URL:Mal Infection. Tried all, need help w/ComboFix

[AnaB29]

Hello,

 

I have a Win/7 system that is infected with URL:Mal malware.  I've thrown everything that I can at it and it still persists. 

Sofar I've:

run Avast, Malwarebytes (both free versions) SuperAntiVirus, RKill, RougeKiller, FixNCR.reg, TDSSKILLER, Stinger. I used Highjackthis to kill the process for GorillaPrice\gopr.exe, stopped and disabled the service WatGorp for same...it's still here.

 

Then I stumbled across a thread closely related in this forum: http://forums.malwarebytes.org/index.php?showtopic=129076%C2'>

 

I read all the scary info regarding the use of ComboFix by non professional malware removers, so I'm looking for a 'supervisor' to walk me through using it to rid my system of this menace.  It worked for the author of the post.

 

Is there anyone in this forum who is able to help?  If not can you tell me where I can find some one to help with this issue?

 

Thanks so much,

Ana

 

PS: I have the dds files that I can attach if needed.

[Maniac]

Hello Ana and ! My name is Borislav and I will be glad to help you solve your malware problem.

Please note:

• If you are a paying customer, you have the privilege to contact the help desk at Consumer Support. If you choose this option to get help, please let me know.
• I recommend you to keep the instructions I will be giving you so that they are available to you at any time. You can save them in a text file or print them.
• Make sure you read all of the instructions and fixes thoroughly before continuing with them.
• Follow my instructions strictly and don’t hesitate to stop and ask me if you have any questions.
• Post your log files, don't attach them. Every log file should be copy/pasted in your next reply.
• Do not perform any kind of scanning and fixing without my instructions. If you want to proceed on your own, please let me know.

Why are you running all of these tools such as RogueKiller? If you do not understand anything from them do not use fix button, because you could seriously heart your system. Why do you want to use ComboFix? I don't understand.

Just post your DDS log files.

[AnaB29]

Thank You Borislav for your offer of help.

 

I've run all of these tools (though not all at the same time before) for other virus/malware issues and they worked to rid my system of the problem at the time.

 

I want to run ComboFix now, because this seems to be the only solution to rid my system of this particularly tenacious piece of malware.  I'm asking for help because of all the warnings about non professional use of ComboFix. I've pasted the DDS file in this reply, but if is better to attach it  please let me know and I will do it that way in the future.

 

Here is the DDS log file:

 

DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 10.0.9200.16660
Run by AngelaReyes at 9:17:06 on 2013-08-23
Microsoft Windows 7 Professional   6.1.7601.1.1252.1.1033.18.8190.5860 [GMT -7:00]
.
AV: avast! Antivirus *Enabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Enabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
C:\Windows\system32\nvvsvc.exe
C:\Program Files\Tablet\Wacom\WTabletServicePro.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe
C:\Program Files (x86)\GIGABYTE\EnergySaver\GSvr.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files (x86)\Motorola Mobility\Motorola Device Manager\MotoHelperService.exe
C:\Program Files (x86)\PGP Corporation\PGP Desktop\RDDService.exe
C:\Program Files (x86)\Motorola\MotForwardDaemon\ForwardDaemon.exe
C:\Program Files (x86)\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\UI0Detect.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\WUDFHost.exe
C:\Program Files (x86)\Motorola Mobility\Motorola Device Manager\MotoHelperAgent.exe
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE
C:\Program Files\Tablet\Wacom\Wacom_TabletUser.exe
C:\Program Files (x86)\Uniblue\ProcessQuickLink 2\ProcessQuickLink2.exe
C:\Program Files\Tablet\Wacom\WacomHost.exe
C:\Program Files\Tablet\Wacom\Wacom_TouchUser.exe
C:\Program Files\Tablet\Wacom\Wacom_Tablet.exe
C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Users\AngelaReyes\AppData\Roaming\GorillaPrice\gopr.exe
C:\Program Files\AVAST Software\Avast\AvastUI.exe
C:\Program Files (x86)\ArcSoft\MediaConverter 3\Monitor.exe
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
C:\Program Files\Evoluent\VMouse\V4\EvoMouseExec.exe
C:\Program Files (x86)\Carbonite\Carbonite Backup\CarboniteUI.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files (x86)\PGP Corporation\PGP Desktop\PGPtray.exe
C:\Users\AngelaReyes\AppData\Roaming\Dropbox\bin\Dropbox.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files (x86)\PGP Corporation\PGP Desktop\PGPcbt64.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\wuauclt.exe
C:\Windows\System32\svchost.exe -k swprv
C:\Windows\system32\svchost.exe -k SDRSVC
C:\Windows\system32\vssvc.exe
C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE
C:\Windows\splwow64.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.

