Malware keeps returning

AnotherEssexGuy · September 15, 2014

So i've stupidly gone and opened a suspicious file sent to me which was cleared by my virus checker, but it turned out to be a trojan horse of some sort as almost as soon as i tried to open it a chat window opened and a hacker started abusing me saying he'll do this n that to my comp, so i disconnected and rebooted in safe mode later on, installed and run malwarebytes which picked up three infected objects:

A Stolen.Data folder was found in c:\users\david\appdata\roaming\dclogs

A Stolen.Date file was found in the above folder, with todays date

A Malware.Trace registry key was also found

I quarantined and deleted the affected items, but upon restarting the computer, i scanned again with Malwarebytes, and the Malware.Trace registry key infection had returned. I tried a couple of different options (including disabling system restore) to no avail, and have since noticed at the time of writing after doing another Malwarebytes scan, that the Stolen.Data items had also returned.

I have included the requested logs, and i still have the suspect file on my comp if that is any help to you (or should i delete it?)

Thanks for reading hope you can help...

FRST.txt

Addition.txt

Psychotic · September 16, 2014

Hi there,
my name is Marius and I will assist you with your malware related problems.

Before we move on, please read the following points carefully.

First, read my instructions completely. If there is anything that you do not understand kindly ask before proceeding.
Perform everything in the correct order. Sometimes one step requires the previous one.
If you have any problems while following my instructions, Stop there and tell me the exact nature of your problem.
Do not run any other scans without instruction or add/remove software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
Post all logfiles as a reply rather than as an attachment unless I specifically ask you. If you can not post all logfiles in one reply, feel free to use more posts.
If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
My first language is not english. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.

Important: To help me reviewing your logs, please post them in code boxes. You can create them by clicking on the <>-symbol on top of the reply window.

Scan with Gmer rootkit scanner

Please download Gmer from here by clicking on the "Download EXE" Button.

Double click on the randomly named GMER.exe. If asked to allow gmer.sys driver to load, please consent.
If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.
In the right panel, you will see several boxes that have been checked. Uncheck the following ...
- Sections
- IAT/EAT
- Show All ( should be unchecked by default )
[*]Leave everything else as it is. [*]Close all other running programs as well as your Browser. [*]Click the Scan button & wait for it to finish. [*]Once done click on the Save.. button, and in the File name area, type in "ark.txt" or it will save as a .log file which cannot be uploaded to your post. [*]Save it where you can easily find it, such as your desktop. [*]Please post the content of the ark.txt here.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries

