Jump to content

trojan horse that i cant find.


Recommended Posts

Welcome to the forum, please start HERE

Post back the 2 logs here.....DDS.txt and Attach.txt

(please don't put logs in code or quotes and use the default font)

General P2P/Piracy Warning:

1. If you're using Peer 2 Peer software such uTorrent, BitTorrent or similar you must either fully uninstall it or completely disable it from running while being assisted here.

Failure to remove or disable such software will result in your topic being closed and no further assistance being provided.

2. If you have illegal/cracked software, cracks, keygens, custom (Adobe) host file, etc. on the system, please remove or uninstall them now and read the policy on Piracy.

Failure to remove such software will result in your topic being closed and no further assistance being provided.

<====><====><====><====><====><====><====><====>

Next................

Please download and run RogueKiller 32 bit to your desktop.

RogueKiller<---use this one for 64 bit systems

Which system am I using?

Quit all running programs.

For Windows XP, double-click to start.

For Vista or Windows 7-8, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

Click Scan to scan the system.

When the scan completes > Close out the program > Don't Fix anything!

Don't run any other options, they're not all bad!!!!!!!

Post back the report which should be located on your desktop.

(please don't put logs in code or quotes and use the default font)

MrC

Note:

Please read all of my instructions completely including these.

Make sure system restore is turned on and running

Make sure you're subscribed to this topic: Click on the Follow This Topic Button (at the top right of this page), make sure that the Receive notification box is checked and that it is set to Instantly

Removing malware can be unpredictable...unlikely but things can go very wrong! Backup any files that cannot be replaced. You can copy them to a CD/DVD, external drive or a pen drive

<+>Please don't run any other scans, download, install or uninstall any programs while I'm working with you.

<+>The removal of malware isn't instantaneous, please be patient.

<+>When we are done, I'll give to instructions on how to cleanup all the tools and logs

<+>Please stick with me until I give you the "all clear" and Please don't waste my time by leaving before that.

------->Your topic will be closed if you haven't replied within 3 days!<--------

(If I don't respond within 24 hours, please send me a PM)

Link to post
Share on other sites

here are the two logs.

 

 

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 10.0.9200.16736
Run by sana at 12:50:46 on 2013-12-14
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.44.1033.18.1787.617 [GMT 0:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {641105E6-77ED-3F35-A304-765193BCB75F}
AV: Avira Desktop *Enabled/Updated* {F67B4DE5-C0B4-6C3F-0EFF-6C83BD5D0C2C}
SP: Avira Desktop *Enabled/Updated* {4D1AAC01-E68E-63B1-344F-57F1C6DA4691}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Microsoft Security Essentials *Enabled/Updated* {DF70E402-51D7-30BB-99B4-4D23E83BFDE2}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Windows\system32\atiesrxx.exe
C:\Windows\system32\atieclxx.exe
C:\Windows\system32\WLANExt.exe
C:\Windows\system32\conhost.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Windows\system32\taskhost.exe
C:\Program Files\Realtek\Audio\HDA\AERTSrv.exe
C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\AskPartnerNetwork\Toolbar\apnmcp.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Hewlett-Packard\Shared\HPDrvMntSvc.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Synaptics\Scrybe\Service\ScrybeUpdater.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Program Files\Avira\AntiVir Desktop\avwebg7.exe
c:\Program Files\Microsoft Security Client\NisSrv.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Realtek\Audio\HDA\RtkNGUI.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\AskPartnerNetwork\Toolbar\Updater\TBNotifier.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Synaptics\Scrybe\scrybe.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hewlett-Packard\HP Support Framework\hpsa_service.exe
C:\Program Files\Realtek\RtVOsd\RtVOsdService.exe
C:\Program Files\Realtek\RtVOsd\RtVOsd.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\MsSpellCheckingFacility.exe
C:\Program Files\Avira\AntiVir Desktop\avcenter.exe
C:\Program Files\Avira\AntiVir Desktop\avscan.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\SearchProtocolHost.exe
c:\Program Files\Microsoft Security Client\MpCmdRun.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
.
============== Pseudo HJT Report ===============
.

BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} -
BHO: Avira SearchFree Toolbar: {41564952-412D-5637-00A7-7A786E7484D7} -
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
TB: Avira SearchFree Toolbar: {41564952-412D-5637-00A7-7A786E7484D7} -
uRun: [Google Update] "c:\users\sana\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [AVG-Secure-Search-Update_0913b] c:\users\sana\appdata\roaming\avg 0913b campaign\AVG-Secure-Search-Update-0913b.exe /PROMPT --mid 22242d63f2b747d0b636a9e586b6f9a5-8ff115c5f4ba83852439df8769716decec4794ac --CMPID 0913b
mRun: [synTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [AMD AVT] Cmd.exe /c start "AMD Accelerated Video Transcoding device initialization" /min "c:\program files\amd avt\bin\kdbsync.exe" aml
mRun: [RTHDVCPL] c:\program files\realtek\audio\hda\RtkNGUI.exe -s
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [ApnTBMon] "c:\program files\askpartnernetwork\toolbar\updater\TBNotifier.exe"
dRunOnce: [sPReview] "c:\windows\system32\spreview\SPReview.exe" /sp:1 /errorfwlink:"http://go.microsoft.com/fwlink/?LinkID=122915" /build:7601
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\scrybe.lnk - c:\windows\installer\{147dfad8-34c3-4de1-9fca-acefde9ef810}\NewShortcut11_8ACB210B42E44145A8C31F8E3DD765A3.exe
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
TCP: NameServer = 192.168.1.1
TCP: Interfaces\{B058F6EE-9135-480E-B33F-D7577FA6DED4} : DHCPNameServer = 192.168.1.1
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} -
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll
SSODL: WebCheck - <orphaned>
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\sana\appdata\roaming\mozilla\firefox\profiles\t0bj6uuv.default\

FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.3.22.3\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre7\bin\dtplugin\npdeployJava1.dll
FF - plugin: c:\program files\java\jre7\bin\plugin2\npjp2.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\users\sana\appdata\local\google\update\1.3.22.3\npGoogleUpdate3.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_9_900_170.dll
FF - ExtSQL: 2013-10-23 19:44; toolbar_AVIRA-V7@apn.ask.com; c:\users\sana\appdata\roaming\mozilla\firefox\profiles\t0bj6uuv.default\extensions\toolbar_AVIRA-V7@apn.ask.com.xpi
.
============= SERVICES / DRIVERS ===============
.
R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2013-9-27 214696]
R1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [2013-12-13 37352]
R2 AERTFilters;Andrea RT Filters Service;c:\program files\realtek\audio\hda\AERTSrv.exe [2012-11-22 87968]
R2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2012-7-4 217088]
R2 AMD FUEL Service;AMD FUEL Service;c:\program files\ati technologies\ati.ace\fuel\Fuel.Service.exe [2012-7-4 291840]
R2 AntiVirSchedulerService;Avira Scheduler;c:\program files\avira\antivir desktop\sched.exe [2013-12-13 440376]
R2 AntiVirService;Avira Real-Time Protection;c:\program files\avira\antivir desktop\avguard.exe [2013-12-13 440376]
R2 AntiVirWebService;Avira Web Protection;c:\program files\avira\antivir desktop\avwebg7.exe [2013-12-13 1164360]
R2 AODDriver4.1;AODDriver4.1;c:\program files\ati technologies\ati.ace\fuel\i386\aoddriver2.sys [2012-3-5 45184]
R2 APNMCP;Ask Update Service;c:\program files\askpartnernetwork\toolbar\apnmcp.exe [2013-10-23 166352]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2013-12-13 90400]
R2 avnetflt;avnetflt;c:\windows\system32\drivers\avnetflt.sys [2013-12-13 67680]
R2 HP Support Assistant Service;HP Support Assistant Service;c:\program files\hewlett-packard\hp support framework\HPSA_Service.exe [2011-9-9 86072]
R2 HPDrvMntSvc.exe;HP Quick Synchronization Service;c:\program files\hewlett-packard\shared\HPDrvMntSvc.exe [2011-3-28 94264]
R2 MBAMScheduler;MBAMScheduler;c:\program files\malwarebytes' anti-malware\mbamscheduler.exe [2013-6-1 418376]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2013-6-1 701512]
R2 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2012-3-20 104768]
R2 RtVOsdService;RtVOsdService Installer;c:\program files\realtek\rtvosd\RtVOsdService.exe [2010-6-24 315392]
R2 ScrybeUpdater;Scrybe Updater;c:\program files\synaptics\scrybe\service\ScrybeUpdater.exe [2011-5-27 1300264]
R3 amdiox86;AMD IO Driver;c:\windows\system32\drivers\amdiox86.sys [2012-6-22 37944]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2013-6-1 22856]
R3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\NisSrv.exe [2013-10-23 280288]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2012-6-22 278560]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2012-7-5 52224]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2012-6-24 1343400]
SUnknown zugtrhme;zugtrhme; [x]
.
=============== Created Last 30 ================
.
2013-12-14 11:45:57 -------- d-----w- c:\programdata\Malwarebytes' Anti-Malware (portable)
2013-12-14 11:45:16 74456 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2013-12-14 11:26:07 104664 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
2013-12-14 04:38:52 -------- d-----w- C:\FRST
2013-12-13 22:18:58 -------- d-----w- c:\users\sana\appdata\local\Avg2013
2013-12-13 21:53:46 62576 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{b5d74456-a1e6-4df7-b6da-3ae8f4f9ddba}\offreg.dll
2013-12-13 19:57:04 -------- d-----w- C:\TDSSKiller_Quarantine
2013-12-13 16:49:51 -------- d-----w- c:\users\sana\appdata\roaming\Avira
2013-12-13 16:48:09 -------- d-----w- c:\programdata\AskPartnerNetwork
2013-12-13 16:48:08 -------- d-----w- c:\program files\AskPartnerNetwork
2013-12-13 16:45:13 -------- d-----w- c:\programdata\APN
2013-12-13 16:40:23 67680 ----a-w- c:\windows\system32\drivers\avnetflt.sys
2013-12-13 16:38:48 37352 ----a-w- c:\windows\system32\drivers\avkmgr.sys
2013-12-13 16:38:47 90400 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2013-12-13 16:38:05 -------- d-----w- c:\programdata\Avira
2013-12-13 16:38:05 -------- d-----w- c:\program files\Avira
2013-12-12 20:02:07 7772552 ------w- c:\programdata\microsoft\microsoft antimalware\definition updates\{b5d74456-a1e6-4df7-b6da-3ae8f4f9ddba}\mpengine.dll
2013-12-11 11:50:36 7772552 ------w- c:\programdata\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2013-12-10 19:00:38 -------- d-sh--w- C:\found.002
2013-12-08 19:26:33 -------- d-----w- c:\programdata\Oracle
2013-12-07 15:52:33 719224 ------w- c:\programdata\microsoft\microsoft antimalware\definition updates\{9e747e5e-b428-4a70-aac0-a7932b30b263}\gapaengine.dll
.
==================== Find3M  ====================
.
2013-11-19 10:21:30 230048 ------w- c:\windows\system32\MpSigStub.exe
2013-10-12 07:03:50 1767936 ----a-w- c:\windows\system32\wininet.dll
2013-10-12 07:02:33 2877952 ----a-w- c:\windows\system32\jscript9.dll
2013-10-12 07:02:29 61440 ----a-w- c:\windows\system32\iesetup.dll
2013-10-12 07:02:29 109056 ----a-w- c:\windows\system32\iesysprep.dll
2013-10-12 06:08:58 2706432 ----a-w- c:\windows\system32\mshtml.tlb
2013-10-12 05:15:39 71680 ----a-w- c:\windows\system32\RegisterIEPKEYs.exe
2013-10-12 02:03:08 656896 ----a-w- c:\windows\system32\nshwfp.dll
2013-10-12 02:01:41 679424 ----a-w- c:\windows\system32\IKEEXT.DLL
2013-10-12 02:01:25 216576 ----a-w- c:\windows\system32\FWPUCLNT.DLL
2013-10-05 19:57:25 1168384 ----a-w- c:\windows\system32\crypt32.dll
2013-10-03 01:58:07 305152 ----a-w- c:\windows\system32\gdi32.dll
2013-09-27 09:53:06 214696 ----a-w- c:\windows\system32\drivers\MpFilter.sys
2013-09-27 09:53:06 104768 ----a-w- c:\windows\system32\drivers\NisDrvWFP.sys
2013-09-25 02:01:08 136640 ----a-w- c:\windows\system32\drivers\ksecpkg.sys
2013-09-25 02:01:06 67520 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2013-09-25 01:57:46 99840 ----a-w- c:\windows\system32\sspicli.dll
2013-09-25 01:57:26 22016 ----a-w- c:\windows\system32\secur32.dll
2013-09-25 01:57:24 247808 ----a-w- c:\windows\system32\schannel.dll
2013-09-25 01:56:42 220160 ----a-w- c:\windows\system32\ncrypt.dll
2013-09-25 01:56:02 1038848 ----a-w- c:\windows\system32\lsasrv.dll
2013-09-25 00:49:20 22016 ----a-w- c:\windows\system32\lsass.exe
2013-09-25 00:49:18 15872 ----a-w- c:\windows\system32\sspisrv.dll
.
============= FINISH: 12:52:08.26 ===============

