definitions\BASHDefs\20130107.001\BHDrvx86.sys [x]

S1 ccSet_NAV;Norton AntiVirus Settings Manager;c:\windows\system32\drivers\NAV\1309000.009\ccSetx86.sys [x]

S1 IDSVix86;IDSVix86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_19.1.1.3\Definitions\IPSDefs\20130108.002\IDSvix86.sys [x]

S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NAV\1309000.009\Ironx86.SYS [x]

S1 SymNetS;Symantec Network Security WFP Driver;c:\windows\System32\Drivers\NAV\1309000.009\SYMNETS.SYS [x]

S2 NAV;Norton AntiVirus;c:\program files\Norton AntiVirus\Engine\19.9.0.9\ccSvcHst.exe [x]

S2 Norton PC Checkup Application Launcher;Norton PC Checkup Application Launcher;c:\program files\Norton PC Checkup 3.0\SymcPCCULaunchSvc.exe [x]

S2 PCCUJobMgr;Common Client Job Manager Service;c:\program files\Norton PC Checkup\Engine\2.0.12.27\ccSvcHst.exe [x]

S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [x]

S2 sprtsvc_verizondm;SupportSoft Sprocket Service (verizondm);c:\program files\VERIZONDM\bin\sprtsvc.exe [x]

S2 tgsrvc_verizondm;SupportSoft Repair Service (verizondm);c:\program files\VERIZONDM\bin\tgsrvc.exe [x]

S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [x]

S3 GKUPRO2D;GKUPRO2D;c:\windows\system32\Drivers\GKUPRO2D.sys [x]

.

.

--- Other Services/Drivers In Memory ---

.

*NewlyCreated* - AFPIYPOC

*Deregistered* - afpiypoc

.

Contents of the 'Scheduled Tasks' folder

.

2013-01-08 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2011-10-31 16:55]

.

2013-01-09 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2011-10-31 16:55]

.

.

------- Supplementary Scan -------

.

uInternet Settings,ProxyOverride = *.local

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office14\EXCEL.EXE/3000

IE: Se&nd to OneNote - c:\progra~1\MICROS~1\Office14\ONBttnIE.dll/105

TCP: DhcpNameServer = 192.168.1.1 4.2.2.2

FF - ProfilePath - c:\users\2011\AppData\Roaming\Mozilla\Firefox\Profiles\1z5fxem1.default\

FF - prefs.js: browser.search.selectedEngine - Yahoo

FF - prefs.js: network.proxy.type - 0

.

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\NAV]

"ImagePath"="\"c:\program files\Norton AntiVirus\Engine\19.9.0.9\ccSvcHst.exe\" /s \"NAV\" /m \"c:\program files\Norton AntiVirus\Engine\19.9.0.9\diMaster.dll\" /prefetch:1"

--

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PCCUJobMgr]

"ImagePath"="\"c:\program files\Norton PC Checkup\Engine\2.0.12.27\ccSvcHst.exe\" /s \"PCCUJobMgr\" /m \"c:\program files\Norton PC Checkup\Engine\2.0.12.27\diMaster.dll\" /prefetch:1"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]

@Denied: (Full) (Everyone)

.

Completion time: 2013-01-08 23:48:58

ComboFix-quarantined-files.txt 2013-01-09 05:48

.

Pre-Run: 178,815,897,600 bytes free

Post-Run: 179,647,672,320 bytes free

.

- - End Of File - - A1452C96FC81825F1B790539B4DD9849

Link to post
Share on other sites

  • Staff

there are a few more scans that I would like to run just to make certain there are no leftovers, please run the following:

Please download Junkware Removal Tool to your desktop.

  • Shutdown your antivirus to avoid any conflicts.
  • Right-mouse click JRT.exe and select Run as administrator
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message

NEXT

Download AdwCleaner from here and save it to your desktop.

  • Run AdwCleaner and select Delete
  • Once done it will ask to reboot, allow the reboot
  • On reboot a log will be produced, please attach the content of the log to your next reply

NEXT

  • Please open your MalwareBytes AntiMalware Program
  • Click the Update Tab and search for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note:If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.

NEXT

Go here to run an online scanner from ESET.