AnotherEssexGuy · September 16, 2014

GMER 2.1.19357 - http://www.gmer.netRootkit scan 2014-09-16 18:20:58Windows 6.2.9200  x64 \Device\Harddisk0\DR0 -> \Device\00000037 ST1000LM024_HN-M101MBB rev.2BA30001 931.51GBRunning: 6glpzhcm.exe; Driver: C:\Users\David\AppData\Local\Temp\pxdyapod.sys---- User code sections - GMER 2.1 ----.text    C:\Windows\system32\nvvsvc.exe[508] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 506                                                                                                            00007ffb6970169a 4 bytes [70, 69, FB, 7F].text    C:\Windows\system32\nvvsvc.exe[508] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 514                                                                                                            00007ffb697016a2 4 bytes [70, 69, FB, 7F].text    C:\Windows\system32\nvvsvc.exe[508] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 118                                                                                                               00007ffb6970181a 4 bytes [70, 69, FB, 7F].text    C:\Windows\system32\nvvsvc.exe[508] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 142                                                                                                               00007ffb69701832 4 bytes [70, 69, FB, 7F].text    C:\Program Files\Hewlett-Packard\SimplePass\cachesrvr.exe[532] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 506                                                                                 00007ffb6970169a 4 bytes [70, 69, FB, 7F].text    C:\Program Files\Hewlett-Packard\SimplePass\cachesrvr.exe[532] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 514                                                                                 00007ffb697016a2 4 bytes [70, 69, FB, 7F].text    C:\Program Files\Hewlett-Packard\SimplePass\cachesrvr.exe[532] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 118                                                                                    00007ffb6970181a 4 bytes [70, 69, FB, 7F].text    C:\Program Files\Hewlett-Packard\SimplePass\cachesrvr.exe[532] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 142                                                                                    00007ffb69701832 4 bytes [70, 69, FB, 7F].text    C:\Program Files\Hewlett-Packard\SimplePass\OmniServ.exe[356] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 506                                                                                  00007ffb6970169a 4 bytes [70, 69, FB, 7F].text    C:\Program Files\Hewlett-Packard\SimplePass\OmniServ.exe[356] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 514                                                                                  00007ffb697016a2 4 bytes [70, 69, FB, 7F].text    C:\Program Files\Hewlett-Packard\SimplePass\OmniServ.exe[356] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 118                                                                                     00007ffb6970181a 4 bytes [70, 69, FB, 7F].text    C:\Program Files\Hewlett-Packard\SimplePass\OmniServ.exe[356] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 142                                                                                     00007ffb69701832 4 bytes [70, 69, FB, 7F].text    C:\Windows\System32\WUDFHost.exe[1480] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 506                                                                                                         00007ffb6970169a 4 bytes [70, 69, FB, 7F].text    C:\Windows\System32\WUDFHost.exe[1480] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 514                                                                                                         00007ffb697016a2 4 bytes [70, 69, FB, 7F].text    C:\Windows\System32\WUDFHost.exe[1480] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 118                                                                                                            00007ffb6970181a 4 bytes [70, 69, FB, 7F].text    C:\Windows\System32\WUDFHost.exe[1480] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 142                                                                                                            00007ffb69701832 4 bytes [70, 69, FB, 7F].text    C:\Program Files\Common Files\mcafee\platform\McSvcHost\McSvHost.exe[2232] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 506                                                                     00007ffb6970169a 4 bytes [70, 69, FB, 7F].text    C:\Program Files\Common Files\mcafee\platform\McSvcHost\McSvHost.exe[2232] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 514                                                                     00007ffb697016a2 4 bytes [70, 69, FB, 7F].text    C:\Program Files\Common Files\mcafee\platform\McSvcHost\McSvHost.exe[2232] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 118                                                                        00007ffb6970181a 4 bytes [70, 69, FB, 7F].text    C:\Program Files\Common Files\mcafee\platform\McSvcHost\McSvHost.exe[2232] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 142                                                                        00007ffb69701832 4 bytes [70, 69, FB, 7F].text    C:\Windows\system32\mfevtps.exe[2332] C:\Windows\system32\psapi.dll!GetModuleBaseNameA + 506                                                                                                          00007ffb6970169a 4 bytes [70, 69, FB, 7F].text    C:\Windows\system32\mfevtps.exe[2332] C:\Windows\system32\psapi.dll!GetModuleBaseNameA + 514                                                                                                          00007ffb697016a2 4 bytes [70, 69, FB, 7F].text    C:\Windows\system32\mfevtps.exe[2332] C:\Windows\system32\psapi.dll!QueryWorkingSet + 118                                                                                                             00007ffb6970181a 4 bytes [70, 69, FB, 7F].text    C:\Windows\system32\mfevtps.exe[2332] C:\Windows\system32\psapi.dll!QueryWorkingSet + 142                                                                                                             00007ffb69701832 4 bytes [70, 69, FB, 7F].text    C:\Windows\Explorer.EXE[3112] C:\Windows\system32\psapi.dll!GetModuleBaseNameA + 506                                                                                                                  00007ffb6970169a 4 bytes [70, 69, FB, 7F].text    C:\Windows\Explorer.EXE[3112] C:\Windows\system32\psapi.dll!GetModuleBaseNameA + 514                                                                                                                  00007ffb697016a2 4 bytes [70, 69, FB, 7F].text    C:\Windows\Explorer.EXE[3112] C:\Windows\system32\psapi.dll!QueryWorkingSet + 118                                                                                                                     00007ffb6970181a 4 bytes [70, 69, FB, 7F].text    C:\Windows\Explorer.EXE[3112] C:\Windows\system32\psapi.dll!QueryWorkingSet + 142                                                                                                                     00007ffb69701832 4 bytes [70, 69, FB, 7F].text    C:\Program Files\Hewlett-Packard\SimplePass\opvapp.exe[3592] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 506                                                                                   00007ffb6970169a 4 bytes [70, 69, FB, 7F].text    C:\Program Files\Hewlett-Packard\SimplePass\opvapp.exe[3592] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 514                                                                                   00007ffb697016a2 4 bytes [70, 69, FB, 7F].text    C:\Program Files\Hewlett-Packard\SimplePass\opvapp.exe[3592] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 118                                                                                      00007ffb6970181a 4 bytes [70, 69, FB, 7F].text    C:\Program Files\Hewlett-Packard\SimplePass\opvapp.exe[3592] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 142                                                                                      00007ffb69701832 4 bytes [70, 69, FB, 7F].text    C:\Program Files\Hewlett-Packard\SimplePass\OPBHOBroker.exe[3840] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 506                                                                              00007ffb6970169a 4 bytes [70, 69, FB, 7F].text    C:\Program Files\Hewlett-Packard\SimplePass\OPBHOBroker.exe[3840] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 514                                                                              00007ffb697016a2 4 bytes [70, 69, FB, 7F].text    C:\Program Files\Hewlett-Packard\SimplePass\OPBHOBroker.exe[3840] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 118                                                                                 00007ffb6970181a 4 bytes [70, 69, FB, 7F].text    C:\Program Files\Hewlett-Packard\SimplePass\OPBHOBroker.exe[3840] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 142                                                                                 00007ffb69701832 4 bytes [70, 69, FB, 7F].text    C:\Program Files\Hewlett-Packard\SimplePass\OPBHOBrokerDsktop.exe[4992] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 506                                                                        00007ffb6970169a 4 bytes [70, 69, FB, 7F].text    C:\Program Files\Hewlett-Packard\SimplePass\OPBHOBrokerDsktop.exe[4992] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 514                                                                        00007ffb697016a2 4 bytes [70, 69, FB, 7F].text    C:\Program Files\Hewlett-Packard\SimplePass\OPBHOBrokerDsktop.exe[4992] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 118                                                                           00007ffb6970181a 4 bytes [70, 69, FB, 7F].text    C:\Program Files\Hewlett-Packard\SimplePass\OPBHOBrokerDsktop.exe[4992] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 142                                                                           00007ffb69701832 4 bytes [70, 69, FB, 7F].text    C:\Program Files\Common Files\McAfee\AMCore\mcshield.exe[5392] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 506                                                                                 00007ffb6970169a 4 bytes [70, 69, FB, 7F].text    C:\Program Files\Common Files\McAfee\AMCore\mcshield.exe[5392] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 514                                                                                 00007ffb697016a2 4 bytes [70, 69, FB, 7F].text    C:\Program Files\Common Files\McAfee\AMCore\mcshield.exe[5392] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 118                                                                                    00007ffb6970181a 4 bytes [70, 69, FB, 7F].text    C:\Program Files\Common Files\McAfee\AMCore\mcshield.exe[5392] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 142                                                                                    00007ffb69701832 4 bytes [70, 69, FB, 7F]---- Threads - GMER 2.1 ----Thread   C:\Windows\system32\csrss.exe [712:736]                                                                                                                                                               fffff96000912b90Thread   C:\Windows\Explorer.EXE [3112:6048]                                                                                                                                                                   00007ffb4fd9d73c---- Processes - GMER 2.1 ----Process  C:\Users\David\AppData\Roaming\skypeupdate\update.exe (*** suspicious ***) @ C:\Users\David\AppData\Roaming\skypeupdate\update.exe [5244] (AS SSD Benchmark/Alex Schepeljanski)(2014-09-15 10:28:52)  0000000000400000---- Disk sectors - GMER 2.1 ----Disk     \Device\Harddisk0\DR0                                                                                                                                                                                 unknown MBR code---- EOF - GMER 2.1 ----

