fff5ee.com ,honeymod,appsrumors infection

[spotldr]

Malwarebytes Premium keeps blocking outbound to different sites, especially fff5ee.com. and appsrumors.com  

 

It is happening every few seconds and I don't even remember downloading anything. I ran Trends House call and it found nothing just like Malwarebytes found nothing, even in safe mode.

 

here are the logs from farbar that I had to download from another computer because this one wouldn't allow downloads.

 

 

 

FRST.txt

log Addition.txt

[Naathim]

dwade - please start your own topic, and wait until it will be picked.


Thius instruction is for spotldr only!
You are very heavy infected. Multiple backdoors and so. Considet the following warning and let me know how you'd wish to proceed.


Why the logs are taken from the safe mode?



Backdoor warning!

Unfortunately your machine seems to be heavy compromised by a Backdoor Trojan. This type of infection allows hackers to remotely control your computer, steal critical system information and download and execute files. My advice for this moment:

• Disconnect this machine from the internet.
• Change your online passwords from a well-known clean computer (not this one!).
• It would be also wise to inform financial institutions about your situation - see here.

Many experts believe that the best action should be reformat and reinstall, but I think that we can still be able to clean this one and return it to its normal funcionality (with no security guarantee afterwards, as this is a very severe type of infection).

• If you plan to rather reinstall your system, let me know if I could provide any help during that procedure.
• If you wish to omit the reinstallation, just please proceed with the next steps directed.

I believe that we can kill this nasty bad guy

[spotldr]

I took the report in safe mode because I was trying to see if malwarebytes or a, friend recommended ,House calls would find the virus.  I would like to try to remove it, if possible. I have a program that is no longer available and as the company gave a backdoor for those that had purchased the key, I would be sad to loose it. 

 

 

 

 I ran a new log outside of safemode, didn't see the attached file one this time, though.

 

Should I work on another computer to access the forum, to work on this crazy computer.  Luckily I change passwords to everything frequently and never store them.  I did go on a computer that hasn't even been turned on for 4 months and changed bank log in.

 

 

FRST 2.txt

[Naathim]

Hi
 
Perform my instructions from normal mode if available. If not - ask me before proceding.
Goog call with changing the passwords.

 

Post the logs in your posts instead of attaching them, it will make my life easier.


Scan with ComboFix

This is a very powerful tool that should be used only if advised by Malware Analyst.
Do not run ComboFix on your own!

Referring to this instruction, please download ComboFix by sUBs and save it to your desktop.
Temporary disable your AntiVirus and AntiSpyware protection - instructions here.
If you are a user of CD emulation software (like Daemon Tools or Alcohol) also disable it for the cleaning process - instructions here.

• Right-click on icon and select Run as Administrator to start the tool.
• Accept the disclaimer and agree if prompted to install Recovery Console.
• Do not take any actions while ComboFix goes through your System - it may cause it to stall!
• This scan may take some time!
• When finished - it will display a logfile (located also on your main drive, usually C:\ComboFix.txt).

Include that log in your next reply.
If you'll encounter any issues with internet connection after running ComboFix, please visit this link.
If an error about operation on the key marked for deletion will appear after running the tool, please reboot your machine.
Don't forget to re-enable your previously switched-off protection software!

[spotldr]

ok. I just did combofix, the computer went online quickly but the fff5ee.com is back. It wont allow any downloads. says the security setting wont allow,

 

log is attached.

 

a popup screen from combo fix came up that it was infected with Rootkit.ZeroAccess! then it beeped to ay it needed to reboot. 

 

I disconnected it from internet again.

combofix log.txt

[Naathim]

Heavy one, I see. Won't let go so easily.


Post the logs in your posts instead of attaching them, it will make my life easier.



Scan with Farbar Recovery Scan Tool

Please re-run Farbar Recovery Scan Tool.

• Right-click on icon and select Run as Administrator to start the tool.
  > XP users click run after receipt of Windows Security Warning - Open File.
  > 8 users will be prompted about Windows SmartScreen protection - click More information and Run.
• Make sure that Addition option is checked.
• Press Scan button and wait.
• The tool will produce two logfiles on your desktop: FRST.txt and Addition.txt.

Please include their content in your next reply.

[spotldr]

I so hate making your life difficult, but I have tried every copy paste, select all, etc; but nothing . 

I don't know what I'm doing wrong? I'm on a good computer, but the files are from the infected one.???

 

Addition 3.txt

FRST 3.txt

[Naathim]

Fix with Farbar Recovery Scan Tool

This fix was created for this user for use on that particular machine.
Running it on another one may cause damage and render the system unstable.

Press the + R on your keyboard at the same time. Type Notepad and click OK.

• Copy the entire content of the codebox below and paste into the Notepad document:
  