uURLSearchHooks: DeviceVM Url Search Hook: {0063BF63-BFFF-4B8F-9D26-4267DF7F17DD} - C:\Windows\SysWOW64\dvmurl.dll
mWinlogon: Userinit = userinit.exe,
BHO: ContributeBHO Class: {074C1DC5-9320-4A9A-947D-C042949C6216} - LocalServer32 - <no file>
BHO: IEPlugin Class: {11222041-111B-46E3-BD29-EFB2449479B1} - C:\Program Files (x86)\ArcSoft\Video Downloader\ArcURLRecord.dll
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Canon Easy-WebPrint EX BHO: {3785D0AD-BFFF-47F6-BF5B-A587C162FED9} - C:\Program Files (x86)\Canon\Easy-WebPrint EX\ewpexbho.dll
BHO: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - <orphaned>
BHO: avast! Online Security: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: ToolbarBHO Class: {9519AF7E-638D-4933-BAD6-D33D23C79FE5} - C:\Program Files (x86)\ArcSoft\RAW Thumbnail Viewer\EXIFToolBar.dll
BHO: Adobe PDF Conversion Toolbar Helper: {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
BHO: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} -
BHO: SmartSelect Class: {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
TB: Canon Easy-WebPrint EX: {759D9886-0C6F-4498-BAB6-4A5F47C6C72F} - C:\Program Files (x86)\Canon\Easy-WebPrint EX\ewpexhlp.dll
TB: Adobe PDF: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
TB: Canon Easy-WebPrint EX: {759D9886-0C6F-4498-BAB6-4A5F47C6C72F} - C:\Program Files (x86)\Canon\Easy-WebPrint EX\ewpexhlp.dll
TB: Adobe PDF: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
TB: Contribute Toolbar: {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - LocalServer32 - <no file>
TB: RAW Thumbnail Viewer: {F301665A-12F8-4331-804A-5BCBD379668C} - C:\Program Files (x86)\ArcSoft\RAW Thumbnail Viewer\EXIFToolBar.dll
TB: avast! Online Security: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
EB: Canon Easy-WebPrint EX: {21347690-EC41-4F9A-8887-1F4AEE672439} - C:\Program Files (x86)\Canon\Easy-WebPrint EX\ewpexhlp.dll
uRun: [AdobeBridge] <no file>
mRun: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui
mRun: [JMB36X IDE Setup] C:\Windows\RaidTool\xInsIDE.exe
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [AdobeCS4ServiceManager] "C:\Program Files (x86)\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
mRun: [Adobe Acrobat Speed Launcher] "C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe"
mRun: [Acrobat Assistant 8.0] "C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe"
mRun: [Adobe_ID0ENQBO] C:\PROGRA~2\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
mRun: [Carbonite Backup] C:\Program Files (x86)\Carbonite\Carbonite Backup\CarboniteUI.exe
mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun: [GorillaPrice] "C:\Users\AngelaReyes\AppData\Roaming\GorillaPrice\gopr.exe"
StartupFolder: C:\Users\ANGELA~1\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Dropbox.lnk - C:\Users\AngelaReyes\AppData\Roaming\Dropbox\bin\Dropbox.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\DEVICE~1.LNK - C:\Program Files (x86)\ArcSoft\MediaConverter 3\Monitor.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\EVOLUE~1.LNK - C:\Windows\Installer\{0F8F4447-1F0B-4703-9BD5-53F0274CE856}\_B5CB566BBFE908A7621D0F.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\PGPTRA~1.LNK - C:\Windows\Installer\{2421B2BB-C09A-4594-842D-CA3ED17E946A}\Icon6560581611.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\QUICKB~1.LNK - C:\Program Files (x86)\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: Append Link Target to Existing PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE/3000
IE: Read EXIF - C:\Program Files (x86)\ArcSoft\RAW Thumbnail Viewer\ArcEXIFM.htm
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
LSP: C:\Windows\System32\PGPlsp.dll
TCP: NameServer = 162.207.168.38
TCP: Interfaces\{2681DCEE-0A9C-4857-967D-E6ABA487D013} : DHCPNameServer = 162.207.168.38
Handler: intu-help-qb1 - {9B0F96C7-2E4B-433e-ABF3-043BA1B54AE3} - C:\Program Files (x86)\Intuit\QuickBooks 2008\HelpAsyncPluggableProtocol.dll
Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} -
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
AppInit_DLLs= pgpmapih.dll
SSODL: WebCheck - <orphaned>
LSA: Notification Packages =  scecli PGPpwflt
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "C:\Program Files (x86)\Google\Chrome\Application\29.0.1547.57\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
x64-BHO: avast! Online Security: {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll
x64-BHO: Java Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll
x64-BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
x64-BHO: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll
x64-TB: avast! Online Security: {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll
x64-Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s
x64-Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
x64-Run: [CanonSolutionMenu] C:\Program Files (x86)\Canon\SolutionMenu\CNSLMAIN.exe /logon
x64-Handler: intu-help-qb1 - {9B0F96C7-2E4B-433e-ABF3-043BA1B54AE3} - <orphaned>
x64-Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - <orphaned>
x64-Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - <orphaned>
x64-SSODL: WebCheck - <orphaned>
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\AngelaReyes\AppData\Roaming\Mozilla\Firefox\Profiles\cqidhyz6.default\
FF - prefs.js: browser.startup.homepage - www.google.com