 

 

 

 

 

 

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2012-11-20.01)
.
Microsoft Windows 7 Home Premium
Boot Device: \Device\HarddiskVolume1
Install Date: 22/06/2012 19:49:38
System Uptime: 14/12/2013 11:10:23 (1 hours ago)
.
Motherboard: Hewlett-Packard |  | 1604
Processor: AMD V140 Processor | Socket S1G4 | 2300/200mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 74 GiB total, 50.616 GiB free.
D: is CDROM ()
E: is FIXED (NTFS) - 0 GiB total, 0.068 GiB free.
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
No restore point in system.
.
==== Installed Programs ======================
.
Adobe Reader X (10.1.3)
AMD Accelerated Video Transcoding
AMD APP SDK Runtime
AMD Catalyst Install Manager
AMD Drag and Drop Transcoding
AMD Fuel
AMD Media Foundation Decoders
AMD VISION Engine Control Center
Apple Application Support
Apple Mobile Device Support
Apple Software Update
AVG PC Tuneup
Avira Free Antivirus
Avira SearchFree Toolbar
Bonjour
Broadcom 802.11 Wireless LAN Adapter
Catalyst Control Center - Branding
Catalyst Control Center Graphics Previews Common
Catalyst Control Center InstallProxy
Catalyst Control Center Localization All
ccc-utility
CCC Help Chinese Standard
CCC Help Chinese Traditional
CCC Help Czech
CCC Help Danish
CCC Help Dutch
CCC Help English
CCC Help Finnish
CCC Help French
CCC Help German
CCC Help Greek
CCC Help Hungarian
CCC Help Italian
CCC Help Japanese
CCC Help Korean
CCC Help Norwegian
CCC Help Polish
CCC Help Portuguese
CCC Help Russian
CCC Help Spanish
CCC Help Swedish
CCC Help Thai
CCC Help Turkish
D3DX10
Driving Test Success - All Tests 2012 Edition
ESU for Microsoft Windows 7
Google Chrome
Google Earth Plug-in
Google Update Helper
Hewlett-Packard ACLM.NET v1.1.2.0
HP Advisor
HP Customer Experience Enhancements
HP Power Manager
HP Product Detection
HP Software Framework
HP Support Assistant
iTunes
JavaFX 2.1.1
Malwarebytes Anti-Malware version 1.75.0.1300
Microsoft .NET Framework 4 Client Profile
Microsoft .NET Framework 4 Extended
Microsoft Application Error Reporting
Microsoft Security Client
Microsoft Security Essentials
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219
Movie Maker
Mozilla Firefox 25.0.1 (x86 en-US)
Mozilla Maintenance Service
MSVCRT
MSVCRT110
Notepad++
Photo Common
Photo Gallery
Realtek Ethernet Controller Driver For Windows 7
Realtek High Definition Audio Driver
RtVOsd
Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2729449)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2736428)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2737019)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2742595)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2789642)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2804576)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2835393)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2840628)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2840628v2)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2858302v2)
Security Update for Microsoft .NET Framework 4 Extended (KB2487367)
Security Update for Microsoft .NET Framework 4 Extended (KB2656351)
Security Update for Microsoft .NET Framework 4 Extended (KB2736428)
Security Update for Microsoft .NET Framework 4 Extended (KB2742595)
Security Update for Microsoft .NET Framework 4 Extended (KB2858302v2)
Synaptics Gesture Suite featuring SYNAPTICS | Scrybe
Synaptics Pointing Device Driver
Windows Live Communications Platform
Windows Live Essentials
Windows Live ID Sign-in Assistant
Windows Live Installer
Windows Live Photo Common
Windows Live PIMT Platform
Windows Live SOXE
Windows Live SOXE Definitions
Windows Live UX Platform
Windows Live UX Platform Language Pack
.
==== Event Viewer Messages From Past Week ========
.
14/12/2013 11:25:54, Error: Microsoft Antimalware [2001]  - Microsoft Antimalware has encountered an error trying to update signatures.   New Signature Version:    Previous Signature Version: 1.163.1837.0   Update Source: Microsoft Update Server   Update Stage: Download   Source Path: http://www.microsoft.com   Signature Type: AntiVirus   Update Type: Full   User: NT AUTHORITY\SYSTEM   Current Engine Version:    Previous Engine Version: 1.1.10100.0   Error code: 0x80240022   Error description: The program can't check for definition updates.
14/12/2013 11:25:54, Error: Microsoft Antimalware [2001]  - Microsoft Antimalware has encountered an error trying to update signatures.   New Signature Version:    Previous Signature Version: 1.163.1837.0   Update Source: Microsoft Update Server   Update Stage: Download   Source Path: http://www.microsoft.com   Signature Type: AntiVirus   Update Type: Full   User: NT AUTHORITY\SYSTEM   Current Engine Version:    Previous Engine Version: 1.1.10100.0   Error code: 0x80240022   Error description: The program can't check for definition updates.
13/12/2013 21:35:55, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x80070643: Definition Update for Microsoft Security Essentials - KB2310138 (Definition 1.163.1923.0).
13/12/2013 21:30:58, Error: Microsoft Antimalware [2001]  - Microsoft Antimalware has encountered an error trying to update signatures.   New Signature Version:    Previous Signature Version: 1.163.1837.0   Update Source: Microsoft Update Server   Update Stage: Install   Source Path: http://www.microsoft.com   Signature Type: AntiVirus   Update Type: Full   User: NT AUTHORITY\SYSTEM   Current Engine Version:    Previous Engine Version: 1.1.10100.0   Error code: 0x80070643   Error description: Fatal error during installation.