I had a couple of error messages when running GMER, C:\windows\system32\config\system - the process cannot access the file because it is being used by another process. I got the same message for c:\users\david\ntuser.dat. Thought i should let u know.

The skypeupdate process marked suspicious was created around the time the inital attack took place so this is obviously very suspicous.

I have also found, in the startup section of task manager, a suspicious file created exactly the same time as the skypeudate\update file. It has not shown up in any scans but i believe it may be part of the problem.

This file is located at c:\users\david\appdata\roaming\microsoft\windows\start menu\programs\start-up\update.vbs

Also i wanted to mention the regkey, it is reappearing as HKCU\software\dc3_fexec. This has been mentioned before but i still havent solved the problem. hope you can help.

Psychotic · September 17, 2014

Scan file(s) via VirusTotal

Please check the file in the code box via Virustotal

Click browse

copy the following into the search box

C:\Users\David\AppData\Roaming\skypeupdate\update.exe

and click open.
click Send File.

please be patinet until the file is uploade completely. If you get the message

File already submitted: The file sent has already been analysed by VirusTotal in the past. This is same basic info regarding the sample itself and its last analysis:

click on Reanalyse. Wait until Current status: Finished appears. Now, copy the link from within your browser´s adress bar and poste it here.

AnotherEssexGuy · September 17, 2014

https://www.virustotal.com/en/file/de50cdebda5ca3f8dd97d3db77db8c8a7439325401406ea02e1e71e1f39c34ae/analysis/1410972185/

Psychotic · September 18, 2014

Fix with FRST (normal mode)

WARNING: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

Download the attached fixlist.txt and save it to the location where FRST is saved to.
Run FRST.exe (on 64bit, run FRST64.exe) and press the Fix button just once and wait.
The tool will make a log (Fixlog.txt) which you find where you saved FRST. Please post it to your reply.

Full System Scan with Malwarebytes Antimalware

If not existing, please download Malwarebytes Anti-Malware to your desktop.
Double-click the downloaded setup file and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to the following:
- Launch Malwarebytes Anti-Malware
- A 14 day trial of the Premium features is pre-selected. You may deselect this if you wish, and it will not diminish the scanning and removal capabilities of the program.
Click Finish.

If the program is already installed:

Run Malwarebytes Antimalware
On the Dashboard, click the 'Update Now >>' link
After the update completes, click the 'Scan Now >>' button.
Or, on the Dashboard, click the Scan Now >> button.
If an update is available, click the Update Now button.
A Threat Scan will begin.
When the scan is complete, if there have been detections, click Apply Actions to allow MBAM to clean what was detected.
In most cases, a restart will be required.
Wait for the prompt to restart the computer to appear, then click on Yes.

After the restart once you are back at your desktop, open MBAM once more.
Click on the History tab > Application Logs.
Double click on the scan log which shows the Date and time of the scan just performed.
Click 'Copy to Clipboard'
Paste the contents of the clipboard into your reply.

fixlist.txt

AnotherEssexGuy · September 18, 2014

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 12-09-2014Ran by David at 2014-09-18 13:25:53 Run:1Running from C:\Users\David\DesktopBoot Mode: Normal==============================================Content of fixlist:*****************Startup: C:\Users\David\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.vbs ()2014-08-31 14:14 - 2014-08-31 14:14 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Yahoo! Search ProtectionC:\Users\David\AppData\Roaming\skypeupdateEmptytemp:*****************C:\Users\David\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.vbs => Moved successfully.C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Yahoo! Search Protection => Moved successfully."C:\Users\David\AppData\Roaming\skypeupdate" directory move:C:\Users\David\AppData\Roaming\skypeupdate\update.bat => Moved successfully.C:\Users\David\AppData\Roaming\skypeupdate\update.exe => Moved successfully.Could not move "C:\Users\David\AppData\Roaming\skypeupdate" directory. => Scheduled to move on reboot.EmptyTemp: => Removed 172.2 MB temporary data.=> Result of Scheduled Files to move (Boot Mode: Normal) (Date&Time: 2014-09-18 13:27:42)<=C:\Users\David\AppData\Roaming\skypeupdate => Is moved successfully.==== End of Fixlog ====