FF - prefs.js: network.proxy.type - 0
FF - plugin: C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\Air\nppdf32.dll
FF - plugin: C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\Amazon\MP3 Downloader\npAmazonMP3DownloaderPlugin101772.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.153\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Microsoft Silverlight\5.1.20513.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll
FF - plugin: C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll
FF - plugin: C:\Program Files (x86)\TabletPlugins\npWacomTabletPlugin.dll
FF - plugin: C:\Program Files (x86)\thinkTDA\npthinkorswim.dll
FF - plugin: C:\Program Files (x86)\thinkTDA\nptossc.dll
FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: C:\Program Files\TabletPlugins\npWacomTabletPlugin.dll
FF - plugin: C:\Users\AngelaReyes\AppData\Local\Citrix\Plugins\104\npappdetector.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_8_800_94.dll
FF - plugin: C:\Windows\SysWOW64\npDeployJava1.dll
FF - plugin: C:\Windows\SysWOW64\npmproxy.dll
.
============= SERVICES / DRIVERS ===============
.
R0 aswRvrt;aswRvrt;C:\Windows\System32\drivers\aswRvrt.sys [2013-3-21 65336]
R0 aswVmm;aswVmm;C:\Windows\System32\drivers\aswVmm.sys [2013-3-21 189936]
R0 MxEFUF;Matrox Extio Upper Function Filter;C:\Windows\System32\drivers\MxEFUF64.sys [2012-6-16 157696]
R0 pgpfs;PGP File Sharing;C:\Windows\System32\drivers\PGPfsfd.sys [2011-11-22 175880]
R0 Pgpwdefs;Pgpwdefs;C:\Windows\System32\drivers\PGPwdefs.sys [2011-11-22 15752]
R1 aswSnx;aswSnx;C:\Windows\System32\drivers\aswSnx.sys [2011-12-27 1030952]
R1 aswSP;aswSP;C:\Windows\System32\drivers\aswSP.sys [2011-12-27 378944]
R1 SASDIFSV;SASDIFSV;C:\Program Files\SUPERAntiSpyware\sasdifsv64.sys [2011-7-22 14928]
R1 SASKUTIL;SASKUTIL;C:\Program Files\SUPERAntiSpyware\saskutil64.sys [2011-7-12 12368]
R2 !SASCORE;SAS Core Service;C:\Program Files\SUPERAntiSpyware\SASCore64.exe [2012-7-11 140672]
R2 aswFsBlk;aswFsBlk;C:\Windows\System32\drivers\aswFsBlk.sys [2011-12-27 33400]
R2 aswMonFlt;aswMonFlt;C:\Windows\System32\drivers\aswMonFlt.sys [2011-12-27 80816]
R2 avast! Antivirus;avast! Antivirus;C:\Program Files\AVAST Software\Avast\AvastSvc.exe [2013-7-19 46808]
R2 GEST Service;GEST Service for program management.;C:\Program Files (x86)\GIGABYTE\EnergySaver\GSvr.exe [2011-12-27 68136]
R2 MBAMScheduler;MBAMScheduler;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [2013-8-21 418376]
R2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2013-8-21 701512]
R2 Motorola Device Manager;Motorola Device Manager Service;C:\Program Files (x86)\Motorola Mobility\Motorola Device Manager\MotoHelperService.exe [2012-10-23 120728]
R2 PGP RDD Service;PGP RDD Service;C:\Program Files (x86)\PGP Corporation\PGP Desktop\RDDService.exe [2011-11-22 1588456]
R2 PST Service;PST Service;C:\Program Files (x86)\Motorola\MotForwardDaemon\ForwardDaemon.exe [2013-1-15 65657]
R2 Sentinel64;Sentinel64;C:\Windows\System32\drivers\sentinel64.sys [2012-4-5 145448]
