## Recommended Posts

Hi,

I opened an attachment on an email this morning that contained a Trojan. I have attached the dds.txt and attach.txt to this post. Hope I have done it right...

dds.txt

attach.txt

##### Share on other sites

Hello! Welcome to Malwarebytes Forums!
My name is Georgi and and I will be helping you with your computer problems.

Before we begin, please note the following:

• I will working be on your Malware issues, this may or may not, solve other issues you have with your machine.
• The logs can take some time to research, so please be patient with me.
• Stay with the topic until I tell you that your system is clean. Missing symptoms does not mean that everything is okay.
• Instructions that I give are for your system only!
• Please do not run any tools until requested ! The reason for this is so I know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.
• Please perform all steps in the order received. If you can't understand something don't hesitate to ask.
• Again I would like to remind you to make no further changes to your computer unless I direct you to do so. I will not help you if you do not follow my instructions.

Note: You need to run the version compatibale with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

• Double-click to run it. When the tool opens click Yes to disclaimer.
• Press Scan button.
• It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.

Regards,
Georgi

##### Share on other sites

can result of Farbar Recovery Scan Tool (FRST) (x86) Version: 23-09-2013
Ran by Janilec5 (administrator) on JANILEC5 on 23-09-2013 13:06:40
Running from C:\Users\Janilec5\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\STYEW0H2
Microsoft Windows 7 Professional  Service Pack 1 (X86) OS Language: English(US)
Internet Explorer Version 10
Boot Mode: Normal

==================== Processes (Whitelisted) ===================

(ESET) C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
() C:\Program Files\Lenovo\Lenovo Mouse Suite\PelService.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
(Safer Networking Ltd.) C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
(brother) C:\Program Files\Brownie\BrStsWnd.exe
(ESET) C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Microsoft Corporation) C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
(Microsoft Corporation) C:\Windows\System32\mobsync.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Sun Microsystems, Inc.) C:\Windows\System32\jusched.exe
(Microsoft Corporation) C:\Windows\system32\ntvdm.exe
(Microsoft Corporation.) C:\Program Files\Microsoft\BingBar\7.1.391.0\SeaPort.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
(Microsoft Corporation) C:\Windows\System32\MsSpellCheckingFacility.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [brStsWnd] - C:\Program Files\Brownie\BrstsWnd.exe [3618104 2009-08-19] (brother)
HKLM\...\Run: [egui] - C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe [2054360 2009-09-11] (ESET)
HKLM\...\Run: [GrooveMonitor] - C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe [30040 2009-02-26] (Microsoft Corporation)
HKCU\...\Run: [Hoim] - C:\Users\Janilec5\AppData\Roaming\Vyqiic\hoim.exe [342016 2011-10-18] ()
HKCU\...\Run: [wicusealuddi] - C:\Users\Janilec5\wicusealuddi.exe [66560 2013-09-23] ()
HKCU\...\Run: [Regedit32] - C:\Windows\system32\regedit.exe
MountPoints2: D - D:\LaunchU3.exe -a
MountPoints2: {b402af4a-d27b-11e0-8df5-806e6f6e6963} - Q:\LenovoQDrive.exe
MountPoints2: {eda7506d-b525-11e1-9cf4-f80f412ca4f8} - D:\LaunchU3.exe -a
HKU\Default\...\RunOnce: [] -
HKU\Default\...\RunOnce: [Lenovoautoqdrive] - C:\PROGRA~1\Common~1\Lenovo\Lenovo~1\LenovoAutorunreg.exe [ 2009-03-24] ()
HKU\Default User\...\RunOnce: [] -
HKU\Default User\...\RunOnce: [Lenovoautoqdrive] - C:\PROGRA~1\Common~1\Lenovo\Lenovo~1\LenovoAutorunreg.exe [ 2009-03-24] ()