  startCloseProcesses:HKU\S-1-5-21-18420745-2485514510-2176100773-1000\...A8F59079A8D5}\localserver32: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 239 more characters). <==== Poweliks!Handler: livecall - {828030A1-22C1-4009-854F-8E305202313F} -  No FileHandler: msnim - {828030A1-22C1-4009-854F-8E305202313F} -  No FileWinsock: Catalog5 01 %SystemRoot%\System32\mswsock.dll [231424] (Microsoft Corporation) ATTENTION: The LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"FF Plugin HKCU: @nds.com/PCShowPlugin -> C:\Users\Owner\AppData\Local\DIRECTV Player\npPCShowPlugin.dll No FileFF Plugin HKCU: @nds.com/PlayerPlugin -> C:\Users\Owner\AppData\Local\DIRECTV Player\npPlayerPlugin.dll No FileFF Plugin HKCU: CouponNetwork.com/CMDUniversalCouponPrintActivator -> C:\Users\Owner\AppData\Roaming\CATALI~2\NPBCSK~1.DLL (Catalina Marketing Corporation)C:\Users\Owner\AppData\Roaming\CATALI~2CHR Plugin: (Shockwave Flash) - C:\Program Files\Google\Chrome\Application\27.0.1453.116\PepperFlash\pepflashplayer.dll No FileCHR Plugin: (Native Client) - C:\Program Files\Google\Chrome\Application\27.0.1453.116\ppGoogleNaClPluginChrome.dll No FileCHR Plugin: (Chrome PDF Viewer) - C:\Program Files\Google\Chrome\Application\27.0.1453.116\pdf.dll No FileCHR Plugin: (Google Update) - C:\Program Files\Google\Update\1.3.21.145\npGoogleUpdate3.dll No FileCHR Plugin: (Silverlight Plug-In) - C:\Program Files\Microsoft Silverlight\5.1.20125.0\npctrl.dll No FileCHR Plugin: (Catalina Savings Printer) - C:\Users\Owner\AppData\Roaming\Catalina \u2013 Print Savings\npBcsKtTcHW.dll No FileS2 acdservice; %systemroot%\system32\ZuneWlanCfgSvc.dll [X]S2 acedrv05; %systemroot%\system32\dptrackerd.dll [X]S2 acs; %systemroot%\system32\WNCPKT.dll [X]S2 acsvc; %systemroot%\system32\WmVirHid.dll [X]S2 aha154x; %systemroot%\system32\vserial.dll [X]S2 AKSIFDH; %systemroot%\system32\qbreminderflash.dll [X]S2 ALABULK; %systemroot%\system32\NICSer_WPC300N.dll [X]S2 alcan5wn; %systemroot%\system32\mohfilt.dll [X]S2 allegro; %systemroot%\system32\tfsnopio.dll [X]S2 Alpham2; %systemroot%\system32\bc_ip_f.dll [X]S2 ASUSVRC; %systemroot%\system32\SMCB000.dll [X]S2 atimtag; %systemroot%\system32\risdptsk.dll [X]S2 atirage3; %systemroot%\system32\SiSGbeXP.dll [X]S2 atixsaudio; %systemroot%\system32\SetupSys.dll [X]S2 Atmuni; %systemroot%\system32\Machnm32.dll [X]S2 backupclientsvc; %systemroot%\system32\GTF32BUS.dll [X]S2 BCMWLNPF; %systemroot%\system32\WNIPROT5.dll [X]S2 brmfrmps; %systemroot%\system32\mediaviewer.dll [X]S2 BrScnUsb; %systemroot%\system32\IntelC53.dll [X]S2 BTSLBCSP; %systemroot%\system32\meiudf.dll [X]S2 BVRPMPR5; %systemroot%\system32\eabfiltr.dll [X]S2 bvrp_pci; %systemroot%\system32\Alpham1.dll [X]S2 c-dillasrv; %systemroot%\system32\bt3cser.dll [X]S2 CADlink; %systemroot%\system32\alcxwdm.dll [X]S2 CAMCAUD; %systemroot%\system32\AtlsAud.dll [X]S2 cbidf2k; %systemroot%\system32\VX1000.dll [X]S2 CBTNDIS5; %systemroot%\system32\ZDPNDIS5.dll [X]S2 cdaudio; %systemroot%\system32\nwrdr.dll [X]S2 cdr4_2k; %systemroot%\system32\Cap7134.dll [X]S2 cdralw2k; %systemroot%\system32\belmonitorservice.dll [X]S2 CDRPDACC; %systemroot%\system32\pdlnecfg.dll [X]S2 changer; %systemroot%\system32\WmUsbHid.dll [X]S2 COMMONFX.DLL; %systemroot%\system32\EQDRV5.dll [X]S2 crystalinputfileserver; %systemroot%\system32\se45nd5.dll [X]S2 CrystalSysInfo; %systemroot%\system32\s716mdm.dll [X]S2 CTAUDFX.DLL; %systemroot%\system32\LMIRfsDriver.dll [X]S2 ctljystk; %systemroot%\system32\nvidesm.dll [X]S2 CTMMOUNT; %systemroot%\system32\usbuhci.dll [X]S2 cwafeventrouter; %systemroot%\system32\wmpnetworksvc.dll [X]S2 DC21x4; %systemroot%\system32\AIRPLUS.dll [X]S2 dcfssvc; %systemroot%\system32\btwhid.dll [X]S2 deventagent; %systemroot%\system32\speakerphone.dll [X]S2 digictrl; %systemroot%\system32\mrxdav.dll [X]S2 dtscsi; %systemroot%\system32\vwkernel.dll [X]S2 eabusb; %systemroot%\system32\bcftdi.dll [X]S2 earthlinksafeconnectagent; %systemroot%\system32\cmdagent.dll [X]S2 easdrv; %systemroot%\system32\rimusb.dll [X]S2 elaunidr; %systemroot%\system32\irbus.dll [X]S2 elnkupdateservice; %systemroot%\system32\odclientservice.dll [X]S2 EMATCORE; %systemroot%\system32\vsdatant.dll [X]S2 epfw; %systemroot%\system32\pml.dll [X]S2 fah@c:+fah+fah-service+fah502-console.exe; %systemroot%\system32\smservauth.dll [X]S2 freesshdservice; %systemroot%\system32\wwsecsvc.dll [X]S2 fssfltr; %systemroot%\system32\elnkupdateservice.dll [X]S2 gbpoll; %systemroot%\system32\mfeapfk.dll [X]S2 genregistrar; %systemroot%\system32\hsf_msft.dll [X]S2 ggsemc; %systemroot%\system32\sshrmd.dll [X]S2 hidgame; %systemroot%\system32\TNaviSrv.dll [X]S2 houdinilicenseserver; %systemroot%\system32\oracleorahomehttpserver.dll [X]S2 