R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2013-1-18 383264]
R2 WTabletServicePro;Wacom Professional Service;C:\Program Files\Tablet\Wacom\WTabletServicePro.exe [2012-11-7 613688]
R3 EvoMouseDriverFilterHidUsb;Evoluent Mouse Driver Filter;C:\Windows\System32\drivers\EvoMouseDriverFilterHidUsb.sys [2010-6-23 25144]
R3 EvoMouseDriverMini;EvoMouseDriverMini;C:\Windows\System32\drivers\EvoMouseDriverMini.sys [2010-6-23 22584]
R3 MBAMProtector;MBAMProtector;C:\Windows\System32\drivers\mbam.sys [2013-8-21 25928]
R3 oxmf;OXPCI Bus enumerator;C:\Windows\System32\drivers\oxmf.sys [2007-6-26 31744]
R3 Oxmfuf;Filter driver for OX16PCI95x ports;C:\Windows\System32\drivers\oxmfuf.sys [2007-6-26 8704]
R3 oxser;OX16C95x Serial port driver;C:\Windows\System32\drivers\oxser.sys [2007-6-26 109568]
R3 PGR1394b;PGR IEEE 1394 Bus host controllers;C:\Windows\System32\drivers\PGR1394.sys [2012-6-9 88064]
R3 RTLE8023x64;Realtek 10/100/1000 PCI-E NIC Family NDIS XP(x64) Driver;C:\Windows\System32\drivers\Rtenic64.sys [2012-6-19 438376]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S3 Adobe Version Cue CS4;Adobe Version Cue CS4;C:\Program Files (x86)\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe [2008-8-15 284016]
S3 BTCFilterService;USB Networking Driver Filter Service;C:\Windows\System32\drivers\motfilt.sys [2009-1-29 6144]
S3 FLEXnet Licensing Service 64;FLEXnet Licensing Service 64;C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe [2011-12-28 1038088]
S3 fssfltr;fssfltr;C:\Windows\System32\drivers\fssfltr.sys [2012-12-5 57856]
S3 fsssvc;Windows Live Family Safety Service;C:\Program Files (x86)\Windows Live\Family Safety\fsssvc.exe [2012-9-12 1512448]
S3 hidkmdf;KMDF Driver;C:\Windows\System32\drivers\hidkmdf.sys [2012-11-7 14320]
S3 motccgp;Motorola USB Composite Device Driver;C:\Windows\System32\drivers\motccgp.sys [2012-6-11 22016]
S3 motccgpfl;MotCcgpFlService;C:\Windows\System32\drivers\motccgpfl.sys [2012-1-25 9728]
S3 Motousbnet;Motorola USB Networking Driver Service;C:\Windows\System32\drivers\Motousbnet.sys [2012-6-8 27136]
S3 motusbdevice;Motorola USB Dev Driver;C:\Windows\System32\drivers\motusbdevice.sys [2011-11-8 11776]
S3 oxmep;OXPCI support driver;C:\Windows\System32\drivers\oxmep.sys [2007-6-26 7168]
S3 RTL8167;Realtek 8167 NT Driver;C:\Windows\System32\drivers\Rt64win7.sys [2009-6-10 187392]
S3 SNTUSB64;SafeNet USB SuperPro/UltraPro/HardwareKey;C:\Windows\System32\drivers\SNTUSB64.SYS [2011-5-27 63528]
S3 StorSvc;Storage Service;C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 27136]
S3 SWDUMon;SWDUMon;C:\Windows\System32\drivers\SWDUMon.sys [2012-6-9 15672]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2011-12-28 59392]
S3 WacHidRouter;Wacom Hid Router;C:\Windows\System32\drivers\wachidrouter.sys [2012-11-7 82416]
S3 wacomrouterfilter;Wacom Router Filter Driver;C:\Windows\System32\drivers\wacomrouterfilter.sys [2012-11-7 15344]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2011-12-28 1255736]