13/12/2013 20:48:38, Error: Server [2505]  - The server could not bind to the transport \Device\NetBT_Tcpip_{B058F6EE-9135-480E-B33F-D7577FA6DED4} because another computer on the network has the same name.  The server could not start.
13/12/2013 20:48:38, Error: NetBT [4321]  - The name "SANA-PC        :20" could not be registered on the interface with IP address 192.168.1.11. The computer with the IP address 192.168.1.8 did not allow the name to be claimed by this computer.
13/12/2013 20:23:09, Error: Service Control Manager [7001]  - The Computer Browser service depends on the Server service which failed to start because of the following error:  The dependency service or group failed to start.
13/12/2013 20:22:27, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1084" attempting to start the service MSIServer with arguments "" in order to run the server: {000C101C-0000-0000-C000-000000000046}
13/12/2013 20:20:54, Error: Service Control Manager [7001]  - The HomeGroup Provider service depends on the Function Discovery Provider Host service which failed to start because of the following error:  The dependency service or group failed to start.
13/12/2013 20:20:53, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}
13/12/2013 20:20:52, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
13/12/2013 20:20:39, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
13/12/2013 20:20:23, Error: Microsoft-Windows-WLAN-AutoConfig [10000]  - WLAN Extensibility Module has failed to start. Module Path: C:\Windows\System32\bcmihvsrv.dll Error Code: 21
13/12/2013 20:20:21, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}
13/12/2013 20:20:19, Error: Service Control Manager [7026]  - The following boot-start or system-start driver(s) failed to load:  AVGIDSDriver AVGIDSShim Avgldx86 avipbb avkmgr discache MpFilter spldr ssmdrv Wanarpv6
13/12/2013 20:20:06, Error: Service Control Manager [7001]  - The Microsoft Network Inspection System service depends on the Microsoft Malware Protection Driver service which failed to start because of the following error:  A device attached to the system is not functioning.
13/12/2013 20:20:06, Error: Service Control Manager [7001]  - The AVGIDSAgent service depends on the AVGIDSDriver service which failed to start because of the following error:  A device attached to the system is not functioning.
13/12/2013 19:41:37, Error: Service Control Manager [7006]  - The ScRegSetValueExW call failed for FailureActions with the following error:  Access is denied.
13/12/2013 19:36:02, Error: Service Control Manager [7009]  - A timeout was reached (30000 milliseconds) while waiting for the Microsoft .NET Framework NGEN v4.0.30319_X86 service to connect.
13/12/2013 19:12:43, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1084" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
13/12/2013 19:12:12, Error: Service Control Manager [7001]  - The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error:  The dependency service or group failed to start.
13/12/2013 19:12:03, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1068" attempting to start the service netprofm with arguments "" in order to run the server: {A47979D2-C419-11D9-A5B4-001185AD2B89}
13/12/2013 19:12:03, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1068" attempting to start the service netman with arguments "" in order to run the server: {BA126AD1-2166-11D1-B1D0-00805FC1270E}
13/12/2013 19:11:19, Error: Service Control Manager [7026]  - The following boot-start or system-start driver(s) failed to load:  AFD AVGIDSDriver AVGIDSShim Avgldx86 Avgtdix avipbb avkmgr DfsC discache MpFilter NetBIOS NetBT nsiproxy Psched rdbss spldr ssmdrv tdx vwififlt Wanarpv6 WfpLwf
13/12/2013 19:11:18, Error: Service Control Manager [7001]  - The Workstation service depends on the Network Store Interface Service service which failed to start because of the following error:  The dependency service or group failed to start.
13/12/2013 19:11:18, Error: Service Control Manager [7001]  - The TCP/IP NetBIOS Helper service depends on the Ancillary Function Driver for Winsock service which failed to start because of the following error:  A device attached to the system is not functioning.
13/12/2013 19:11:18, Error: Service Control Manager [7001]  - The SMB MiniRedirector Wrapper and Engine service depends on the Redirected Buffering Sub Sysytem service which failed to start because of the following error:  A device attached to the system is not functioning.
13/12/2013 19:11:18, Error: Service Control Manager [7001]  - The SMB 2.0 MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error:  The dependency service or group failed to start.
13/12/2013 19:11:18, Error: Service Control Manager [7001]  - The SMB 1.x MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error:  The dependency service or group failed to start.
13/12/2013 19:11:18, Error: Service Control Manager [7001]  - The Network Store Interface Service service depends on the NSI proxy service driver. service which failed to start because of the following error:  A device attached to the system is not functioning.
13/12/2013 19:11:18, Error: Service Control Manager [7001]  - The Network Location Awareness service depends on the Network Store Interface Service service which failed to start because of the following error:  The dependency service or group failed to start.
13/12/2013 19:11:18, Error: Service Control Manager [7001]  - The IP Helper service depends on the Network Store Interface Service service which failed to start because of the following error:  The dependency service or group failed to start.