HPFXBULK; %systemroot%\system32\s117mdfl.dll [X]S2 HssTrayService; %systemroot%\system32\automate6.dll [X]S2 https-admserv61; %systemroot%\system32\tosporte.dll [X]S2 i2omp; %systemroot%\system32\sweepsrv.sys.dll [X]S2 iaimfp0; %systemroot%\system32\personalsecuredriveservice.dll [X]S2 ichaud; %systemroot%\system32\retrowdsvc.dll [X]S2 idisw2km; %systemroot%\system32\Anydlc.dll [X]S2 iftpsvc; %systemroot%\system32\ROCKEYNT.dll [X]S2 ikfileflt; %systemroot%\system32\penrendezvous.dll [X]S2 ikhlayer; %systemroot%\system32\filemon701.dll [X]S2 ilicensesvc; %systemroot%\system32\XilinxPC4Driver.dll [X]S2 imagesrv; %systemroot%\system32\advantage.dll [X]S2 inort; %systemroot%\system32\cdrbsdrv.dll [X]S2 InterBaseGuardian; %systemroot%\system32\pavsrv.dll [X]S2 IntuitUpdateService; %systemroot%\system32\ptserial.dll [X]S2 jconfigd; %systemroot%\system32\GTWModem.dll [X]S2 Jukebox; %systemroot%\system32\dpc_srv_webcast.dll [X]S2 jukebox3; %systemroot%\system32\RIOXDRV.dll [X]S2 k750obex; %systemroot%\system32\servicemgr.dll [X]S2 keriomailserver; %systemroot%\system32\ScanUSBEMPIA.dll [X]S2 L8042Kbd; %systemroot%\system32\carboncopy32.dll [X]S2 lfsfilt; %systemroot%\system32\tiumfwl.dll [X]S2 lhidusb; %systemroot%\system32\RR2Mjpeg.dll [X]S2 lilsgt; %systemroot%\system32\mspclock.dll [X]S2 lvckap; %systemroot%\system32\websensecamreportserver.dll [X]S2 lvmvdrv; %systemroot%\system32\sysaudio.dll [X]S2 lxcg_device; %systemroot%\system32\DFUBTUSB.dll [X]S2 M3AD; %systemroot%\system32\usbbus.dll [X]S2 mcafeeantispyware; %systemroot%\system32\NIPALK.dll [X]S2 mcontrol; %systemroot%\system32\mssqlserver.dll [X]S2 mcusrmgr; %systemroot%\system32\avgascln.dll [X]S2 merakpop3; %systemroot%\system32\cdfs.dll [X]S2 mf; %systemroot%\system32\HssDrv.dll [X]S2 mfcom; %systemroot%\system32\tvichw32.dll [X]S2 mindrepair; %systemroot%\system32\DMICall.dll [X]S2 mindretrieve; %systemroot%\system32\VAIOMediaPlatform-VideoServer-UPnP.dll [X]S2 msdv; %systemroot%\system32\tvicport.dll [X]S2 MSFWDrv; %systemroot%\system32\agnwifi.dll [X]S2 mssqlserverolapservice; %systemroot%\system32\symmpi.dll [X]S2 mstdfrgs; %systemroot%\system32\sdbus.dll [X]S2 mysqlinventime; %systemroot%\system32\k750mdfl.dll [X]S2 naiavfilter1; %systemroot%\system32\MegaSR.dll [X]S2 netcfgsvr; %systemroot%\system32\aolavupd.dll [X]S2 netddedsdm; %systemroot%\system32\mpfservice.dll [X]S2 ni_nic; %systemroot%\system32\Xyz777b.dll [X]S2 Nsynas32; %systemroot%\system32\ProcObsrv.dll [X]S2 NuidFltr; %systemroot%\system32\sis315.dll [X]S2 nuvvid2; %systemroot%\system32\puscsrvc.dll [X]S2 nv4; %systemroot%\system32\dsNcAdpt.dll [X]S2 NVNET; %systemroot%\system32\servicemgr.dll [X]S2 NxNetMon; %systemroot%\system32\SQTECH905C.dll [X]S2 oracleorahomeagent; %systemroot%\system32\nvstor64.dll [X]S2 outpostfirewall; %systemroot%\system32\s616nd5.dll [X]S2 p2k; %systemroot%\system32\asp.net.dll [X]S2 patrol_scheduler; %systemroot%\system32\cqmghost.dll [X]S2 pavfnsvr; %systemroot%\system32\df5serv.dll [X]S2 PCDRSRVC; %systemroot%\system32\p2k.dll [X]S2 pctavsvc; %systemroot%\system32\lvusbsta.dll [X]S2 pdrframe; %systemroot%\system32\SetupNT.dll [X]S2 pduip6000dmemcrdmgr; %systemroot%\system32\slee_503_service.dll [X]S2 perc2hib; %systemroot%\system32\dcevt32.dll [X]S2 picturetaker; %systemroot%\system32\netsvc.dll [X]S2 pid_0928; %systemroot%\system32\pctavsvc.dll [X]S2 pktfilter; %systemroot%\system32\pdlnacom.dll [X]S2 prevxagent; %systemroot%\system32\SaiNtHid.dll [X]S2 prevxdriver; %systemroot%\system32\As6frin.dll [X]S2 prtg4service; %systemroot%\system32\CTHWIUT.DLL.dll [X]S2 qhwscsvc; %systemroot%\system32\bridgemp.dll [X]S2 ql1240; %systemroot%\system32\ATIBTXBAR.dll [X]S2 radiosvr; %systemroot%\system32\imagesrv.dll [X]S2 raidmsvr; %systemroot%\system32\SecureStorageService.dll [X]S2 regdefend; %systemroot%\system32\PCISys.dll [X]S2 regservice; %systemroot%\system32\nvidesm.dll [X]S2 regsrvc; %systemroot%\system32\ppmoucls.dll [X]S2 rsvchost; %systemroot%\system32\imagedrv.dll [X]S2 rtport; %systemroot%\system32\TSHWMDTCP.dll [X]S2 s116mdm; %systemroot%\system32\unlockerdriver5.dll [X]S2 s117bus; %systemroot%\system32\iPassPeriodicUpdateApp.dll [X]S2 s117mdm; %systemroot%\system32\MSW_USB.dll [X]S2 s3ssavage; %systemroot%\system32\RecAgent.dll [X]S2 s716bus; %systemroot%\system32\tcsd_win32.exe.dll [X]S2 se44mdfl; %systemroot%\system32\WimFltr.dll [X]S2 se45obex; %systemroot%\system32\rpcnet.dll [X]S2 SeratoUsb; %systemroot%\system32\btdriver.dll [X]S2 ssdiagn; %systemroot%\system32\USB_RNDIS.dll [X]S2 streamloadservice; %systemroot%\system32\ovsecurityserver.dll [X]S2 symtdi; %systemroot%\system32\dladresn.dll [X]S2 teefer; %systemroot%\system32\snpstd2.dll [X]S2 tpkd; %systemroot%\system32\asusgsb.dll [X]S2 tsdhd; %systemroot%\system32\srtspx.dll [X]S2 tvicport; %systemroot%\system32\speakerphone.dll [X]S2 umwdf; %systemroot%\system32\ikfileflt.dll [X]S2 UNDPX2A; %systemroot%\system32\NdisFilt.dll [X]S2 unrealircd; %systemroot%\system32\nsm1mdfl.dll [X]S2 USA49W2KP; %systemroot%\system32\regspy.dll [X]S2 utilman; %systemroot%\system32\vcdsecs.dll [X]S2 utscsi; %systemroot%\system32\mnsframework.dll [X]S2 venturi2; %systemroot%\system32\ofcservice.dll [X]S2 vpn5000service; %systemroot%\system32\PSDNServ.dll [X]S2 VRcore; %systemroot%\system32\XFX_program.dll [X]S2 vvoice; %systemroot%\system32\cwafnotesservice.dll [X]S2 webrootenterpriseclientservice; %systemroot%\system32\STEC3.dll [X]S2 websenseclientdeployservice; %systemroot%\system32\cpucoolserver.dll [X]S2 wltrysvc; %systemroot%\system32\syntp.dll [X]S2 wwnetdde; %systemroot%\system32\WDM_YAMAHAAC97.dll [X]S2 wzcsvc; %systemroot%\system32\HssTrayService.dll [X]S2 XAudio; %systemroot%\system32\mcmscsvc.dll [X]S2 xfilt; %systemroot%\system32\uhcd.dll [X]S2 Xyz777b; %systemroot%\system32\dlcc_device.dll [X]S2 YMIDUSB; %systemroot%\system32\ATIVTUTW.dll [X]S2 z525mdfl; %systemroot%\system32\FVXSCSI.dll [X]S2 z800bus; %systemroot%\system32\sfloppy.dll [X]S2 zfdwm; %systemroot%\system32\nmsaccess.dll [X]S2 {834170a7-af3b-4d34-a757-e05eb29ee96d}; %systemroot%\system32\FVXSCSI.dll [X]NETSVC: CBTNDIS5 -> C:\Windows\system32\ZDPNDIS5.dll ==> No File.NETSVC: z525mdfl -> C:\Windows\system32\FVXSCSI.dll ==> No File.NETSVC: UNDPX2A -> C:\Windows\system32\NdisFilt.dll ==> No File.NETSVC: DC21x4 -> C:\Windows\system32\AIRPLUS.dll ==> No File.NETSVC: mfcom -> C:\Windows\system32\tvichw32.dll ==> No File.NETSVC: XAudio -> C:\Windows\system32\mcmscsvc.dll ==> No File.NETSVC: imagesrv -> C:\Windows\system32\advantage.dll ==> No File.NETSVC: mindretrieve -> C:\Windows\system32\VAIOMediaPlatform-VideoServer-UPnP.dll ==> No File.NETSVC: outpostfirewall -> C:\Windows\system32\s616nd5.dll ==> No File.NETSVC: genregistrar -> C:\Windows\system32\hsf_msft.dll ==> No File.NETSVC: mssqlserverolapservice -> C:\Windows\system32\symmpi.dll ==> No File.NETSVC: Jukebox -> C:\Windows\system32\dpc_srv_webcast.dll ==> No File.NETSVC: lilsgt -> C:\Windows\system32\mspclock.dll ==> No File.NETSVC: LwUsbHid -> No Registry Path.NETSVC: lhidusb -> C:\Windows\system32\RR2Mjpeg.dll ==> No File.NETSVC: YMIDUSB -> C:\Windows\system32\ATIVTUTW.dll ==> No File.NETSVC: earthlinksafeconnectagent -> C:\Windows\system32\cmdagent.dll ==> No File.NETSVC: ss_bus -> No Registry Path.NETSVC: bvrp_pci -> C:\Windows\system32\Alpham1.dll ==> No File.NETSVC: SeratoUsb -> C:\Windows\system32\btdriver.dll ==> No File.NETSVC: allegro -> C:\Windows\system32\tfsnopio.dll ==> No File.NETSVC: utilman -> C:\Windows\system32\vcdsecs.dll ==> No File.NETSVC: p2k -> C:\Windows\system32\asp.net.dll ==> No File.NETSVC: ctljystk -> C:\Windows\system32\nvidesm.dll ==> No File.NETSVC: ilicensesvc -> C:\Windows\system32\XilinxPC4Driver.dll ==> No File.NETSVC: acsvc -> C:\Windows\system32\WmVirHid.dll ==> No File.NETSVC: dtscsi -> C:\Windows\system32\vwkernel.dll ==> No File.NETSVC: COMMONFX.DLL -> C:\Windows\system32\EQDRV5.dll ==> No File.NETSVC: regservice -> C:\Windows\system32\nvidesm.dll ==> No File.NETSVC: CTAUDFX.DLL -> C:\Windows\system32\LMIRfsDriver.dll ==> No File.NETSVC: BrScnUsb -> C:\Windows\system32\IntelC53.dll ==> No File.NETSVC: ggsemc -> C:\Windows\system32\sshrmd.dll ==> No File.NETSVC: eabusb -> C:\Windows\system32\bcftdi.dll ==> No File.NETSVC: s3ssavage -> C:\Windows\system32\RecAgent.dll ==> No File.NETSVC: c-dillasrv -> C:\Windows\system32\bt3cser.dll ==> No File.NETSVC: vvoice -> C:\Windows\system32\cwafnotesservice.dll ==> No File.NETSVC: EMATCORE -> C:\Windows\system32\vsdatant.dll ==> No File.NETSVC: atirage3 -> C:\Windows\system32\SiSGbeXP.dll ==> No File.NETSVC: wwnetdde -> C:\Windows\system32\WDM_YAMAHAAC97.dll ==> No File.NETSVC: BCMWLNPF -> C:\Windows\system32\WNIPROT5.dll ==> No File.NETSVC: msdv -> C:\Windows\system32\tvicport.dll ==> No File.NETSVC: elnkupdateservice -> C:\Windows\system32\odclientservice.dll ==> No File.NETSVC: umwdf -> C:\Windows\system32\ikfileflt.dll ==> No File.NETSVC: s117mdm -> C:\Windows\system32\MSW_USB.dll ==> No File.NETSVC: cwafeventrouter -> C:\Windows\system32\wmpnetworksvc.dll ==> No File.NETSVC: aha154x -> C:\Windows\system32\vserial.dll ==> No File.NETSVC: unrealircd -> C:\Windows\system32\nsm1mdfl.dll ==> No File.NETSVC: teefer -> C:\Windows\system32\snpstd2.dll ==> No File.NETSVC: tsdhd -> C:\Windows\system32\srtspx.dll ==> No File.NETSVC: mcusrmgr -> C:\Windows\system32\avgascln.dll ==> No File.NETSVC: ikhlayer -> C:\Windows\system32\filemon701.dll ==> No File.NETSVC: {834170a7-af3b-4d34-a757-e05eb29ee96d} -> C:\Windows\system32\FVXSCSI.dll ==> No File.NETSVC: Nsynas32 -> C:\Windows\system32\ProcObsrv.dll ==> No File.NETSVC: crystalinputfileserver -> C:\Windows\system32\se45nd5.dll ==> No File.NETSVC: BCMModem -> No Registry Path.NETSVC: utscsi -> C:\Windows\system32\mnsframework.dll ==> No File.NETSVC: inort -> C:\Windows\system32\cdrbsdrv.dll ==> No File.NETSVC: netcfgsvr -> C:\Windows\system32\aolavupd.dll ==> No File.NETSVC: qhUSA49W2KP -> No Registry Path.NETSVC: picturetaker -> C:\Windows\system32\netsvc.dll ==> No File.NETSVC: atimtag -> C:\Windows\system32\risdptsk.dll ==> No File.NETSVC: brmfrmps -> C:\Windows\system32\mediaviewer.dll ==> No File.NETSVC: acedrv05 -> C:\Windows\system32\dptrackerd.dll ==> No File.NETSVC: pduip6000dmemcrdmgr -> C:\Windows\system32\slee_503_service.dll ==> No File.NETSVC: prevxdriver -> C:\Windows\system32\As6frin.dll ==> No File.NETSVC: mcontrol -> C:\Windows\system32\mssqlserver.dll ==> No File.NETSVC: prevxagent -> C:\Windows\system32\SaiNtHid.dll ==> No File.NETSVC: ALABULK -> C:\Windows\system32\NICSer_WPC300N.dll ==> No File.NETSVC: datasvr2 -> No Registry Path.NETSVC: patrol_scheduler -> C:\Windows\system32\cqmghost.dll ==> No File.NETSVC: lfsfilt -> C:\Windows\system32\tiumfwl.dll ==> No File.NETSVC: fah@c:+fah+fah-service+fah502-console.exe -> C:\Windows\system32\smservauth.dll ==> No File.NETSVC: Alpham2 -> C:\Windows\system32\bc_ip_f.dll ==> No File.NETSVC: atixsaudio -> C:\Windows\system32\SetupSys.dll ==> No File.NETSVC: easdrv -> C:\Windows\system32\rimusb.dll ==> No File.NETSVC: mcafeeantispyware -> C:\Windows\system32\NIPALK.dll ==> No File.NETSVC: tga -> No Registry Path.NETSVC: s117bus -> C:\Windows\system32\iPassPeriodicUpdateApp.dll ==> No File.NETSVC: ichaud -> C:\Windows\system32\retrowdsvc.dll ==> No File.NETSVC: bgmainsvc -> No Registry Path.NETSVC: raidmsvr -> C:\Windows\system32\SecureStorageService.dll ==> No File.NETSVC: nv4 -> C:\Windows\system32\dsNcAdpt.dll ==> No File.NETSVC: gbpoll -> C:\Windows\system32\mfeapfk.dll ==> No File.NETSVC: InterBaseGuardian -> C:\Windows\system32\pavsrv.dll ==> No File.NETSVC: backupclientsvc -> C:\Windows\system32\GTF32BUS.dll ==> No File.NETSVC: Xyz777b -> C:\Windows\system32\dlcc_device.dll ==> No File.NETSVC: HssTrayService -> C:\Windows\system32\automate6.dll ==> No File.NETSVC: WmFilter -> No Registry Path.NETSVC: VRcore -> C:\Windows\system32\XFX_program.dll ==> No File.NETSVC: BVRPMPR5 -> C:\Windows\system32\eabfiltr.dll ==> No File.NETSVC: perc2hib -> C:\Windows\system32\dcevt32.dll ==> No File.NETSVC: pdrframe -> C:\Windows\system32\SetupNT.dll ==> No File.NETSVC: keriomailserver -> C:\Windows\system32\ScanUSBEMPIA.dll ==> No File.NETSVC: tnbrlds -> No Registry Path.NETSVC: PCDRSRVC -> C:\Windows\system32\p2k.dll ==> No File.NETSVC: ssdiagn -> C:\Windows\system32\USB_RNDIS.dll ==> No File.NETSVC: CrystalSysInfo -> C:\Windows\system32\s716mdm.dll ==> No File.NETSVC: se44mdfl -> C:\Windows\system32\WimFltr.dll ==> No File.NETSVC: websenseclientdeployservice -> C:\Windows\system32\cpucoolserver.dll ==> No File.NETSVC: HPFXBULK -> C:\Windows\system32\s117mdfl.dll ==> No File.NETSVC: deventagent -> C:\Windows\system32\speakerphone.dll ==> No File.NETSVC: pavfnsvr -> C:\Windows\system32\df5serv.dll ==> No File.NETSVC: hsfhwbs2 -> No Registry Path.NETSVC: venturi2 -> C:\Windows\system32\ofcservice.dll ==> No File.NETSVC: mysqlinventime -> C:\Windows\system32\k750mdfl.dll ==> No File.NETSVC: cdralw2k -> C:\Windows\system32\belmonitorservice.dll ==> No File.NETSVC: jukebox3 -> C:\Windows\system32\RIOXDRV.dll ==> No File.NETSVC: mindrepair -> C:\Windows\system32\DMICall.dll ==> No File.NETSVC: CDRPDACC -> C:\Windows\system32\pdlnecfg.dll ==> No File.NETSVC: wltrysvc -> C:\Windows\system32\syntp.dll ==> No File.NETSVC: netddedsdm -> C:\Windows\system32\mpfservice.dll ==> No File.NETSVC: k750obex -> C:\Windows\system32\servicemgr.dll ==> No File.NETSVC: cbidf2k -> C:\Windows\system32\VX1000.dll ==> No File.NETSVC: cdaudio -> C:\Windows\system32\nwrdr.dll ==> No File.NETSVC: ql12160 -> No Registry Path.NETSVC: regsrvc -> C:\Windows\system32\ppmoucls.dll ==> No File.NETSVC: streamloadservice -> C:\Windows\system32\ovsecurityserver.dll ==> No File.NETSVC: BTSLBCSP -> C:\Windows\system32\meiudf.dll ==> No File.NETSVC: pktfilter -> C:\Windows\system32\pdlnacom.dll ==> No File.NETSVC: acs -> C:\Windows\system32\WNCPKT.dll ==> No File.NETSVC: xfilt -> C:\Windows\system32\uhcd.dll ==> No File.NETSVC: lvmvdrv -> C:\Windows\system32\sysaudio.dll ==> No File.NETSVC: unlockerdriver5 -> No Registry Path.NETSVC: radiosvr -> C:\Windows\system32\imagesrv.dll ==> No File.NETSVC: changer -> C:\Windows\system32\WmUsbHid.dll ==> No File.NETSVC: prtg4service -> C:\Windows\system32\CTHWIUT.DLL.dll ==> No