S4 WatGorp;WatGorp;C:\ProgramData\GorillaPrice\WatGorp.exe -service --> C:\ProgramData\GorillaPrice\WatGorp.exe -service [?]
.
=============== File Associations ===============
.
FileExt: .js: Applications\notepad++.exe="C:\Users\AngelaReyes\Desktop\FOLDERS\npp.5.9.8.bin\unicode\notepad++.exe" "%1" [userChoice]
ShellExec: dreamweaver.exe: Open="C:\Program Files (x86)\Adobe\Adobe Dreamweaver CS4\dreamweaver.exe", "%1"
.
=============== Created Last 30 ================
.
2013-08-23 14:43:30    --------    d-----w-    C:\AdwCleaner
2013-08-23 14:25:10    --------    d-----w-    C:\Windows\ERUNT
2013-08-23 13:35:40    9515512    ----a-w-    C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{E54D95DF-EF8C-484A-97CE-30872E04055B}\mpengine.dll
2013-08-21 23:42:32    108968    ----a-w-    C:\Windows\System32\WindowsAccessBridge-64.dll
2013-08-21 21:23:09    --------    d-----w-    C:\Program Files (x86)\stinger
2013-08-21 19:24:35    --------    d-----w-    C:\Users\AngelaReyes\AppData\Roaming\Malwarebytes
2013-08-21 19:24:08    --------    d-----w-    C:\ProgramData\Malwarebytes
2013-08-21 19:24:07    25928    ----a-w-    C:\Windows\System32\drivers\mbam.sys
2013-08-21 19:24:07    --------    d-----w-    C:\Program Files (x86)\Malwarebytes' Anti-Malware
2013-08-21 19:19:42    --------    d-----w-    C:\TDSSKiller_Quarantine
2013-08-20 20:38:49    --------    d-----w-    C:\Users\AngelaReyes\AppData\Local\Citrix
2013-08-14 16:01:48    --------    d-----w-    C:\Windows\System32\MRT
2013-08-14 09:01:31    1910208    ----a-w-    C:\Windows\System32\drivers\tcpip.sys
2013-08-02 21:25:11    --------    d-----w-    C:\Windows\System32\appmgmt
2013-08-01 22:09:16    --------    d-----w-    C:\Users\AngelaReyes\AppData\Roaming\Open Download Manager
2013-08-01 22:08:17    --------    d-----w-    C:\ProgramData\GorillaPrice
2013-08-01 22:07:56    --------    d-----w-    C:\Users\AngelaReyes\AppData\Roaming\GorillaPrice
2013-08-01 22:06:46    --------    d-----w-    C:\Program Files (x86)\OpenDownloaderManager
.
==================== Find3M  ====================
.
2013-08-23 14:49:41    25640    ----a-w-    C:\Windows\gdrv.sys
2013-08-21 23:42:26    972712    ----a-w-    C:\Windows\System32\deployJava1.dll
2013-08-21 23:42:26    1093032    ----a-w-    C:\Windows\System32\npDeployJava1.dll
2013-07-26 05:13:37    2241024    ----a-w-    C:\Windows\System32\wininet.dll
2013-07-26 05:12:08    3958784    ----a-w-    C:\Windows\System32\jscript9.dll
2013-07-26 05:12:04    136704    ----a-w-    C:\Windows\System32\iesysprep.dll
2013-07-26 05:12:03    67072    ----a-w-    C:\Windows\System32\iesetup.dll
2013-07-26 03:35:08    2706432    ----a-w-    C:\Windows\System32\mshtml.tlb
2013-07-26 03:13:24    1767936    ----a-w-    C:\Windows\SysWow64\wininet.dll
2013-07-26 03:12:04    2877440    ----a-w-    C:\Windows\SysWow64\jscript9.dll
2013-07-26 03:12:00    61440    ----a-w-    C:\Windows\SysWow64\iesetup.dll