Malwarebytes Anti-Malwarewww.malwarebytes.orgScan Date: 18/09/2014Scan Time: 13:32:14Logfile: Administrator: YesVersion: 2.00.2.1012Malware Database: v2014.09.18.03Rootkit Database: v2014.09.15.01License: TrialMalware Protection: EnabledMalicious Website Protection: EnabledSelf-protection: DisabledOS: Windows 8.1CPU: x64File System: NTFSUser: DavidScan Type: Threat ScanResult: CompletedObjects Scanned: 341260Time Elapsed: 7 min, 27 secMemory: EnabledStartup: EnabledFilesystem: EnabledArchives: EnabledRootkits: EnabledHeuristics: EnabledPUP: EnabledPUM: EnabledProcesses: 0(No malicious items detected)Modules: 0(No malicious items detected)Registry Keys: 1Malware.Trace, HKU\S-1-5-21-3022417494-29530920-1121726853-1002-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\DC3_FEXEC, Quarantined, [4aa802eb017a67cfb3c73f9afa093cc4], Registry Values: 0(No malicious items detected)Registry Data: 0(No malicious items detected)Folders: 1Stolen.Data, C:\Users\David\AppData\Roaming\dclogs, Quarantined, [14de717cd7a4072f20130800f50faa56], Files: 1Stolen.Data, C:\Users\David\AppData\Roaming\dclogs\2014-09-16-3.dc, Quarantined, [14de717cd7a4072f20130800f50faa56], Physical Sectors: 0(No malicious items detected)(end)

MBAM found the same three results but upon restart, they appear to be gone

I was changing passwords from another machine and noticed in my microsoft account recent activity a large number of security challenges dating BACK from when the initial trojan attack took place. I have changed all passwords but obviously this is a concern.

This is a fairly new pc so i was considering resetting the OS if you think this is necessary, or am i now clean?

Psychotic · September 18, 2014

Let´s see:

Scan with ESET Online Scan

Go here to run an online scannner from ESET. Windows Vista/Windows 7/Windows 8 users will need to right click on their Internet Explorer shortcut, and select Run as Administrator

Note: For browsers other than Internet Explorer, you will be prompted to download and install esetsmartinstaller_enu.exe. Click on the link and save the file to a convenient location. Double click on it to install and a new window will open. Follow the prompts.
Turn off the real time scanner of any existing antivirus program while performing the online scan. Here's how.
Click the blue Run ESET Online Scanner button
Tick the box next to YES, I accept the Terms of Use.
Click Start
When asked, allow the program to install the "OnlineScanner.cab" activex control by clicking the Install button
Once the activex control is installed, on the next screen click on Enable detection of potentially unwanted applications
Click on Advanced Settings
Make sure that the option Remove found threats is unticked.
Ensure these options are ticked
- Scan archives
- Scan for potentially unsafe applications
- Enable Anti-Stealth technology
[*]Click Start[*]Wait for the scan to finish[*]When the scan is done, if it shows a screen that says "Threats found!", then click "List of found threats", and then click "Export to text file..."[*] Save that text file on your desktop. Copy and paste the contents of that log as a reply to this topic.[*]Close the ESET online scan, and let me know how things are now.

AnotherEssexGuy · September 18, 2014

C:\FRST\Quarantine\C\Users\David\AppData\Roaming\skypeupdate\update.exe.xBAD a variant of Win32/Kryptik.CLDP trojan

AnotherEssexGuy · September 18, 2014

I wasn't sure whether to run in safe or normal mode, i nervously scanned in normal mode and only the above was found.

However i was looking through task manager again while ESET was running and noticed in the details section, i had 2 identical copies of csrss.exe running and 2 copies of nvvsvc.exe. They all showed under username SYSTEM, and the twin copies show exact same properties but appear to be running slightly differently.

I also had several identical svchost.exe files running.

Is all this normal?

Psychotic · September 19, 2014

No worries, the processes you´re describing are belonging to windows and are essential.

svchost can be started multiple times as it provides services ran by dll files.

Then we can do the cleanup - if you are facing any issues, report that immediately.

Delete junk with adwCleaner

Please download AdwCleaner to your desktop.

Run adwcleaner.exe
Hit Scan and wait for the scan to finish.
Confirm the message but don´t uncheck anything.
Hit Clean
When the run is finished, it will open up a text file
Please post its contents within your next reply
You´ll find the log file at C:\AdwCleaner[s1].txt also

Delete junk with JRT

Please download Junkware Removal Tool to your desktop.