==================== Internet (Whitelisted) ====================

HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://lenovo.msn.com
HKCU\Software\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = http://www.lenovo.com/welcome/thinkcentre
SearchScopes: HKLM - DefaultScope {599C78E9-E5CD-4979-B801-353D8567C92C} URL = http://www.bing.com/search?q={searchTerms}&form=LEMDF8&pc=MALC&src=IE-SearchBox
SearchScopes: HKLM - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM - {599C78E9-E5CD-4979-B801-353D8567C92C} URL = http://www.bing.com/search?q={searchTerms}&form=LEMDF8&pc=MALC&src=IE-SearchBox
SearchScopes: HKCU - DefaultScope {599C78E9-E5CD-4979-B801-353D8567C92C} URL =
SearchScopes: HKCU - {599C78E9-E5CD-4979-B801-353D8567C92C} URL =
BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll (Safer Networking Limited)
BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO: Bing Bar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\Microsoft\BingBar\7.1.391.0\BingExt.dll (Microsoft Corporation.)
BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
Toolbar: HKLM - Bing Bar - {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files\Microsoft\BingBar\7.1.391.0\BingExt.dll (Microsoft Corporation.)
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll (Microsoft Corporation)
Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 192.168.2.1

FireFox:
========
FF ProfilePath: C:\Users\Janilec5\AppData\Roaming\Mozilla\Firefox\Profiles\obydxa1s.default
FF Plugin: @adobe.com/FlashPlayer - C:\Windows\system32\Macromed\Flash\NPSWF32_11_8_800_168.dll ()
FF Plugin: @garmin.com/GpsControl - C:\Program Files\Garmin GPS Plugin\npGarmin.dll (GARMIN Corp.)
FF Plugin: @java.com/DTPlugin,version=10.7.2 - C:\Windows\system32\npDeployJava1.dll (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=10.7.2 - C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin: @microsoft.com/GENUINE - disabled No File
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 - c:\Program Files\Microsoft Silverlight\5.1.20513.0\npctrl.dll ( Microsoft Corporation)
FF Plugin: @microsoft.com/WLPG,version=15.4.3502.0922 - C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin: @microsoft.com/WLPG,version=15.4.3508.1109 - C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin: @videolan.org/vlc,version=2.0.7 - C:\Program Files\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF HKLM\...\Thunderbird\Extensions: [eplgTb@eset.com] - C:\Program Files\ESET\ESET NOD32 Antivirus\Mozilla Thunderbird
FF Extension: Eset Plugin - C:\Program Files\ESET\ESET NOD32 Antivirus\Mozilla Thunderbird

Chrome:
=======

CHR Plugin: (Shockwave Flash) - C:\Program Files\Google\Chrome\Application\29.0.1547.76\PepperFlash\pepflashplayer.dll ()
CHR Plugin: (Chrome Remote Desktop Viewer) - internal-remoting-viewer
CHR Plugin: (Chrome PDF Viewer) - C:\Program Files\Google\Chrome\Application\29.0.1547.76\pdf.dll ()
CHR Plugin: (QuickTime Plug-in 7.6.5) - C:\Program Files\QuickTime\plugins\npqtplugin.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.6.5) - C:\Program Files\QuickTime\plugins\npqtplugin2.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.6.5) - C:\Program Files\QuickTime\plugins\npqtplugin3.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.6.5) - C:\Program Files\QuickTime\plugins\npqtplugin4.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.6.5) - C:\Program Files\QuickTime\plugins\npqtplugin5.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.6.5) - C:\Program Files\QuickTime\plugins\npqtplugin6.dll No File
CHR Plugin: (QuickTime Plug-in 7.6.5) - C:\Program Files\QuickTime\plugins\npqtplugin7.dll No File
CHR Plugin: (Garmin Communicator Plug-In) - C:\Program Files\Garmin GPS Plugin\npGarmin.dll (GARMIN Corp.)
CHR Plugin: (Java Platform SE 7 U7) - C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
CHR Plugin: (Windows Live\u0099 Photo Gallery) - C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
CHR Plugin: (Shockwave Flash) - C:\Windows\system32\Macromed\Flash\NPSWF32_11_5_502_146.dll No File
CHR Plugin: (Java Deployment Toolkit 7.0.70.10) - C:\Windows\system32\npDeployJava1.dll (Oracle Corporation)
CHR Plugin: (Silverlight Plug-In) - c:\Program Files\Microsoft Silverlight\4.0.50401.0\npctrl.dll No File
CHR Extension: (Chrome In-App Payments service) - C:\Users\Janilec5\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\0.0.4.10_0
CHR Extension: (Gmail) - C:\Users\Janilec5\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\7_0

========================== Services (Whitelisted) =================

S3 EhttpSrv; C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe [20680 2009-09-11] (ESET)
R2 ekrn; C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe [735960 2009-09-11] (ESET)
R2 PelService; C:\Program Files\Lenovo\Lenovo Mouse Suite\PelService.exe [184320 2010-04-22] ()
R2 SBSDWSCService; C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe [1153368 2009-01-26] (Safer Networking Ltd.)