File.NETSVC: lvckap -> C:\Windows\system32\websensecamreportserver.dll ==> No File.NETSVC: ni_nic -> C:\Windows\system32\Xyz777b.dll ==> No File.NETSVC: L8042Kbd -> C:\Windows\system32\carboncopy32.dll ==> No File.NETSVC: hidgame -> C:\Windows\system32\TNaviSrv.dll ==> No File.NETSVC: houdinilicenseserver -> C:\Windows\system32\oracleorahomehttpserver.dll ==> No File.NETSVC: cdr4_2k -> C:\Windows\system32\Cap7134.dll ==> No File.NETSVC: CADlink -> C:\Windows\system32\alcxwdm.dll ==> No File.NETSVC: adiusbaw -> No Registry Path.NETSVC: obvious -> No Registry Path.NETSVC: AKSIFDH -> C:\Windows\system32\qbreminderflash.dll ==> No File.NETSVC: ikfileflt -> C:\Windows\system32\penrendezvous.dll ==> No File.NETSVC: jconfigd -> C:\Windows\system32\GTWModem.dll ==> No File.NETSVC: DcLps -> No Registry Path.NETSVC: webrootenterpriseupdateservice -> No Registry Path.NETSVC: mstdfrgs -> C:\Windows\system32\sdbus.dll ==> No File.NETSVC: Atmuni -> C:\Windows\system32\Machnm32.dll ==> No File.NETSVC: elaunidr -> C:\Windows\system32\irbus.dll ==> No File.NETSVC: lxcg_device -> C:\Windows\system32\DFUBTUSB.dll ==> No File.NETSVC: s116mdm -> C:\Windows\system32\unlockerdriver5.dll ==> No File.NETSVC: rsvchost -> C:\Windows\system32\imagedrv.dll ==> No File.NETSVC: https-admserv61 -> C:\Windows\system32\tosporte.dll ==> No File.NETSVC: epfw -> C:\Windows\system32\pml.dll ==> No File.NETSVC: webrootenterpriseclientservice -> C:\Windows\system32\STEC3.dll ==> No File.NETSVC: acdservice -> C:\Windows\system32\ZuneWlanCfgSvc.dll ==> No File.NETSVC: CTMMOUNT -> C:\Windows\system32\usbuhci.dll ==> No File.NETSVC: CAMCAUD -> C:\Windows\system32\AtlsAud.dll ==> No File.NETSVC: ql1240 -> C:\Windows\system32\ATIBTXBAR.dll ==> No File.NETSVC: merakpop3 -> C:\Windows\system32\cdfs.dll ==> No File.NETSVC: ASUSVRC -> C:\Windows\system32\SMCB000.dll ==> No File.NETSVC: fssfltr -> C:\Windows\system32\elnkupdateservice.dll ==> No File.NETSVC: M3AD -> C:\Windows\system32\usbbus.dll ==> No File.NETSVC: MSFWDrv -> C:\Windows\system32\agnwifi.dll ==> No File.NETSVC: se45obex -> C:\Windows\system32\rpcnet.dll ==> No File.NETSVC: iftpsvc -> C:\Windows\system32\ROCKEYNT.dll ==> No File.NETSVC: idisw2km -> C:\Windows\system32\Anydlc.dll ==> No File.NETSVC: rtport -> C:\Windows\system32\TSHWMDTCP.dll ==> No File.NETSVC: X4HSX32 -> No Registry Path.NETSVC: NVNET -> C:\Windows\system32\servicemgr.dll ==> No File.NETSVC: dcfssvc -> C:\Windows\system32\btwhid.dll ==> No File.NETSVC: ipahelper.exe -> No Registry Path.NETSVC: iaimfp0 -> C:\Windows\system32\personalsecuredriveservice.dll ==> No File.NETSVC: tvicport -> C:\Windows\system32\speakerphone.dll ==> No File.NETSVC: regdefend -> C:\Windows\system32\PCISys.dll ==> No File.NETSVC: F700ius -> No Registry Path.NETSVC: naiavfilter1 -> C:\Windows\system32\MegaSR.dll ==> No File.NETSVC: z800bus -> C:\Windows\system32\sfloppy.dll ==> No File.NETSVC: digictrl -> C:\Windows\system32\mrxdav.dll ==> No File.NETSVC: i2omp -> C:\Windows\system32\sweepsrv.sys.dll ==> No File.NETSVC: zfdwm -> C:\Windows\system32\nmsaccess.dll ==> No File.NETSVC: NxNetMon -> C:\Windows\system32\SQTECH905C.dll ==> No File.NETSVC: symtdi -> C:\Windows\system32\dladresn.dll ==> No File.NETSVC: oracleservicesecinst -> No Registry Path.NETSVC: freesshdservice -> C:\Windows\system32\wwsecsvc.dll ==> No File.NETSVC: mf -> C:\Windows\system32\HssDrv.dll ==> No File.NETSVC: NuidFltr -> C:\Windows\system32\sis315.dll ==> No File.NETSVC: s716bus -> C:\Windows\system32\tcsd_win32.exe.dll ==> No File.NETSVC: nuvvid2 -> C:\Windows\system32\puscsrvc.dll ==> No File.NETSVC: pid_0928 -> C:\Windows\system32\pctavsvc.dll ==> No File.NETSVC: pctavsvc -> C:\Windows\system32\lvusbsta.dll ==> No File.NETSVC: tpkd -> C:\Windows\system32\asusgsb.dll ==> No File.NETSVC: IntuitUpdateService -> C:\Windows\system32\ptserial.dll ==> No File.NETSVC: alcan5wn -> C:\Windows\system32\mohfilt.dll ==> No File.NETSVC: oracleorahomeagent -> C:\Windows\system32\nvstor64.dll ==> No File.NETSVC: vpn5000service -> C:\Windows\system32\PSDNServ.dll ==> No File.NETSVC: gmer -> No Registry Path.2014-10-29 18:28 - 2014-05-29 19:34 - 00000005 _____ () C:\Windows\system32\lMMLDeleteUserData42107612FX.tmpC:\ProgramData\8f48m6.datC:\Users\Owner\msndata.datCustomCLSID: HKU\S-1-5-21-18420745-2485514510-2176100773-1000_Classes\CLSID\{15ea6566-467f-42ae-85d7-0ef80306cbdc}\localserver32 -> C:\Users\Owner\AppData\Local\Temp\{8b1670c8-dc4a-4ed4-974b-81737a23826b}\IDriver.NonElevated.exe No  (the data entry has 4 more characters).CustomCLSID: HKU\S-1-5-21-18420745-2485514510-2176100773-1000_Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32 -> rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 247 more characters). <==== Poweliks?end