Shut down your protection software now to avoid potential conflicts.
Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
The tool will open and start scanning your system.
Please be patient as this can take a while to complete depending on your system's specifications.
On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
Post the contents of JRT.txt into your next message.

SecurityCheck

Reboot your system before starting!

Please download SecurityCheck: LINK1 LINK2

Save it to your desktop, start it and follow the instructions in the window.
After the scan finished the (checkup.txt) will open. Copy its content to your thread.

AnotherEssexGuy · September 19, 2014

# AdwCleaner v3.310 - Report created 19/09/2014 at 13:22:24# Updated 12/09/2014 by Xplode# Operating System : Windows 8.1  (64 bits)# Username : David - DAVIDSHP# Running from : C:\Users\David\Downloads\adwcleaner_3.310.exe# Option : Clean***** [ Services ] ********** [ Files / Folders ] *****Folder Deleted : C:\Users\David\AppData\Roaming\Mozilla\Firefox\Profiles\9szceily.default\Extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}File Deleted : C:\Users\David\AppData\Roaming\Mozilla\Firefox\Profiles\9szceily.default\user.js***** [ Scheduled Tasks ] ********** [ Shortcuts ] ********** [ Registry ] *****Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{02478D38-C3F9-4EFB-9B51-7695ECA05670}Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{058F0E48-61CA-4964-9FBA-1978A1BB060D}Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{18F33C35-8EF2-40D7-8BA4-932B0121B472}Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{EF99BD32-C1FB-11D2-892F-0090271D4F88}Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{02478D38-C3F9-4EFB-9B51-7695ECA05670}Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EF99BD32-C1FB-11D2-892F-0090271D4F88}Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{02478D38-C3F9-4EFB-9B51-7695ECA05670}Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{EF99BD32-C1FB-11D2-892F-0090271D4F88}Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{02478D38-C3F9-4EFB-9B51-7695ECA05670}Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{EF99BD32-C1FB-11D2-892F-0090271D4F88}Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{EF99BD32-C1FB-11D2-892F-0090271D4F88}]***** [ Browsers ] *****-\\ Internet Explorer v11.0.9600.17278-\\ Mozilla Firefox v32.0.1 (x86 en-US)[ File : C:\Users\David\AppData\Roaming\Mozilla\Firefox\Profiles\9szceily.default\prefs.js ]-\\ Google Chrome v*************************AdwCleaner[R0].txt - [2445 octets] - [19/09/2014 13:20:32]AdwCleaner[S0].txt - [2234 octets] - [19/09/2014 13:22:24]########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [2294 octets] ##########

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~Junkware Removal Tool (JRT) by ThisisuVersion: 6.1.7 (09.18.2014:2)OS: Windows 8.1 x64Ran by David on 19/09/2014 at 13:29:55.25~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Services~~~ Registry Values~~~ Registry KeysSuccessfully deleted: [Registry Key] HKEY_CLASSES_ROOT\yt.ytnavassistpluginSuccessfully deleted: [Registry Key] HKEY_CLASSES_ROOT\yt.ytnavassistplugin.1Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{8C68E5CB-D30E-4BA5-9A89-2268537D9699}Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{8C68E5CB-D30E-4BA5-9A89-2268537D9699}~~~ Files~~~ Folders~~~ FireFoxEmptied folder: C:\Users\David\AppData\Roaming\mozilla\firefox\profiles\9szceily.default\minidumps [2 files]~~~ Event Viewer Logs were cleared~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~Scan was completed on 19/09/2014 at 13:35:23.35End of JRT log~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 Results of screen317's Security Check version 0.99.87     x64 (UAC is enabled)   Internet Explorer 11  [b][u]``````````````Antivirus/Firewall Check:``````````````[/b][/u]  Windows Firewall Enabled!  McAfee Anti-Virus and Anti-Spyware   Windows Defender                      [size=1]WMI entry may not exist for antivirus; attempting automatic update.[/size] [b][u]`````````Anti-malware/Other Utilities Check:`````````[/b][/u]  Adobe Flash Player 	15.0.0.152   Mozilla Firefox (32.0.1) [b][u]````````Process Check: objlist.exe by Laurent````````[/b][/u]   Malwarebytes Anti-Malware mbamservice.exe   Malwarebytes Anti-Malware mbam.exe   Malwarebytes Anti-Malware mbamscheduler.exe   [b][u]`````````````````System Health check`````````````````[/b][/u]  Total Fragmentation on Drive C:  % [b][u]````````````````````End of Log``````````````````````[/b][/u]