==================== Drivers (Whitelisted) ====================

R0 CLFS; C:\Windows\System32\CLFS.sys [249408 2009-07-14] (Microsoft Corporation)
R2 eamon; C:\Windows\System32\DRIVERS\eamon.sys [116008 2009-09-11] (ESET)
R1 ehdrv; C:\Windows\System32\DRIVERS\ehdrv.sys [108792 2009-09-11] (ESET)
R2 epfwwfpr; C:\Windows\System32\DRIVERS\epfwwfpr.sys [95896 2009-09-11] (ESET)
R3 pelmouse; C:\Windows\System32\DRIVERS\pelmouse.sys [19456 2009-11-02] (TPMX Electronics Ltd.)
R3 pelusblf; C:\Windows\System32\DRIVERS\pelusblf.sys [24576 2010-05-04] (TPMX Electronics Ltd.)
U3 mbr; \??\C:\Users\Janilec5\AppData\Local\Temp\mbr.sys [x]

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

2013-09-23 13:05 - 2013-09-23 13:05 - 00000000 ____D C:\FRST
2013-09-23 12:49 - 2013-09-23 13:06 - 00000000 ___HT C:\Users\Janilec5\Desktop\~archive 19.10.12.pst.tmp
2013-09-23 12:30 - 2013-09-23 12:41 - 00011708 _____ C:\Users\Janilec5\Desktop\dds.txt
2013-09-23 12:30 - 2013-09-23 12:41 - 00010955 _____ C:\Users\Janilec5\Desktop\attach.txt
2013-09-23 12:24 - 2013-09-23 12:31 - 00090112 _____ C:\Windows\system32\Drivers\ndiswan.sys.bak
2013-09-23 10:25 - 2013-09-23 10:25 - 00001062 _____ C:\Windows\PFRO.log
2013-09-23 09:57 - 2013-09-23 09:57 - 00066560 _____ C:\Users\Janilec5\wicusealuddi.exe
2013-09-23 08:08 - 2013-09-23 12:18 - 00000336 _____ C:\Windows\setupact.log
2013-09-23 08:08 - 2013-09-23 08:08 - 00000000 _____ C:\Windows\setuperr.log
2013-09-20 11:26 - 2013-09-20 11:26 - 00000000 ____D C:\Users\Janilec5\AppData\Local\{85A9D59B-D783-4D93-B107-61D69C79A6C2}
2013-09-13 14:47 - 2013-09-13 14:47 - 00000000 ____D C:\Users\Janilec5\AppData\Local\{332A0776-2430-4B28-8EBB-40909072A434}
2013-09-12 15:41 - 2013-09-12 15:41 - 17750408 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerInstaller.exe
2013-09-11 08:57 - 2013-08-10 04:59 - 01767936 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2013-09-11 08:57 - 2013-08-10 04:59 - 01141248 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2013-09-11 08:57 - 2013-08-10 04:59 - 00042496 _____ (Microsoft Corporation) C:\Windows\system32\ie4uinit.exe
2013-09-11 08:57 - 2013-08-10 04:58 - 14332928 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2013-09-11 08:57 - 2013-08-10 04:58 - 13761024 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2013-09-11 08:57 - 2013-08-10 04:58 - 02876928 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2013-09-11 08:57 - 2013-08-10 04:58 - 02048000 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2013-09-11 08:57 - 2013-08-10 04:58 - 00690688 _____ (Microsoft Corporation) C:\Windows\system32\jscript.dll
2013-09-11 08:57 - 2013-08-10 04:58 - 00493056 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2013-09-11 08:57 - 2013-08-10 04:58 - 00391168 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2013-09-11 08:57 - 2013-08-10 04:58 - 00109056 _____ (Microsoft Corporation) C:\Windows\system32\iesysprep.dll
2013-09-11 08:57 - 2013-08-10 04:58 - 00061440 _____ (Microsoft Corporation) C:\Windows\system32\iesetup.dll
2013-09-11 08:57 - 2013-08-10 04:58 - 00039424 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2013-09-11 08:57 - 2013-08-10 04:58 - 00033280 _____ (Microsoft Corporation) C:\Windows\system32\iernonce.dll
2013-09-11 08:57 - 2013-08-10 04:07 - 02706432 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2013-09-11 08:57 - 2013-08-10 03:17 - 00071680 _____ (Microsoft Corporation) C:\Windows\system32\RegisterIEPKEYs.exe
2013-09-11 08:53 - 2013-08-08 02:03 - 02348544 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys
2013-09-11 08:53 - 2013-08-05 02:56 - 00133056 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ataport.sys
2013-09-11 08:53 - 2013-08-02 02:50 - 00169984 _____ (Microsoft Corporation) C:\Windows\system32\winsrv.dll