13/12/2013 19:11:18, Error: Service Control Manager [7001]  - The DNS Client service depends on the NetIO Legacy TDI Support Driver service which failed to start because of the following error:  A device attached to the system is not functioning.
13/12/2013 19:11:18, Error: Service Control Manager [7001]  - The DHCP Client service depends on the Ancillary Function Driver for Winsock service which failed to start because of the following error:  A device attached to the system is not functioning.
13/12/2013 16:53:03, Error: Service Control Manager [7031]  - The Avira Web Protection service terminated unexpectedly.  It has done this 2 time(s).  The following corrective action will be taken in 0 milliseconds: Restart the service.
13/12/2013 16:51:32, Error: Service Control Manager [7031]  - The Avira Web Protection service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 0 milliseconds: Restart the service.
13/12/2013 16:43:44, Error: Service Control Manager [7022]  - The Google Update Service (gupdate) service hung on starting.
13/12/2013 16:22:17, Error: Service Control Manager [7026]  - The following boot-start or system-start driver(s) failed to load:  AFD AVGIDSDriver AVGIDSShim Avgldx86 Avgtdix DfsC discache MpFilter NetBIOS NetBT nsiproxy Psched rdbss spldr tdx vwififlt Wanarpv6 WfpLwf
13/12/2013 01:48:03, Error: Microsoft Antimalware [1119]  - Microsoft Antimalware has encountered a critical error when taking action on malware or other potentially unwanted software.  For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=Backdoor:Win32/Caphaw.AA&threatid=2147684110   Name: Backdoor:Win32/Caphaw.AA   ID: 2147684110   Severity: Severe   Category: Backdoor   Path: file:_C:\Users\sana\AppData\Roaming\OpenOffice\4\user\config\soffice.cfg\modules\swriter\images\Bitmaps\ROUTE.EXE   Detection Origin: Local machine   Detection Type: Concrete   Detection Source: Real-Time Protection   User: NT AUTHORITY\SYSTEM   Process Name: C:\Windows\explorer.exe   Action: Quarantine   Action Status:  No additional actions required   Error Code: 0x80070021   Error description: The process cannot access the file because another process has locked a portion of the file.    Signature Version: AV: 1.163.1837.0, AS: 1.163.1837.0, NIS: 109.61.0.0   Engine Version: AM: 1.1.10100.0, NIS: 2.1.10003.0
12/12/2013 22:32:32, Error: Microsoft Antimalware [1119]  - Microsoft Antimalware has encountered a critical error when taking action on malware or other potentially unwanted software.  For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=Backdoor:Win32/Caphaw.AA&threatid=2147684110   Name: Backdoor:Win32/Caphaw.AA   ID: 2147684110   Severity: Severe   Category: Backdoor   Path: file:_C:\Users\sana\AppData\Roaming\Apple Computer\SyncServices\Local\autoconv.exe   Detection Origin: Local machine   Detection Type: Concrete   Detection Source: Real-Time Protection   User: NT AUTHORITY\SYSTEM   Process Name: C:\PROGRA~1\AVG\AVG2013\avgrsx.exe   Action: Quarantine   Action Status:  No additional actions required   Error Code: 0x80070021   Error description: The process cannot access the file because another process has locked a portion of the file.    Signature Version: AV: 1.163.1837.0, AS: 1.163.1837.0, NIS: 109.61.0.0   Engine Version: AM: 1.1.10100.0, NIS: 2.1.10003.0
12/12/2013 21:29:16, Error: Microsoft Antimalware [1119]  - Microsoft Antimalware has encountered a critical error when taking action on malware or other potentially unwanted software.  For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=Backdoor:Win32/Caphaw.AA&threatid=2147684110   Name: Backdoor:Win32/Caphaw.AA   ID: 2147684110   Severity: Severe   Category: Backdoor   Path: file:_C:\Users\sana\AppData\Roaming\OpenOffice\4\user\database\biblio\mstsc.exe   Detection Origin: Local machine   Detection Type: Concrete   Detection Source: Real-Time Protection   User: NT AUTHORITY\SYSTEM   Process Name: C:\PROGRA~1\AVG\AVG2013\avgrsx.exe   Action: Quarantine   Action Status:  No additional actions required   Error Code: 0x80070021   Error description: The process cannot access the file because another process has locked a portion of the file.    Signature Version: AV: 1.163.1837.0, AS: 1.163.1837.0, NIS: 109.61.0.0   Engine Version: AM: 1.1.10100.0, NIS: 2.1.10003.0
11/12/2013 21:39:25, Error: NetBT [4321]  - The name "SANA-PC        :20" could not be registered on the interface with IP address 192.168.1.11. The computer with the IP address 192.168.1.3 did not allow the name to be claimed by this computer.
11/12/2013 21:39:25, Error: NetBT [4321]  - The name "SANA-PC        :0" could not be registered on the interface with IP address 192.168.1.11. The computer with the IP address 192.168.1.3 did not allow the name to be claimed by this computer.
11/12/2013 21:39:19, Error: Service Control Manager [7011]  - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the Wlansvc service.
11/12/2013 12:44:45, Error: Service Control Manager [7034]  - The Scrybe Updater service terminated unexpectedly.  It has done this 1 time(s).
10/12/2013 19:14:19, Error: Service Control Manager [7022]  - The Windows Update service hung on starting.
10/12/2013 19:08:43, Error: Service Control Manager [7009]  - A timeout was reached (30000 milliseconds) while waiting for the HP Support Assistant Service service to connect.
10/12/2013 19:08:43, Error: Service Control Manager [7000]  - The HP Support Assistant Service service failed to start due to the following error:  The service did not respond to the start or control request in a timely fashion.
.
==== End Of File ===========================

