Trojan PeeacMem-A Help

Kyle129

Hello..

 

My computer is infected with the Trojan PeeacMem-A malware and I can't seem to get rid of it.

 

It causes the computer to run at 100% CPU usage with many dllhost.exe COM surrogates shown in the process tab of task manager.

 

I followed the instructions and ran FRST as an administrator.

 

The two logs are attached.

 

Thanks in advance for any help.

 

 

Addition.txt

FRST.txt


Hello Kyle129, welcome to Malwarebytes' Malware Removal forum!
 
My username is LiquidTension, but you can call me Adam. I will be assisting you with your malware-related problems.
If you would allow me to call you by your first name I would prefer that.
 
General P2P/Piracy Notice: 
 

If you are using Peer to Peer (P2P) filesharing software such as uTorrent, BitTorrent or similar you must either fully uninstall or completely disable the programme(s) from running whilst receiving assistance at this forum. 
Failure to remove or disable such software will result in your topic being closed and no further assistance being provided.
If you have illegal/cracked/keygen or similar software on the computer, please remove/uninstall the software now and read the policy on Piracy. Failure to do so will also result in your topic being closed.

 
======================================================
 
Please read through the points below to ensure this process moves as quickly and efficiently as possible.

  • Please read through my instructions thoroughly, and ensure you carry out each step in the order specified.
  • Please do not post logs using the CODEQUOTE or ATTACHMENT format. Logs should be posted directly in plain text. If you receive an error whilst posting, please break the log in half and use multiple posts.
  • Please do not run any tools or take any steps other than those I provide for you. Independent efforts may make matters worse, and will affect my ability in ascertaining the current situation & providing the best set of instructions for you.
  • Please backup important documents before proceeding with my instructions.
  • If you come across any issues whilst following my instructions, please stop and inform me of the issue in as much detail as possible. Please do not hesitate to ask before you run anything.
  • Topics are locked if no response is made after 4 days. Please inform me if you will require additional time to complete my instructions.
     

======================================================
 
Please consider the following warning, and let me know how you wish to proceed. 
 

BACKDOOR WARNING

------------------------------

One or more of the identified infections is known to use a backdoor, that allows attackers to remotely control your computer, download/execute files and steal critical system, financial and personal information.

Please disconnect your computer from the internet immediately. If your computer was used for online banking, has credit card information or other sensitive data, using a non-infected computer/device you should immediately change all account information (including those used for banking, email, eBay, paypal, online forums, etc). Consider these accounts already compromised.

If you have used a router, you will need to reset it with a strong logon/password to ensure the malware cannot gain control before connecting again. Banking and credit card institutions should be notified of the possible security breach immediately. Please read the following for more information: How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

Whilst the identified infection(s) can be removed, there is no way to guarantee that your computer will be trustworthy again. This is due to the nature of the infection, which allows the attacker complete control over the computer. Many experts in the security community believe that once infected with this type of malware, the best course of action is to reformat the hard drive and reinstall the Operating System. Please read the following articles for more information.

Please let me know how you wish to proceed, and if you have any questions.

 


Hello Kyle, 

 

Please work your way through the following, and post the logs generated. 

 

STEP 1
ComboFix

  • Note: Please read through these instructions before running ComboFix. 
  • Please download ComboFix and save the file to your Desktop. << Important!
  • Temporarily disable your anti-virus software. For instructions, please refer to the following link.
  • Right-Click ComboFix.exe and select Run as administrator to run the programme.
  • Follow the prompts. 
  • Allow ComboFix to complete its removal routine (please refer to Important Notes:).
  • Upon completion, a log (ComboFix.txt) will be created in the root directory (C:\). Copy the contents of the log and paste in your next reply.
  • Re-enable your anti-virus software.

Important Notes:

  • Do NOT mouse click ComboFix's window whilst it is running. This may cause the programme to stall.
  • Do NOT use your computer whilst ComboFix is running.
  • Your Desktop/taskbar may disappear whilst ComboFix is running; this is normal.
     
  • If you get the message Illegal operation attempted on registry key that has been marked for deletion please reboot your computer.
  • ComboFix will disconnect your machine from the Internet as soon as it starts.
  • Please do not attempt to re-connect your machine back to the Internet until ComboFix has completely finished.
  • If you are unable to access the Internet after running ComboFix, please reboot your computer. 
     

STEP 2
TDSSKiller Scan

  • Please download TDSSKiller and save the file to your Desktop.
  • Right-Click TDSSKiller.exe and select Run as administrator to run the programme.
  • Click Change parameters. Place a checkmark next to:
    • Loaded Modules
    • Detect TDLFS file system
  • Note: If you receive the following message: Extended Monitoring Driver is required, click Reboot now, and continue from here following the reboot.
  • Click Start Scan. Do not use the computer during the scan.
  • If objects are found, change the action to skip.
  • Click Continue and close the window.
  • A log will be created and saved to the root directory (usually C:\). Copy the contents of the log and paste in your next reply.

======================================================

STEP 3
Logs
In your next reply please include the following logs. Please be sure to copy and paste the requested logs, as well as provide information on any questions I may have asked.

  • ComboFix.txt
  • TDSSKiller log

ComboFix 14-09-18.01 - sslovensky 09/21/2014 23:38:36.1.2 - x86
Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.3548.2261 [GMT -4:00]
Running from: i:\092114\ComboFix.exe
AV: Norton AntiVirus *Disabled/Updated* {D87FA2C0-F526-77B1-D6EC-0EDF3936CEDB}
SP: Norton AntiVirus *Enabled/Updated* {631E4324-D31C-783F-EC5C-35AD42B18466}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\install.exe
c:\windows\system32\00000153.tmp
c:\windows\system32\00000242.tmp
c:\windows\system32\00000292.tmp
c:\windows\system32\00000491.tmp
c:\windows\system32\00001621.tmp
c:\windows\system32\00001869.tmp
c:\windows\system32\00002680.tmp
c:\windows\system32\00002942.tmp
c:\windows\system32\00002995.tmp
c:\windows\system32\00003885.tmp
c:\windows\system32\00003902.tmp
c:\windows\system32\00004057.tmp
c:\windows\system32\00004827.tmp
c:\windows\system32\00005015.tmp
c:\windows\system32\00005436.tmp
c:\windows\system32\00005447.tmp
c:\windows\system32\00006861.tmp
c:\windows\system32\00008013.tmp
c:\windows\system32\00009525.tmp
c:\windows\system32\00009591.tmp
c:\windows\system32\00009638.tmp
c:\windows\system32\00009894.tmp
c:\windows\system32\00009961.tmp
c:\windows\system32\00011161.tmp
c:\windows\system32\00011538.tmp
c:\windows\system32\00011942.tmp
c:\windows\system32\00012382.tmp
c:\windows\system32\00012574.tmp
c:\windows\system32\00013323.tmp
c:\windows\system32\00014604.tmp
c:\windows\system32\00014771.tmp
c:\windows\system32\00016326.tmp
c:\windows\system32\00016772.tmp
c:\windows\system32\00016827.tmp
c:\windows\system32\00017035.tmp
c:\windows\system32\00017421.tmp
c:\windows\system32\00017752.tmp
c:\windows\system32\00018716.tmp
c:\windows\system32\00018935.tmp
c:\windows\system32\00019718.tmp
c:\windows\system32\00019895.tmp
c:\windows\system32\00019912.tmp
c:\windows\system32\00021726.tmp
c:\windows\system32\00022767.tmp
c:\windows\system32\00022946.tmp
c:\windows\system32\00023268.tmp
c:\windows\system32\00023281.tmp
c:\windows\system32\00023811.tmp
c:\windows\system32\00025667.tmp
c:\windows\system32\00026299.tmp
c:\windows\system32\00026362.tmp
c:\windows\system32\00027954.tmp
c:\windows\system32\00028145.tmp
c:\windows\system32\00028703.tmp
c:\windows\system32\00028983.tmp
c:\windows\system32\00029803.tmp
c:\windows\system32\00030154.tmp
c:\windows\system32\00030287.tmp
c:\windows\system32\00030471.tmp
c:\windows\system32\00030650.tmp
c:\windows\system32\00032391.tmp
c:\windows\system32\00032398.tmp
c:\windows\system32\test
.
.
((((((((((((((((((((((((( Files Created from 2014-08-22 to 2014-09-22 )))))))))))))))))))))))))))))))
.
.
2014-09-22 03:48 . 2014-09-22 03:48 -------- d-----w- c:\users\Default\AppData\Local\temp
2014-09-22 03:46 . 2014-09-22 03:48 -------- d-----w- c:\users\sslovensky\AppData\Local\temp
2014-09-22 03:46 . 2014-09-22 03:46 -------- d-----w- c:\users\vickie\AppData\Local\temp
2014-09-22 03:46 . 2014-09-22 03:46 -------- d-----w- c:\users\copieradmin\AppData\Local\temp
2014-09-22 03:46 . 2014-09-22 03:46 -------- d-----w- c:\users\celia\AppData\Local\temp
2014-09-21 22:54 . 2014-09-21 22:55 -------- d-----w- c:\users\renee\AppData\Local\VirtualStore
2014-09-21 21:30 . 2014-09-21 21:31 -------- d-----w- c:\programdata\Sophos
2014-09-21 21:29 . 2014-09-21 21:29 73728 ----a-r- c:\users\sslovensky\AppData\Roaming\Microsoft\Installer\{B829E117-D072-41EA-9606-9826A38D34C1}\SVRTgui.exe1_810EDD9E2F0A4E2BACF86673C38D9F48.exe
2014-09-21 21:29 . 2014-09-21 21:29 73728 ----a-r- c:\users\sslovensky\AppData\Roaming\Microsoft\Installer\{B829E117-D072-41EA-9606-9826A38D34C1}\SVRTgui.exe_810EDD9E2F0A4E2BACF86673C38D9F48.exe
2014-09-21 21:29 . 2014-09-21 21:29 73728 ----a-r- c:\users\sslovensky\AppData\Roaming\Microsoft\Installer\{B829E117-D072-41EA-9606-9826A38D34C1}\ARPPRODUCTICON.exe
2014-09-21 21:29 . 2014-09-21 21:29 -------- d-----w- c:\program files\Sophos
2014-09-21 21:28 . 2014-09-21 22:48 -------- d-----w- C:\092114
2014-09-19 02:07 . 2014-09-19 02:09 -------- d-----w- C:\NBRT
2014-09-19 00:26 . 2014-09-22 02:45 -------- d-----w- C:\FRST
2014-09-19 00:13 . 2010-08-30 12:34 536576 ----a-w- c:\windows\system32\sqlite3.dll
2014-09-19 00:12 . 2014-09-19 00:22 -------- d-----w- C:\AdwCleaner
2014-09-17 22:33 . 2012-07-26 05:32 26840 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2014-09-17 22:33 . 2012-07-26 05:32 106928 ----a-w- c:\windows\system32\GEARAspi.dll
2014-09-17 22:33 . 2014-09-17 22:33 -------- d-----w- c:\windows\system32\drivers\NBRTWizard
2014-09-17 22:33 . 2014-09-17 22:33 -------- d-----w- c:\program files\Norton Bootable Recovery Tool Wizard
2014-09-17 21:34 . 2014-09-17 21:41 -------- d-----w- C:\NPE
2014-09-17 21:32 . 2014-09-17 21:32 -------- d-----w- c:\program files\Microsoft Mouse and Keyboard Center
2014-09-17 21:30 . 2014-09-17 22:19 -------- d-----w- c:\users\sslovensky\AppData\Local\NPE
2014-09-04 01:04 . 2014-09-04 01:04 -------- d-----w- c:\program files\Malwarebytes Anti-Malware
2014-09-04 01:04 . 2014-05-12 11:26 51928 ----a-w- c:\windows\system32\drivers\mwac.sys
2014-09-04 01:04 . 2014-05-12 11:25 74456 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2014-09-04 01:04 . 2014-09-19 00:40 110296 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-09-22 02:43 . 2011-08-01 03:15 0 ----a-w- c:\users\renee\AppData\Local\WavXMapDrive.bat
2014-09-22 02:42 . 2011-02-13 14:43 0 ----a-w- c:\users\sslovensky\AppData\Local\WavXMapDrive.bat
2014-09-04 00:22 . 2010-06-24 17:33 23256 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2014-08-11 15:43 . 2014-08-11 15:43 0 ----a-w- c:\users\renee\AppData\Roaming\mqeowjg.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\EnabledUnlockedFDEIconOverlay]
@="{30D3C2AF-9709-4D05-9CF4-13335F3C1E4A}"
[HKEY_CLASSES_ROOT\CLSID\{30D3C2AF-9709-4D05-9CF4-13335F3C1E4A}]
2010-03-29 18:45 62832 ----a-w- c:\program files\Wave Systems Corp\Trusted Drive Manager\TdmIconOverlay.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UninitializedFdeIconOverlay]
@="{CF08DA3E-C97D-4891-A66B-E39B28DD270F}"
[HKEY_CLASSES_ROOT\CLSID\{CF08DA3E-C97D-4891-A66B-E39B28DD270F}]
2010-03-29 18:45 62832 ----a-w- c:\program files\Wave Systems Corp\Trusted Drive Manager\TdmIconOverlay.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IBWin Background process"="c:\ibackup for windows\IBackground_955.exe" [2011-01-12 38376]
"IBWin Monitor"="c:\ibackup for windows\IBMonitor.exe" [2011-01-12 1861096]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2009-06-22 1314816]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-07-28 136216]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-07-28 171032]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-07-28 170520]
"IAStorIcon"="c:\program files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe" [2010-03-04 284696]
"WavXMgr"="c:\program files\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe" [2010-07-21 147840]
"USCService"="c:\program files\Dell\Dell ControlPoint\Security Manager\BcmDeviceAndTaskStatusService.exe" [2010-06-22 34232]
"RemoteControl9"="c:\program files\CyberLink\PowerDVD9\PDVD9Serv.exe" [2009-07-06 87336]
"PDVD9LanguageShortcut"="c:\program files\CyberLink\PowerDVD9\Language\Language.exe" [2010-04-29 50472]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatchTray12OEM.exe" [2010-09-04 240112]
"Desktop Disc Tool"="c:\program files\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe" [2010-09-03 518640]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-26 30040]
"IBWin Background process"="c:\ibackup for windows\IBackground_955.exe" [2011-01-12 38376]
"IBWin Monitor"="c:\ibackup for windows\IBMonitor.exe" [2011-01-12 1861096]
"BrStsWnd"="c:\program files\Brownie\BrstsWnd.exe" [2009-08-19 3618104]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2014-08-21 959176]
"Intuit SyncManager"="c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe" [2014-02-27 3775800]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
FTP Utility.lnk - c:\program files\KONICA MINOLTA\FTP Utility\KMFtp.exe [2004-10-27 102400]
Intuit Data Protect.lnk - c:\program files\Common Files\Intuit\DataProtect\IntuitDataProtect.exe /Startup [2014-6-5 6306104]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2014-6-5 1129288]
QuickBooks_Standard_21.lnk - c:\program files\Intuit\QuickBooks 2014\QBW32.EXE -silent [2014-6-5 1215816]
TdmNotify.lnk - c:\program files\Wave Systems Corp\Trusted Drive Manager\TdmNotify.exe [2010-3-29 132456]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 wvauth
.
R2 RoxWatch12;Roxio Hard Drive Watcher 12;c:\program files\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatch12OEM.exe [2010-09-04 219632]
R3 dc3d;MS Hardware Device Detection Driver (USB);c:\windows\system32\DRIVERS\dc3d.sys [2014-03-19 65232]
R3 HTCAND32;HTC Device Driver;c:\windows\system32\Drivers\ANDROIDUSB.sys [2009-10-26 25088]
R3 RoxMediaDB12OEM;RoxMediaDB12OEM;c:\program files\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxMediaDB12OEM.exe [2010-09-04 1116656]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2011-02-13 1343400]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-22 51040]
S0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NAV\1505000.013\SYMDS.SYS [2013-10-30 367704]
S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NAV\1505000.013\SYMEFA.SYS [2014-03-04 936152]
S1 BHDrvx86;BHDrvx86;c:\program files\Norton AntiVirus\NortonData\21.2.0.38\Definitions\BASHDefs\20140912.003\BHDrvx86.sys [2014-09-12 1137368]
S1 ccSet_NAV;NAV Settings Manager;c:\windows\system32\drivers\NAV\1505000.013\ccSetx86.sys [2014-02-25 127064]
S1 IDSVix86;IDSVix86;c:\program files\Norton AntiVirus\NortonData\21.2.0.38\Definitions\IPSDefs\20140919.001\IDSvix86.sys [2014-08-29 476888]
S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NAV\1505000.013\Ironx86.SYS [2013-10-30 206936]
S1 SymNetS;Symantec Network Security WFP Driver;c:\windows\System32\Drivers\NAV\1505000.013\SYMNETS.SYS [2014-02-18 447704]
S2 IAStorDataMgrSvc;Intel(R) Rapid Storage Technology;c:\program files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe [2010-03-04 13336]
S2 IBAdminProcess;IBAdminProcess;c:\ibackup for windows\IBAdminProcess.exe [2011-01-12 124392]
S2 NAV;Norton AntiVirus;c:\program files\Norton AntiVirus\Engine\21.5.0.19\NAV.exe [2014-07-31 262968]
S2 QBVSS;QBIDPService;c:\program files\Common Files\Intuit\DataProtect\QBIDPService.exe [2013-12-02 1248256]
S3 e1kexpress;Intel(R) PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\DRIVERS\e1k6232.sys [2010-04-06 224424]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2014-09-09 111408]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2014-09-11 05:46 1096520 ----a-w- c:\program files\Google\Chrome\Application\37.0.2062.120\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2014-09-22 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-06-24 18:49]
.
2014-09-22 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-01-27 13:24]
.
2014-09-22 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-01-27 13:24]
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.1
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\NAV]
"ImagePath"="\"c:\program files\Norton AntiVirus\Engine\21.5.0.19\NAV.exe\" /s \"NAV\" /m \"c:\program files\Norton AntiVirus\Engine\21.5.0.19\diMaster.dll\" /prefetch:1"
"ImagePath"="\SystemRoot\System32\Drivers\NAV\1505000.013\SYMNETS.SYS"
"TrustedImagePaths"="c:\program files\Norton AntiVirus\Engine\21.5.0.19"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1218796917-176530085-1381546619-1139_Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32\*]
@Allowed: (B 1 4 5 6) (S-1-5-5-0-144420)
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'lsass.exe'(552)
c:\windows\system32\wvauth.DLL
.
Completion time: 2014-09-21 23:50:25
ComboFix-quarantined-files.txt 2014-09-22 03:50
.
Pre-Run: 242,117,423,104 bytes free
Post-Run: 242,974,023,680 bytes free
.
- - End Of File - - F568425CB0283FCF77BF5D66EE4B28C9
CDB4DE4BBD714F152979DA2DCBEF57EB


Hi Adam. The ComboFix log is in the last reply.

 

The TDSSKiller.log is attached. When I tried to post after pasting it said that it was too long.

 

I did step 1 and 2 with the computer disconnected.

 

After reboot, connected and still have the same 100% CPU usage and all the other COMs....

 

Thanks again for your help.

 

-Kyle

TDSSKiller.3.0.0.40_21.09.2014_23.55.02_log.txt


Hi Kyle, 
 

After reboot, connected and still have the same 100% CPU usage and all the other COMs....

Thank you for letting me know. 
This is because ComboFix failed to detect the main infection present on your machine (Poweliks). 

Please work your way through the following.
 
STEP 1
Farbar Recovery Scan Tool (FRST) Script

  • (!) Move FRST.exe to your Desktop.
  • Press the Windows Key + r on your keyboard at the same time. Type Notepad and click OK.
  • Copy the entire contents of the codebox below and paste into the Notepad document.

    start
    HKU\S-1-5-21-1218796917-176530085-1381546619-1139\...A8F59079A8D5}\localserver32: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 239 more characters). <==== Poweliks!
    CustomCLSID: HKU\S-1-5-21-1218796917-176530085-1381546619-1139_Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32 -> rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 247 more characters). <==== Poweliks?
    Task: {13E8620E-2576-4E96-B741-DA1C7C1AD2A1} - System32\Tasks\kymgkzv => C:\Users\renee\AppData\Local\Temp\qecwo.exe <==== ATTENTION
    C:\Users\renee\AppData\Local\Temp\qecwo.exe
    c:\users\renee\AppData\Roaming\mqeowjg.dll
    EmptyTemp:
    end

  • Click File > Save As and type fixlist.txt as the File Name
  • Important: The file must be saved in the same location as FRST.exe. 

NOTICE: This script is intended for use on this particular machine. Do not use this script on any other machine; doing so may cause damage to your Operating System.

  • Right-Click FRST.exe and select Run as administrator to run the programme.
  • Click Fix.
  • A log (Fixlog.txt) will open on your desktop. Copy the contents of the log and paste in your next reply.

STEP 2
ComboFix Script

  • Note: Please read through these instructions before running ComboFix.
  • Close any open programmes and windows.
  • Temporarily disable your anti-virus software. For instructions, please refer to the following link.
  • Press the Windows Key + r on your keyboard at the same time. Type Notepad and click OK.
  • Copy the entire contents of the codebox below and paste into the Notepad document.

    RegNull::
    [HKEY_USERS\S-1-5-21-1218796917-176530085-1381546619-1139_Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32\*]

  • Click File > Save As and type CFScript.txt as the File Name.
  • Important: The file must be saved to your Desktop.

NOTICE: This script is intended for use on this particular machine. Do not use this script on any other machine; doing so may cause damage to your Operating System.

  • Referring to the animation below, drag CFScript.txt into ComboFix.exe
  • Allow ComboFix to complete its removal routine (please refer to Important Notes:)
  • Once finished, a log (ComboFix.txt) will be created in the root directory (C:\). Copy the contents of the log and paste in your next reply.
  • Re-enable your anti-virus software.

Important Notes:

  • Do NOT mouse click ComboFix's window whilst it is running. This may cause the programme to stall.
  • Do NOT use your computer whilst ComboFix is running. 
  • Your Desktop/taskbar may disappear whilst ComboFix is running; this is normal
     
  • If you get the message Illegal operation attempted on registry key that has been marked for deletion please reboot your computer.
  • ComboFix will disconnect your machine from the Internet as soon as it starts.
  • Please do not attempt to re-connect your machine back to the Internet until ComboFix has completely finished.
  • If you are unable to access the Internet after running ComboFix, please reboot your computer.
     

STEP 3
Farbar Recovery Scan Tool (FRST) Scan

  • Right-Click FRST.exe and select Run as administrator to run the programme.
  • Click Yes to the disclaimer.
  • Ensure the Addition.txt box is checked.
  • Click the Scan button and let the programme run.
  • Upon completion, click OK, then OK on the Addition.txt pop up screen.
  • Two logs (FRST.txt & Addition.txt) will now be open on your Desktop. Copy the contents of both logs and paste in your next reply. 

======================================================
 
STEP 4
Logs
In your next reply please include the following logs. Please be sure to copy and paste the requested logs, as well as provide information on any questions I may have asked.

  • Fixlog.txt
  • ComboFix.txt
  • FRST.txt
  • Addition.txt
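A small triage script for the FRST lines quoted in the post above, added here as an example (it is not FRST's, ComboFix's or the forum's own code): it flags the Poweliks CLSID entry and the Temp-folder scheduled task, and decodes the character-shifted text inside eval() so an analyst can read what the registry-resident script starts with. The sample lines are constructed from the entries quoted above; the Google task line and its all-zero GUID are placeholders for a benign entry.

```python
"""Triage of FRST log lines for the Poweliks indicators seen in this thread.

Added example, not part of FRST, ComboFix or the forum's own tooling.
"""
import re

# Constructed sample modelled on the FRST output quoted in this thread.
SAMPLE_FRST_LINES = [
    # Poweliks: a COM class whose localserver32 value is a rundll32 javascript:
    # URL, so the script lives only in the registry, not in a file on disk.
    r'CustomCLSID: HKU\S-1-5-21-1218796917-176530085-1381546619-1139_Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32 -> rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 247 more characters). <==== Poweliks?',
    # Benign orphan: a stale QuickBooks registration that must not be flagged.
    r'CustomCLSID: HKU\S-1-5-21-1218796917-176530085-1381546619-1139_Classes\CLSID\{1704815D-0A03-44ff-8646-1AE1FE84E313}\localserver32 -> C:\Program Files\Intuit\QuickBooks 2008\qbw32.exe No File',
    # Dropper persistence: random-named task running an exe from a user's Temp.
    r'Task: {13E8620E-2576-4E96-B741-DA1C7C1AD2A1} - System32\Tasks\kymgkzv => C:\Users\renee\AppData\Local\Temp\qecwo.exe <==== ATTENTION',
    # Benign task with a placeholder GUID; must not be flagged.
    r'Task: {00000000-0000-0000-0000-000000000000} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files\Google\Update\GoogleUpdate.exe',
]

CLSID_RE = re.compile(
    r'^CustomCLSID: (?P<key>HKU\\\S+\\(?:localserver32|InprocServer32)) -> (?P<target>.*)$',
    re.IGNORECASE)
TASK_RE = re.compile(
    r'^Task: \{[^}]+\} - (?P<task>System32\\Tasks\\\S+) => (?P<target>.*)$',
    re.IGNORECASE)
# A COM server that is rundll32 running a javascript: URL is never legitimate.
RUNDLL_JS_RE = re.compile(r'^rundll32(?:\.exe)?\s+javascript:', re.IGNORECASE)
USER_TEMP_EXE_RE = re.compile(r'\\AppData\\Local\\Temp\\[^\\\s]+\.exe\b', re.IGNORECASE)
EVAL_RE = re.compile(r'eval\("(?P<blob>[^"]*)')


def strip_frst_markers(target):
    """Drop FRST's own annotations ('<==== Poweliks?') and its truncation note."""
    target = re.sub(r'\s*<====.*$', '', target)
    return re.sub(r'\s*\(the data entry has \d+ more characters\)\.?$', '', target)


def decode_shift_one(blob):
    """Undo the +1 character shift inside the eval() argument.

    In the quoted sample every character is stored as chr(c + 1), so
    'epdvnfou/xsjuf' reads back as 'document.write'. FRST only shows the
    first characters of the value, so the decoded text is a prefix.
    """
    return ''.join(chr(ord(c) - 1) for c in blob)


def triage(lines):
    """Return a list of findings (dicts) for the Poweliks indicators in FRST lines."""
    findings = []
    for line in lines:
        m = CLSID_RE.match(line.strip())
        if m:
            target = strip_frst_markers(m.group('target'))
            if RUNDLL_JS_RE.match(target):
                finding = {'type': 'clsid_rundll32_javascript',
                           'key': m.group('key'), 'target': target}
                e = EVAL_RE.search(target)
                if e:
                    finding['decoded'] = decode_shift_one(e.group('blob'))
                findings.append(finding)
            continue
        m = TASK_RE.match(line.strip())
        if m and USER_TEMP_EXE_RE.search(m.group('target')):
            findings.append({'type': 'task_from_user_temp',
                             'task': m.group('task'),
                             'target': strip_frst_markers(m.group('target'))})
    return findings


if __name__ == '__main__':
    for finding in triage(SAMPLE_FRST_LINES):
        print(finding)
```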

Hi Kyle, 

 

Good job. Those logs are looking much better. 

Please provide an update on your computer after carrying out the steps below. Are there any outstanding issues?

 

Confirm the following folders are related to Sophos:

  • C:\092114
  • C:\Users\renee\Desktop\092114

 

STEP 1
Farbar Recovery Scan Tool (FRST) Script

  • Press the Windows Key + r on your keyboard at the same time. Type Notepad and click OK.
  • Copy the entire contents of the codebox below and paste into the Notepad document.

    start
    HKU\S-1-5-21-1218796917-176530085-1381546619-1139\...\MountPoints2: {2d0bfc02-2a70-11e2-b816-f04da22bcc6a} - I:\TL-Bootstrap.exe
    HKU\S-1-5-21-1218796917-176530085-1381546619-1139\...\MountPoints2: {49c6e9ea-0410-11e3-998c-f04da22bcc6a} - I:\TL-BootStrap.exe
    HKU\S-1-5-21-1218796917-176530085-1381546619-1139\...\MountPoints2: {8ca5c454-cd8d-11e3-b69a-f04da22bcc6a} - I:\TL-Bootstrap.exe
    HKU\S-1-5-21-1218796917-176530085-1381546619-1139\...\MountPoints2: {b1d6b8a7-4476-11e2-9f1c-f04da22bcc6a} - I:\TL-Bootstrap.exe
    SearchScopes: HKCU - DefaultScope {2E8CA3E2-AF61-4117-A040-0D7DD9DE1B09} URL = 
    SearchScopes: HKCU - {2E8CA3E2-AF61-4117-A040-0D7DD9DE1B09} URL = 
    Toolbar: HKCU - No Name - {A13C2648-91D4-4BF3-BC6D-0079707C4389} -  No File
    HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\29618320.sys => ""="Driver"
    HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\29618320.sys => ""="Driver"
    CustomCLSID: HKU\S-1-5-21-1218796917-176530085-1381546619-1110_Classes\CLSID\{1704815D-0A03-44ff-8646-1AE1FE84E313}\localserver32 -> C:\Program Files\Intuit\QuickBooks 2008\qbw32.exe No File
    CustomCLSID: HKU\S-1-5-21-1218796917-176530085-1381546619-1110_Classes\CLSID\{1B3210AF-E236-46D4-83EF-6421F2FF543C}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBDTVIEW.OCx No File
    CustomCLSID: HKU\S-1-5-21-1218796917-176530085-1381546619-1110_Classes\CLSID\{1E78DD72-771E-42BF-8B4B-363CEB18E07B}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBDTVIEW.OCx No File
    CustomCLSID: HKU\S-1-5-21-1218796917-176530085-1381546619-1110_Classes\CLSID\{22664BE2-0806-4BA4-8643-DE40C9149176}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\BbfDepCalc.ocx No File
    CustomCLSID: HKU\S-1-5-21-1218796917-176530085-1381546619-1110_Classes\CLSID\{2A9EBDB5-0600-4E8C-B910-4001BEB2DD8C}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\BbfDepCalc.ocx No File
    CustomCLSID: HKU\S-1-5-21-1218796917-176530085-1381546619-1110_Classes\CLSID\{349D777D-F7A2-4AAE-967F-A54F05A7FF3B}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBFinder.dll No File
    CustomCLSID: HKU\S-1-5-21-1218796917-176530085-1381546619-1110_Classes\CLSID\{38F58721-5F93-11D5-9F94-0008C7AA5BD9}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\COMObjectFactory.dll No File
    CustomCLSID: HKU\S-1-5-21-1218796917-176530085-1381546619-1110_Classes\CLSID\{38F58742-5F93-11D5-9F94-0008C7AA5BD9}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\ViewSrcColumns.dll No File
    CustomCLSID: HKU\S-1-5-21-1218796917-176530085-1381546619-1110_Classes\CLSID\{38F58743-5F93-11D5-9F94-0008C7AA5BD9}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\ViewSrcColumns.dll No File
    CustomCLSID: HKU\S-1-5-21-1218796917-176530085-1381546619-1110_Classes\CLSID\{38F58744-5F93-11D5-9F94-0008C7AA5BD9}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\ViewSrcColumns.dll No File
    CustomCLSID: HKU\S-1-5-21-1218796917-176530085-1381546619-1110_Classes\CLSID\{5249684A-D7A2-4DBE-94F4-B90923A7BC64}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\BbfDepCalc.ocx No File
    CustomCLSID: HKU\S-1-5-21-1218796917-176530085-1381546619-1110_Classes\CLSID\{3E1A2BBD-5707-4646-B268-518B997DC94D}\localserver32 -> C:\Program Files\Intuit\QuickBooks 2008\QBW32.EXE No File
    CustomCLSID: HKU\S-1-5-21-1218796917-176530085-1381546619-1110_Classes\CLSID\{70478C56-E77F-4134-B3E3-3B18EE036D71}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBDTRatios.dll No File
    CustomCLSID: HKU\S-1-5-21-1218796917-176530085-1381546619-1110_Classes\CLSID\{A58C4EAB-2DB8-445E-9CAE-2AE197A5C708}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\BbfDepCalc.ocx No File
    CustomCLSID: HKU\S-1-5-21-1218796917-176530085-1381546619-1110_Classes\CLSID\{BCD594EA-15C3-4FD8-B92B-114BB9694537}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBCtrIPMDS2.dll No File
    CustomCLSID: HKU\S-1-5-21-1218796917-176530085-1381546619-1110_Classes\CLSID\{CE18240D-F3F8-43AE-9EA0-A0DC85A95375}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBDTRatios.dll No File
    CustomCLSID: HKU\S-1-5-21-1218796917-176530085-1381546619-1110_Classes\CLSID\{D9BC6FC1-A54B-11D4-A516-0050DA68678D}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\ViewSrcColumns.dll No File
    CustomCLSID: HKU\S-1-5-21-1218796917-176530085-1381546619-1110_Classes\CLSID\{E6E4DF8B-17CE-43ED-B2C7-2CE10457552D}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\BbfDepCalc.ocx No File
    CustomCLSID: HKU\S-1-5-21-1218796917-176530085-1381546619-1110_Classes\CLSID\{E7D2D0F6-B754-438D-B5C9-BF848D311A0F}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBDTRatios.dll No File
    CustomCLSID: HKU\S-1-5-21-1218796917-176530085-1381546619-1110_Classes\CLSID\{F9EF917A-E55E-4242-B205-E778395AC313}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\BbfDepCalc.ocx No File
    CustomCLSID: HKU\S-1-5-21-1218796917-176530085-1381546619-1139_Classes\CLSID\{0B4AA204-AB61-47E3-B5B4-27DCF375EBAC}\localserver32 -> "CDStart.exe" No File
    CustomCLSID: HKU\S-1-5-21-1218796917-176530085-1381546619-1139_Classes\CLSID\{1704815D-0A03-44ff-8646-1AE1FE84E313}\localserver32 -> C:\Program Files\Intuit\QuickBooks 2008\qbw32.exe No File
    CustomCLSID: HKU\S-1-5-21-1218796917-176530085-1381546619-1139_Classes\CLSID\{1B3210AF-E236-46D4-83EF-6421F2FF543C}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBDTVIEW.OCx No File
    CustomCLSID: HKU\S-1-5-21-1218796917-176530085-1381546619-1139_Classes\CLSID\{1E78DD72-771E-42BF-8B4B-363CEB18E07B}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBDTVIEW.OCx No File
    CustomCLSID: HKU\S-1-5-21-1218796917-176530085-1381546619-1139_Classes\CLSID\{22664BE2-0806-4BA4-8643-DE40C9149176}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\BbfDepCalc.ocx No File
    CustomCLSID: HKU\S-1-5-21-1218796917-176530085-1381546619-1139_Classes\CLSID\{2A9EBDB5-0600-4E8C-B910-4001BEB2DD8C}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\BbfDepCalc.ocx No File
    CustomCLSID: HKU\S-1-5-21-1218796917-176530085-1381546619-1139_Classes\CLSID\{349D777D-F7A2-4AAE-967F-A54F05A7FF3B}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBFinder.dll No File
    CustomCLSID: HKU\S-1-5-21-1218796917-176530085-1381546619-1139_Classes\CLSID\{38F58721-5F93-11D5-9F94-0008C7AA5BD9}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\COMObjectFactory.dll No File
    CustomCLSID: HKU\S-1-5-21-1218796917-176530085-1381546619-1139_Classes\CLSID\{38F58742-5F93-11D5-9F94-0008C7AA5BD9}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\ViewSrcColumns.dll No File
    CustomCLSID: HKU\S-1-5-21-1218796917-176530085-1381546619-1139_Classes\CLSID\{38F58743-5F93-11D5-9F94-0008C7AA5BD9}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\ViewSrcColumns.dll No File
    CustomCLSID: HKU\S-1-5-21-1218796917-176530085-1381546619-1139_Classes\CLSID\{38F58744-5F93-11D5-9F94-0008C7AA5BD9}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\ViewSrcColumns.dll No File
    CustomCLSID: HKU\S-1-5-21-1218796917-176530085-1381546619-1139_Classes\CLSID\{3E1A2BBD-5707-4646-B268-518B997DC94D}\localserver32 -> C:\Program Files\Intuit\QuickBooks 2008\qbw32.exe No File
    CustomCLSID: HKU\S-1-5-21-1218796917-176530085-1381546619-1139_Classes\CLSID\{5249684A-D7A2-4DBE-94F4-B90923A7BC64}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\BbfDepCalc.ocx No File
    CustomCLSID: HKU\S-1-5-21-1218796917-176530085-1381546619-1139_Classes\CLSID\{70478C56-E77F-4134-B3E3-3B18EE036D71}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBDTRatios.dll No File
    CustomCLSID: HKU\S-1-5-21-1218796917-176530085-1381546619-1139_Classes\CLSID\{A58C4EAB-2DB8-445E-9CAE-2AE197A5C708}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\BbfDepCalc.ocx No File
    CustomCLSID: HKU\S-1-5-21-1218796917-176530085-1381546619-1139_Classes\CLSID\{BCD594EA-15C3-4FD8-B92B-114BB9694537}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBCtrIPMDS2.dll No File
    CustomCLSID: HKU\S-1-5-21-1218796917-176530085-1381546619-1139_Classes\CLSID\{CE18240D-F3F8-43AE-9EA0-A0DC85A95375}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBDTRatios.dll No File
    CustomCLSID: HKU\S-1-5-21-1218796917-176530085-1381546619-1139_Classes\CLSID\{D9BC6FC1-A54B-11D4-A516-0050DA68678D}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\ViewSrcColumns.dll No File
    CustomCLSID: HKU\S-1-5-21-1218796917-176530085-1381546619-1139_Classes\CLSID\{E6E4DF8B-17CE-43ED-B2C7-2CE10457552D}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\BbfDepCalc.ocx No File
    CustomCLSID: HKU\S-1-5-21-1218796917-176530085-1381546619-1139_Classes\CLSID\{E7D2D0F6-B754-438D-B5C9-BF848D311A0F}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBDTRatios.dll No File
    CustomCLSID: HKU\S-1-5-21-1218796917-176530085-1381546619-1139_Classes\CLSID\{F9EF917A-E55E-4242-B205-E778395AC313}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\BbfDepCalc.ocx No File
    Folder: C:\Users\renee\AppData\Local\{699CA8F4-0516-4C80-BB0C-A77D2DF78ABA}
    Folder: C:\Users\renee\AppData\Local\{2DE92E2D-9119-484F-8BC0-705C2DA0739A}
    Folder: C:\Users\renee\AppData\Local\{3334B4BB-F47D-474E-A3BA-A5DC3A4427CC}
    Folder: C:\Users\renee\AppData\Local\{5DD74C0F-4888-4B66-8571-43BE85797531}
    CMD: ipconfig /flushdns
    CMD: netsh winsock reset all
    CMD: netsh int ipv4 reset
    CMD: netsh int ipv6 reset
    CMD: bitsadmin /reset /allusers
    EmptyTemp:
    end
  • Click File, Save As and type fixlist.txt as the File Name.
  • Important: The file must be saved in the same location as FRST.exe.

NOTICE: This script is intended for use on this particular machine. Do not use this script on any other machine; doing so may cause damage to your Operating System.

  • Right-Click FRST.exe and select Run as administrator to run the programme.
  • Click Fix.
  • A log (Fixlog.txt) will open on your desktop. Copy the contents of the log and paste in your next reply.
     

STEP 2
AdwCleaner

  • Please download AdwCleaner and save the file to your Desktop.
  • Right-Click AdwCleaner.exe and select Run as administrator to run the programme.
  • Follow the prompts.
  • Click Scan.
  • Upon completion, click Report. A log (AdwCleaner[R0].txt) will open. Briefly check the log for anything you know to be legitimate.
  • Ensure anything you know to be legitimate does not have a checkmark, and click Clean.
  • Follow the prompts and allow your computer to reboot.
  • After rebooting, a log (AdwCleaner[s0].txt) will open. Copy the contents of the log and paste in your next reply.

-- File and registry key backups are made for anything removed using this tool. Should a legitimate entry be removed (otherwise known as a 'false-positive'), simple steps can be taken to restore the entry. Please do not overly concern yourself with the contents of AdwCleaner[R0].txt.
 
 
STEP 3
Junkware Removal Tool (JRT)

  • Please download Junkware Removal Tool and save the file to your Desktop.
  • Note: If you unchecked any items in AdwCleaner, please backup the associated folders/files before running JRT.
  • Temporarily disable your anti-virus software. For instructions, please refer to the following link.
  • Right-Click JRT.exe and select Run as administrator to run the programme.
  • Follow the prompts and allow the scan to run uninterrupted.
  • Upon completion, a log (JRT.txt) will open on your desktop.
  • Re-enable your anti-virus software.
  • Copy the contents of JRT.txt and paste in your next reply.
     

======================================================
 
STEP 4
Logs
In your next reply please include the following logs. Please be sure to copy and paste the requested logs, as well as provide information on any questions I may have asked.

  • Are the folders related to Sophos?
  • Fixlog.txt
  • AdwCleaner[s0].txt
  • JRT.txt
  • Update on computer
     
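The CustomCLSID lines in the STEP 1 fixlist are per-user COM registrations whose server binary FRST could not find ("No File"). As an added example that is not part of the thread or of FRST, the read-only PowerShell audit below reproduces that check: it walks each HKU\<SID>_Classes\CLSID hive, reads the InprocServer32 and LocalServer32 targets and flags the ones whose file is missing. Function names are my own; it assumes an elevated prompt and changes nothing.

```powershell
# Added example, not code from the thread or from FRST: a read-only audit that
# reproduces the "CustomCLSID ... No File" check behind the fixlist above.
# Per-user COM registrations (HKU\<SID>_Classes\CLSID) are consulted before the
# machine-wide ones in HKLM, so an entry whose server binary is missing (or was
# never installed) deserves a look before any Fix is run. Nothing is modified.
# Function names are my own. Run from an elevated PowerShell prompt.

function Resolve-ServerPath {
    # Turn the raw (default) value of InprocServer32/LocalServer32 into a file path:
    # expand %VARS%, drop surrounding quotes and any trailing command-line arguments.
    param([string]$Value)
    $v = [Environment]::ExpandEnvironmentVariables($Value.Trim())
    if ($v.StartsWith('"')) {
        $end = $v.IndexOf('"', 1)
        if ($end -gt 0) { return $v.Substring(1, $end - 1) }
        return $v.Trim('"')
    }
    $m = [regex]::Match($v, '^(.*?\.(exe|dll|ocx))(\s|$)', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return $v
}

function Get-UserClsidServer {
    # Emit one record per per-user CLSID server registration, with an Exists flag.
    [CmdletBinding()]
    param(
        # RID filter, e.g. '1110' or '1139' as in the thread; default covers every user hive
        [string]$RidFilter = '*'
    )
    $hives = Get-ChildItem 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -like "S-1-5-21-*-${RidFilter}_Classes" }

    foreach ($hive in $hives) {
        $clsidRoot = "$($hive.PSPath)\CLSID"
        if (-not (Test-Path $clsidRoot)) { continue }

        foreach ($clsid in Get-ChildItem $clsidRoot -ErrorAction SilentlyContinue) {
            foreach ($serverKey in 'InprocServer32', 'LocalServer32') {
                $keyPath = "$($clsid.PSPath)\$serverKey"
                if (-not (Test-Path $keyPath)) { continue }

                $raw = (Get-ItemProperty -Path $keyPath -ErrorAction SilentlyContinue).'(default)'
                if ([string]::IsNullOrWhiteSpace($raw)) { continue }

                $file = Resolve-ServerPath $raw
                # A bare name such as "CDStart.exe" only resolves if it is on PATH;
                # the fixlist above lists that entry as No File for the same reason.
                $exists = [bool](Test-Path -LiteralPath $file -ErrorAction SilentlyContinue) -or
                          [bool](Get-Command $file -ErrorAction SilentlyContinue)

                [pscustomobject]@{
                    Hive   = $hive.PSChildName
                    CLSID  = $clsid.PSChildName
                    Server = $serverKey
                    Path   = $raw
                    Exists = $exists
                }
            }
        }
    }
}

# Usage: show only the orphaned entries, the ones a fixlist would target.
Get-UserClsidServer | Where-Object { -not $_.Exists } | Format-Table -AutoSize
```

Entries that do exist but point somewhere unexpected (a user-writable folder, for instance) are worth reviewing too; pipe the full output to Export-Csv to keep a record before any cleanup.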

Hi Adam;

 

Steps 1 - 3 done.

 

Yes, the two folders were created by me for Sophos and some other tools that I tried.   I deleted both.

 

AdwCleaner didn't open a log after reboot.   I ran the scan again, then clicked Report and saved that as the log.

 

All three logs are attached.

 

The computer is running well.  I left it connected all day today and there were no CPU spikes or problems.  Also seems much faster.

 

 

Thanks!

 

-Kyle

adwlog.txt

Fixlog.txt

JRT.txt


Very good. 

 

Please provide an update on your computer after completing the following steps. Are there any outstanding issues?

 

STEP 1
Update/Remove Java

  • Download the latest version of Java from here.
  • Press the Windows Key + r on your keyboard at the same time. Type appwiz.cpl and click OK.
  • Search for and uninstall the following programmes (if present):
    • Java 6 Update 32 
       

STEP 2
Malwarebytes Anti-Malware (MBAM)

  • Open Malwarebytes Anti-Malware and click Update Now.
  • Once updated, click the Settings tab, followed by Detection and Protection and tick Scan for rootkits.
  • Click the Scan tab, ensure Threat Scan is checked and click Scan Now.
  • Note: You may see the following message, "Could not load DDA driver". Click Yes, allow your PC to reboot and continue afterwards.
  • If threats are detected, click the Apply Actions button. You will now be prompted to reboot. Click Yes.
  • Upon completion of the scan (or after the reboot), click the History tab.
  • Click Application Logs and double-click the Scan Log.
  • Click Copy to Clipboard and paste the log in your next reply. 
     

STEP 3
ESET Online Scan
Note: This scan may take a long time to complete. Please do not browse the Internet whilst your Anti-Virus is disabled.

  • Please download ESET Online Scan and save the file to your Desktop.
  • Temporarily disable your anti-virus software. For instructions, please refer to the following link.
  • Double-click esetsmartinstaller_enu.exe to run the programme.
  • Agree to the EULA by placing a checkmark next to Yes, I accept the Terms of Use. Then click Start.
  • Agree to the Terms of Use once more and click Start. Allow components to download.
  • Place a checkmark next to Enable detection of potentially unwanted applications.
  • Click Hide advanced settings. Place a checkmark next to:
    • Scan archives
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • Ensure Remove found threats is unchecked.
  • Click Start.
  • Wait for the scan to finish. Please be patient as this can take some time.
  • Upon completion, click List of found threats. If no threats were found, skip the next two bullet points.
  • Click Export to text file and save the file to your Desktop, naming it something unique such as MyEsetScan.
  • Push the Back button.
  • Place a checkmark next to Uninstall application on close and click Finish.
  • Re-enable your anti-virus software.
  • Copy the contents of the log and paste in your next reply.
     

======================================================
 
STEP 4
Logs
In your next reply please include the following logs. Please be sure to copy and paste the requested logs, as well as provide information on any questions I may have asked.

  • Did Java update/remove successfully?
  • MBAM Scan log
  • ESET Online Scan log

Thought I was good until the end...  ESET found a few things.

 

System is running good...

 

I updated Java to 7.67.  Looked in Programs and there was no 6.32 to uninstall.    Java config/about shows version 7.67.

 

Mbam and ESET logs attached.    I'm concerned about the ESET items.

 

Thanks again for your help.

 

 

ESETlog.txt

mbam0922142026.txt


Hi Kyle, 
 
Tracur is a Trojan which is known to cause browser redirects. 
The "Sun\Java\Deployment\cache" threats are files in your Java cache. If you're concerned, perhaps you should consider uninstalling Java altogether. See below for information. 
 
Using Java is an unnecessary security risk; especially using older versions which have vulnerabilities that malicious sites can use to exploit and infect your system.

Java is one of those technologies that you find installed on the majority of computer systems despite the fact that average users do not come across many Java-powered websites or desktop applications [...] According to W3Techs, only four percent of websites use Java on the server side [...] it is used by 0.2 percent of all websites on the client side. And two tenths of a percent includes sites that do not use it for their core functionality [...] there are sites and applications that require Java, and if you use any of them, you obviously need Java. But that makes you a minority. The majority of Internet users do not need Java. They do not need the Java plugin, nor do they need the Java Runtime Environment installed on their operating system.

To uninstall Java completely, please run JavaRa as instructed below. 
 
JavaRa

  • Please download JavaRa and save the file to your Desktop.
  • Right-click the folder and click Extract All.
  • Close any open windows.
  • Right-Click JavaRa.exe and select Run as administrator to run the programme.
  • Select your language and click Select.
  • Once opened, click Remove Older Versions.
  • Click Yes when prompted. Upon completion, click OK.
  • Please reboot your computer.

 

---------------------------

 

If all is well, let's update your vulnerable software to minimize the risk of reinfection.
 
STEP 1
Disable Windows Gadgets
Microsoft Security Advisory 2719662 warns of vulnerabilities in Windows Sidebar Gadgets that could allow remote code execution. I recommend disabling Windows Sidebar by running the following Microsoft Fixit.
 

STEP 2
Update Outdated Software

Outdated software contains security risks that must be patched. Please download and install the latest version of the programmes below.

STEP 3
Remove Outdated Software

  • Press the Windows Key + r on your keyboard at the same time. Type appwiz.cpl and click OK.
  • Search for the following programmes, right-click and click Uninstall one at a time.
  • Note: The programmes below may not be present; if so, please skip to the next step.
    • Adobe Flash Player 11 ActiveX
    • Adobe Reader X (10.1.12) 
  • Follow the prompts and reboot if necessary.
     

STEP 4
Disable Java in Your Browser
Due to frequent exploits we recommend you disable Java in your browser.
For information on Java vulnerabilities, please read the following article (point #7).

  • Note: You need only do the following if Java is still installed.
  • Click the Windows Start Button and type Java Control Panel (or javacpl) in the search bar.
  • Click on the Java Control Panel. Once opened, click the Security tab.
  • Deselect the check box for Enable Java content in the browser. This will disable the Java plug-in in the browser.
  • Click Apply. When the Windows User Account Control (UAC) appears, allow permissions to make the changes.
  • Click OK in the Java Plug-in confirmation window.
  • Restart your browser(s) for changes to take effect.
  • More information can be found here and here.
     

STEP 5
Security Check

  • Please download SecurityCheck and save the file to your Desktop.
  • Double-click SecurityCheck.exe and follow the onscreen instructions inside the black box.
  • A log (checkup.txt) will automatically open on your Desktop.
  • Copy the contents of the log and paste in your next reply.
     

======================================================
 
STEP 6
Logs
In your next reply please include the following logs. Please be sure to copy and paste the requested logs, as well as provide information on any questions I may have asked.

  • checkup.txt
  • How is your computer performing? Are there any outstanding issues?

Hi Adam;

 

Sorry for the delay... I couldn't get on the forum last night (not a malware problem) and was busy most of today.

 

I followed steps 1 through 6.

 

Removed Java with removal tool.

Everything else went well.   Paste of checkup.txt in next reply.

 

Computer is running very well.   No issues and faster than before.

 

Thanks for your help.

 

-Kyle


Results of screen317's Security Check version 0.99.87
Windows 7 Service Pack 1 x86 (UAC is enabled)
Internet Explorer 11
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Enabled!
Norton AntiVirus
WMI entry may not exist for antivirus; attempting automatic update.
`````````Anti-malware/Other Utilities Check:`````````
Java 7 Update 67
Adobe Reader XI
Google Chrome 37.0.2062.103
Google Chrome 37.0.2062.120
````````Process Check: objlist.exe by Laurent````````
Norton AntiVirus Engine 21.6.0.32 NAV.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C: 4%
````````````````````End of Log``````````````````````


Very good. Glad to hear things are running OK, Kyle. 
Now for the good news. 
 
All Clean!
Congratulations, your computer appears clean!  :)
I see no signs of malware on your computer, and feel satisfied that our work here is done. The steps below will remove the tools we have used, and reset any settings changed. I have also provided a list of resources and tools that you may find useful.
 
My help will always be free. But if you are happy with the help provided, and would like to support my fight against malware and/or buy me a beer, please consider a donation.
 
 
STEP 1
DelFix

  • Please download DelFix and save the file to your Desktop.
  • Double-click DelFix.exe to run the programme.
  • Place a checkmark next to the following items:
    • Activate UAC
    • Remove disinfection tools
    • Create registry backup
    • Purge system restore
    • Reset system settings
  • Click the Run button.

-- This will remove the specialised tools we used to disinfect your system. Any leftover logs, files, folders or tools remaining on your Desktop which were not removed can be deleted manually (right-click the file + delete).
 
======================================================
 
Below I have compiled a list of resources you may find useful. The articles document information on computer security, common infection vectors and how you can stay safe on the Internet.

The following programmes come highly recommended in the security community.

  • AdBlock is a browser add-on that blocks annoying banners, pop-ups and video ads.
  • Emsisoft Antimalware (free) acts as an additional on-demand scanner, and can be used in conjunction with your Anti-Virus.
  • Malwarebytes Anti-Exploit (MBAE) is designed to prevent zero-day malware from exploiting vulnerable software.
  • Malwarebytes Anti-Malware Premium (MBAM) incorporates real-time protection and is designed to run alongside your Anti-Virus.
  • NoScript is a Firefox add-on that blocks the actions of malicious scripts by using whitelisting and other technology.
  • Sandboxie isolates programmes of your choice, preventing files from writing to your HDD unless you approve the file.
  • Secunia PSI will scan your computer for vulnerable software that is outdated and automatically find the latest update for you.
  • SpywareBlaster is a form of passive protection, designed to block the actions of malicious websites and tracking cookies.
  • Unchecky automatically removes checkmarks for additional software in programme installers, helping you avoid adware and PUPs.
  • Web of Trust (WOT) is a browser add-on designed to alert the user before interacting with a potentially malicious website.

-- Please feel free to ask if you have any questions or concerns on computer security or the programmes above.
 
======================================================
 
Please confirm you have no outstanding issues, and are happy with the state of your computer. Once I have confirmation things are in order, we can wrap things up and I will close this thread. 
 
Thank you for using Malwarebytes.
 
Safe Surfing.  :) 
Adam (LiquidTension).


Root Admin

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

This topic is now closed to further replies.