2013-09-11 08:53 - 2013-08-02 02:49 - 00868352 _____ (Microsoft Corporation) C:\Windows\system32\kernel32.dll
2013-09-11 08:53 - 2013-08-02 02:49 - 00293376 _____ (Microsoft Corporation) C:\Windows\system32\KernelBase.dll
2013-09-11 08:53 - 2013-08-02 02:48 - 00005120 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-file-l1-1-0.dll
2013-09-11 08:53 - 2013-08-02 02:48 - 00004608 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-processthreads-l1-1-0.dll
2013-09-11 08:53 - 2013-08-02 02:48 - 00004096 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-sysinfo-l1-1-0.dll
2013-09-11 08:53 - 2013-08-02 02:48 - 00004096 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-synch-l1-1-0.dll
2013-09-11 08:53 - 2013-08-02 02:48 - 00004096 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-misc-l1-1-0.dll
2013-09-11 08:53 - 2013-08-02 02:48 - 00004096 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-localregistry-l1-1-0.dll
2013-09-11 08:53 - 2013-08-02 02:48 - 00004096 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-localization-l1-1-0.dll
2013-09-11 08:53 - 2013-08-02 02:48 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-processenvironment-l1-1-0.dll
2013-09-11 08:53 - 2013-08-02 02:48 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-namedpipe-l1-1-0.dll
2013-09-11 08:53 - 2013-08-02 02:48 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-memory-l1-1-0.dll
2013-09-11 08:53 - 2013-08-02 02:48 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-libraryloader-l1-1-0.dll
2013-09-11 08:53 - 2013-08-02 02:48 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-interlocked-l1-1-0.dll
2013-09-11 08:53 - 2013-08-02 02:48 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-heap-l1-1-0.dll
2013-09-11 08:53 - 2013-08-02 02:48 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-string-l1-1-0.dll
2013-09-11 08:53 - 2013-08-02 02:48 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-rtlsupport-l1-1-0.dll
2013-09-11 08:53 - 2013-08-02 02:48 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-profile-l1-1-0.dll
2013-09-11 08:53 - 2013-08-02 02:48 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-io-l1-1-0.dll
2013-09-11 08:53 - 2013-08-02 02:48 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-handle-l1-1-0.dll
2013-09-11 08:53 - 2013-08-02 02:48 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-fibers-l1-1-0.dll
2013-09-11 08:53 - 2013-08-02 02:48 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-errorhandling-l1-1-0.dll
2013-09-11 08:53 - 2013-08-02 02:48 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-delayload-l1-1-0.dll
2013-09-11 08:53 - 2013-08-02 02:48 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-debug-l1-1-0.dll
2013-09-11 08:53 - 2013-08-02 02:48 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-datetime-l1-1-0.dll
2013-09-11 08:53 - 2013-08-02 02:48 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-console-l1-1-0.dll
2013-09-11 08:53 - 2013-08-02 01:52 - 00271360 _____ (Microsoft Corporation) C:\Windows\system32\conhost.exe
2013-09-11 08:53 - 2013-08-02 01:43 - 00006144 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-security-base-l1-1-0.dll
2013-09-11 08:53 - 2013-08-02 01:43 - 00004608 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-threadpool-l1-1-0.dll
2013-09-11 08:53 - 2013-08-02 01:43 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-xstate-l1-1-0.dll
2013-09-11 08:53 - 2013-08-02 01:43 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-util-l1-1-0.dll
2013-09-11 08:53 - 2013-07-26 02:55 - 12872704 _____ (Microsoft Corporation) C:\Windows\system32\shell32.dll
2013-09-11 08:53 - 2013-07-26 02:55 - 00180224 _____ (Microsoft Corporation) C:\Windows\system32\shdocvw.dll
2013-09-06 12:04 - 2013-09-17 11:13 - 00020665 _____ C:\Users\Janilec5\Desktop\EditedDocument-Consumables.xlsx

