
Think I have a challenge, suspected undetectable rootkit.


Lodder

Hello there at Malwarebytes,

 

I am trying to get rid of an intrusion on my home network for over a week now.

The (3) machines have strange symptoms, like Process Explorer reverting back to Windows taskmon, sudden crashes or stuttering while playing games, and one system suddenly wouldn't boot anymore and was missing the 100MB system partition.

Event logs showed all kinds of fishy stuff, with system files changing owner and all that.

Also I saw all kinds of connections going out to unresolvable IP addresses while no programs that would need them were running.

For now I am trying to get my main system up and clean, so as to start from there to clean the rest.

I made a post on Bleeping Computer on the 18th of December, but until now I have only been assisted by the helpbot; can't blame them I guess, since it's that time of the year you spend your time at home with the family the most.

I tried several new installs, but every time came up with fishy symptoms and anti-rootkit tools telling me things ain't right, for instance aswMBR telling me about irp_mj_create, or GMER crashing or just not running at all, but no actual naming of some known virus or rootkit.

Scans by various tools usually show nothing, except one time when I left a newly installed system on and unattended for a day; then a scan found all kinds of malware like ransomware, redirects, banking and the like.

Since then I did several Windows 7 reinstalls on my main system, trying to find when and how the intrusion takes place.

Below I quoted my latest addition to the Bleeping Computer post; maybe a bit much to read, but it will give you an idea of where I am at if you care to read :)

Also pasted the DDS output. By the time you read this I will probably have tried another time to install a clean system and the DDS will be outdated, but still.

I have been a Unix system engineer in the past and am familiar with the basics of computing and networking; I just do not know Microsoft products well.

 

Thanks in advance for your time and advice!

 

Best regards,

 

Serge
Well, here's another update, if you care to read!

I reinstalled Win7 again; this time I uninstalled a lot of bloat like Media Center and other stuff, since I suspected it was being exploited, looking at the network traffic from installations I did before, where I could see lots of fishy stuff going on, like ownership of system files being changed and a lot of other activity in the event log that was not done by me when I left the system on unattended during Xmas, sort of as a honeypot.
Before going online to run Windows Update I disabled all non-mandatory services as listed on Black Viper's site, so as to leave as few ways as possible to attack the system, and configured the network adapter manually with a static IP, gateway and DNS servers; I also disabled IPv6, Client for Microsoft Networks, File and Printer Sharing and NetBIOS.
Disabled the Server service as well, all this resulting in no active UDP ports at all and very few open TCP ports (the ESET firewall's packet inspection had told me before that my system was sending invalid UDP packets to the home network).
Then I removed all the pre-configured allow rules in the Windows Firewall.
I also made very sure no other systems were active on my home network, except for my iPhone, and that nothing connected to the system at all, like USB drives or the like.
I flashed the mainboard BIOS with a new image from a cold boot off a CD and cleared the RTC.
Installed Win7 from the original MS DVD on the SSD, which before that I cleaned with diskpart, converting between MBR and GPT, using cold boots with cleared RTC in the BIOS from the Win7 DVD in between.
Running Windows Update this time showed different servers in netstat, actually servers that were resolvable and not some unknown IP address like before, so that looked good, except maybe for the fact that the very first update I ran took about 2 minutes before it actually started downloading.
For the rest all went smoothly until the SP1 update; it finished really fast and I saw no connections being made at all in netstat.
On the required restart it did put me through 3 restarts as usual though, so maybe I am just paranoid by now and it was already pre-downloaded.
Then after the Internet Explorer 10 update I got a prompt to install the new Windows updater again, the same one that is required at the very start of running Windows Update; I found this odd, but it gave me no other option, so I proceeded.
Then, in the round of updates after that, my keyboard and mouse did not come up on the welcome screen, so I reset the computer.
On the next boot they worked again, but only after a long delay, going on and off on the welcome screen.
Had a look at the event log and noticed USB drivers were updated, but this did not happen the other times I installed the system this week, so I remained suspicious and did a System Restore to before the Internet Explorer 10 update round.
This rendered the system unusable, as when the USB drivers were loaded just before the welcome screen the system crashed and rebooted. Tried a repair and nothing to repair was found.
Then I remembered which USB drivers were updated, booted from the Win7 DVD and copied the original ones over to the system.
This worked, the system would run again, and I decided to try restoring to an earlier point with System Restore, but from that point on System Restore would in the end tell me the restore did not succeed, while as far as I could see it actually did restore the USB drivers to a version in between the original drivers from the DVD and the latest ones that started the trouble.
Windows Update was telling me it would go on with Internet Explorer 11 though, so apparently the restore didn't work properly indeed.
I used System Restore once more to undo the initial restore, since it provided that option, and went back to the newest restore point, and that seemed to go well; the problems with the USB drivers did not come up this time, and looking at the drivers they were indeed the latest ones installed, the ones that gave problems before.
So now I ran Windows Update once again to finalize the updates, but it required me to update the update service again... odd...
So I did, ran some more updates, and after two rounds of rebooting it would tell me to run an update on the Windows Update service itself AGAIN (that's three times total, the same update, with the same name and version number...).
This went fine, BUT then I ran aswMBR; it gave me initializing error 1 and would scan within 2 seconds and tell me all is fine... Bitdefender also tells me all is well within 1 second!
I ran GMER and it told me windows\system32\config\system was in use by another process, right at start in a pop-up box, and it would crash once I ran it.
Then I ran McAfee antiroot and it would tell me all is fine within 2-3 seconds... I ran catchme and it told me it cannot find c:\...
I ran TDSSKiller and it would run fine, giving a green light, and the same for Sophos, MBAM, MBAR, HitmanPro and Windows Defender.
Still I am not even close to convinced the system is clean, considering the problems with GMER, McAfee, Bitdefender and catchme.
And of course it's the time of the year you lot at Bleeping are spending more time away from work, so yeah, I guess I'll go for another reinstall.
I am beginning to suspect my mainboard BIOS somehow is infected in a way that cannot be cleared by reflashing and resetting the RTC though.
Or I am just paranoid by now and my system actually is clean, as I am also told by scans from various tools.
Just GMER, aswMBR, Bitdefender and catchme keep me suspicious :/
By the way, merry days in between Xmas and New Year to you!
DDS (Ver_2012-11-20.01) - NTFS_AMD64 
Internet Explorer: 11.0.9600.16428
Run by l0lcat at 5:07:42 on 2013-12-28
Microsoft Windows 7 Ultimate   6.1.7601.1.1252.1.1043.18.8159.6595 [GMT 1:00]
.
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Program Files\HitmanPro\hmpsched.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\System32\svchost.exe -k NetworkService
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\taskhost.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\system32\sppsvc.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Windows\system32\taskmgr.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
mWinlogon: Userinit = userinit.exe
dRunOnce: [sPReview] "C:\Windows\System32\SPReview\SPReview.exe" /sp:1 /errorfwlink:"http://go.microsoft.com/fwlink/?LinkID=122915" /build:7601
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-Explorer: NoActiveDesktopChanges = dword:1
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
TCP: Interfaces\{BC65745C-7825-449E-97D2-B0031A564046} : NameServer = 208.67.222.222,208.67.220.220
SSODL: WebCheck - <orphaned>
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "C:\Program Files (x86)\Google\Chrome\Application\31.0.1650.63\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
x64-SSODL: WebCheck - <orphaned>
.
============= SERVICES / DRIVERS ===============
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2013-9-11 105144]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2013-9-11 124088]
R2 HitmanProScheduler;HitmanPro Scheduler;C:\Program Files\HitmanPro\hmpsched.exe [2013-12-28 109352]
R2 MBAMScheduler;MBAMScheduler;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [2013-12-28 418376]
R2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2013-12-28 701512]
R3 asmthub3;ASMedia USB3 Hub Service;C:\Windows\System32\drivers\asmthub3.sys [2013-12-27 125416]
R3 asmtxhci;ASMEDIA XHCI Service;C:\Windows\System32\drivers\asmtxhci.sys [2013-12-27 385512]
R3 MBAMProtector;MBAMProtector;C:\Windows\System32\drivers\mbam.sys [2013-12-28 25928]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\System32\drivers\Rt64win7.sys [2011-6-10 539240]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\Windows\System32\drivers\rdpvideominiport.sys [2013-12-27 19456]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2013-12-27 57856]
S3 WatAdminSvc;Windows Activation Technologies-service;C:\Windows\System32\Wat\WatAdminSvc.exe [2013-12-27 1255736]
S4 IEEtwCollectorService;Internet Explorer ETW Collector Service;C:\Windows\System32\ieetwcollector.exe [2013-12-28 111616]
.
=============== Created Last 30 ================
.
2013-12-28 02:39:45 75888 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{BEC98D30-495D-4BCD-A1FD-AD5D6110B030}\offreg.dll
2013-12-28 02:01:53 -------- d-----w- C:\Program Files\HitmanPro
2013-12-28 02:01:27 -------- d-----w- C:\ProgramData\HitmanPro
2013-12-28 01:48:31 -------- d-----w- C:\ProgramData\Sophos
2013-12-28 01:48:29 73728 ----a-r- C:\Users\l0lcat\AppData\Roaming\Microsoft\Installer\{B829E117-D072-41EA-9606-9826A38D34C1}\SVRTgui.exe1_810EDD9E2F0A4E2BACF86673C38D9F48.exe
2013-12-28 01:48:29 73728 ----a-r- C:\Users\l0lcat\AppData\Roaming\Microsoft\Installer\{B829E117-D072-41EA-9606-9826A38D34C1}\SVRTgui.exe_810EDD9E2F0A4E2BACF86673C38D9F48.exe
2013-12-28 01:48:29 73728 ----a-r- C:\Users\l0lcat\AppData\Roaming\Microsoft\Installer\{B829E117-D072-41EA-9606-9826A38D34C1}\ARPPRODUCTICON.exe
2013-12-28 01:48:28 -------- d-----w- C:\Program Files (x86)\Sophos
2013-12-28 01:44:53 117464 ----a-w- C:\Windows\System32\drivers\MBAMSwissArmy.sys
2013-12-28 01:44:53 -------- d-----w- C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2013-12-28 01:44:32 89304 ----a-w- C:\Windows\System32\drivers\mbamchameleon.sys
2013-12-28 01:20:12 -------- d-----w- C:\Users\l0lcat\AppData\Roaming\Malwarebytes
2013-12-28 01:20:10 -------- d-----w- C:\ProgramData\Malwarebytes
2013-12-28 01:20:09 25928 ----a-w- C:\Windows\System32\drivers\mbam.sys
2013-12-28 01:20:09 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2013-12-28 01:19:57 -------- d-----w- C:\Users\l0lcat\AppData\Local\Programs
2013-12-28 01:18:41 -------- d-----w- C:\Users\l0lcat\AppData\Local\Google
2013-12-28 01:18:33 -------- d-----w- C:\Users\l0lcat\AppData\Local\Deployment
2013-12-28 01:18:33 -------- d-----w- C:\Users\l0lcat\AppData\Local\Apps
2013-12-28 01:14:46 465920 ----a-w- C:\Windows\System32\WMPhoto.dll
2013-12-28 01:14:46 417792 ----a-w- C:\Windows\SysWow64\WMPhoto.dll
2013-12-28 01:14:46 2871808 ----a-w- C:\Windows\explorer.exe
2013-12-28 01:14:46 2616320 ----a-w- C:\Windows\SysWow64\explorer.exe
2013-12-28 01:14:45 67072 ----a-w- C:\Windows\splwow64.exe
2013-12-28 01:14:45 559104 ----a-w- C:\Windows\System32\spoolsv.exe
2013-12-28 01:14:45 1424384 ----a-w- C:\Windows\System32\WindowsCodecs.dll
2013-12-28 01:14:45 1230336 ----a-w- C:\Windows\SysWow64\WindowsCodecs.dll
2013-12-27 22:12:05 -------- d-----w- C:\Windows\Migration
2013-12-27 22:12:03 -------- d-sh--w- C:\Windows\Installer
2013-12-27 22:11:29 99840 ----a-w- C:\Windows\System32\drivers\usbccgp.sys
2013-12-27 22:11:29 7808 ----a-w- C:\Windows\System32\drivers\usbd.sys
2013-12-27 22:11:29 52736 ----a-w- C:\Windows\System32\drivers\usbehci.sys
2013-12-27 22:11:29 343040 ----a-w- C:\Windows\System32\drivers\usbhub.sys
2013-12-27 22:11:29 325120 ----a-w- C:\Windows\System32\drivers\usbport.sys
2013-12-27 22:11:29 30720 ----a-w- C:\Windows\System32\drivers\usbuhci.sys
2013-12-27 22:11:29 25600 ----a-w- C:\Windows\System32\drivers\usbohci.sys
2013-12-27 22:02:50 2560 ----a-w- C:\Windows\System32\drivers\en-US\wdf01000.sys.mui
2013-12-27 21:55:09 -------- d-----w- C:\Windows\SysWow64\en
2013-12-27 21:55:09 -------- d-----w- C:\Windows\SysWow64\drivers\UMDF\en-US
2013-12-27 21:55:09 -------- d-----w- C:\Windows\SysWow64\drivers\en-US
2013-12-27 21:55:09 -------- d-----w- C:\Windows\SysWow64\0409
2013-12-27 21:55:08 -------- d-----w- C:\Windows\System32\en
2013-12-27 21:55:08 -------- d-----w- C:\Windows\System32\0409
2013-12-27 21:55:08 -------- d-----w- C:\Windows\en-US
2013-12-27 21:55:07 -------- d-----w- C:\Windows\System32\drivers\UMDF\en-US
2013-12-27 21:55:07 -------- d-----w- C:\Windows\System32\drivers\en-US
2013-12-27 21:27:57 2776576 ----a-w- C:\Windows\System32\msmpeg2vdec.dll
2013-12-27 21:24:45 224256 ----a-w- C:\Windows\System32\wintrust.dll
2013-12-27 21:23:33 878080 ----a-w- C:\Windows\System32\advapi32.dll
2013-12-27 21:10:31 -------- d-----w- C:\Windows\System32\SPReview
2013-12-27 21:05:00 96768 ----a-w- C:\Windows\System32\fsutil.exe
2013-12-27 21:05:00 74240 ----a-w- C:\Windows\SysWow64\fsutil.exe
2013-12-27 21:05:00 410496 ----a-w- C:\Windows\System32\drivers\iaStorV.sys
2013-12-27 21:05:00 27008 ----a-w- C:\Windows\System32\drivers\amdxata.sys
2013-12-27 21:05:00 2565632 ----a-w- C:\Windows\System32\esent.dll
2013-12-27 21:05:00 189824 ----a-w- C:\Windows\System32\drivers\storport.sys
2013-12-27 21:05:00 1699328 ----a-w- C:\Windows\SysWow64\esent.dll
2013-12-27 21:05:00 166272 ----a-w- C:\Windows\System32\drivers\nvstor.sys
2013-12-27 21:05:00 148352 ----a-w- C:\Windows\System32\drivers\nvraid.sys
2013-12-27 21:05:00 107904 ----a-w- C:\Windows\System32\drivers\amdsata.sys
2013-12-27 21:02:38 -------- d-----w- C:\Windows\SysWow64\Wat
2013-12-27 21:02:38 -------- d-----w- C:\Windows\System32\Wat
2013-12-27 20:58:50 -------- d-----w- C:\Windows\System32\EventProviders
2013-12-27 20:43:48 -------- d-----w- C:\Windows\SysWow64\wbem\en-US
2013-12-27 20:43:48 -------- d-----w- C:\Windows\System32\wbem\en-US
2013-12-27 20:25:20 9728 ----a-w- C:\Windows\System32\Wdfres.dll
2013-12-27 20:25:20 54376 ----a-w- C:\Windows\System32\drivers\WdfLdr.sys
2013-12-27 20:25:20 2560 ----a-w- C:\Windows\System32\drivers\nl-NL\wdf01000.sys.mui
2013-12-27 20:19:28 294912 ----a-w- C:\Windows\System32\browserchoice.exe
2013-12-27 20:13:09 87040 ----a-w- C:\Windows\System32\drivers\WUDFPf.sys
2013-12-27 20:13:09 198656 ----a-w- C:\Windows\System32\drivers\WUDFRd.sys
2013-12-27 20:13:08 84992 ----a-w- C:\Windows\System32\WUDFSvc.dll
2013-12-27 20:13:08 744448 ----a-w- C:\Windows\System32\WUDFx.dll
2013-12-27 20:13:08 45056 ----a-w- C:\Windows\System32\WUDFCoinstaller.dll
2013-12-27 20:13:08 229888 ----a-w- C:\Windows\System32\WUDFHost.exe
2013-12-27 20:13:08 194048 ----a-w- C:\Windows\System32\WUDFPlatform.dll
2013-12-27 20:11:04 -------- d-----w- C:\Windows\System32\MRT
2013-12-27 20:10:53 5120 ----a-w- C:\Windows\SysWow64\wmi.dll
2013-12-27 20:10:53 5120 ----a-w- C:\Windows\System32\wmi.dll
2013-12-27 20:10:53 23408 ----a-w- C:\Windows\System32\drivers\fs_rec.sys
2013-12-27 20:04:49 956928 ----a-w- C:\Windows\System32\localspl.dll
2013-12-27 20:04:49 39424 ----a-w- C:\Windows\System32\Spool\prtprocs\x64\winprint.dll
2013-12-27 20:03:37 77312 ----a-w- C:\Windows\System32\packager.dll
2013-12-27 20:03:37 67072 ----a-w- C:\Windows\SysWow64\packager.dll
2013-12-27 20:02:30 826880 ----a-w- C:\Windows\SysWow64\rdpcore.dll
2013-12-27 20:02:30 23552 ----a-w- C:\Windows\System32\drivers\tdtcp.sys
2013-12-27 20:02:30 1031680 ----a-w- C:\Windows\System32\rdpcore.dll
2013-12-27 20:01:40 10315576 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{BEC98D30-495D-4BCD-A1FD-AD5D6110B030}\mpengine.dll
2013-12-27 20:00:42 2622464 ----a-w- C:\Windows\System32\wucltux.dll
2013-12-27 20:00:41 99840 ----a-w- C:\Windows\System32\wudriver.dll
2013-12-27 20:00:40 36864 ----a-w- C:\Windows\System32\wuapp.exe
2013-12-27 20:00:40 186752 ----a-w- C:\Windows\System32\wuwebv.dll
2013-12-27 03:33:08 125416 ----a-w- C:\Windows\System32\drivers\asmthub3.sys
2013-12-27 03:32:42 385512 ----a-w- C:\Windows\System32\drivers\asmtxhci.sys
2013-12-27 03:31:28 107552 ----a-w- C:\Windows\System32\RTNUninst64.dll
2013-12-27 02:25:50 -------- d---a-w- C:\tmp
2013-12-27 01:53:15 -------- d-----w- C:\Windows\Panther
.
==================== Find3M  ====================
.
2013-12-27 21:15:33 175616 ----a-w- C:\Windows\System32\msclmd.dll
2013-12-27 21:15:33 152576 ----a-w- C:\Windows\SysWow64\msclmd.dll
2013-11-26 10:19:07 2724864 ----a-w- C:\Windows\System32\mshtml.tlb
2013-11-26 10:18:23 4096 ----a-w- C:\Windows\System32\ieetwcollectorres.dll
2013-11-26 09:48:07 66048 ----a-w- C:\Windows\System32\iesetup.dll
2013-11-26 09:46:25 48640 ----a-w- C:\Windows\System32\ieetwproxystub.dll
2013-11-26 09:23:02 2724864 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2013-11-26 09:18:39 139264 ----a-w- C:\Windows\System32\ieUnatt.exe
2013-11-26 09:18:09 111616 ----a-w- C:\Windows\System32\ieetwcollector.exe
2013-11-26 09:16:57 708608 ----a-w- C:\Windows\System32\jscript9diag.dll
2013-11-26 08:35:02 5769216 ----a-w- C:\Windows\System32\jscript9.dll
2013-11-26 08:28:16 553472 ----a-w- C:\Windows\SysWow64\jscript9diag.dll
2013-11-26 08:16:12 4243968 ----a-w- C:\Windows\SysWow64\jscript9.dll
2013-11-26 08:02:16 1995264 ----a-w- C:\Windows\System32\inetcpl.cpl
2013-11-26 07:32:06 1928192 ----a-w- C:\Windows\SysWow64\inetcpl.cpl
2013-11-26 07:07:57 2334208 ----a-w- C:\Windows\System32\wininet.dll
2013-11-26 06:33:33 1820160 ----a-w- C:\Windows\SysWow64\wininet.dll
2013-11-12 02:23:09 2048 ----a-w- C:\Windows\System32\tzres.dll
2013-11-12 02:07:29 2048 ----a-w- C:\Windows\SysWow64\tzres.dll
2013-10-30 02:32:01 335360 ----a-w- C:\Windows\System32\msieftp.dll
2013-10-30 02:19:52 301568 ----a-w- C:\Windows\SysWow64\msieftp.dll
2013-10-30 01:24:31 3155968 ----a-w- C:\Windows\System32\win32k.sys
2013-10-19 02:18:57 81408 ----a-w- C:\Windows\System32\imagehlp.dll
2013-10-19 02:18:57 81408 ----a-w- C:\Windows\System32\imagehlp(329).dll
2013-10-19 01:36:59 159232 ----a-w- C:\Windows\SysWow64\imagehlp.dll
2013-10-19 01:36:59 159232 ----a-w- C:\Windows\SysWow64\imagehlp(368).dll
2013-10-12 02:32:04 150016 ----a-w- C:\Windows\System32\wshom.ocx
2013-10-12 02:31:04 202752 ----a-w- C:\Windows\System32\scrrun.dll
2013-10-12 02:30:42 830464 ----a-w- C:\Windows\System32\nshwfp.dll
2013-10-12 02:29:21 859648 ----a-w- C:\Windows\System32\IKEEXT.DLL
2013-10-12 02:29:08 324096 ----a-w- C:\Windows\System32\FWPUCLNT.DLL
2013-10-12 02:29:08 324096 ----a-w- C:\Windows\System32\FWPUCLNT(326).DLL
2013-10-12 02:04:36 121856 ----a-w- C:\Windows\SysWow64\wshom.ocx
2013-10-12 02:03:31 163840 ----a-w- C:\Windows\SysWow64\scrrun.dll
2013-10-12 02:03:08 656896 ----a-w- C:\Windows\SysWow64\nshwfp.dll
2013-10-12 02:01:25 216576 ----a-w- C:\Windows\SysWow64\FWPUCLNT.DLL
2013-10-12 01:33:39 156160 ----a-w- C:\Windows\System32\cscript.exe
2013-10-12 01:33:26 168960 ----a-w- C:\Windows\System32\wscript.exe
2013-10-12 01:15:48 141824 ----a-w- C:\Windows\SysWow64\wscript.exe
2013-10-12 01:15:48 126976 ----a-w- C:\Windows\SysWow64\cscript.exe
2013-10-05 20:25:35 1474048 ----a-w- C:\Windows\System32\crypt32.dll
2013-10-05 20:25:35 1474048 ----a-w- C:\Windows\System32\crypt32(320).dll
2013-10-05 19:57:25 1168384 ----a-w- C:\Windows\SysWow64\crypt32.dll
2013-10-05 19:57:25 1168384 ----a-w- C:\Windows\SysWow64\crypt32(365).dll
2013-10-04 02:28:31 190464 ----a-w- C:\Windows\System32\SmartcardCredentialProvider.dll
2013-10-04 02:28:31 190464 ----a-w- C:\Windows\System32\SmartcardCredentialProvider(345).dll
2013-10-04 02:25:17 197120 ----a-w- C:\Windows\System32\credui.dll
2013-10-04 02:25:17 197120 ----a-w- C:\Windows\System32\credui(319).dll
2013-10-04 02:24:49 1930752 ----a-w- C:\Windows\System32\authui.dll
2013-10-04 02:24:49 1930752 ----a-w- C:\Windows\System32\authui(317).dll
2013-10-04 02:16:30 116736 ----a-w- C:\Windows\System32\drivers\drmk.sys
2013-10-04 01:58:50 152576 ----a-w- C:\Windows\SysWow64\SmartcardCredentialProvider.dll
2013-10-04 01:56:25 168960 ----a-w- C:\Windows\SysWow64\credui.dll
2013-10-04 01:56:00 1796096 ----a-w- C:\Windows\SysWow64\authui.dll
2013-10-04 01:36:04 230400 ----a-w- C:\Windows\System32\drivers\portcls.sys
2013-10-03 02:23:48 404480 ----a-w- C:\Windows\System32\gdi32.dll
2013-10-03 02:23:48 404480 ----a-w- C:\Windows\System32\gdi32(327).dll
2013-10-03 02:00:44 311808 ----a-w- C:\Windows\SysWow64\gdi32.dll
2013-10-03 02:00:44 311808 ----a-w- C:\Windows\SysWow64\gdi32(366).dll
.
============= FINISH:  5:07:52.72 ===============
ATTACH.TXT starts here:
 
.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2012-11-20.01)
.
Microsoft Windows 7 Ultimate 
Boot Device: \Device\HarddiskVolume1
Install Date: 27-Dec-13 2:59:08 AM
System Uptime: 28-Dec-13 3:12:31 AM (2 hours ago)
.
Motherboard: ASUSTeK COMPUTER INC. |  | P8P67-M PRO
Processor: Intel® Core i5-2500K CPU @ 3.30GHz | LGA1155 | 3069/100mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 112 GiB total, 77.651 GiB free.
D: is CDROM (UDF)
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP15: 27-Dec-13 11:02:29 PM - Windows Update
RP16: 27-Dec-13 11:11:44 PM - Windows Update
RP17: 27-Dec-13 11:34:40 PM - Windows Update
RP18: 27-Dec-13 11:48:24 PM - Herstelbewerking
RP19: 28-Dec-13 2:09:44 AM - Windows Update
RP20: 28-Dec-13 2:34:09 AM - Windows Update
RP21: 28-Dec-13 2:48:20 AM - Installed Sophos Virus Removal Tool.
RP22: 28-Dec-13 2:57:50 AM - Installed ESET Smart Security
.
==== Installed Programs ======================
.
Google Chrome
Google Update Helper
HitmanPro 3.7
Malwarebytes Anti-Malware version 1.75.0.1300
Microsoft .NET Framework 4.5.1
Sophos Virus Removal Tool
.
==== End Of File ===========================

  • Root Admin

Hello and :welcome:
 

Please read the following and post back the logs when ready.

General P2P/Piracy Warning:

If you're using Peer 2 Peer software such as uTorrent, BitTorrent or similar you must either fully uninstall them or completely disable them from running while being assisted here.

Failure to remove or disable such software will result in your topic being closed and no further assistance being provided.

If you have illegal/cracked software, cracks, keygens etc. on the system, please remove or uninstall them now and read the policy on Piracy.




Before we proceed further, please read all of the following instructions carefully.
If there is anything that you do not understand kindly ask before proceeding.
If needed please print out these instructions.
  • Please do not post logs using CODE, QUOTE, or FONT tags. Just paste them as direct text.
  • If the log is too large then you can use attachments by clicking on the More Reply Options button.
  • Please enable your system to show hidden files: How to see hidden files in Windows
  • Make sure you're subscribed to this topic:
    • Click on the Follow This Topic Button (at the top right of this page), make sure that the Receive notification box is checked and that it is set to Instantly
  • Removing malware can be unpredictable... It is unlikely but things can go very wrong! Please make sure you Backup all files that cannot be replaced if something were to happen. You can copy them to a CD/DVD, external drive or a pen drive
  • Please don't run any other scans, download, install or uninstall any programs unless requested by me while I'm working with you.
  • The removal of malware is not instantaneous, please be patient. Often we are also on a different Time Zone.
  • Perform everything in the correct order. Sometimes one step requires the previous one.
  • If you have any problems while following my instructions, Stop there and tell me the exact nature of the issue.
  • You can check here if you're not sure if your computer is 32-bit or 64-bit
  • Please disable your antivirus while running any requested scanners so that they do not interfere with the scanners.
  • When we are done, I'll give you instructions on how to cleanup all the tools and logs
  • Please stick with me until I give you the "all clear" and Please don't waste my time by leaving before that.
  • Your topic will be closed if you haven't replied within 3 days
  • (If I have not responded within 24 hours, please send me a Private Message as a reminder)




STEP 0
RKill is a program that was developed at BleepingComputer.com that attempts to terminate known malware processes
so that your normal security software can then run and clean your computer of infections.
When RKill runs it will kill malware processes and then removes incorrect executable associations and fixes policies
that stop us from using certain tools. When finished it will display a log file that shows the processes that were
terminated while the program was running.

As RKill only terminates a program's running process, and does not delete any files, after running it you should not reboot
your computer as any malware processes that are configured to start automatically will just be started again.
Instead, after running RKill you should immediately scan your computer using the requested scans I've included.

Please download Rkill by Grinler from one of the links below and save it to your desktop.


Link 2

  • On Windows XP double-click on the Rkill desktop icon to run the tool.
  • On Windows Vista/Windows 7 or 8, right-click on the Rkill desktop icon and select Run As Administrator
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
  • If the tool does not run from any of the links provided, please let me know.
  • Do not reboot the computer, you will need to run the application again.



STEP 01
Backup the Registry:
Modifying the Registry can create unforeseen problems, so it is always wise to create a backup before doing so.

  • Please download ERUNT from one of the following links: Link1 | Link2 | Link3
  • ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.
  • Double click on erunt-setup.exe to Install ERUNT by following the prompts.
  • NOTE: Do not choose to allow ERUNT to add an Entry to the Startup folder. Click NO.
  • Start ERUNT either by double clicking on the desktop icon or choosing to start the program at the end of the setup process.
  • Choose a location for the backup.
    • Note: the default location is C:\Windows\ERDNT which is acceptable.
  • Make sure that at least the first two check boxes are selected.
  • Click on OK
  • Then click on YES to create the folder.
  • Note: if it is necessary to restore the registry, open the backup folder and start ERDNT.exe


STEP 02
Please download RogueKiller and save it to your desktop.

You can check here if you're not sure if your computer is 32-bit or 64-bit

  • RogueKiller 32-bit | RogueKiller 64-bit
  • Quit all running programs.
  • For Windows XP, double-click to start.
  • For Vista, Windows 7/8, Right-click on the program and select Run as Administrator to start and when prompted allow it to run.
  • Read and accept the EULA (End User License Agreement)
  • Click Scan to scan the system.
  • When the scan completes Close the program > Don't Fix anything!
  • Don't run any other options, they're not all bad!!
  • Post back the report which should be located on your desktop.
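The symptom in the first post (Process Explorer "reverting" to Task Manager) and the Rkill description above (it "removes incorrect executable associations and fixes policies that stop us from using certain tools") both point at a handful of registry and service settings that can be inspected read-only before, and independently of, any removal tool. The script below is an added example for this thread; it is not code from the thread, from Malwarebytes or from BleepingComputer. It assumes Windows 7 with Windows PowerShell 2.0 or later, run from an elevated prompt; the service names WinDefend, MpsSvc and wuauserv are the standard Windows service names, and the "expected" values in the comments are the normal defaults on a clean install.

```powershell
# Added example (not from the thread): read-only audit of the settings behind the
# symptoms the poster describes. Nothing here modifies the registry or services.
# Written for Windows PowerShell 2.0 (Windows 7), hence New-Object PSObject and
# Get-WmiObject rather than [PSCustomObject] and Get-CimInstance.

# 1. Image File Execution Options "Debugger" values. A Debugger value under a key
#    named after an executable makes Windows start that "debugger" instead of the
#    program; this is what the Rkill log further down reports for taskmgr.exe.
#    Expected on a clean system: no rows. Both registry views are checked; the
#    Wow6432Node path may simply not exist.
function Get-IfeoDebugger {
    $roots = @(
        'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
    )
    foreach ($root in $roots) {
        Get-ChildItem -Path $root -ErrorAction SilentlyContinue | ForEach-Object {
            $props = Get-ItemProperty -Path $_.PSPath
            if ($props.PSObject.Properties['Debugger'] -ne $null) {
                New-Object PSObject -Property @{
                    Key      = $root
                    Image    = $_.PSChildName
                    Debugger = $props.Debugger
                }
            }
        }
    }
}

# 2. Shell "open" command for .exe files, one of the associations Rkill resets.
#    Expected on a clean system: "%1" %* with nothing in front of it.
function Get-ExeOpenCommand {
    $key = 'HKLM:\SOFTWARE\Classes\exefile\shell\open\command'
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($props -ne $null) { $props.'(default)' } else { '<key missing>' }
}

# 3. State, start mode and binary path of the security services the poster relies
#    on: Windows Defender (the one seen dropping back to Manual), the Windows
#    Firewall service and Windows Update.
function Get-SecurityServiceState {
    foreach ($name in 'WinDefend', 'MpsSvc', 'wuauserv') {
        $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$name'"
        if ($svc -ne $null) {
            New-Object PSObject -Property @{
                Service   = $svc.Name
                State     = $svc.State
                StartMode = $svc.StartMode
                Path      = $svc.PathName
            }
        }
    }
}

# 4. TCP endpoints with the owning process, parsed from "netstat -ano" because
#    Get-NetTCPConnection does not exist on Windows 7. Columns are: proto, local,
#    remote, state, PID. The state column is localized on non-English Windows.
function Get-TcpEndpoint {
    netstat -ano | Where-Object { $_ -match '^\s*TCP\s' } | ForEach-Object {
        $f = $_.Trim() -split '\s+'
        $proc = Get-Process -Id ([int]$f[4]) -ErrorAction SilentlyContinue
        New-Object PSObject -Property @{
            State    = $f[3]
            Local    = $f[1]
            Remote   = $f[2]
            OwnerPid = [int]$f[4]
            Process  = $(if ($proc) { $proc.ProcessName } else { '<not visible>' })
        }
    }
}

'== IFEO Debugger entries (expected: none) =='
Get-IfeoDebugger | Format-Table Image, Debugger, Key -AutoSize
'== exefile open command (expected: "%1" %*) =='
Get-ExeOpenCommand
'== security services =='
Get-SecurityServiceState | Format-Table Service, State, StartMode, Path -AutoSize
'== TCP endpoints =='
Get-TcpEndpoint | Sort-Object State, Process | Format-Table State, Local, Remote, OwnerPid, Process -AutoSize
```

Save the output next to the DDS and Rkill logs and compare it with a known-good machine rather than reading it in isolation: a remote address in section 4 that no running program accounts for is the kind of thing the poster saw in netstat. Everything the script reports comes from user-mode Windows APIs, so a kernel-mode rootkit that filters registry, process or socket enumeration can hide from it; that gap is exactly what anti-rootkit scanners such as GMER, aswMBR and TDSSKiller try to close by comparing raw on-disk structures with what the API returns. A clean result here is a baseline for the helper, not proof that the system is clean.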



Hi there and a happy New Year to you! From here on I will be prompt to react to any posts made here.

As foretold in my original post I did a reinstall of my main system; still can't run GMER on it though. Gonna flash the BIOS tomorrow with a clean boot disk and ROM file from a safe PC and set up Win7 again.

If it's OK with you I would like to focus on my laptop, which I suspect to be infected as well.

Problems started with a (non-web) pop-up notification that the audio driver had to be reinstalled and the system needed to be rebooted for it.

Symptoms are blocked web pages, incomplete web pages with missing graphical layout, Windows Defender not running and not starting manually and reverting to Manual again after a change to Automatic and a restart, Process Explorer reverting to Task Manager, a totally empty Windows event Setup log, and just random hiccups or slow connections / a strangely busy hard disk.

I pasted new DDS output for the system and also an older RogueKiller log from 19 December, since on that date I already ran it and cleaned what it found, and the latest scan I did just now shows nothing found at all.

 

 

Rkill 2.6.4 by Lawrence Abrams (Grinler)
Copyright 2008-2014 BleepingComputer.com
More Information about Rkill can be found at this link:
 
Program started at: 01/01/2014 11:00:25 PM in x64 mode.
Windows Version: Windows 7 Ultimate Service Pack 1
 
Checking for Windows services to stop:
 
 * No malware services found to stop.
 
Checking for processes to terminate:
 
 * No malware processes found to kill.
 
Checking Registry for malware related settings:
 
 * taskmgr.exe debugger. [IFEO Debugger Deleted]
 
Backup Registry file created at:
 C:\Users\Blobber\Desktop\rkill\rkill-01-01-2014-11-00-29.reg
 
Resetting .EXE, .COM, & .BAT associations in the Windows Registry.
 
Performing miscellaneous checks:
 
 * No issues found.
 
Checking Windows Service Integrity: 
 
 * No issues found.
 
Searching for Missing Digital Signatures: 
 
 * No issues found.
 
Checking HOSTS File: 
 
 * No issues found.
 
Program finished at: 01/01/2014 11:02:01 PM
Execution time: 0 hours(s), 1 minute(s), and 36 seconds(s)

DDS (Ver_2012-11-20.01) - NTFS_AMD64 
Internet Explorer: 11.0.9600.16428  BrowserJavaVersion: 10.45.2
Run by Blobber at 23:34:56 on 2014-01-01
Microsoft Windows 7 Ultimate   6.1.7601.1.1252.31.1033.18.3000.1395 [GMT 1:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {641105E6-77ED-3F35-A304-765193BCB75F}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Microsoft Security Essentials *Enabled/Updated* {DF70E402-51D7-30BB-99B4-4D23E83BFDE2}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\Hpservice.exe
C:\Program Files\HitmanPro\hmpsched.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Malwarebytes Anti-Exploit\mbae.exe
C:\Windows\system32\AEADISRV.EXE
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files (x86)\NetworkIndicator\NetworkIndicator.exe
C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QLBCtrl.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe
C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\VolCtrl.exe
C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
c:\Program Files\Microsoft Security Client\NisSrv.exe
C:\Windows\explorer.exe
C:\Windows\system32\taskeng.exe
c:\Program Files\Microsoft Security Client\MpCmdRun.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = about:Tabs
mWinlogon: Userinit = userinit.exe
BHO: Java Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
BHO: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
uRun: [NetworkIndicator] C:\Program Files (x86)\NetworkIndicator\NetworkIndicator.exe
mRun: [QlbCtrl.exe] C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun: [SoundMAXPnP] C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe
dRunOnce: [SPReview] "C:\Windows\System32\SPReview\SPReview.exe" /sp:1 /errorfwlink:"http://go.microsoft.com/fwlink/?LinkID=122915" /build:7601
StartupFolder: C:\Users\Blobber\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\ERUNTA~1.LNK - C:\Program Files (x86)\ERUNT\AUTOBACK.EXE
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
TCP: Interfaces\{2EEFA096-27EB-4C06-8482-FB090D203582} : DHCPNameServer = 192.168.1.1
TCP: Interfaces\{2EEFA096-27EB-4C06-8482-FB090D203582}\430343D24496B6B656C457C644279656249656270283D3D3E3 : DHCPNameServer = 192.168.1.1
TCP: Interfaces\{2EEFA096-27EB-4C06-8482-FB090D203582}\4756C65623A25303 : DHCPNameServer = 192.168.1.1
TCP: Interfaces\{2EEFA096-27EB-4C06-8482-FB090D203582}\4756C65623D244134383 : DHCPNameServer = 192.168.1.1
SSODL: WebCheck - <orphaned>
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "C:\Program Files (x86)\Google\Chrome\Application\31.0.1650.63\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
x64-Run: [SynTPEnh] C:\Program Files (x86)\Synaptics\SynTP\SynTPEnh.exe
x64-Run: [SoundMAX] C:\Program Files (x86)\Analog Devices\SoundMAX\soundmax.exe /tray
x64-Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
x64-Run: [igfxTray] C:\Windows\System32\igfxtray.exe
x64-Run: [HotKeysCmds] C:\Windows\System32\hkcmd.exe
x64-Run: [Persistence] C:\Windows\System32\igfxpers.exe
x64-Notify: igfxcui - igfxdev.dll
x64-SSODL: WebCheck - <orphaned>
.
============= SERVICES / DRIVERS ===============
.
R0 MpFilter;Microsoft Malware Protection Driver;C:\Windows\System32\drivers\MpFilter.sys [2013-9-27 248240]
R1 A2DDA;A2 Direct Disk Access Support Driver;C:\EEK\Run\a2ddax64.sys [2013-12-19 26176]
R1 ESProtectionDriver;Malwarebytes Anti-Exploit;C:\Program Files\Malwarebytes Anti-Exploit\mbae.sys [2013-12-31 62168]
R2 HitmanProScheduler;HitmanPro Scheduler;C:\Program Files\HitmanPro\hmpsched.exe [2013-12-19 109352]
R2 hpsrv;HP Service;C:\Windows\System32\hpservice.exe [2011-5-13 30520]
R2 NisDrv;Microsoft Network Inspection System;C:\Windows\System32\drivers\NisDrvWFP.sys [2013-9-27 134944]
R3 Com4QLBEx;Com4QLBEx;C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [2013-11-16 227896]
R3 NisSrv;Microsoft Network Inspection;C:\Program Files\Microsoft Security Client\NisSrv.exe [2013-10-23 348376]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S3 cleanhlp;cleanhlp;C:\eEEK\Run\cleanhlp64.sys [2013-12-22 57024]
S3 cpudrv64;cpudrv64;C:\Program Files (x86)\SystemRequirementsLab\cpudrv64.sys [2011-6-2 17864]
S3 IEEtwCollectorService;Internet Explorer ETW Collector Service;C:\Windows\System32\ieetwcollector.exe [2013-12-18 111616]
S3 NETw5s64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 64 Bit;C:\Windows\System32\drivers\NETw5s64.sys [2010-1-13 7675392]
S3 netw5v64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;C:\Windows\System32\drivers\netw5v64.sys [2009-6-10 5434368]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\Windows\System32\drivers\rdpvideominiport.sys [2013-11-17 19456]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2013-11-17 57856]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2013-11-17 1255736]
.
=============== Created Last 30 ================
.
2014-01-01 22:25:39 10315576 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{F839E0D1-CFCD-4A10-917C-AF3A6ECBE033}\mpengine.dll
2013-12-31 20:43:55 25928 ----a-w- C:\Windows\System32\drivers\mbam.sys
2013-12-31 20:43:55 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2013-12-31 20:43:05 743248 ----a-w- C:\Windows\SysWow64\msvcp100d.dll
2013-12-31 20:43:05 1858896 ----a-w- C:\Windows\System32\msvcr100d.dll
2013-12-31 20:43:05 1498960 ----a-w- C:\Windows\SysWow64\msvcr100d.dll
2013-12-31 20:43:05 1014096 ----a-w- C:\Windows\System32\msvcp100d.dll
2013-12-31 20:43:04 -------- d-----w- C:\Program Files\Malwarebytes Anti-Exploit
2013-12-31 15:09:18 10315576 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2013-12-22 02:45:09 -------- d-----w- C:\eEEK
2013-12-19 18:23:24 -------- d-----w- C:\Windows\Microsoft Antimalware
2013-12-19 05:59:41 -------- d-----w- C:\EEK
2013-12-19 04:20:50 -------- d-----w- C:\Windows\ERUNT
2013-12-19 04:14:33 -------- d-----w- C:\AdwCleaner
2013-12-19 04:10:59 50768 ----a-w- C:\Windows\System32\drivers\kbdclass.sys.bak
2013-12-19 04:06:31 -------- d-----w- C:\Program Files\HitmanPro
2013-12-19 04:06:22 -------- d-----w- C:\ProgramData\HitmanPro
2013-12-18 11:48:40 167424 ----a-w- C:\Program Files\Windows Media Player\wmplayer.exe
2013-12-18 11:48:40 164864 ----a-w- C:\Program Files (x86)\Windows Media Player\wmplayer.exe
2013-12-18 11:48:40 12625920 ----a-w- C:\Windows\System32\wmploc.DLL
2013-12-18 11:48:39 12625408 ----a-w- C:\Windows\SysWow64\wmploc.DLL
2013-12-12 19:32:51 465920 ----a-w- C:\Windows\System32\WMPhoto.dll
2013-12-06 15:36:11 965000 ------w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\NISBackup\gapaengine.dll
2013-12-06 15:36:08 965000 ------w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{95FDFFAB-BB38-461C-99DD-4EBB48D1BB68}\gapaengine.dll
.
==================== Find3M  ====================
.
2013-11-26 10:19:07 2724864 ----a-w- C:\Windows\System32\mshtml.tlb
2013-11-26 10:18:23 4096 ----a-w- C:\Windows\System32\ieetwcollectorres.dll
2013-11-26 09:48:07 66048 ----a-w- C:\Windows\System32\iesetup.dll
2013-11-26 09:46:25 48640 ----a-w- C:\Windows\System32\ieetwproxystub.dll
2013-11-26 09:23:02 2724864 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2013-11-26 09:18:39 139264 ----a-w- C:\Windows\System32\ieUnatt.exe
2013-11-26 09:18:09 111616 ----a-w- C:\Windows\System32\ieetwcollector.exe
2013-11-26 09:16:57 708608 ----a-w- C:\Windows\System32\jscript9diag.dll
2013-11-26 08:35:02 5769216 ----a-w- C:\Windows\System32\jscript9.dll
2013-11-26 08:28:16 553472 ----a-w- C:\Windows\SysWow64\jscript9diag.dll
2013-11-26 08:16:12 4243968 ----a-w- C:\Windows\SysWow64\jscript9.dll
2013-11-26 08:02:16 1995264 ----a-w- C:\Windows\System32\inetcpl.cpl
2013-11-26 07:32:06 1928192 ----a-w- C:\Windows\SysWow64\inetcpl.cpl
2013-11-26 07:07:57 2334208 ----a-w- C:\Windows\System32\wininet.dll
2013-11-26 06:33:33 1820160 ----a-w- C:\Windows\SysWow64\wininet.dll
2013-11-23 18:26:20 417792 ----a-w- C:\Windows\SysWow64\WMPhoto.dll
2013-11-19 10:21:41 267936 ------w- C:\Windows\System32\MpSigStub.exe
2013-11-17 04:18:15 96168 ----a-w- C:\Windows\SysWow64\WindowsAccessBridge-32.dll
2013-11-17 02:59:05 9728 ---ha-w- C:\Windows\SysWow64\api-ms-win-downlevel-shlwapi-l1-1-0.dll
2013-11-17 01:38:39 152576 ----a-w- C:\Windows\SysWow64\msclmd.dll
2013-11-17 01:38:38 175616 ----a-w- C:\Windows\System32\msclmd.dll
2013-11-12 02:23:09 2048 ----a-w- C:\Windows\System32\tzres.dll
2013-11-12 02:07:29 2048 ----a-w- C:\Windows\SysWow64\tzres.dll
2013-10-30 02:32:01 335360 ----a-w- C:\Windows\System32\msieftp.dll
2013-10-30 02:19:52 301568 ----a-w- C:\Windows\SysWow64\msieftp.dll
2013-10-30 01:24:31 3155968 ----a-w- C:\Windows\System32\win32k.sys
2013-10-19 02:18:57 81408 ----a-w- C:\Windows\System32\imagehlp.dll
2013-10-19 01:36:59 159232 ----a-w- C:\Windows\SysWow64\imagehlp.dll
2013-10-12 02:32:04 150016 ----a-w- C:\Windows\System32\wshom.ocx
2013-10-12 02:31:04 202752 ----a-w- C:\Windows\System32\scrrun.dll
2013-10-12 02:30:42 830464 ----a-w- C:\Windows\System32\nshwfp.dll
2013-10-12 02:29:21 859648 ----a-w- C:\Windows\System32\IKEEXT.DLL
2013-10-12 02:29:08 324096 ----a-w- C:\Windows\System32\FWPUCLNT.DLL
2013-10-12 02:04:36 121856 ----a-w- C:\Windows\SysWow64\wshom.ocx
2013-10-12 02:03:31 163840 ----a-w- C:\Windows\SysWow64\scrrun.dll
2013-10-12 02:03:08 656896 ----a-w- C:\Windows\SysWow64\nshwfp.dll
2013-10-12 02:01:25 216576 ----a-w- C:\Windows\SysWow64\FWPUCLNT.DLL
2013-10-12 01:33:39 156160 ----a-w- C:\Windows\System32\cscript.exe
2013-10-12 01:33:26 168960 ----a-w- C:\Windows\System32\wscript.exe
2013-10-12 01:15:48 141824 ----a-w- C:\Windows\SysWow64\wscript.exe
2013-10-12 01:15:48 126976 ----a-w- C:\Windows\SysWow64\cscript.exe
2013-10-05 20:25:35 1474048 ----a-w- C:\Windows\System32\crypt32.dll
2013-10-05 19:57:25 1168384 ----a-w- C:\Windows\SysWow64\crypt32.dll
2013-10-04 02:28:31 190464 ----a-w- C:\Windows\System32\SmartcardCredentialProvider.dll
2013-10-04 02:25:17 197120 ----a-w- C:\Windows\System32\credui.dll
2013-10-04 02:24:49 1930752 ----a-w- C:\Windows\System32\authui.dll
2013-10-04 02:16:30 116736 ----a-w- C:\Windows\System32\drivers\drmk.sys
2013-10-04 01:58:50 152576 ----a-w- C:\Windows\SysWow64\SmartcardCredentialProvider.dll
2013-10-04 01:56:25 168960 ----a-w- C:\Windows\SysWow64\credui.dll
2013-10-04 01:56:00 1796096 ----a-w- C:\Windows\SysWow64\authui.dll
2013-10-04 01:36:04 230400 ----a-w- C:\Windows\System32\drivers\portcls.sys
.
============= FINISH: 23:35:38,19 ===============

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2012-11-20.01)
.
Microsoft Windows 7 Ultimate 
Boot Device: \Device\HarddiskVolume1
Install Date: 16-11-2013 22:18:06
System Uptime: 1-1-2014 20:39:50 (3 hours ago)
.
Motherboard: Hewlett-Packard |  | 30E8
Processor: Intel® Core2 Duo CPU     T5670  @ 1.80GHz | Intel® Genuine processor | 1188/200mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 98 GiB total, 62,992 GiB free.
D: is FIXED (NTFS) - 51 GiB total, 50,702 GiB free.
E: is CDROM ()
.
==== Disabled Device Manager Items =============
.
Class GUID: {6bdd1fc6-810f-11d0-bec7-08002be2092f}
Description: HP Webcam [VGA]
Device ID: USB\VID_04F2&PID_B083&MI_00\6&21F87E70&1&0000
Manufacturer: Sonix
Name: HP Webcam [VGA]
PNP Device ID: USB\VID_04F2&PID_B083&MI_00\6&21F87E70&1&0000
Service: SNP2UVC
.
Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
Description: Intel® WiFi Link 5100 AGN
Device ID: PCI\VEN_8086&DEV_4237&SUBSYS_12118086&REV_00\00215DFFFFAE3F7600
Manufacturer: Intel Corporation
Name: Intel® WiFi Link 5100 AGN
PNP Device ID: PCI\VEN_8086&DEV_4237&SUBSYS_12118086&REV_00\00215DFFFFAE3F7600
Service: NETwNs64
.
==== System Restore Points ===================
.
RP34: 21-12-2013 23:22:31 - Windows Update
RP36: 24-12-2013 19:28:20 - Removed BlueStacks Notification Center
RP37: 26-12-2013 22:02:51 - Windows Update
RP38: 30-12-2013 15:36:17 - Windows Update
.
==== Installed Programs ======================
.
ERUNT 1.1j
Genymotion version 2.0.1
Google Chrome
Google Update Helper
HitmanPro 3.7
HP Quick Launch Buttons
HP Webcam
Intel® Graphics Media Accelerator Driver
Java 7 Update 45
Java Auto Updater
Malwarebytes Anti-Exploit version 0.09.5.0250
Malwarebytes Anti-Malware version 1.75.0.1300
Microsoft .NET Framework 4 Client Profile
Microsoft Security Client
Microsoft Security Essentials
Microsoft Silverlight
Microsoft Visual C++ 2008 Redistributable - x64 9.0.21022
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161
Network Activity Indicator for Windows 7
OpenGL Extensions Viewer 4.1
Oracle VM VirtualBox 4.2.12
QLBCASL
Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2729449)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2737019)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2742595)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2789642)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2835393)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2840628v2)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2858302v2)
SoundMAX
Synaptics Pointing Device Driver
System Requirements Lab for Intel
TeraCopy 2.27
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217)
Update for Microsoft .NET Framework 4 Client Profile (KB2836939v3)
Windows 7 Default Setting
WinRAR 4.01 (64-bit)
.
==== Event Viewer Messages From Past Week ========
.
31-12-2013 15:59:34, Error: Microsoft-Windows-Eventlog [23]  - The event logging service encountered an error (res=32) while initializing logging resources for channel Microsoft-Windows-Bits-Client/Operational.
30-12-2013 4:48:25, Error: Service Control Manager [7011]  - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the Netman service.
30-12-2013 18:11:58, Error: Service Control Manager [7011]  - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the Wlansvc service.
25-12-2013 16:32:07, Error: Tcpip [4199]  - The system detected an address conflict for IP address 192.168.1.11 with the system having network hardware address F4-6D-04-6F-F8-9E. Network operations on this system may be disrupted as a result.
1-1-2014 4:32:14, Error: Microsoft-Windows-WMPNSS-Service [14332]  - Service 'WMPNetworkSvc' did not start correctly because CoCreateInstance(CLSID_UPnPDeviceFinder) encountered error '0x80070422'. Verify that the UPnPHost service is running and that the UPnPHost component of Windows is installed properly.
1-1-2014 2:28:16, Error: Service Control Manager [7011]  - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the lmhosts service.
1-1-2014 18:03:24, Error: Tcpip [4199]  - The system detected an address conflict for IP address 192.168.1.10 with the system having network hardware address CC-08-E0-84-B9-AF. Network operations on this system may be disrupted as a result.
.
==== End Of File ===========================

RogueKiller V8.8.0 _x64_ [Dec 27 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
 
Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Blobber [Admin rights]
Mode : Scan -- Date : 01/01/2014 23:05:45
| ARK || FAK || MBR |
 
¤¤¤ Bad processes : 0 ¤¤¤
 
¤¤¤ Registry Entries : 0 ¤¤¤
 
¤¤¤ Scheduled tasks : 0 ¤¤¤
 
¤¤¤ Startup Entries : 0 ¤¤¤
 
¤¤¤ Web browsers : 0 ¤¤¤
 
¤¤¤ Browser Addons : 0 ¤¤¤
 
¤¤¤ Particular Files / Folders: ¤¤¤
 
¤¤¤ Driver : [NOT LOADED 0x0] ¤¤¤
 
¤¤¤ External Hives: ¤¤¤
 
¤¤¤ Infection :  ¤¤¤
 
¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts
 
 
 
RogueKiller V8.7.13 _x64_ [Dec 18 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
 
Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Safe mode with network support
User : Blobber [Admin rights]
Mode : Scan -- Date : 12/19/2013 05:11:47
| ARK || FAK || MBR |
 
¤¤¤ Bad processes : 0 ¤¤¤
 
¤¤¤ Registry Entries : 8 ¤¤¤
[HJ SMENU][PUM] HKCU\[...]\Advanced : Start_ShowUser (0) -> FOUND
[HJ SMENU][PUM] HKCU\[...]\Advanced : Start_ShowMyPics (0) -> FOUND
[HJ SMENU][PUM] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> FOUND
[HJ SMENU][PUM] HKCU\[...]\Advanced : Start_ShowHelp (0) -> FOUND
[HJ SMENU][PUM] HKCU\[...]\Advanced : Start_ShowPrinters (0) -> FOUND
[HJ SMENU][PUM] HKCU\[...]\Advanced : Start_ShowSetProgramAccessAndDefaults (0) -> FOUND
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
 
¤¤¤ Scheduled tasks : 0 ¤¤¤
 
¤¤¤ Startup Entries : 0 ¤¤¤
 
¤¤¤ Web browsers : 0 ¤¤¤
 
¤¤¤ Particular Files / Folders: ¤¤¤
 
¤¤¤ Driver : [NOT LOADED 0x0] ¤¤¤
 
¤¤¤ External Hives: ¤¤¤
 
¤¤¤ Infection :  ¤¤¤
 
¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts
 
 
 
 
¤¤¤ MBR Check: ¤¤¤
 
+++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ IDE) Hitachi HTS543216L9A300 ATA Device +++++
--- User ---
[MBR] c70592079a48b7c7adc1880bcf07ed92
[BSP] 20830c7800f61d33e39c4c9189df0511 : Windows 7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 99998 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 204797952 | Size: 52627 Mo
User = LL1 ... OK!
User = LL2 ... OK!
 
Finished : << RKreport[0]_S_12192013_051147.txt >>

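The Rkill log in the post above reports a Debugger value on taskmgr.exe under Image File Execution Options (IFEO) and deletes it. An IFEO Debugger value makes Windows start the named "debugger" program in place of the original executable; Process Explorer's "Replace Task Manager" option sets exactly such a value on taskmgr.exe, but the same mechanism can also redirect or silence a tool, which is why Rkill flags it. The PowerShell below is an added example for this thread, not code from Rkill, RogueKiller, DDS or any other tool mentioned; the function name Get-IfeoDebugger is my own. It lists every IFEO subkey that carries a Debugger value together with the publisher of the program it points to, so a legitimately signed redirection to procexp can be told apart from an unknown one.

```powershell
# Added example: enumerate IFEO Debugger redirections and who signed the target.
# Run from an elevated PowerShell prompt. The registry path is the documented
# IFEO location; Get-IfeoDebugger is a name chosen for this example.

$IfeoKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

function Get-IfeoDebugger {
    param([string]$Path = $IfeoKey)

    Get-ChildItem -Path $Path -ErrorAction SilentlyContinue | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
        # Most IFEO subkeys only hold mitigation flags; only a Debugger value redirects a launch.
        if (-not $props.Debugger) { return }

        # The Debugger value may be quoted and may carry arguments; recover the executable path.
        $exe = if ($props.Debugger -match '^"([^"]+)"') { $Matches[1] } else { ($props.Debugger -split '\s+')[0] }

        # Report the publisher of a validly signed debugger, otherwise the signature status.
        $signer = 'FileMissing'
        if (Test-Path -LiteralPath $exe) {
            $sig    = Get-AuthenticodeSignature -FilePath $exe
            $signer = if ($sig.Status -eq 'Valid') { $sig.SignerCertificate.Subject } else { "$($sig.Status)" }
        }

        [pscustomobject]@{
            Target   = $_.PSChildName     # executable being intercepted, e.g. taskmgr.exe
            Debugger = $props.Debugger    # program Windows launches instead
            Signer   = $signer
        }
    }
}

# Review the table; an entry whose Signer is NotSigned or FileMissing deserves a closer look.
Get-IfeoDebugger | Sort-Object Target | Format-Table -AutoSize
```

The output can be pasted alongside the other logs in a reply; on a machine where only Process Explorer was installed with "Replace Task Manager", the expected result is a single taskmgr.exe row whose Signer is Microsoft's code-signing subject.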

  • Root Admin

Okay then for your Laptop
 
Please uninstall ALL versions of Java from the Control Panel, Add/Remove
 
Then run the following
 
Please download JavaRa-1.16 and save it to your computer.

  • Double click to open the zip file and then select all and choose Copy.
  • Create a new folder on your Desktop named RemoveJava and paste the files into this new folder.
  • Quit all browsers and other running applications.
  • Right-click on JavaRa.exe in RemoveJava folder and choose Run as administrator to start the program.
  • From the drop-down menu, choose English and click on Select.
  • JavaRa will open; click on Remove Older Versions to remove the older versions of Java installed on your computer.
  • Click Yes when prompted. When JavaRa is done, a notice will appear that a logfile has been produced. Click OK.
  • A logfile will pop up. Please save it to a convenient location and post it in your next reply.

 

 

Next, Please go ahead and run through the following steps and post back the logs when ready.

STEP 03
Please download Malwarebytes Anti-Rootkit from here

  • Unzip the contents to a folder in a convenient location.
  • Open the folder where the contents were unzipped and run mbar.exe
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
  • Wait while the system shuts down and the cleanup process is performed.
  • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  • When done, please post the two logs produced; they will be in the MBAR folder: mbar-log.txt and system-log.txt

STEP 04
Please download Junkware Removal Tool to your desktop.
  • Shutdown your antivirus to avoid any conflicts.
  • Right click over JRT.exe and select Run as administrator on Windows Vista or Windows 7, double-click on XP.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next reply message
  • When completed make sure to re-enable your antivirus



STEP 05
Let's clean out any adware now (this will require a reboot, so save all your work).

Please download AdwCleaner by Xplode and save to your Desktop.

  • Double click on AdwCleaner.exe to run the tool.
    Vista/Windows 7/8 users right-click and select Run As Administrator
  • Click on the Scan button.
  • AdwCleaner will begin...be patient as the scan may take some time to complete.
  • When it's done you'll see: Pending: Please uncheck elements you don't want removed.
  • Now click on the Report button...a logfile (AdwCleaner[R0].txt) will open in Notepad for review.
  • Look over the log especially under Files/Folders for any program you want to save.
  • If there's a program you may want to save, just uncheck it from AdwCleaner.
  • If you're not sure, post the log for review. (all items found are adware/spyware/foistware)
  • If you're ready to clean it all up.....click the Clean button.
  • After rebooting, a logfile report (AdwCleaner[s0].txt) will open automatically.
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of that logfile will also be saved in the C:\AdwCleaner folder.
  • Items that are deleted are moved to the Quarantine Folder: C:\AdwCleaner\Quarantine
  • To restore an item that has been deleted:
  • Go to Tools > Quarantine Manager > check what you want restored > now click on Restore.


Then..................

Open up Malwarebytes > Settings Tab > Scanner Settings > Under action for PUP > Select: Show in Results List and Check for removal.

Please Update and run a Quick Scan with Malwarebytes Anti-Malware, post the report.

Make sure that everything is checked, and click Remove Selected.


STEP 06

Please go here to run the online antivirus scanner from ESET.

  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked
  • Click on Advanced Settings and ensure these options are ticked:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology

  • Click Scan
  • Wait for the scan to finish
  • If any threats were found, click the 'List of found threats', then click Export to text file....
  • Save it to your desktop, then please copy and paste that log as a reply to this topic.



STEP 07
Please download the Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. You can check here if you're not sure if your computer is 32-bit or 64-bit

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply as well.


 


JavaRa 1.16 Removal Log.

Report follows after line.

------------------------------------

The JavaRa removal process was started on Wed Jan 01 23:57:07 2014

There was an error removing C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-ABCDEFFDCBA}. The error returned was 124.
There was an error removing C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0001-ABCDEFFDCBA}. The error returned was 124.
There was an error removing C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0002-ABCDEFFDCBA}. The error returned was 124.
There was an error removing C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0003-ABCDEFFDCBA}. The error returned was 124.
There was an error removing C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0004-ABCDEFFDCBA}. The error returned was 124.
There was an error removing C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0005-ABCDEFFDCBA}. The error returned was 124.
There was an error removing C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0006-ABCDEFFDCBA}. The error returned was 124.
There was an error removing C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0007-ABCDEFFDCBA}. The error returned was 124.
There was an error removing C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0008-ABCDEFFDCBA}. The error returned was 124.
There was an error removing C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0009-ABCDEFFDCBA}. The error returned was 124.
There was an error removing C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0010-ABCDEFFDCBA}. The error returned was 124.
There was an error removing C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0011-ABCDEFFDCBA}. The error returned was 124.
There was an error removing C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0012-ABCDEFFDCBA}. The error returned was 124.
There was an error removing C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0013-ABCDEFFDCBA}. The error returned was 124.
There was an error removing C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0014-ABCDEFFDCBA}. The error returned was 124.
There was an error removing C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0015-ABCDEFFDCBA}. The error returned was 124.
There was an error removing C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0016-ABCDEFFDCBA}. The error returned was 124.
There was an error removing C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0017-ABCDEFFDCBA}. The error returned was 124.
There was an error removing C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0018-ABCDEFFDCBA}. The error returned was 124.
There was an error removing C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0019-ABCDEFFDCBA}. The error returned was 124.
There was an error removing C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0020-ABCDEFFDCBA}. The error returned was 124.
There was an error removing C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0021-ABCDEFFDCBA}. The error returned was 124.
There was an error removing C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0022-ABCDEFFDCBA}. The error returned was 124.

Found and removed: SOFTWARE\Classes\CLSID\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
Found and removed: SOFTWARE\Classes\CLSID\{5852F5ED-8BF4-11D4-A245-0080C6F74284}
Found and removed: SOFTWARE\Classes\CLSID\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
Found and removed: SOFTWARE\Classes\CLSID\{DBC80044-A445-435b-BC74-9C25C1C588A9}
Found and removed: SOFTWARE\Classes\Interface\{5852F5EC-8BF4-11D4-A245-0080C6F74284}
Found and removed: SOFTWARE\Classes\MIME\Database\Content Type\application/java-deployment-toolkit
Found and removed: SOFTWARE\Classes\TypeLib\{5852F5E0-8BF4-11D4-A245-0080C6F74284}
Found and removed: SOFTWARE\Classes\JavaWebStart.isInstalled
Found and removed: SOFTWARE\Classes\JavaWebStart.isInstalled.1.7.0.0
Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
Found and removed: SOFTWARE\JavaSoft
Found and removed: SOFTWARE\JreMetrics
Found and removed: SOFTWARE\MozillaPlugins

------------------------------------

Finished reporting.

Malwarebytes Anti-Rootkit BETA 1.07.0.1008
www.malwarebytes.org

Database version: v2014.01.01.05

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 11.0.9600.16476
Blobber :: COUCH-POTATO [administrator]

2-1-2014 0:00:58
mbar-log-2014-01-02 (00-00-58).txt

Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
Scan options disabled: 
Objects scanned: 216937
Time elapsed: 17 minute(s), 19 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

Physical Sectors Detected: 0
(No malicious items detected)

(end)


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.0.9 (01.01.2014:1)
OS: Windows 7 Ultimate x64
Ran by Blobber on do 02-01-2014 at  0:19:20,84
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

~~~ Services

~~~ Registry Values

~~~ Registry Keys

~~~ Files

~~~ Folders

~~~ Event Viewer Logs were cleared

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on do 02-01-2014 at  0:26:19,55
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


now running adwcleaner, more to come


adw cleaner finished quite fast while the system is not that fast...

 

# AdwCleaner v3.016 - Report created 02/01/2014 at 00:31:55
# Updated 23/12/2013 by Xplode
# Operating System : Windows 7 Ultimate Service Pack 1 (64 bits)
# Username : Blobber - COUCH-POTATO
# Running from : C:\Users\Blobber\Desktop\AdwCleaner (1).exe
# Option : Scan
 
***** [ Services ] *****
 
 
***** [ Files / Folders ] *****
 
 
***** [ Shortcuts ] *****
 
 
***** [ Registry ] *****
 
 
***** [ Browsers ] *****
 
-\\ Internet Explorer v11.0.9600.16428
 
 
-\\ Google Chrome v31.0.1650.63
 
[ File : C:\Users\Blobber\AppData\Local\Google\Chrome\User Data\Default\preferences ]
 
 
*************************
 
AdwCleaner[R0].txt - [768 octets] - [19/12/2013 05:14:36]
AdwCleaner[R1].txt - [691 octets] - [02/01/2014 00:31:55]
AdwCleaner[s0].txt - [828 octets] - [19/12/2013 05:16:48]
 
########## EOF - C:\AdwCleaner\AdwCleaner[R1].txt - [809 octets] ##########

After a reboot required by adwcleaner i got the following popup from ERUNT which i ran the session before:

 

"Unable to create file: C:\Windows\ERDNT\Autobackup\2-1-2014\ERDNT.INF

 

Registry backup will continue, but no restore information for the ERDNT program will be saved, This means that later restoration of the registry can only be done manually, by using another OS to copy back the files."

 

 

 

Now continuing with mbam scan.


Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2014.01.01.06

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 11.0.9600.16476
Blobber :: COUCH-POTATO [administrator]

2-1-2014 0:49:12
mbam-log-2014-01-02 (00-49-12).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 204240
Time elapsed: 3 minute(s), 27 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

Ok will do, although i ran it as admin the session before.

While running the eset scan i got a little bored and tried to see if windows defender still would not run, and started it manually (which i was not able to do before) and now it will start...(?) Stopped the service again for now.

Afraid the system is not that fast, more to come.


Maybe you got additional tips for doing that properly?

I just now started with detaching the hdd, depowering the system, clear bios, unplug the power plug from mainboard, wait a minute, plug it back in and powering up the system.

Now will boot from cd made at a clean pc with dos prompt and flash utility and after that will load system defaults.

Then i will connect hdd again and boot from a pc tool cd and write zeros to the hdd.

Then will do a genuine MS dvd windows 7 setup, and i have clean cd with offline win7 sp1, eset nod32 and mbam to install, before i will plug in the lan cable to run further updates.


  • Root Admin

I don't wish to discuss another computer in this same topic as sooner or later either you or I will be confused as to which computer.

I will say you don't need to write zeros to the drive. Simply delete ALL partitions from it and then install Windows, then reboot and run a CHKDSK C: /F against the drive. Then check the Event Logs and see what it finds. We'll continue on the other system later if you want, not here. Thanks

 

 

For the current laptop please run the following.

 

Please download the attached fixlist.txt file and save it to the Desktop.

NOTE. It's important that both files, FRST or FRST64 and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.

Run FRST or FRST64 and press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt). Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.
 

fixlist.txt

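The Root Admin's advice above is to run CHKDSK C: /F after the reinstall and then read the Event Logs. The script below is an added example, not code from this thread or from Malwarebytes, that pulls the relevant entries out of the logs in one go: the chkdsk summary, any disk/NTFS errors, and any log-clear events (JRT reported clearing the Event Viewer logs earlier in the thread, so one of those is expected). It assumes Windows PowerShell 2.0 on Windows 7 and the standard event sources (Wininit for a boot-time check of the system volume, Chkdsk for an on-demand run, System log Event ID 104 for a cleared log); the seven-day lookback window and the list of storage driver sources are assumptions to adjust for the machine.

```powershell
# Added example (not from the thread): summarise what CHKDSK and the disk stack logged after the
# reinstall, instead of reading Event Viewer by hand. Windows PowerShell 2.0 syntax (Windows 7).
# $Days is an assumed lookback window; run from an elevated prompt so all logs are readable.
param([int]$Days = 7)

$since = (Get-Date).AddDays(-$Days)

# A boot-time check (what "chkdsk C: /F" schedules on the mounted system volume) writes its summary
# to the Application log under source "Wininit"; a run against another volume logs under "Chkdsk".
$chkdsk = @(Get-EventLog -LogName Application -After $since |
    Where-Object { $_.Source -eq 'Wininit' -or $_.Source -eq 'Chkdsk' })

if ($chkdsk.Count -eq 0) {
    Write-Warning "No chkdsk summary in the Application log since $since; the scheduled check may not have run."
} else {
    foreach ($e in ($chkdsk | Sort-Object TimeGenerated)) {
        "==== {0}  source={1}  EventID={2}" -f $e.TimeGenerated, $e.Source, $e.EventID
        # Keep only the summary lines that say whether something was wrong and whether it was repaired.
        $e.Message -split "`r?`n" | Where-Object { $_ -match 'correct|problem|bad sector|error|repair|found' }
    }
}

# Hardware and file-system trouble lands in the System log under these sources
# (assumed list; add the source name of your own disk controller driver).
$diskSources = @('Disk', 'Ntfs', 'volsnap', 'atapi', 'iaStor')
$diskEvents = @(Get-EventLog -LogName System -After $since -EntryType Error, Warning |
    Where-Object { $diskSources -contains $_.Source })

"`n{0} disk/NTFS errors or warnings in the System log since {1}" -f $diskEvents.Count, $since
$diskEvents | Sort-Object TimeGenerated |
    Format-Table TimeGenerated, Source, EventID,
        @{ Label = 'Message'; Expression = { $_.Message -replace '\s+', ' ' } } -AutoSize -Wrap

# A cleared log is itself a finding: Event ID 104 in the System log records a clear of a Windows log,
# including who cleared it. One is expected from the JRT run; any other is worth explaining.
$clears = @(Get-EventLog -LogName System -After $since | Where-Object { $_.EventID -eq 104 })
"`n{0} log-clear events (System log EventID 104) since {1}" -f $clears.Count, $since
$clears | Select-Object TimeGenerated, UserName, Message | Format-List
```

Save it as a .ps1 and run it from an elevated PowerShell prompt after the reboot that performs the check; if the first section reports no chkdsk summary, the check was never scheduled or the log was cleared again, and either is worth knowing before the next scan.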

Ok did so, here the output.

Btw i started the windows defender service again some 15 mins ago and set it to automatic, and now that i got back to the laptop it is stopped again and set to manual.

 

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 01-01-2014 01
Ran by Blobber at 2014-01-02 03:12:10 Run:1
Running from C:\Users\Blobber\Downloads
Boot Mode: Normal
==============================================
 
Content of fixlist:
*****************
DeleteJunctionsInDirectory: C:\Program Files\Windows Defender
DeleteJunctionsInDirectory: C:\Program Files\Microsoft Security Client
Task: {223FC82C-1C48-4A2D-9004-4FAA338A2D59} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2013-11-17] (Google Inc.)
Task: {58285ABD-E5FE-4BF8-84B3-BE4CFE7AEE47} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2013-11-17] (Google Inc.)
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe <==== ATTENTION
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe <==== ATTENTION
 
*****************
 
"C:\Program Files\Windows Defender" => Deleting reparse point and unlocking started.
"C:\Program Files\Windows Defender" => Deleting reparse point and unlocking completed.
"C:\Program Files\Microsoft Security Client" => Deleting reparse point and unlocking started.
"C:\Program Files\Microsoft Security Client" => Deleting reparse point and unlocking completed.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{223FC82C-1C48-4A2D-9004-4FAA338A2D59} => Key deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{223FC82C-1C48-4A2D-9004-4FAA338A2D59} => Key deleted successfully.
C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA => Moved successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\GoogleUpdateTaskMachineUA => Key deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{58285ABD-E5FE-4BF8-84B3-BE4CFE7AEE47} => Key deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{58285ABD-E5FE-4BF8-84B3-BE4CFE7AEE47} => Key deleted successfully.
C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore => Moved successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\GoogleUpdateTaskMachineCore => Key deleted successfully.
C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => Moved successfully.
C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => Moved successfully.
 
 
The system needs a manual reboot. 
 
==== End of Fixlog ====
 
 
 
Rebooting.
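The Fixlog above shows FRST removing reparse points from the Windows Defender and Microsoft Security Client directories and moving four scheduled-task entries, while the poster reports the WinDefend service being flipped back to Manual after they set it to Automatic. The script below is an added example, not code from the thread or from FRST, for checking whether any of that has come back: it flags junctions or symlinks in or under those two directories, reports the WinDefend start mode and state, lists the Service Control Manager's start-type change events (System log Event ID 7040), and prints the command line of every task definition under System32\Tasks. It assumes Windows PowerShell 2.0 on Windows 7, run elevated; the two directory names are taken from the Fixlog, and the seven-day window is an assumption.

```powershell
# Added example (not from the thread or from FRST): re-check what the Fixlog repaired so a
# recurrence is visible before the next scan. Windows PowerShell 2.0 syntax, elevated prompt.

# The two directories named in the DeleteJunctionsInDirectory lines of the fixlist.
$protectedDirs = @(
    (Join-Path $env:ProgramFiles 'Windows Defender'),
    (Join-Path $env:ProgramFiles 'Microsoft Security Client')
)
$reparse = [System.IO.FileAttributes]::ReparsePoint

foreach ($dir in $protectedDirs) {
    if (-not (Test-Path -LiteralPath $dir)) { "MISSING  $dir"; continue }
    # A junction or symlink where the real directory (or its contents) belongs is what
    # "Deleting reparse point and unlocking" removed; check the directory and one level inside it.
    $items = @(Get-Item -LiteralPath $dir -Force) +
             @(Get-ChildItem -LiteralPath $dir -Force -ErrorAction SilentlyContinue)
    foreach ($i in $items) {
        if (($i.Attributes -band $reparse) -eq $reparse) { "REPARSE  $($i.FullName)" }
        else { "ok       $($i.FullName)" }
    }
}

# WinDefend start type and state. Win32_Service exposes StartMode, which Get-Service does not in PS 2.0.
$svc = Get-WmiObject Win32_Service -Filter "Name='WinDefend'"
if ($svc -eq $null) {
    "WinDefend: service not present"
} else {
    "WinDefend: StartMode={0} State={1} Path={2}" -f $svc.StartMode, $svc.State, $svc.PathName
    if ($svc.StartMode -ne 'Auto' -or $svc.State -ne 'Running') {
        Write-Warning 'WinDefend is not Auto/Running.'
    }
}

# The Service Control Manager logs every start-type change as System log Event ID 7040, which
# gives the time of each flip back to Manual rather than only the current setting.
$since = (Get-Date).AddDays(-7)   # assumed lookback window
Get-EventLog -LogName System -After $since |
    Where-Object { $_.EventID -eq 7040 -and $_.Message -match 'Windows Defender' } |
    Select-Object TimeGenerated, Message | Format-List

# Scheduled tasks: definitions under System32\Tasks are XML, so print each task's Exec action;
# a re-created entry shows up by its command line even if its name changed.
$taskRoot = Join-Path $env:windir 'System32\Tasks'
Get-ChildItem -LiteralPath $taskRoot -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer } |
    ForEach-Object {
        $file = $_
        try {
            $xml = [xml](Get-Content -LiteralPath $file.FullName -ErrorAction Stop)
            foreach ($exec in @($xml.Task.Actions.Exec)) {
                if ($exec -ne $null) {
                    "{0,-50} {1} {2}" -f $file.FullName.Substring($taskRoot.Length), $exec.Command, $exec.Arguments
                }
            }
        } catch {
            "UNREADABLE {0}: {1}" -f $file.FullName, $_.Exception.Message
        }
    }

# Legacy .job files (the other two Fixlog entries) are binary; list them by name and date so a
# re-created GoogleUpdate*.job stands out by its timestamp.
Get-ChildItem -LiteralPath (Join-Path $env:windir 'Tasks') -Filter *.job -Force -ErrorAction SilentlyContinue |
    Select-Object Name, LastWriteTime
```

Run it once right after the FRST reboot to record a baseline, and again whenever the service shows up as Manual; comparing the 7040 timestamps with the task list and the disk errors from the earlier check is the quickest way to tell a recurring tamper from a one-off.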

  • Root Admin

When you get back please run the following and post back the log.

 

Please visit this webpage and read the ComboFix User's Guide:

  • Once you've read the article and are ready to use the program you can download it directly from the link below.
  • Important! - Please make sure you save combofix to your desktop and do not run it from your browser
  • Direct download link for: ComboFix.exe
  • Please make sure you disable your security applications before running ComboFix.
  • Once Combofix has completed it will produce and open a log file.  Please be patient as it can take some time to load.
  • Please attach that log file to your next reply.
  • If needed the file can be located here:  C:\combofix.txt
  • NOTE: If you receive the message "illegal operation has been attempted on a registry key that has been marked for deletion", just reboot the computer.


 


  • Root Admin

No problem.

 

How is the computer running now?

Are there still any signs of an infection?

 

Please download Security Check by screen317 from HERE or HERE.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • If you get Unsupported operating system. Aborting now, just reboot and try again.
  • A Notepad document should open automatically called checkup.txt.
  • Please Post the contents of that document.
  • Do Not Attach It!!!


 


This topic is now closed to further replies.