 

Link to post
Share on other sites

here is the log from rogue killer.

 

 

 

 

RogueKiller V8.7.11 [Dec  3 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.adlice.com/forum/
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 7 (6.1.7601 Service Pack 1) 32 bits version
Started in : Normal mode
User : sana [Admin rights]
Mode : Scan -- Date : 12/14/2013 13:00:08
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 4 ¤¤¤
[RUN][sUSP PATH] HKCU\[...]\Run : AVG-Secure-Search-Update_0913b (C:\Users\sana\AppData\Roaming\AVG 0913b Campaign\AVG-Secure-Search-Update-0913b.exe /PROMPT --mid 22242d63f2b747d0b636a9e586b6f9a5-8ff115c5f4ba83852439df8769716decec4794ac --CMPID 0913b [-][x][x]) -> FOUND
[RUN][sUSP PATH] HKUS\S-1-5-21-2838957069-480308185-38827263-1000\[...]\Run : AVG-Secure-Search-Update_0913b (C:\Users\sana\AppData\Roaming\AVG 0913b Campaign\AVG-Secure-Search-Update-0913b.exe /PROMPT --mid 22242d63f2b747d0b636a9e586b6f9a5-8ff115c5f4ba83852439df8769716decec4794ac --CMPID 0913b [-][x][x]) -> FOUND
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Scheduled tasks : 0 ¤¤¤

¤¤¤ Startup Entries : 0 ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤
[Address] SSDT[84] : NtCreateSection @ 0x82E3612D -> HOOKED (Unknown @ 0x91DC139E)
[Address] SSDT[299] : NtRequestWaitReplyPort @ 0x82E50B12 -> HOOKED (Unknown @ 0x91DC13A8)
[Address] SSDT[316] : NtSetContextThread @ 0x82EF089F -> HOOKED (Unknown @ 0x91DC13A3)
[Address] SSDT[347] : NtSetSecurityObject @ 0x82E147F3 -> HOOKED (Unknown @ 0x91DC13AD)
[Address] SSDT[368] : NtSystemDebugControl @ 0x82E987DA -> HOOKED (Unknown @ 0x91DC13B2)
[Address] SSDT[370] : NtTerminateProcess @ 0x82E6DD76 -> HOOKED (Unknown @ 0x91DC133F)
[Address] Shadow SSDT[585] : NtUserSetWindowsHookEx -> HOOKED (Unknown @ 0x91DC13C6)
[Address] Shadow SSDT[588] : NtUserSetWinEventHook -> HOOKED (Unknown @ 0x91DC13CB)
[Address] IAT @iexplore.exe (GetProcAddress) : KERNEL32.dll -> HOOKED (C:\Program Files\Internet Explorer\IEShims.dll @ 0x6D341E4B)
[Address] IAT @iexplore.exe (RegGetValueW) : api-ms-win-downlevel-advapi32-l1-1-0.dll -> HOOKED (C:\Windows\system32\advapi32.DLL @ 0x75AA0E47)
[Address] IAT @iexplore.exe (RegOpenKeyExW) : api-ms-win-downlevel-advapi32-l1-1-0.dll -> HOOKED (C:\Windows\system32\advapi32.DLL @ 0x75AA468D)
[Address] IAT @iexplore.exe (RegCloseKey) : api-ms-win-downlevel-advapi32-l1-1-0.dll -> HOOKED (C:\Windows\system32\advapi32.DLL @ 0x75AA469D)
[Address] IAT @iexplore.exe (RegQueryValueExW) : api-ms-win-downlevel-advapi32-l1-1-0.dll -> HOOKED (C:\Windows\system32\advapi32.DLL @ 0x75AA46AD)
[Address] IAT @iexplore.exe (StrStrIW) : api-ms-win-downlevel-shlwapi-l1-1-0.dll -> HOOKED (C:\Windows\system32\shlwapi.DLL @ 0x76A446E9)
[Address] IAT @iexplore.exe (GetProcAddress) : KERNEL32.dll -> HOOKED (C:\Program Files\Internet Explorer\IEShims.dll @ 0x6D341E4B)
[Address] IAT @iexplore.exe (RegGetValueW) : api-ms-win-downlevel-advapi32-l1-1-0.dll -> HOOKED (C:\Windows\system32\advapi32.DLL @ 0x75AA0E47)
[Address] IAT @iexplore.exe (RegOpenKeyExW) : api-ms-win-downlevel-advapi32-l1-1-0.dll -> HOOKED (C:\Windows\system32\advapi32.DLL @ 0x75AA468D)
[Address] IAT @iexplore.exe (RegCloseKey) : api-ms-win-downlevel-advapi32-l1-1-0.dll -> HOOKED (C:\Windows\system32\advapi32.DLL @ 0x75AA469D)
[Address] IAT @iexplore.exe (RegQueryValueExW) : api-ms-win-downlevel-advapi32-l1-1-0.dll -> HOOKED (C:\Windows\system32\advapi32.DLL @ 0x75AA46AD)
[Address] IAT @iexplore.exe (StrStrIW) : api-ms-win-downlevel-shlwapi-l1-1-0.dll -> HOOKED (C:\Windows\system32\shlwapi.DLL @ 0x76A446E9)
[Address] IAT @iexplore.exe (GetProcAddress) : KERNEL32.dll -> HOOKED (C:\Program Files\Internet Explorer\IEShims.dll @ 0x6D341E4B)
[Address] IAT @iexplore.exe (RegGetValueW) : api-ms-win-downlevel-advapi32-l1-1-0.dll -> HOOKED (C:\Windows\system32\advapi32.DLL @ 0x75AA0E47)
[Address] IAT @iexplore.exe (RegOpenKeyExW) : api-ms-win-downlevel-advapi32-l1-1-0.dll -> HOOKED (C:\Windows\system32\advapi32.DLL @ 0x75AA468D)
[Address] IAT @iexplore.exe (RegCloseKey) : api-ms-win-downlevel-advapi32-l1-1-0.dll -> HOOKED (C:\Windows\system32\advapi32.DLL @ 0x75AA469D)
[Address] IAT @iexplore.exe (RegQueryValueExW) : api-ms-win-downlevel-advapi32-l1-1-0.dll -> HOOKED (C:\Windows\system32\advapi32.DLL @ 0x75AA46AD)
[Address] IAT @iexplore.exe (StrStrIW) : api-ms-win-downlevel-shlwapi-l1-1-0.dll -> HOOKED (C:\Windows\system32\shlwapi.DLL @ 0x76A446E9)

¤¤¤ External Hives: ¤¤¤

¤¤¤ Infection :  ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts

 

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ IDE) ST98823AS ATA Device +++++
--- User ---
[MBR] 82017585dcaeea740f924daa21ac0140
[bSP] 10818847f2363fda626a011138e03188 : Windows 7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 76217 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[0]_S_12142013_130008.txt >>

 

 

Link to post
Share on other sites

Not much showing, lets run some scans.