==================== One Month Modified Files and Folders =======

2013-09-23 13:06 - 2013-09-23 12:49 - 00000000 ___HT C:\Users\Janilec5\Desktop\~archive 19.10.12.pst.tmp
2013-09-23 13:06 - 2013-05-24 09:56 - 00271360 _____ C:\Users\Janilec5\Desktop\archive 19.10.12.pst
2013-09-23 13:05 - 2013-09-23 13:05 - 00000000 ____D C:\FRST
2013-09-23 12:41 - 2013-09-23 12:30 - 00011708 _____ C:\Users\Janilec5\Desktop\dds.txt
2013-09-23 12:41 - 2013-09-23 12:30 - 00010955 _____ C:\Users\Janilec5\Desktop\attach.txt
2013-09-23 12:31 - 2013-09-23 12:24 - 00090112 _____ C:\Windows\system32\Drivers\ndiswan.sys.bak
2013-09-23 12:27 - 2013-04-03 16:42 - 00000000 ____D C:\Users\Janilec5\Desktop\PDF
2013-09-23 12:25 - 2009-07-14 05:34 - 00030688 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-09-23 12:25 - 2009-07-14 05:34 - 00030688 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-09-23 12:18 - 2013-09-23 08:08 - 00000336 _____ C:\Windows\setupact.log
2013-09-23 12:18 - 2011-10-13 17:17 - 00000135 _____ C:\Windows\Brownie.ini
2013-09-23 12:18 - 2009-07-14 05:53 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2013-09-23 12:17 - 2011-08-29 21:20 - 01119519 _____ C:\Windows\WindowsUpdate.log
2013-09-23 10:32 - 2011-10-13 14:33 - 00000000 ____D C:\Users\Janilec5\AppData\Roaming\Macromedia
2013-09-23 10:25 - 2013-09-23 10:25 - 00001062 _____ C:\Windows\PFRO.log
2013-09-23 09:57 - 2013-09-23 09:57 - 00066560 _____ C:\Users\Janilec5\wicusealuddi.exe
2013-09-23 09:57 - 2011-10-12 15:05 - 00000000 ____D C:\Users\Janilec5
2013-09-23 08:59 - 2013-02-05 20:59 - 00002140 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2013-09-23 08:11 - 2011-10-14 17:30 - 00000000 ____D C:\ProgramData\Spybot - Search & Destroy
2013-09-23 08:08 - 2013-09-23 08:08 - 00000000 _____ C:\Windows\setuperr.log
2013-09-20 11:26 - 2013-09-20 11:26 - 00000000 ____D C:\Users\Janilec5\AppData\Local\{85A9D59B-D783-4D93-B107-61D69C79A6C2}
2013-09-17 11:13 - 2013-09-06 12:04 - 00020665 _____ C:\Users\Janilec5\Desktop\EditedDocument-Consumables.xlsx
2013-09-13 17:44 - 2013-03-27 16:29 - 00000000 ____D C:\ProgramData\Microsoft Help
2013-09-13 14:47 - 2013-09-13 14:47 - 00000000 ____D C:\Users\Janilec5\AppData\Local\{332A0776-2430-4B28-8EBB-40909072A434}
2013-09-12 17:41 - 2012-05-10 15:53 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2013-09-12 15:41 - 2013-09-12 15:41 - 17750408 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerInstaller.exe
2013-09-12 15:41 - 2012-05-10 15:53 - 00692616 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerApp.exe
2013-09-12 15:41 - 2012-05-10 15:53 - 00071048 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerCPLApp.cpl
2013-09-12 15:15 - 2011-10-19 12:46 - 00000000 ____D C:\Program Files\Common Files\Adobe
2013-09-12 08:22 - 2009-07-14 05:53 - 00032620 _____ C:\Windows\Tasks\SCHEDLGU.TXT
2013-09-11 17:35 - 2011-02-15 08:38 - 00000000 ____D C:\Windows\Panther
2013-09-11 14:28 - 2009-07-14 03:37 - 00000000 ____D C:\Windows\rescache
2013-09-11 11:27 - 2009-07-14 03:37 - 00000000 ____D C:\Windows\Microsoft.NET
2013-09-11 09:04 - 2009-07-14 05:33 - 03808840 _____ C:\Windows\system32\FNTCACHE.DAT
2013-09-11 08:56 - 2013-07-10 10:24 - 00000000 ____D C:\Windows\system32\MRT
2013-09-11 08:54 - 2011-12-07 18:11 - 76725432 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe
2013-09-06 10:25 - 2013-07-26 10:57 - 00219648 _____ C:\Users\Janilec5\Desktop\Clover Stock.xls
2013-09-06 09:46 - 2013-07-31 11:24 - 00000000 ____D C:\Users\Janilec5\Desktop\Purchase Order Sheets
2013-09-05 11:57 - 2011-10-13 17:22 - 00000426 _____ C:\Windows\BRWMARK.INI
2013-09-02 16:47 - 2013-05-15 10:25 - 00000000 ____D C:\Users\Janilec5\Desktop\SJ Instructions & Info
2013-08-29 17:42 - 2013-06-27 15:19 - 00000976 _____ C:\Users\Public\Desktop\CCleaner.lnk
2013-08-29 17:42 - 2013-06-27 15:19 - 00000000 ____D C:\Program Files\CCleaner