2013-07-26 03:12:00    109056    ----a-w-    C:\Windows\SysWow64\iesysprep.dll
2013-07-26 02:49:14    2706432    ----a-w-    C:\Windows\SysWow64\mshtml.tlb
2013-07-26 02:39:38    89600    ----a-w-    C:\Windows\System32\RegisterIEPKEYs.exe
2013-07-26 01:59:38    71680    ----a-w-    C:\Windows\SysWow64\RegisterIEPKEYs.exe
2013-07-25 09:25:54    1888768    ----a-w-    C:\Windows\System32\WMVDECOD.DLL
2013-07-25 08:57:27    1620992    ----a-w-    C:\Windows\SysWow64\WMVDECOD.DLL
2013-07-20 00:10:50    189936    ----a-w-    C:\Windows\System32\drivers\aswVmm.sys
2013-07-20 00:10:50    1030952    ----a-w-    C:\Windows\System32\drivers\aswSnx.sys
2013-07-19 01:58:42    2048    ----a-w-    C:\Windows\System32\tzres.dll
2013-07-19 01:41:01    2048    ----a-w-    C:\Windows\SysWow64\tzres.dll
2013-07-15 18:24:49    71048    ----a-w-    C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2013-07-15 18:24:49    692104    ----a-w-    C:\Windows\SysWow64\FlashPlayerApp.exe
2013-07-09 06:03:30    5550528    ----a-w-    C:\Windows\System32\ntoskrnl.exe
2013-07-09 05:54:22    1732032    ----a-w-    C:\Windows\System32\ntdll.dll
2013-07-09 05:53:12    243712    ----a-w-    C:\Windows\System32\wow64.dll
2013-07-09 05:52:52    224256    ----a-w-    C:\Windows\System32\wintrust.dll
2013-07-09 05:51:16    1217024    ----a-w-    C:\Windows\System32\rpcrt4.dll
2013-07-09 05:46:20    184320    ----a-w-    C:\Windows\System32\cryptsvc.dll
2013-07-09 05:46:20    1472512    ----a-w-    C:\Windows\System32\crypt32.dll
2013-07-09 05:46:20    139776    ----a-w-    C:\Windows\System32\cryptnet.dll
2013-07-09 05:03:34    3968960    ----a-w-    C:\Windows\SysWow64\ntkrnlpa.exe
2013-07-09 05:03:34    3913664    ----a-w-    C:\Windows\SysWow64\ntoskrnl.exe
2013-07-09 04:53:47    1292192    ----a-w-    C:\Windows\SysWow64\ntdll.dll
2013-07-09 04:52:33    663552    ----a-w-    C:\Windows\SysWow64\rpcrt4.dll
2013-07-09 04:52:33    5120    ----a-w-    C:\Windows\SysWow64\wow32.dll
2013-07-09 04:52:10    175104    ----a-w-    C:\Windows\SysWow64\wintrust.dll
2013-07-09 04:46:31    140288    ----a-w-    C:\Windows\SysWow64\cryptsvc.dll
2013-07-09 04:46:31    1166848    ----a-w-    C:\Windows\SysWow64\crypt32.dll
2013-07-09 04:46:31    103936    ----a-w-    C:\Windows\SysWow64\cryptnet.dll
2013-07-09 04:45:07    44032    ----a-w-    C:\Windows\apppatch\acwow64.dll
2013-07-09 02:49:42    25600    ----a-w-    C:\Windows\SysWow64\setup16.exe
2013-07-09 02:49:41    7680    ----a-w-    C:\Windows\SysWow64\instnm.exe
2013-07-09 02:49:39    14336    ----a-w-    C:\Windows\SysWow64\ntvdm64.dll
2013-07-09 02:49:38    2048    ----a-w-    C:\Windows\SysWow64\user.exe
2013-06-15 04:32:16    39936    ----a-w-    C:\Windows\System32\drivers\tssecsrv.sys
2013-06-05 03:34:27    3153920    ----a-w-    C:\Windows\System32\win32k.sys
2013-06-04 06:00:13    624128    ----a-w-    C:\Windows\System32\qedit.dll
2013-06-04 04:53:07    509440    ----a-w-    C:\Windows\SysWow64\qedit.dll
.
============= FINISH:  9:17:34.18 ===============
 