• Click File, Save As and type fixlist.txt as the File Name.

Both files, FRST and fixlist.txt have to be in the same location or the fix will not work!

• Right-click on icon and select Run as Administrator to start the tool.
  > XP users click run after receipt of Windows Security Warning - Open File.
  > 8 users will be prompted about Windows SmartScreen protection - click More information and Run.
• Press the Fix button just once and wait.
• If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
• When finished FRST will generate a log on the Desktop, called Fixlog.txt.

Please include it in your reply.




Fix with ComboFix

Let's prepare a Script for ComboFix to mark some things for being deleted.

• Press the + R on your keyboard at the same time.
• A Run window should appear in the lower left corner. Type in notepad.exe and press Enter.
• In the shown window paste in the following script:
  

  https://forums.malwarebytes.org/index.php?/topic/159895-fff5eecom-honeymodappsrumors-infection/Suspect::[173]C:\Windows\system32\Drivers\AFS.sys

• Go to File menu and select Save as.
• Make sure that the Save as type option is set to Text files (*.txt) and the place to save will be your desktop.
• Name the file CFScript and select Save.

Your CFScript.txt file should appear on your desktop.

Temporary disable your AntiVirus and AntiSpyware protection - instructions here.

• Now drag your CFScript file and drop it onto the icon:
  
• This will start ComboFix. Let it run uninterrupted!
• A reboot may be needed during this run. Allow it.
• When finished, it shall produce a log for you at C:\ComboFix.txt and display it.

Please include that log in your next reply.
If you'll encounter any issues with internet connection after running ComboFix, please visit this link.
If an error about operation on the key marked for deletion will appear after running the tool, please reboot your machine.
Do not forget to turn on your previously switched-off protection software!

[spotldr]

ok. ran everything and malware isn't blocking anything, but I can't download anything.  pop up says your security settings do not allow this file to be downloaded.  same one from before.  I've been having to download everything from another computer via USB and transfer. 