Files to move or delete:
====================
C:\Users\Janilec5\wicusealuddi.exe

==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

LastRegBack: 2013-06-24 12:48

==================== End Of Log ============================

##### Share on other sites

I hope I did this right?

##### Share on other sites

Hi...

Can anyone help me with this please?

##### Share on other sites

Please be patient. There are many people seeking help at the same time!
Cleaning malware is a difficult task, and it takes a trained eye to catch the offending code.

NOTE. It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work.

Run FRST and press the Fix button just once and wait.

I'll catch ypu later since I am at work right now.

Regards,

Georgi

##### Share on other sites

Hi, thanks for your help. Appreciate it. It wouldn't let me paste so I have attached it.

Fixlog.txt

##### Share on other sites

Hi,

Regarding the fixlog.txt you probably pressed the FIX button twice?

Regards,

Georgi

##### Share on other sites

Hope this is correct. I ran the FRST then pressed fix once.

FRST.txt

Fixlog.txt

##### Share on other sites

Hi,

The log look good. There are only a few leftovers:

NOTE. It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work.

Run FRST and press the Fix button just once and wait.

Let's do some scans to be sure all is ok now and to verify that nothing is still lurking in the system.

STEP 1

• Close all windows and browsers
• Right-click the program and select 'Run as Administrator'
• Press the scan button.
• A report opens on the desktop named - RKreport.txt

STEP 2

• Doubleclick on TDSSKiller.exe to run the application, then click on Change parameters.
• Put a checkmark beside loaded modules.
• A reboot will be needed to apply the changes. Do it.
• TDSSKiller will launch automatically after the reboot. Also your computer may seem very slow and unusable. This is normal. Give it enough time to load your background programs.
• Then click on Change parameters in TDSSKiller.
• Check all boxes then click OK.
• Click the Start Scan button.
• The scan should take no longer than 2 minutes.
• If a suspicious object is detected, the default action will be Skip, click on Continue.
• If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.

Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.
• A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please attach the results to your next reply.

STEP 3

• Please start the application by double-click on it's icon.
• Once the program has loaded go to the UPDATE tab and check for updates.
• When the update is complete, select the Scanner tab
• Select Perform quick scan, then click Scan.
• When the scan is complete, click OK, then Show Results to view the results.
• Be sure that everything is checked, and click Remove Selected.
• When completed, a log will open in Notepad.

Regards,

Georgi

##### Share on other sites

Hi,

Sorry for the delay - I was at work till now.

You missed the step above RogueKiller...

Otherwise all logs are clean. How are things now?

Regards,

Georgi

##### Share on other sites

Just running a scan now. Thanks! Have attached the other log.

##### Share on other sites

Sorry. I didn't attach. I attached it to this one.

RKreport0_S_09242013_140643.txt

##### Share on other sites

The scans came up clean. Thank you for all your help! Really appreciated.

##### Share on other sites

Hi,

You didn't post the Fixlog.txt after the latest script (the step above RogueKiller) and you attached the Roguekiller log instead?