First:

Download Malwarebytes Anti-Rootkit from HERE

  • Unzip the contents to a folder in a convenient location.
  • Open the folder where the contents were unzipped and run mbar.exe
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
  • Wait while the system shuts down and the cleanup process is performed.
  • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  • When done, please post the two logs produced they will be in the MBAR folder..... mbar-log.txt and system-log.txt
To attach a log if needed:

Bottom right corner of this page.

reply1.jpg

New window that comes up.

replyer1.jpg

~~~~~~~~~~~~~~~~~~~~~~~

Note:

If no additional threats were found, verify that your system is now running normally, making sure that the following items are functional:

Internet access

Windows Update

Windows Firewall

If there are additional problems with your system, such as any of those listed above or other system issues, then run the fixdamage tool included with Malwarebytes Anti-Rootkit and reboot. It's located in the Plugins folder which is in the MBAR folder.

Just run fixdamage.exe.

Verify that they are now functioning normally.

MrC

Link to post
Share on other sites

Next:

Please download and run ComboFix.

The most important things to remember when running it is to disable all your malware programs and run Combofix from your desktop.

Please visit this webpage for download links, and instructions for running ComboFix

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please make sure you click download buttons that look similar to this, not "sponsored ad links":

bleep-crop.jpg

Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Information on disabling your malware programs can be found Here.

Make sure you run ComboFix from your desktop.

Give it at least 30-45 minutes to finish if needed.

Please include the C:\ComboFix.txt in your next reply for further review.

---------->NOTE<----------

If you get the message Illegal operation attempted on registry key that has been marked for deletion after you run ComboFix....please reboot the computer, this should resolve the problem. You may have to do this several times if needed.

MrC

Link to post
Share on other sites

Did you enable your anti-virus program???

Using ComboFix......

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

4. If ComboFix wants to update.....please allow it to.

File::

c:\windows\system32\drivers\bbrscczg.sys

c:\windows\system32\drivers\bcglrlod.sys

c:\windows\system32\drivers\cecifwmy.sys

c:\windows\system32\drivers\cllhsupk.sys

c:\windows\system32\drivers\dupkoaez.sys

c:\windows\system32\drivers\dxzdetrx.sys

c:\windows\system32\drivers\etfyigpv.sys

c:\windows\system32\drivers\fhdfzmqz.sys

c:\windows\system32\drivers\glfqktaf.sys

c:\windows\system32\drivers\hnruqtrk.sys

c:\windows\system32\drivers\hrxjitsu.sys

c:\windows\system32\drivers\ifiycnhc.sys

c:\windows\system32\drivers\jxdmmtrr.sys

c:\windows\system32\drivers\kegweohb.sys

c:\windows\system32\drivers\lztsqwxz.sys

c:\windows\system32\drivers\nvpludir.sys

c:\windows\system32\drivers\ogdjqhrp.sys

c:\windows\system32\drivers\qcnjtaxo.sys

c:\windows\system32\drivers\qnwmhmbn.sys

c:\windows\system32\drivers\rkqigpqp.sys

c:\windows\system32\drivers\rkzohsmp.sys

c:\windows\system32\drivers\shlunwdb.sys

c:\windows\system32\drivers\uwxghkir.sys

c:\windows\system32\drivers\uzhqujka.sys

c:\windows\system32\drivers\vtjxlwdo.sys

c:\windows\system32\drivers\vwspyjsp.sys

c:\windows\system32\drivers\xytfsbsn.sys

c:\windows\system32\drivers\zayxivou.sys

c:\windows\system32\drivers\zgivcqda.sys

c:\windows\system32\drivers\zmciasbt.sys

c:\windows\system32\drivers\zqdfcijl.sys

c:\windows\system32\drivers\zrbygtpn.sys

Driver::

bbrscczg

bcglrlod

cecifwmy

cllhsupk

dupkoaez

dxzdetrx

etfyigpv

fhdfzmqz

glfqktaf

hnruqtrk

hrxjitsu

ifiycnhc

jxdmmtrr

kegweohb

lztsqwxz

nvpludir

ogdjqhrp

qcnjtaxo

qnwmhmbn

rkqigpqp

rkzohsmp

shlunwdb

uwxghkir

uzhqujka

vtjxlwdo

vwspyjsp

xytfsbsn

zayxivou

zgivcqda

zmciasbt

zqdfcijl

zrbygtpn

ClearJavaCache::

Save this as CFScript.txt, in the same location as ComboFix.exe

CFScript.gif

Refering to the picture above, drag CFScript into ComboFix.exe

CAUTION: Do not mouse-click ComboFix while it is running. It may cause it to stall.

After reboot, (in case it asks to reboot)......

Please provide the contents of the ComboFix log (C:\ComboFix.txt) in your next reply.

MrC

Link to post
Share on other sites

Looks better.....next:

Download aswMBR to your desktop.

http://public.avast.com/~gmerek/aswMBR.exe

Double click the aswMBR.exe to run it.

If you see this question: Would you like to download latest Avast! virus definitions?" say "Yes".

Click the "Scan" button to start scan.

On completion of the scan click "Save log", save it to your desktop and post in your next reply.

MrC

Link to post
Share on other sites

Lets clean out any adware/spyware now: (this will require a reboot so save all your work)

Please download AdwCleaner by Xplode and save to your Desktop.

Make sure you click on download buttons that look similar to this, not "sponsored ad links":

bleep-crop.jpg

  • Double click on AdwCleaner.exe to run the tool.

    Vista/Windows 7/8 users right-click and select Run As Administrator

  • Click on the Scan button.
  • AdwCleaner will begin...be patient as the scan may take some time to complete.
  • When it's done you'll see: Pending: Please uncheck elements you don't want removed.
  • Now click on the Report button...a logfile (AdwCleaner[R0].txt) will open in Notepad for review.
  • Look over the log especially under Files/Folders for any program you want to save.
  • If there's a program you may want to save, just uncheck it from AdwCleaner.