GMER 2.1.19357 - http://www.gmer.netRootkit scan 2014-09-19 14:07:50Windows 6.2.9200  x64 \Device\Harddisk0\DR0 -> \Device\00000037 ST1000LM024_HN-M101MBB rev.2BA30001 931.51GBRunning: 6glpzhcm.exe; Driver: C:\Users\David\AppData\Local\Temp\pxdyapod.sys---- Disk sectors - GMER 2.1 ----Disk    \Device\Harddisk0\DR0                                unknown MBR code---- Threads - GMER 2.1 ----Thread  C:\Windows\system32\csrss.exe [728:752]              fffff960009c0b90Thread  C:\Windows\System32\SettingSyncHost.exe [3684:1692]  00007ff865696da0Thread  C:\Windows\System32\SettingSyncHost.exe [3684:4636]  00007ff87036035c---- EOF - GMER 2.1 ----

I also re-ran GMER which came up with the same system32 error message (post 3) and mentions the csrss.exe file and other unknown MBR code. I posted that log too.

I have attatched a pic of task manager which still shows 2 csrss.exe running at once. The PID and memory usuage are different but when i click properties they are both the same. Same applies no nvvsvc.exe.

Also when i first open task manager there are 2 extra COM surrogate processes running which always disappear from view after a couple of seconds.

Sorry if i'm being paranoid but im still a little worried!

Psychotic · September 19, 2014

Normally, I don´t do detailed explanations, but here we go

Your hard drive is not initialized as an MBR but as an GPT drive, so no MBR code is written do the disk.

GMER cannot find the MBR, so it displays an error (see the empty MBR section of FRST below).

==================== MBR & Partition Table ==========================================================================Disk: 0 (Size: 931.5 GB) (Disk ID: 1E1F4777)Partition: GPT Partition Type.==================== End Of Log ============================

In addition, GMER is an expert tool for detecting not only rootkit/malicious activities, but also any hidden process.

This means, that it may list some entries that aren´t malicious.

In your case, it correctly listed normal system processes acting deeply within windows.

csrss.exe is, as you can see here, a legit part of windows.

dllhost.exe is a process to protect windows from crashing when a running program crashes:

The COM Surrogate is a fancy name for Sacrificial process for a COM object that is run outside of the process that requested it. Explorer uses the COM Surrogate when extracting thumbnails, for example. If you go to a folder with thumbnails enabled, Explorer will fire off a COM Surrogate and use it to compute the thumbnails for the documents in the folder. It does this because Explorer has learned not to trust thumbnail extractors; they have a poor track record for stability. Explorer has decided to absorb the performance penalty in exchange for the improved reliability resulting in moving these dodgy bits of code out of the main Explorer process. When the thumbnail extractor crashes, the crash destroys the COM Surrogate process instead of Explorer.

nvvsvc.exe is part of the NVIDIA device drivers installed.

Are you still worried now?

AnotherEssexGuy · September 19, 2014

Ok thanks for the explanation

My only concern is why does csrss.exe (and nvvsvc.exe) always appear to be running TWICE in task manager, as if there is a dulpicate?

I read somewhere this is a possible sign of infection if you are the only user, which i am.

But if you are confident my computer is safe i'll take your word for it

Psychotic · September 22, 2014

The Microsoft Client Server Runtime Server subsystem utilizes the process csrss.exe for managing the majority of the graphical instruction sets under the Microsoft Windows operating system. As such Csrss.exe provides the critical functions of the operating system, and its termination can result in the Blue Screen of Death being displayed Csrss.exe controls threading and Win32 console window features. Threading is where the application splits itself into multiple simultaneous running tasks. (Source: MS)

Similar for other system-critical files.

AnotherEssexGuy · September 22, 2014

Ok great, well all seems ok, i'll let u go then if we're done?