Regards,

Georgi

##### Share on other sites

Hi,

Are you still with me? Anyway - your last logs were clean so here it is my All Clean:

Nicely done ! This is the end of our journey if you don't have any more questions.
I have some final words for you.
All Clean !
Your machine appears to be clean, please take the time to read below on how to secure the machine and take the necessary steps to keep it Clean.

STEP 1 CLEANUP

To remove all of the tools we used and the files and folders they created, please do the following:

Download the following file =>  fixlist.txt and save it to the Desktop.
NOTE. It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work.

Run FRST/FRST64 and press the Fix button just once and wait.

• Right-click the OTC.exe and choose Run as Administrator.
• Click on CleanUp! button.
• If you are prompted to Reboot during the cleanup, select Yes.
• The tool will delete itself once it finishes.

• Please start it and check the box next to "Remove disinfection tools" and click on the run button.
• The tool will delete itself once it finishes.

Note: If any tool, file, log file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.

Since your computer was infected for peace of mind, I would however advise you that all your passwords be changed immediately !! (just in case).
You can use PC Tools Password Generator to create random passwords and then install an application like KeePass Password Safe to store them for easy access.If you do Online Banikng please read the article below:
Online Banking Protection Against Identity Theft

Keep your antivirus software turned on and up-to-date

• Make sure your antivirus software is turned on and up-to-date.
• New viruses come out every minute, so it is essential that you have the latest signatures for your antivirus program to provide you with the best possible protection from malicious software.
Note:
• You should only have one antivirus installed at a time. Having more than one antivirus program installed at once is likely to cause conflicts and may well decrease your overall protection as well as impairing the performance of your PC.
• You should scan your computer with an AntiSpyware program like Malwarebytes' Anti-Malware on a regular basis just as you would an antivirus software.

Install HIPS based software

HIPS based software controls what an application is allowed to do and not allowed to do.
It monitors what each application tries to do, how it use the internet and give you the ability to block any suspicious activity occurring on your computer.
In my opinion the best way to prevent an unknown malware from gaining access is to use some HIPS programs (like COMODO, PrivateFirewall, Online Armor etc.) to control the access rights of legitimate applications, although this would only be advisable for experienced users...
However, you should be aware though that (if you install Comodo Firewall and not the whole package Comodo Internet Security) this is not an replacement for a standard antivirus application. It's a great tool to add another layer of protection to your existent antivirus application. It takes some time and knowledge to configure it for individual purposes but once done, you should not have a problems with it.
There are so many reviews on YouTube and blogs about all these programs.
Keep in mind to choose carefully in order to avoid conflicts or instability caused by incompatible security programs.
Also having more than one "real-time" program can be a drain on your PC's efficiency...

If you like Comodo you should choose for yourself which version of Comodo you will use 5 or 6. Personally I stick to version 5!
COMODO V5 & V6 Users Count Poll

Practice Safe Internet

One of the main reasons people get infected in the first place is that they are not practicing Safe Internet. You practice Safe Internet when you educate yourself on how to properly use the Internet through the use of security tools and good practice. Knowing how you can get infected and what types of files and sites to avoid will be the most crucial step in keeping your computer malware free. The reality is that the majority of people who are infected with malware are ones who click on things they shouldn't be clicking on. Whether these things are files or sites it doesn't really matter. If something is out to get you, and you click on it, it most likely will.  Below are a list of simple precautions to take to keep your computer clean and running securely:

• If you receive an attachment from someone you do not know, DO NOT OPEN IT! Simple as that.  Opening attachments from people you do not know is a very common method for viruses or worms to infect your computer.
• .exe, .com, .bat, .pif, .scr, .vb, .vbe, .vbs, .ws, .wsf, .shs, .hta, .jar, .js or .jse do not open the attachment unless you know for a fact that it is clean.  For the casual computer user, you will almost never receive a valid attachment of this type.
• If you receive an attachment from someone you know, and it looks suspicious, then it probably is.  The email could be from someone you know infected with a malware that is trying to infect everyone in their address book.
• If you are browsing the Internet and a popup appears saying that you are infected, ignore it!. These are, as far as I am concerned, scams that are being used to scare you into purchasing a piece of software. For an example of these types of popups, or Foistware, you should read this article:
Foistware, And how to avoid it. There are also programs that disguise themselves as Anti-Spyware or security products but are instead scams.  For a list of these types of programs we recommend you visit this link: About Malwares, Rogues, Scarewares, SmitfraudFix
• Another tactic to fool you on the web is when a site displays a popup that looks like a normal Windows message  or alert. When you click on them, though, they instead bring you to another site that is trying to push a product on you.  We suggest that you close these windows by clicking on the X instead of the OK button. Alternatively, you can check to see if it's a real alert by right-clicking on the window.  If there is a menu that comes up saying Add to Favorites... you know it's a fake.
• Do not go to adult sites. I know this may bother some of you, but the fact is that a large amount of malware is pushed through these types of sites. I am not saying all adult sites do this, but a lot do.
• When using an Instant Messaging program be cautious about clicking on links people send to you. It is not uncommon for infections to send a message to everyone in the infected person's contact list that contains a link to an infection. Instead when you receive a message that contains a link, message back to the person asking if it is legit before you click on it.
• Stay away from Warez and Crack sites! In addition to the obvious copyright issues, the downloads from these sites are typically overrun with infections. Avoid using cracks and unknown programs from sources you don't trust. There are MANY alternative open-source applications. Malware writers just love cracks and keygens, and will often attach malicious code into them. By using cracks and/or keygens, you are asking for problems. So my advice is - stay away from them!
• Be careful of what you download off of web sites and Peer-2-Peer networks. Some sites disguise malware as legitimate software to trick you into installing them and Peer-2-Peer networks are crawling with it. If you want to download a piece of software a from a site, and are not sure if they are legitimate, you can use McAfee Siteadvisor to look up info on the site. Note: skip this advice if your antivirus have a Web Guard.
• DO NOT INSTALL any software without first reading the End User License Agreement, otherwise known as the EULA. A tactic that some developers use is to offer their software for free, but have spyware and other programs you do not want bundled with it. This is where they make their money. By reading the agreement there is a good chance you can spot this and not install the software.

MOZILLA FIREFOX

To prevent further infections be sure to install the following add-ons NoScript and AdBlock Plus.

Adblock Plus can be found here.

NoScript is only for advanced users as it blocks all the interactive parts of a webpage, such as login options. Obviously you wouldn’t want to block your ability to log on to your internet banking or your webmail, but thankfully you can tell NoScript to allow certain websites and block others. This is very useful to ensure that the website you’re visiting is not trying to tempt you to interact with another, more dangerous website.

NoScript can be found here

If you like Google Chrome there are many similar extensions for this browser as well. Since I am not a Google Chrome user I can't tell you which of them are good and how they work. You should find out by yourself.

However Google Chrome can block a lot of unknown malware because of his sandbox.Beware of the fact that Google Chrome doesn't provide master password protection for your saved in the browser passwords. Check this out: Google Chrome security flaw offers unrestricted password access

For Internet Explorer 9/10 read the articles below:

Security and privacy features in Internet Explorer 9

Security in Internet Explorer 10

Immunize your browsers with SpywareBlaster 5 and Spybot Search and Destroy 1.6

Also MBAM acquired the following software Malwarebytes Anti-Exploit and it should work with the most popular browsers. Beware the product is in beta stage.

Disable the dangerous services you don't need and don't use like Remote Registy, Server, SSDP Discovery, RemoteAccess etc. (if you don't feel confortable to change the services configuration then please skip this step). It's a good idea to disable the autorun functionality using the following tool to prevent spreading of the infections from USB flash drives.

Make the extensions for known file types visible:

Be wary of files with a double extension such as jpg.exe. As a default setting, Windows often hides common file extensions, meaning that a program like image.jpg.exe will appear to you as simply image.jpg. Double extensions exploit this by hiding the second, dangerous extension and reassuring you with the first one.Check this out - Show or hide file name extensions.

Create an image of your system

• Now when your pc is malware free it is a good idea to do a backup of all important files just in case something happens it.
• Macrium Reflect is very good choice that enables you to create an image of your system drive which can be restored in case of problems.
• The tutorials can be found here.
• Be sure to read the tutorial first.

Optimize Windows 7 for better performance

Follow this list and your potential for being infected again will reduce dramatically.

Safe Surfing!

Cheers,
Georgi

##### Share on other sites

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

##### Share on other sites

This topic is now closed to further replies.
• ### Recently Browsing   0 members

×

• Back

• Blog
• #### Support

×
• Create New...