I zipped and attached the 'Attach' file as the file instructs.

 

Thanks and I look forward to your response,

Ana

 

attach.zip

[Maniac]

All of these tools are designed for a special cases, they are not for every day use. You should be more careful with them.

Step 1

Please uninstall the following applications:

BadGorillaPrice

Little Registry Cleaner

About these registry cleaners, we do not recommend them. Here's why:

miekiemoes.blogspot.com/2008/02/registry-cleaners-and-system-tweaking_13.html

Step 2

Please download Junkware Removal Tool to your desktop.

• Shut down your protection software now to avoid potential conflicts.
• Run the tool by double-clicking it. If you are using Windows Vista or Seven, right-mouse click it and select Run as Administrator.
• The tool will open and start scanning your system.
• Please be patient as this can take a while to complete depending on your system's specifications.
• On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
• Post the contents of JRT.txt into your next message.

Step 3

Please download AdwCleaner by Xplode onto your desktop.

• Close all open programs and internet browsers.
• Double click on AdwCleaner.exe to run the tool.
• Click on Delete.
• Confirm each time with Ok.
• Your computer will be rebooted automatically. A text file will open after the restart.
• Please post the content of that logfile with your next answer.
• You can find the logfile at C:\AdwCleaner[s1].txt as well.

Step 4

• Launch Malwarebytes' Anti-Malware
• Go to Update tab and select Check for Updates. If an update is found, it will download and install the latest version.
• Go to Scanner tab and select Perform Quick Scan, then click Scan.
• The scan may take some time to finish,so please be patient.
• When the scan is complete, click OK, then Show Results to view the results.
• Make sure that everything is checked, and click Remove Selected.
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
• Copy&Paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer,please do so immediately.

In your next reply, post the following log files:

• Junkware Removal Tool log
• AdwCleaner log
• Malwarebytes' Anti-Malware log

[AnaB29]

BadGorilla Price can't be removed--not with add remove programs or CCLeaner. It's actually just called GorillaPrice, I renamed it to BadGorillaPrice in the hopes that it would not function properly, but that had no effect, so you may see it in one of the files below with its proper name, Gorilla Price.

 

The reason that I used all of those different programs is that one by one, none of them was able to remove the program or stop the process.

 

I was able to uninstall Little Registry Cleaner.

 

Here are the log files, first is JRT:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 5.5.4 (08.22.2013:1)
OS: Windows 7 Professional x64
Ran by AngelaReyes on Fri 08/23/2013 at 16:31:14.20
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




~~~ Services



~~~ Registry Values



~~~ Registry Keys

Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\uniblue



~~~ Files



~~~ Folders



~~~ Event Viewer Logs were cleared





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Fri 08/23/2013 at 16:42:24.92
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

 

 

Next is AdwC:

 

# AdwCleaner v3.000 - Report created 23/08/2013 at 16:53:14
# Updated 20/08/2013 by Xplode
# Operating System : Windows 7 Professional Service Pack 1 (64 bits)
# Username : AngelaReyes - BIGBOX2
# Running from : C:\Users\AngelaReyes\Desktop\CLEANIES\AdwCleaner.exe
# Option : Clean

***** [ Services ] *****


***** [ Files / Folders ] *****

Folder Deleted : C:\Users\AngelaReyes\AppData\Local\PutLockerDownloader

***** [ Shortcuts ] *****


***** [ Registry ] *****


***** [ Browsers ] *****

-\\ Internet Explorer v10.0.9200.16660


-\\ Mozilla Firefox v23.0.1 (en-US)

[ File : C:\Users\AngelaReyes\AppData\Roaming\Mozilla\Firefox\Profiles\cqidhyz6.default\prefs.js ]


-\\ Google Chrome v29.0.1547.57

[ File : C:\Users\AngelaReyes\AppData\Local\Google\Chrome\User Data\Default\preferences ]

Deleted : icon_url
Deleted : search_url
Deleted : keyword

*************************

AdwCleaner[R0].txt - [2753 octets] - [23/08/2013 07:43:39]
AdwCleaner[R1].txt - [1174 octets] - [23/08/2013 16:23:49]
AdwCleaner[R2].txt - [1235 octets] - [23/08/2013 16:52:03]
AdwCleaner[s0].txt - [2881 octets] - [23/08/2013 07:46:22]
AdwCleaner[s1].txt - [1166 octets] - [23/08/2013 16:53:14]

########## EOF - C:\AdwCleaner\AdwCleaner[s1].txt - [1226 octets] ##########
 

 

 

and last is MBAM:

 

Malwarebytes Anti-Malware (Trial) 1.75.0.1300
www.malwarebytes.org

Database version: v2013.08.23.08

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 10.0.9200.16660
AngelaReyes :: BIGBOX2 [administrator]

Protection: Enabled

8/23/2013 5:00:20 PM
mbam-log-2013-08-23 (17-00-20).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 249370
Time elapsed: 4 minute(s), 4 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)
 

 

 

Gorilla Price is still running.