Much appreciate your help

Psychotic · September 22, 2014

Your system is clean now!

Uninstall our tools using delfix

Please follow these steps in order:

In the case we used Defogger to turn off your CD emulation software. You can start it again and use the Enable button.
In the case we used Combofix. Deactivate your antivirus software once more, then rename the combofix.exe to uninstall.exe and run it one last time. You shall be noted that Combofix has been removed.
In any case please download delfix to your desktop.
- Close all other programms and start delfix.
- Please check all the boxes and run the tool.
- delfix will now delete all found traces of our removal process

[*] If there is still something left please delete it manualy.

Delete System Restore Points

To ensure your System Restore Points are free of malware, we will delete all of them but the most recent or create a new one.

On Windows Vista: Please follow these instructions to delete all but the most common System Protection Restore Points.
On Windows 7/8: Please follow these instructions to delete all but the most common System Protection Restore Points.
On Windows XP: Please follow these instructions to delete all but the most common System Protection Restore Points.

Temp File Cleaner

We need to download Temp File Cleaner (TFC) by OldTimer:

Please download TFC.exe by Oldtimer at one of the two links: Link 1 Link 2
Save and close all running applications
Double-click on TFC.exe to run the program
Click on Start to begin the cleaning process note: this program may close running applications, make your screen disappear temporarily, or require a reboot of your PC - this is normal and part of the cleanup
When the scan is complete, if you were not asked to reboot the computer, please do so now

More Information can be found about the tool here: http://www.geekstogo.com/forum/files/file/187-tfc-temp-file-cleaner-by-oldtimer/

Recommendations: How to protect yourself

System Updates
Please ensure to have automatic updates activated in your control panel.
For further information and a tutorial, see this Microsoft Support article.
Protection
What you need is one (not more) virus scanner with background protection. Additionally I recommend a special malware scanner to run on demand weekly.
Personally I am using avast! Antivirus Free Edition and Malwarebytes Anti-Malware. They offer good protection for free.
- To keep your browser free of advertising, you may install the Adblock Plus browser extension.
  It will filter unwanted advertising out of the website´s content.
- To protect yourself from accidentally visiting malicious web sites, install the Web of Trust (WOT) browser extension.
  It will display a green (safe), yellow (unknown) or red (potentially dangerous) icon for a visited website within your browser.
  In addition, before accessing a dangerous classified web site, a warning screen is displayed.
[*]Up to date Software
Keep your Windows and your third party software up to date. The easiest way to get infected is an outdated windows, followed by: browser(s) (including add-ons and plug-ins), Adobe Flash Player and Adobe Reader, Java Runtime Environment, your antivirus program and so on. These links may help you to check:
- Secunia Personal Software Inspector - checks if your software has updates available.
- SecurityCheck (by screen317) - scans your computer for most vulnerable outdated software.
- Mozilla: Check your plugins - The webpage will tell you if you have outdated plugins running in your Firefox browser.
[*]Backup
Hardware issues, malware, fire, lightning strike: There is a long list of different ways to loose all your data. Back up your files regularly. Use the windows internal backup function or a third party tool and save your data onto an external hard drive, cloud storage, optical media like CDs or DVDs or (if available) a professional network backup system. [*]Behaviour
The commonest error when using a computer is "error 80" - what means that the error is located about 80cm in front of the monitor. This is a common joke between IT support technicians but it shows that all the safety mechanisms won´t help if you aren´t careful enough.
- While surfing the internet, don´t click on anything you don´t know. In the worst case, it infects your system with malware.
- Watch your step in social networks! Many cyber criminals use them to spread malware, mine personal pata (to be sold to advertising companies, for example) or simply do damage to other users. Even if a received hyperlink within a message seems to be coming from one of your friends, have a closer look. In addition, don´t click everything.
- When installing software, have a look to each of the setup windows and uncheck any additional toolbars or free programs that may be offered additionally. Most of today´s setup procedures contain potentially unwanted programs so keep them off your system.
- Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs.
  They are a security risk which can make your computer susceptible to a wide variety of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites.

AdvancedSetup · September 26, 2014

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

Malware keeps returning

Recommended Posts

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Recently Browsing 0 members

Important Information