  • If you're not sure, post the log for review. (all items found are adware/spyware/foistware)
  • If you're ready to clean it all up.....click the Clean button.
  • After rebooting, a logfile report (AdwCleaner[s0].txt) will open automatically.
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of that logfile will also be saved in the C:\AdwCleaner folder.
  • Items that are deleted are moved to the Quarantine Folder: C:\AdwCleaner\Quarantine
  • To restore an item that has been deleted:
  • Go to Tools > Quarantine Manager > check what you want restored > now click on Restore.
Then..................

Open up Malwarebytes > Settings Tab > Scanner Settings > Under action for PUP > Select: Show in Results List and Check for removal.

Please Update and run a Full Scan with Malwarebytes Anti-Malware, post the report.

Make sure that everything is checked, and click Remove Selected.

Please let me know how computer is running now, MrC

Link to post
Share on other sites

Didn't you notice all the drivers bad in this post:

https://forums.malwarebytes.org/index.php?showtopic=138333&p=764362

---------------------------------

Lets check your computers security before you go and we have a little cleanup to do also:

Download Security Check by screen317 from HERE or HERE.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • If you get Unsupported operating system. Aborting now, just reboot and try again.
  • A Notepad document should open automatically called checkup.txt.
  • Please Post the contents of that document.
  • Do Not Attach It!!!
MrC
Link to post
Share on other sites

here is the security check log

 

 Results of screen317's Security Check version 0.99.77 
 Windows 7 Service Pack 1 x86 (UAC is enabled) 
 Internet Explorer 10 Out of date!
``````````````Antivirus/Firewall Check:``````````````
 Windows Firewall Enabled! 
Microsoft Security Essentials  
Avira Desktop                  
 Antivirus up to date!  (On Access scanning disabled!)
`````````Anti-malware/Other Utilities Check:`````````
 Malwarebytes Anti-Malware version 1.75.0.1300 
 AVG PC Tuneup  
 JavaFX 2.1.1   
 Java version out of Date!
 Adobe Flash Player  11.9.900.170 
 Adobe Reader 10.1.3 Adobe Reader out of Date! 
 Mozilla Firefox (25.0.1)
 Google Chrome 31.0.1650.57 
 Google Chrome 31.0.1650.63 
````````Process Check: objlist.exe by Laurent```````` 
 Microsoft Security Essentials MSMpEng.exe
 Microsoft Security Essentials msseces.exe
 Malwarebytes Anti-Malware mbamservice.exe 
 Malwarebytes Anti-Malware mbamgui.exe 
 Avira Antivir avgnt.exe
 Avira Antivir avguard.exe
 Malwarebytes' Anti-Malware mbamscheduler.exe  
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C: 6%
````````````````````End of Log``````````````````````
 

Link to post
Share on other sites

Out dated programs on the system are vulnerable to malware.
Please update or uninstall them:


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

JavaFX 2.1.1 <---please uninstall from your add/remove programs
Java version out of Date! <-------Download and install the latest version (Java™ 7 Update 45) from Here. Uncheck the box to install the Ask toolbar!!! and any other free "stuff".

------------------------------------------


Adobe Reader 10.1.3 Adobe Reader out of Date! <---please check for an update if available or uninstall and download and install Foxit Reader which is less vulnerable to malware and much better than Adobe. Don't install any toolbars that may come with it (ASK Toolbar).

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~`

A little clean up to do....

Please Uninstall ComboFix: (if you used it)

Press the Windows logo key + R to bring up the "run box"

Copy and paste next command in the field:

ComboFix /uninstall

Make sure there's a space between Combofix and /

cf2.jpg

Then hit enter.
This will uninstall Combofix, delete its related folders and files, hide file extensions, hide the system/hidden files and clears System Restore cache and create new Restore point

(If that doesn't work.....you can simply rename ComboFix.exe to Uninstall.exe and double click it to complete the uninstall or download and run the uninstaller)

---------------------------------

Please download OTC to your desktop. (This will clean up most of the tools and logs)
http://oldtimer.geekstogo.com/OTC.exe

Double-click OTC to run it. (Vista and up users, please right click on OTC and select "Run as an Administrator")
Click on the CleanUp! button and follow the prompts.
(If you get a warning from your firewall or other security programs regarding OTC attempting to contact the Internet, please allow the connection.)
You will be asked to reboot the machine to finish the Cleanup process, choose Yes.
After the reboot all the tools we used should be gone.
Note: Some more recently created tools may not yet be removed by OTC. Feel free to manually delete any tools it leaves behind.

Any other programs or logs you can manually delete. (right click.....Delete)
IE: RogueKiller.exe, RKreport.txt, RK_Quarantine folder, C:\FRST, MBAR, etc....AdwCleaner > just run the program and click uninstall.

Note:
If you used FRST and can't delete the quarantine folder:
Download the fixlist.txt to the same folder as FRST.exe.
Run FRST.exe and click Fix only once and wait
That will delete the quarantine folder created by FRST.
The rest you can manually delete.

-------------------------------

Any questions...please post back.

If you think I've helped you, please leave a comment > click on my avatar picture > click Profile Feed.

Take a look at My Preventive Maintenance to avoid being infected again.

Good Luck and Thanks for using the forum, MrC

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.