  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activeX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan completes, press the LIST OF THREATS FOUND button
  • Press EXPORT TO TEXT FILE , name the file ESETSCAN and save it to your desktop
  • Include the contents of this report in your next reply.
  • Press the BACK button.
  • Press Finish

Link to post
Share on other sites

Ran them last night, here's the results:

JRT:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Junkware Removal Tool (JRT) by Thisisu

Version: 4.4.2 (01.08.2013:1)

OS: Windows 7 Enterprise x86

Ran by 2011 on Wed 01/09/2013 at 18:35:20.27

Blog: http://thisisudax.blogspot.com

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

~~~ Services

~~~ Registry Values

~~~ Registry Keys

~~~ Files

~~~ Folders

Successfully deleted: [Folder] "C:\Users\2011\AppData\Roaming\pccustubinstaller"

Successfully deleted: [Folder] "C:\Users\2011\appdata\locallow\boost_interprocess"

Successfully deleted: [Folder] "C:\ProgramData\ask"

~~~ FireFox

Successfully deleted: [File] C:\Users\2011\AppData\Roaming\mozilla\firefox\profiles\1z5fxem1.default\searchplugins\askcom.xml

Successfully deleted the following from C:\Users\2011\AppData\Roaming\mozilla\firefox\profiles\1z5fxem1.default\prefs.js

user_pref("browser.search.order.1", "Ask.com");

Emptied folder: C:\Users\2011\AppData\Roaming\mozilla\firefox\profiles\1z5fxem1.default\minidumps [21 files]

~~~ Event Viewer Logs were cleared

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Scan was completed on Wed 01/09/2013 at 18:38:42.29

End of JRT log

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

AdwCleaner:

# AdwCleaner v2.105 - Logfile created 01/09/2013 at 18:51:11

# Updated 08/01/2013 by Xplode

# Operating system : Windows 7 Enterprise Service Pack 1 (32 bits)

# User : 2011 - WINDOWS-KVIHLAV

# Boot Mode : Normal

# Running from : C:\Users\2011\Desktop\AdwCleaner.exe

# Option [Delete]

***** [services] *****

***** [Files / Folders] *****

***** [Registry] *****

Key Deleted : HKLM\SOFTWARE\Classes\Interface\{79FB5FC8-44B9-4AF5-BADD-CCE547F953E5}

***** [internet Browsers] *****

-\\ Internet Explorer v9.0.8112.16457

[OK] Registry is clean.

-\\ Mozilla Firefox v17.0.1 (en-US)

File : C:\Users\2011\AppData\Roaming\Mozilla\Firefox\Profiles\1z5fxem1.default\prefs.js

[OK] File is clean.

*************************

AdwCleaner[s1].txt - [757 octets] - [09/01/2013 18:51:11]

########## EOF - C:\AdwCleaner[s1].txt - [816 octets] ##########

MBAM:

Malwarebytes Anti-Malware 1.70.0.1100

www.malwarebytes.org

Database version: v2013.01.09.10

Windows 7 Service Pack 1 x86 NTFS

Internet Explorer 9.0.8112.16421

2011 :: WINDOWS-KVIHLAV [administrator]

1/9/2013 7:00:15 PM

mbam-log-2013-01-09 (19-00-15).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 227801

Time elapsed: 3 minute(s), 42 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

(end)

ESET:

C:\TDSSKiller_Quarantine\09.07.2012_20.26.15\mbr0000\tdlfs0000\tsk0005.dta a variant of Win32/Rootkit.Kryptik.KS trojan

Link to post
Share on other sites

  • Staff

looking better

javaicon.gif

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.

Please follow these steps to remove older version of Java components and upgrade the application.

Upgrading Java:

  • Go to this site and click on "Do I have Java"
  • It will check your current version and then offer to update to the latest version
  • Watch for and make sure you untick the box next to whatever free program they prompt you to install during the installation, unless you want it.

Note: Check in Programs and Features (or Add/Remove Programs if you are an XP user) to make certain there are no old versions of Java still installed, if there are - remove them.

NEXT

Please advise how the computer is running now and if there are any outstanding issues

Link to post
Share on other sites

  • 2 weeks later...

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.