Thanks so much for your help I look forward to hearing back from you!

Ana

 

 

 

 

 

[Maniac]

Note: Please do not run this tool without special supervision and instructions of someone authorized to do so. Otherwise, you could end up with serious problems. For more details, read this article: ComboFix usage, Questions, Help? - Look here

Please visit this webpage and read the ComboFix User's Guide:

• Once you've read the article and are ready to use the program you can download it directly from the link below.
• Important! - Please make sure you save combofix to your desktop and do not run it from your browser
• Direct download link for: ComboFix.exe
• Please make sure you disable your security applications before running ComboFix.
• Once Combofix has completed it will produce and open a log file. Please be patient as it can take some time to load.
• Please copy/paste the contents or attach that log file to your next reply.
• If needed the file can be located here: C:\combofix.txt
• NOTE: If you receive the message "illegal operation has been attempted on a registry key that has been marked for deletion", just reboot the computer.

[AnaB29]

OK...

I ran ComboFix and I had to attach the log because this system said it was too long to paste here.  So far it appears to have taken care of the GorillaPrice nonsense. One question though, while it was going through the 'completed stages' part, a dialog box appeared stating that PEV.exe had stopped working and Windows will close the program, blah, blah, blah.  The box closed when the stages were done.  Do you know what this was about?

 

Can you recommend a good source for learning about malware/virus removal and computer health and maintenance?

 

Thanks, and I look forward to hearing back from you.

Ana

 

log.txt

 

 

[Maniac]

Can you recommend a good source for learning about malware/virus removal and computer health and maintenance?

Take a look here:

http://forums.malwarebytes.org/index.php?showtopic=12264

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

Driver::

WatGorp

File::

c:\windows\system32\DRIVERS\WatGorp.sys

Folder::

c:\users\AngelaReyes\AppData\Roaming\GorillaPrice

c:\programdata\GorillaPrice

Save this as CFScript.txt, in the same location as ComboFix.exe

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

[AnaB29]

Ok, attached is the second ComboFix log.

 

Thanks,

Analog2.txt

[Maniac]

Please scan your machine with ESET OnlineScan

• Hold down Control and click on the following link to open ESET OnlineScan in a new window.

  ESET OnlineScan

• Click the button.
• For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
  • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer.

    Save it to your Desktop.

  • Double click on the to download the ESET Smart Installer. icon on your Desktop.
• Check "YES, I accept the Terms of Use."
• Click the Start button.
• Accept any security warnings from your browser.
• Under Scan Settings, check "Scan Archives" and "Remove found threats"
• Click Advanced settings and select the following:
  • Scan potentially unwanted applications
  • Scan for potentially unsafe applications
  • Enable Anti-Stealth technology
• ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
• When the scan completes, click List Threats
• Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
• Click the Back button.
• Click the Finish button.

[AnaB29]

I ran ESET and there were no threats, hence no file to export.  I did attach the image of the last screen.

 

 

Does this mean I'm all clear?

 

 

[Maniac]

Your system should be clean now.

How are things there?

[AnaB29]

Yes, my system is clean and is running faster than it was, even before I got infected 2 weeks ago. I have not noticed any negative issues that some have reported after using ComboFix.

 

Thank you so much for your help.  I really appreciate being able to just pop online and get almost instant and expert assistance in a situation like this.

 

Cheers,

Ana

[Maniac]

You're welcome, Ana!

Step 1

• Download OTC to your desktop and run it
• Click Yes to beginning the Cleanup process and remove these components, including this application.
• You will be asked to reboot the machine to finish the Cleanup process. Choose Yes.

Step 2

• Double click on AdwCleaner.exe to run the tool.
• Click on Uninstall
• Confirm with Yes

Step 3

Please uninstall ESET Online Scanner

Step 4

Some malware prevention tips:

users.telenet.be/bluepatchy/miekiemoes/prevention.html

Safe surfing!

[LDTate]

Since this issue is resolved I will close the thread to prevent others from posting here. If you need assistance please start your own topic and someone will be happy to assist you.