 

still not figuring out the paste.  so log files attached below from farbar fix and the combofix . sorry

combofix.txt

Fixlog.txt

[Naathim]

Before we continue do the following:

 

Go to the C:\ drive and double-click the C:\CF-Submit.htm file.

[spotldr]

I sent the file and it was successful. I reset Internet Explorer and downloaded MSE. Turned it on with malwarebytes. So far, so good. Went on bing and noh in about blocking outbounds. Wow. How did you figure this out? Not trusting enough to enter any passwords yet, though. I'm usually very conservative, so not sure where or when I got infected. Perfect timeing for a Halloween scare. I prefer Orlando's version of a horror night.

[Naathim]

I'd like to take a fresh look now. The submitted file was clean



Scan with Farbar Recovery Scan Tool

Please re-run Farbar Recovery Scan Tool.

• Right-click on icon and select Run as Administrator to start the tool.
  > XP users click run after receipt of Windows Security Warning - Open File.
  > 8 users will be prompted about Windows SmartScreen protection - click More information and Run.
• Make sure that Addition option is checked.
• Press Scan button and wait.
• The tool will produce two logfiles on your desktop: FRST.txt and Addition.txt.

Please include their content in your next reply.

[spotldr]

ok, so actually, the computer is not so great.  It won't let me go to the malwarebytes forum or outlook. I can click on other sites from bing, but not those and I can't go to yahoo or many of my favorites.  it does nothing.  just stays on the current site.  a blank screen if I try to set internet explorer to open to any of them.  So I'm back to the other computer to post again.

Addition.txt

FRST.txt

[spotldr]

I contacted Microsoft and all of a sudden everything seems to be working.  So Weird.  No way It was on their end or worked that fast.  My computer has to be haunted.

[spotldr]

5 internet explorers were running when I hit task manager.  Yep. something is off still.

[Naathim]

Hm.

Scan with Gmer

This type of scan often produces false positives. At any point do not take any action for any suspicious entries you may see there. Instead post the log to be analyzed.

Please download GMER by Gmer and save the file to your desktop.

It will come as a randomly named file (like a6ge38b4.exe) - that's absolutely normal.

Temporary disable your AntiVirus and AntiSpyware protection - instructions here.

If you are a user of CD emulation software (like Daemon Tools or Alcohol) also disable it for the cleaning process - instructions here.

• Right-click on randomly named icon and select Run as Administrator to start the tool.
• It is very important that you do not use your computer while Gmer is running!
• Gmer will open to the Rootkit/Malware tab and perform an automatic quick scan.
• If you receive a warning about rootkit activity and are asked to fully scan your system click NO!

When the pre-scan is completed, please do the following:

• Please check in the Quick scan box.
• Please uncheck the IAT/EAT and Show All.
• Click Scan.
• If you see a rootkit warning window click OK.
• When the scan is finished, Save the results to your desktop as gmer.log.

Please include the content of this file in your next reply.

Don't forget to re-enable previously switched-off protection software!

If you encounter any problems, try running GMER in Safe Mode.

If GMER crashes or keeps resulting in a Blue Screen of Death, uncheck Devices on the right side before scanning.

[spotldr]

Here is the Gmer log.

gmer.log

[Naathim]

I have another similar case like yours. I'm consulting it with some experts and it may take a day or two more. Could you please do the following:

Scan with PCHunter

Please download PCHunter by Epoolsoft and save the file to your desktop.

It will come as a zipped file, so you'll have to unzip it before use. You may do it by right-clicking on its icon and choosing Extract All. Extract it to your desktop.

• Enter the PCHunter_free folder. You will see two versions of the tool there:

  > PCHunter32 for 32-bit Windows versions

  > PCHunter64 for 64-bit Windows versions

• Run the correct one by right-click on icon and select Run as Administrator.
• Navigate to the Examination tab.
• In the left panel, make sure that these are checked for reviiew:
  • Process
  • Kernel Module
  • Kernel
  • Ring0 hooks
  • Ring3 hooks
  • Network
  • Startup info
  • Other
• Press the Generate examination report button at the bottom.
• It is very important that you should not use your machine while the scan is in progress!
• When finished, press the Export examination report button at the bottom and save the file to your desktop (name it like PCHunterScan).

Please attach that file to your next reply.

To attach it:

- after typing in your message, click More reply options instead of Post.

- below the post preview and the post editor, you should be able to see Attach files option - please click Choose file.

- in the pop-up window navigate to the desktop. Choose the one named Application.zip and attach it.

If the file will be to big to attach it (it may happen), then please host it on a Dropbox account or a site like mediafire.com, providing me the link to the uploaded file.

[spotldr]

I hope I did this correct.

PCHunterScan.txt

[Naathim]

OK, I will go with those to experts. Please wait, I will come back once we will have something more.

[spotldr]

Just a FYI. It seems the other computer I was using to share the files from the infected computer is now infected with the dllhost.exe Com surrogate virus. And It won't let me download malwarebytes but MSE was running prior without detecting it..

[Naathim]

The other computer is infected?

Are they in the same network?

We're trying to rework the distribution of the Poweliks... What way you were sharing those files?

[spotldr]

I have the computers on the same Verizon fios modem and shared printers. I did disconnect the infected from wired and it doesn't have wifi. I was downloading the files via USB and transferring to the infected and coping the reports to the same USB and adding to my replies directly from the USB drive. Could the modem/router be infected. Malewarebytes found a Trojan when I did a custom root kit scan. I haven't even turned the original infected computer on or opened any emails but these and from my kids teachers.

[spotldr]

Should I give up and re install windows on the computers, or are they OK I'd malwarebytes and mse aren't finding or catching anything? Is there a special way to re install. I can't find the back up I made long ago and the other I never did. I don't have the drivers for it.

[Naathim]

Hello,

I'm very sorry for the delay. I am also surprised that nobody jumped in, as I reported my absence in the private room. Since some time has passed, please post back if you still require assistance. I am back online nad will do my best to help you.