
MSE keeps detecting Trojan:JS/Medfos.B


  • This topic is locked
16 replies to this topic

#1 sipseal

sipseal

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:03:20 PM

Posted 23 November 2012 - 08:54 AM

I keep getting popups from MSE every 5 minutes saying that "Detected threats are being cleaned. No action needed". When I look under the History tab on MSE, I find that the quarantined items are all Trojan:JS/Medfos.B. My DDS.txt log is below.

DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 9.0.8112.16455 BrowserJavaVersion: 1.6.0_29
Run by sipseal at 8:40:46 on 2012-11-23
Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.1963.384 [GMT -5:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {B140BF4E-23BB-4198-90AB-A51A4C60A69C}
SP: Microsoft Security Essentials *Enabled/Updated* {0A215EAA-0581-4E16-AA1B-9E6837E7EC21}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Program Files (x86)\Panasonic\PNotif\PNotif.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Program Files (x86)\Common Files\logishrd\LVMVFM\UMVPFSrv.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\AEADISRV.EXE
C:\Program Files (x86)\Bonjour\mDNSResponder.exe
C:\Windows\SysWOW64\EtmService.exe
C:\Windows\system32\svchost.exe -k HsfXAudioService
C:\Windows\System32\svchost.exe -k LPDService
C:\Windows\System32\svchost.exe -k HPZ12
C:\Program Files\Panasonic\PPlanEx\opdoffsv.exe
C:\Program Files (x86)\Panasonic\pcinfo\PCInfoPi.exe
C:\Program Files (x86)\Panasonic\pcinfo\PCInfoSV.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Program Files (x86)\Panasonic\Selsussv\selsussv.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\SysWOW64\tskman.exe
C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files (x86)\Panasonic\Hotkey Appendix\HKeyApp.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Panasonic\PPlanEx\PPlanEx.exe
C:\Program Files\Panasonic\WSwitch\WSwitch.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Panasonic\OptiView\FS_ZOOMFilt.exe
C:\Windows\SysWOW64\rundll32.exe
C:\Program Files (x86)\Panasonic\PPopup\ppopup.exe
C:\Program Files\Panasonic\PPlanEx\ChgBmode.exe
C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe
C:\Program Files (x86)\Panasonic\Hotkey Appendix\hkeyapp.exe
C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
C:\Program Files\Microsoft Security Client\NisSrv.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files (x86)\Panasonic\WheelPad\Touchpad.exe
C:\Users\sipseal\AppData\Roaming\Dropbox\bin\Dropbox.exe
C:\Program Files\Panasonic\OptiView\ViewPnl.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\SearchIndexer.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Windows\system32\SearchProtocolHost.exe
C:\Program Files (x86)\Opera\opera.exe
C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
C:\Users\sipseal\AppData\Local\Google\Google Talk Plugin\googletalkplugin.exe
C:\Windows\sysWOW64\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k SDRSVC
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = www.nytimes.com
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll
BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
BHO: Adobe PDF Conversion Toolbar Helper: {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
BHO: SmartSelect Class: {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
uRun: [Google Update] "C:\Users\sipseal\AppData\Local\Google\Update\GoogleUpdate.exe" /c
uRun: [SpybotSD TeaTimer] C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
uRun: [tinlb] "C:\Windows\System32\rundll32.exe" "C:\Users\sipseal\AppData\Roaming\tinlb.dll",Import
mRun: [SoundMAXPnP] C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe
mRun: [Panasonic Hotkey Manager] C:\Program Files (x86)\Panasonic\Hotkey Appendix\HKEYAPP.EXE
mRun: [PCinfo] C:\Program Files (x86)\Panasonic\pcinfo\PcInfoUt.exe
mRun: [IAStorIcon] C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
mRun: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe"
mRun: [QuickTime Task] "D:\Program Files\QuickTime\QTTask.exe" -atboottime
StartupFolder: C:\Users\sipseal\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Dropbox.lnk - C:\Users\sipseal\AppData\Roaming\Dropbox\bin\Dropbox.exe
StartupFolder: C:\Users\sipseal\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\ONENOT~1.LNK - C:\Program Files (x86)\Microsoft Office\Office12\ONENOTEM.EXE
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\OPTIMI~1.LNK - C:\Program Files\Panasonic\OptiView\FS_ZOOMFilt.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\PCINFO~1.LNK - C:\Program Files (x86)\Panasonic\PPopup\ppopup.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\TOUCHP~1.LNK - C:\Program Files (x86)\Panasonic\WheelPad\Touchpad.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:255
uPolicies-Explorer: NoAutorun = dword:1
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-Explorer: NoAutorun = dword:1
mPolicies-Explorer: NoDriveTypeAutoRun = dword:255
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: Append Link Target to Existing PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~2\Office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office12\ONBttnIE.dll
IE: {7F9DB11C-E358-4ca6-A83D-ACC663939424} - {9999A076-A9E2-4C99-8A2B-632FC9429223}
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll
.
INFO: HKCU has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
.
INFO: HKLM has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
TCP: NameServer = 192.168.1.1
TCP: Interfaces\{08B8ED23-201F-45B9-B756-36DFEA2AB2A9} : DHCPNameServer = 134.174.141.2 134.174.17.6
TCP: Interfaces\{3E2926BD-7107-4742-B8D6-F73FCFE2AADD} : DHCPNameServer = 192.168.1.1
TCP: Interfaces\{3E2926BD-7107-4742-B8D6-F73FCFE2AADD}\0527F66796E6365647F677E60294E6E6028294E6E602C4F626269792 : DHCPNameServer = 192.168.0.1
TCP: Interfaces\{3E2926BD-7107-4742-B8D6-F73FCFE2AADD}\36F666665656F4 : DHCPNameServer = 192.168.2.1
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveSystemServices.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll
SSODL: WebCheck - <orphaned>
SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
x64-Run: [SynTPEnh] C:\Program Files (x86)\Synaptics\SynTP\SynTPEnh.exe
x64-Run: [SoundMAX] C:\Program Files (x86)\Analog Devices\SoundMAX\soundmax.exe /tray
x64-Run: [IgfxTray] C:\Windows\System32\igfxtray.exe
x64-Run: [HotKeysCmds] C:\Windows\System32\hkcmd.exe
x64-Run: [Persistence] C:\Windows\System32\igfxpers.exe
x64-Run: [PPlanEx] C:\Program Files\Panasonic\PPlanEx\PPlanEx.exe
x64-Run: [WSwitch] C:\Program Files\Panasonic\WSwitch\WSwitch.exe
x64-Run: [MSC] "C:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
x64-IE: {7F9DB11C-E358-4ca6-A83D-ACC663939424} - {9999A076-A9E2-4C99-8A2B-632FC9429223}
.
INFO: x64-HKLM has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
x64-Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - <orphaned>
x64-Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - <orphaned>
x64-Notify: igfxcui - igfxdev.dll
x64-SSODL: WebCheck - <orphaned>
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\sipseal\AppData\Roaming\Mozilla\Firefox\Profiles\4udgjyrw.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/calendar/
FF - plugin: C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\Air\nppdf32.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: C:\Users\sipseal\AppData\Local\Google\Update\1.3.21.123\npGoogleUpdate3.dll
FF - plugin: C:\Users\sipseal\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll
FF - plugin: C:\Users\sipseal\AppData\Roaming\Mozilla\plugins\npgtpo3dautoplugin.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_3_300_268.dll
FF - plugin: D:\Program Files\QuickTime\Plugins\npqtplugin.dll
FF - plugin: D:\Program Files\QuickTime\Plugins\npqtplugin2.dll
FF - plugin: D:\Program Files\QuickTime\Plugins\npqtplugin3.dll
FF - plugin: D:\Program Files\QuickTime\Plugins\npqtplugin4.dll
FF - plugin: D:\Program Files\QuickTime\Plugins\npqtplugin5.dll
FF - plugin: D:\Program Files\QuickTime\Plugins\npqtplugin6.dll
FF - plugin: D:\Program Files\QuickTime\Plugins\npqtplugin7.dll
FF - ExtSQL: 2012-11-23 08:20; {56702f58-5620-4c32-a906-4271537ab80f}; C:\Users\sipseal\AppData\Roaming\Mozilla\Firefox\Profiles\4udgjyrw.default\extensions\{56702f58-5620-4c32-a906-4271537ab80f}.xpi
.
============= SERVICES / DRIVERS ===============
.
R0 MpFilter;Microsoft Malware Protection Driver;C:\Windows\System32\drivers\MpFilter.sys [2012-8-30 228768]
R2 ETMService;Intel® Dynamic Power Performance Management Service Application;C:\Windows\SysWOW64\etmservice.exe [2010-3-7 223768]
R2 HsfXAudioService;HsfXAudioService;C:\Windows\System32\svchost.exe -k HsfXAudioService [2009-7-13 27136]
R2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2010-10-13 13336]
R2 NisDrv;Microsoft Network Inspection System;C:\Windows\System32\drivers\NisDrvWFP.sys [2010-10-24 128456]
R2 OPDOFFSV;Panasonic Opdoff Utility;C:\Program Files\Panasonic\PPlanEx\opdoffsv.exe [2010-3-7 636736]
R2 PcInfoPi;Panasonic PC Information Viewer Service 2;C:\Program Files (x86)\Panasonic\pcinfo\PcInfoPi.exe [2010-3-7 46912]
R2 PcInfoSV;Panasonic PC Information Viewer;C:\Program Files (x86)\Panasonic\pcinfo\PCInfoSV.exe [2010-3-7 235392]
R2 SBSDWSCService;SBSD Security Center Service;C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2010-4-15 1153368]
R2 SELSUSSV;Panasonic USB Selective Suspend Manager;C:\Program Files (x86)\Panasonic\Selsussv\selsussv.exe [2010-3-7 76672]
R2 UMVPFSrv;UMVPFSrv;C:\Program Files (x86)\Common Files\logishrd\LVMVFM\UMVPFSrv.exe [2011-8-19 450848]
R3 e1yexpress;Intel® Gigabit Network Connections Driver;C:\Windows\System32\drivers\e1y62x64.sys [2010-3-7 287960]
R3 EtmCpu;EtmCpu;C:\Windows\System32\drivers\EtmDevCpu.sys [2010-3-7 32256]
R3 EtmDevGen;EtmDevGen;C:\Windows\System32\drivers\EtmDevGen.sys [2010-3-7 23552]
R3 EtmDrvMgr;EtmDrvMgr;C:\Windows\System32\drivers\EtmDrvMgr.sys [2010-3-7 58368]
R3 EtmFan;EtmFan;C:\Windows\System32\drivers\EtmDevFan.sys [2010-3-7 13824]
R3 EtmGmchMem;EtmGmchMem;C:\Windows\System32\drivers\EtmDevGmch.sys [2010-3-7 108032]
R3 netw5v64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;C:\Windows\System32\drivers\NETw5v64.sys [2010-3-7 5435904]
R3 NewMisc;Panasonic Misc Driver;C:\Windows\System32\drivers\nmisc64.sys [2010-3-7 66112]
R3 NisSrv;Microsoft Network Inspection;C:\Program Files\Microsoft Security Client\NisSrv.exe [2012-9-12 368896]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 SkypeUpdate;Skype Updater;C:\Program Files (x86)\Skype\Updater\Updater.exe [2012-7-3 160944]
S3 CAXHWAZL;CAXHWAZL;C:\Windows\System32\drivers\CAXHWAZL.sys [2010-3-7 292864]
S3 epmntdrv;epmntdrv;C:\Windows\System32\epmntdrv.sys [2012-10-31 16776]
S3 EuGdiDrv;EuGdiDrv;C:\Windows\System32\EuGdiDrv.sys [2012-10-31 9096]
S3 LVUVC64;Logitech Webcam C260(UVC);C:\Windows\System32\drivers\lvuvc64.sys [2011-8-19 4869024]
S3 SrvHsfHDA;SrvHsfHDA;C:\Windows\System32\drivers\VSTAZL6.SYS [2009-7-13 292864]
S3 SrvHsfV92;SrvHsfV92;C:\Windows\System32\drivers\VSTDPV6.SYS [2009-7-13 1485312]
S3 SrvHsfWinac;SrvHsfWinac;C:\Windows\System32\drivers\VSTCNXT6.SYS [2009-7-13 740864]
S3 StorSvc;Storage Service;C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 27136]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2011-7-10 59392]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2010-4-12 1255736]
SUnknown zwttqoru;zwttqoru; [x]
.
=============== Created Last 30 ================
.
2012-11-23 13:21:09 76232 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{D1E5EB3B-4094-481B-88E5-C044F270CD1B}\offreg.dll
2012-11-23 13:09:40 9125352 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{D1E5EB3B-4094-481B-88E5-C044F270CD1B}\mpengine.dll
2012-11-22 22:44:16 579880 ----a-w- C:\Windows\System32\dsNcSmartCardProv.dll
2012-11-22 22:44:16 405288 ----a-w- C:\Windows\System32\dsNcCredProv.dll
2012-11-22 22:43:28 -------- d-----w- C:\Program Files (x86)\Juniper Networks
2012-11-22 22:42:48 -------- d-----w- C:\Users\sipseal\AppData\Roaming\Juniper Networks
2012-11-22 04:05:48 9125352 ------w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-11-21 19:27:55 -------- d-----w- C:\Windows\rescache
2012-11-21 01:59:09 527360 ----a-w- C:\Users\sipseal\AppData\Roaming\tinlb.dll
2012-11-17 12:54:57 785512 ----a-w- C:\Windows\System32\drivers\Wdf01000.sys
2012-11-17 12:54:57 2560 ----a-w- C:\Windows\System32\drivers\en-US\wdf01000.sys.mui
2012-11-17 12:54:56 9728 ----a-w- C:\Windows\System32\Wdfres.dll
2012-11-17 12:54:56 54376 ----a-w- C:\Windows\System32\drivers\WdfLdr.sys
2012-11-17 12:40:45 87040 ----a-w- C:\Windows\System32\drivers\WUDFPf.sys
2012-11-17 12:40:45 198656 ----a-w- C:\Windows\System32\drivers\WUDFRd.sys
2012-11-17 12:40:44 84992 ----a-w- C:\Windows\System32\WUDFSvc.dll
2012-11-17 12:40:44 194048 ----a-w- C:\Windows\System32\WUDFPlatform.dll
2012-11-17 12:40:41 45056 ----a-w- C:\Windows\System32\WUDFCoinstaller.dll
2012-11-17 12:40:41 229888 ----a-w- C:\Windows\System32\WUDFHost.exe
2012-11-17 12:40:40 744448 ----a-w- C:\Windows\System32\WUDFx.dll
2012-11-14 06:48:36 95744 ----a-w- C:\Windows\System32\synceng.dll
2012-11-14 06:48:36 78336 ----a-w- C:\Windows\SysWow64\synceng.dll
2012-11-02 03:56:19 -------- d-----w- C:\Program Files (x86)\DNASTAR
2012-11-01 22:40:38 -------- d-----w- C:\Users\sipseal\AppData\Local\DNASTAR
2012-11-01 22:18:00 -------- d-----w- C:\ProgramData\SafeNet Sentinel
2012-11-01 22:18:00 -------- d-----w- C:\ProgramData\DNASTAR
2012-11-01 12:08:45 -------- d-----w- C:\Users\sipseal\AppData\Roaming\PerformerSoft
2012-11-01 12:08:44 19000 ----a-w- C:\Windows\System32\roboot64.exe
2012-11-01 12:08:20 -------- d-----w- C:\Users\sipseal\AppData\Roaming\BitZipper
2012-11-01 01:22:10 9096 ----a-w- C:\Windows\System32\EuGdiDrv.sys
2012-11-01 01:22:10 3316736 ----a-w- C:\Windows\System32\BootMan.exe
2012-11-01 01:22:10 3316736 ----a-w- C:\Windows\System32\ BootMan.exe
2012-11-01 01:22:10 2468520 ----a-w- C:\Windows\SysWow64\BootMan.exe
2012-11-01 01:22:10 2468520 ----a-w- C:\Windows\SysWow64\ BootMan.exe
2012-11-01 01:22:10 19840 ----a-w- C:\Windows\SysWow64\EuEpmGdi.dll
2012-11-01 01:22:10 16776 ----a-w- C:\Windows\System32\epmntdrv.sys
2012-11-01 01:22:10 16256 ----a-w- C:\Windows\System32\EuEpmGdi.dll
2012-11-01 01:22:10 100232 ----a-w- C:\Windows\System32\setupempdrvx64.exe
2012-11-01 01:22:09 86408 ----a-w- C:\Windows\SysWow64\setupempdrv03.exe
2012-11-01 01:22:09 8456 ----a-w- C:\Windows\SysWow64\EuGdiDrv.sys
2012-11-01 01:22:09 14216 ----a-w- C:\Windows\SysWow64\epmntdrv.sys
2012-11-01 01:21:55 -------- d-----w- C:\Program Files (x86)\EaseUS
2012-10-29 11:07:21 96224 ----a-w- C:\Program Files (x86)\Mozilla Firefox\webapprt-stub.exe
2012-10-29 11:07:21 157272 ----a-w- C:\Program Files (x86)\Mozilla Firefox\webapp-uninstaller.exe
2012-10-29 11:06:19 16192 ----a-w- C:\Program Files (x86)\Mozilla Firefox\plugins\NPOFF12.DLL
2012-10-29 11:06:19 159744 ----a-w- C:\Program Files (x86)\Mozilla Firefox\plugins\npqtplugin7.dll
2012-10-29 11:06:19 159744 ----a-w- C:\Program Files (x86)\Mozilla Firefox\plugins\npqtplugin6.dll
2012-10-29 11:06:19 159744 ----a-w- C:\Program Files (x86)\Mozilla Firefox\plugins\npqtplugin5.dll
2012-10-29 11:06:19 159744 ----a-w- C:\Program Files (x86)\Mozilla Firefox\plugins\npqtplugin4.dll
2012-10-29 11:06:19 159744 ----a-w- C:\Program Files (x86)\Mozilla Firefox\plugins\npqtplugin3.dll
2012-10-29 11:06:19 159744 ----a-w- C:\Program Files (x86)\Mozilla Firefox\plugins\npqtplugin2.dll
2012-10-29 11:06:19 159744 ----a-w- C:\Program Files (x86)\Mozilla Firefox\plugins\npqtplugin.dll
2012-10-29 11:06:19 103904 ----a-w- C:\Program Files (x86)\Mozilla Firefox\plugins\nppdf32.dll
2012-10-29 11:06:18 476904 ----a-w- C:\Program Files (x86)\Mozilla Firefox\plugins\npdeployJava1.dll
.
==================== Find3M ====================
.
2012-10-18 18:25:58 3149824 ----a-w- C:\Windows\System32\win32k.sys
2012-10-09 18:17:13 55296 ----a-w- C:\Windows\System32\dhcpcsvc6.dll
2012-10-09 18:17:13 226816 ----a-w- C:\Windows\System32\dhcpcore6.dll
2012-10-09 17:40:31 44032 ----a-w- C:\Windows\SysWow64\dhcpcsvc6.dll
2012-10-09 17:40:31 193536 ----a-w- C:\Windows\SysWow64\dhcpcore6.dll
2012-10-08 11:31:03 2312704 ----a-w- C:\Windows\System32\jscript9.dll
2012-10-08 11:23:52 1392128 ----a-w- C:\Windows\System32\wininet.dll
2012-10-08 11:22:55 1494528 ----a-w- C:\Windows\System32\inetcpl.cpl
2012-10-08 11:18:22 173056 ----a-w- C:\Windows\System32\ieUnatt.exe
2012-10-08 11:17:35 599040 ----a-w- C:\Windows\System32\vbscript.dll
2012-10-08 11:13:33 2382848 ----a-w- C:\Windows\System32\mshtml.tlb
2012-10-08 07:56:24 1800704 ----a-w- C:\Windows\SysWow64\jscript9.dll
2012-10-08 07:48:03 1129472 ----a-w- C:\Windows\SysWow64\wininet.dll
2012-10-08 07:47:44 1427968 ----a-w- C:\Windows\SysWow64\inetcpl.cpl
2012-10-08 07:44:05 142848 ----a-w- C:\Windows\SysWow64\ieUnatt.exe
2012-10-08 07:43:21 420864 ----a-w- C:\Windows\SysWow64\vbscript.dll
2012-10-08 07:40:56 2382848 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2012-10-03 17:56:54 1914248 ----a-w- C:\Windows\System32\drivers\tcpip.sys
2012-10-03 17:44:21 70656 ----a-w- C:\Windows\System32\nlaapi.dll
2012-10-03 17:44:21 303104 ----a-w- C:\Windows\System32\nlasvc.dll
2012-10-03 17:44:17 246272 ----a-w- C:\Windows\System32\netcorehc.dll
2012-10-03 17:44:17 18944 ----a-w- C:\Windows\System32\netevent.dll
2012-10-03 17:44:16 216576 ----a-w- C:\Windows\System32\ncsi.dll
2012-10-03 17:42:16 569344 ----a-w- C:\Windows\System32\iphlpsvc.dll
2012-10-03 16:42:24 18944 ----a-w- C:\Windows\SysWow64\netevent.dll
2012-10-03 16:42:24 175104 ----a-w- C:\Windows\SysWow64\netcorehc.dll
2012-10-03 16:42:23 156672 ----a-w- C:\Windows\SysWow64\ncsi.dll
2012-10-03 16:07:26 45568 ----a-w- C:\Windows\System32\drivers\tcpipreg.sys
2012-09-30 00:54:26 25928 ----a-w- C:\Windows\System32\drivers\mbam.sys
2012-09-14 19:19:29 2048 ----a-w- C:\Windows\System32\tzres.dll
2012-09-14 18:28:53 2048 ----a-w- C:\Windows\SysWow64\tzres.dll
2012-08-31 18:19:35 1659760 ----a-w- C:\Windows\System32\drivers\ntfs.sys
2012-08-31 02:03:48 228768 ----a-w- C:\Windows\System32\drivers\MpFilter.sys
2012-08-31 02:03:48 128456 ----a-w- C:\Windows\System32\drivers\NisDrvWFP.sys
2012-08-30 18:03:45 5559664 ----a-w- C:\Windows\System32\ntoskrnl.exe
2012-08-30 17:12:02 3968880 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe
2012-08-30 17:12:02 3914096 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe
.
============= FINISH: 8:41:32.25 ===============
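
The helper reads a DDS log like the one above by eye. As an added example (not DDS's own code and not part of the instructions in this thread), here is a small Python triage script that runs over a few lines copied from the log and flags the two kinds of entry a responder looks at first: autorun values whose target sits in a user-writable directory such as AppData (the "uRun: [tinlb]" entry, where rundll32 loads a DLL from AppData\Roaming) and services whose image path cannot be resolved (the "SUnknown zwttqoru" line). The regular expressions, the heuristics and the finding format are my own assumptions about the DDS line layout; they are review prompts, not verdicts.

```python
import re
from typing import Dict, List

# Sample lines copied from the DDS log posted above (the "Pseudo HJT Report" and
# "SERVICES / DRIVERS" sections). The parser is an added triage aid, not DDS code.
SAMPLE_LOG = r"""
uRun: [Google Update] "C:\Users\sipseal\AppData\Local\Google\Update\GoogleUpdate.exe" /c
uRun: [tinlb] "C:\Windows\System32\rundll32.exe" "C:\Users\sipseal\AppData\Roaming\tinlb.dll",Import
mRun: [SoundMAXPnP] C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe
x64-Run: [MSC] "C:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
R0 MpFilter;Microsoft Malware Protection Driver;C:\Windows\System32\drivers\MpFilter.sys [2012-8-30 228768]
SUnknown zwttqoru;zwttqoru; [x]
"""

# uRun / mRun / x64-Run lines: hive prefix, [value name], then the command line.
RUN_RE = re.compile(r'^(?P<hive>u|m|x64-)Run:\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$')
# Service/driver lines (assumed layout): state, name;description;image path [date size]
SVC_RE = re.compile(r'^(?P<state>R\d|S\d|SUnknown)\s+(?P<name>[^;]*);(?P<desc>[^;]*);(?P<rest>.*)$')
# A quoted path, or a bare drive-letter path up to a known executable extension.
PATH_RE = re.compile(
    r'"([^"]+)"|([A-Za-z]:\\.*?\.(?:exe|dll|sys|cpl|scr|bat|cmd|vbs|js))\b',
    re.IGNORECASE)
# Directories an unprivileged user can write to; persistence there deserves a look.
USER_WRITABLE = re.compile(r'\\(AppData|Temp|ProgramData|Users\\Public)\\', re.IGNORECASE)


def extract_paths(cmd: str) -> List[str]:
    """Return every file path referenced on an autorun command line, in order."""
    return [quoted or bare for quoted, bare in PATH_RE.findall(cmd)]


def triage(log_text: str) -> List[Dict[str, str]]:
    """Flag autorun entries and services that merit manual review.

    These are heuristics, not verdicts: legitimate per-user installers
    (Google Update in the sample) also run from AppData.
    """
    findings: List[Dict[str, str]] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        run = RUN_RE.match(line)
        if run:
            paths = extract_paths(run.group('cmd'))
            writable = [p for p in paths if USER_WRITABLE.search(p)]
            if not writable:
                continue
            reason = 'autorun target in a user-writable directory'
            # rundll32 is a trusted host binary; the interesting part is the DLL it loads.
            if paths[0].lower().endswith('rundll32.exe') and len(paths) > 1:
                reason = 'rundll32 loads a DLL from a user-writable directory'
            findings.append({'kind': 'run', 'name': run.group('name'),
                             'reason': reason, 'evidence': '; '.join(writable)})
            continue
        svc = SVC_RE.match(line)
        if svc:
            # The image path is everything before the optional "[date size]" tail.
            image = svc.group('rest').split('[', 1)[0].strip()
            if svc.group('state') == 'SUnknown' or not image:
                findings.append({'kind': 'service', 'name': svc.group('name'),
                                 'reason': 'service with no resolvable image path',
                                 'evidence': line})
    return findings


if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print(f"[{f['kind']}] {f['name']}: {f['reason']} ({f['evidence']})")
```

Run as-is, it lists three entries: Google Update, tinlb and zwttqoru. The first of these is a normal per-user updater, which is the point of labelling the output as review prompts; the second and third are the entries whose image files a responder would want to hash and check before anything is removed.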

#2 B-boy/StyLe/ (Bleeping Freestyler, Malware Response Team)

Posted 23 November 2012 - 10:02 AM

Hello sipseal! Welcome to BleepingComputer Forums!

My name is Georgi and I will be helping you with your computer problems.

Before we begin, please note the following:
  • I will be working on your malware issues; this may or may not solve other issues you have with your machine.
  • The logs can take some time to research, so please be patient with me.
  • Stay with the topic until I tell you that your system is clean. The absence of symptoms does not mean that everything is okay.
  • Instructions that I give are for your system only!
  • Please do not run any tools until requested! The reason for this is so I know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.
  • Please perform all steps in the order received. If you can't understand something don't hesitate to ask.
  • Again I would like to remind you to make no further changes to your computer unless I direct you to do so. I will not help you if you do not follow my instructions.



Please follow the instructions below:


  • Please download OTL from the link below:
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • OTL should now start. Change the following settings:
    - Click on the Scan All Users checkbox at the top.
    - Under File Scans, change File age to 90
    - Change Standard Registry to All
    - Check the boxes beside LOP Check and Purity Check
  • Copy and paste the following code into the custom scan textbox.
  • Don't copy the word "quoted"

    netsvcs
    msconfig
    safebootminimal
    safebootnetwork
    activex
    drivers32
    %SYSTEMDRIVE%\*.*
    %USERPROFILE%\*.*
    %USERPROFILE%\temp\*.exe
    %USERPROFILE%\AppData\Local\*.*
    %USERPROFILE%\AppData\Local\*.
    %USERPROFILE%\AppData\Local\temp\*.exe
    %USERPROFILE%\AppData\Roaming\*.*
    %USERPROFILE%\AppData\Roaming\*.
    %Public%\Documents\Softwrap\YOYOGAMESGM70FINAL\*.exe
    %Public%\Documents\Fonts\*.exe
    %Public%\Documents\Config\*.exe
    %Public%\Documents\*.*
    %ProgramData%\*.*
    %ProgramData%\*.
    %CommonProgramFiles%\*.*
    %CommonProgramFiles%\ComObjects*.exe
    %commonprogramfiles(x86)%\*.*
    %programfiles%\*.*
    %programfiles%\*.
    %ProgramFiles(x86)%\*.*
    %ProgramFiles(x86)%\*.
    %systemroot%\system32\config\systemprofile\AppData\Local\*.*
    %systemroot%\system32\config\systemprofile\AppData\Roaming\*.*
    %windir%\SysWOW64\config\systemprofile\AppData\Local\*.*
    %windir%\SysWOW64\config\systemprofile\AppData\Roaming\*.*
    %windir%\ServiceProfiles\LocalService\AppData\Local\Temp\*.tlb
    %windir%\ServiceProfiles\NetworkService\AppData\Local\Temp\*.tlb
    %windir%\temp\*.exe
    %windir%\*.
    %windir%\installer\*.
    %windir%\system32\*.
    %windir%\sysnative\*.
    %Temp%\smtmp\1\*.*
    %Temp%\smtmp\2\*.*
    %Temp%\smtmp\3\*.*
    %Temp%\smtmp\4\*.*
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\syswow64\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\system32\drivers\*.sys /90
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\syswow64\drivers\*.sys /90
    %systemroot%\syswow64\drivers\*.sys /lockedfiles
    %systemroot%\system32\Spool\prtprocs\w32x86\*.dll
    %systemroot%\*. /rp /s
    %systemroot%\assembly\tmp\*.* /S /MD5
    %systemroot%\assembly\temp\*.* /S /MD5
    %systemroot%\assembly\GAC\*.ini
    %systemroot%\assembly\GAC_32\*.ini
    %systemroot%\assembly\GAC_64\*.ini
    %SystemRoot%\assembly\GAC_MSIL\*.ini
    wsSystemRoot|l,n,u,@;True;False;True;$,{ /fn
    %systemdrive%\$Recycle.Bin|@;true;true;true /fp
    HKEY_CLASSES_ROOT\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24} /s
    HKEY_CLASSES_ROOT\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1} /s
    HKEY_CURRENT_USER\Software\Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1} /s
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1} /s
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1} /s
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8} /s
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24} /s
    HKEY_CLASSES_ROOT\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F} /s
    HKEY_CLASSES_ROOT\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9} /s
    HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9} /s
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F} /s
    HKEY_CURRENT_USER\Software\Classes\clsid\{12d0253a-7c96-815c-11e0-3034bbd97cc0}] /s
    HKEY_CURRENT_USER\Software\MSOLoad /s
    bcdedit /enum all /v >C:\boot.txt /c
    >C:\commands.txt echo list vol /raw /hide /c
    /wait
    >C:\DiskReport.txt diskpart /s C:\commands.txt /raw /hide /c
    /wait
    type c:\diskreport.txt /c
    /wait
    erase c:\commands.txt /hide /c
    /wait
    erase c:\diskreport.txt /hide /c
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    consrv.dll
    services.exe
    explorer.exe
    lsass.exe
    svchost.exe
    wininit.exe
    winlogon.exe
    userinit.exe
    atapi.sys
    iaStor.sys
    serial.sys
    volsnap.sys
    disk.sys
    redbook.sys
    i8042prt.sys
    afd.sys
    netbt.sys
    csc.sys
    tcpip.sys
    dfsc.sys
    hlp.dat
    str.sys
    crexv.ocx
    /md5stop

  • Push the Run Scan button.
  • One report will open; copy and paste it in a reply here:
    • OTL.txt <-- Will be opened


Regards,
Georgi
My help is always free of charge. If you appreciate my work, you can buy me a beer or two.

#3 sipseal


Posted 23 November 2012 - 10:21 AM

Unfortunately the report did not open. I received the following error message:

Cannot create file "C:\users\sipseal\Desktop\cmd.bat"



#4 B-boy/StyLe/ (Bleeping Freestyler, Malware Response Team)

Posted 23 November 2012 - 10:32 AM

Hi,

Usually, it happens only the first time.
Can you please restart the computer and try again? If no joy, use the script below; it should work:

netsvcs
msconfig
safebootminimal
safebootnetwork
activex
drivers32
%SYSTEMDRIVE%\*.*
%USERPROFILE%\*.*
%USERPROFILE%\temp\*.exe
%USERPROFILE%\AppData\Local\*.*
%USERPROFILE%\AppData\Local\*.
%USERPROFILE%\AppData\Local\temp\*.exe
%USERPROFILE%\AppData\Roaming\*.*
%USERPROFILE%\AppData\Roaming\*.
%Public%\Documents\Softwrap\YOYOGAMESGM70FINAL\*.exe
%Public%\Documents\Fonts\*.exe
%Public%\Documents\Config\*.exe
%Public%\Documents\*.*
%ProgramData%\*.*
%ProgramData%\*.
%CommonProgramFiles%\*.*
%CommonProgramFiles%\ComObjects*.exe
%commonprogramfiles(x86)%\*.*
%programfiles%\*.*
%programfiles%\*.
%ProgramFiles(x86)%\*.*
%ProgramFiles(x86)%\*.
%systemroot%\system32\config\systemprofile\AppData\Local\*.*
%systemroot%\system32\config\systemprofile\AppData\Roaming\*.*
%windir%\SysWOW64\config\systemprofile\AppData\Local\*.*
%windir%\SysWOW64\config\systemprofile\AppData\Roaming\*.*
%windir%\ServiceProfiles\LocalService\AppData\Local\Temp\*.tlb
%windir%\ServiceProfiles\NetworkService\AppData\Local\Temp\*.tlb
%windir%\temp\*.exe
%windir%\*.
%windir%\installer\*.
%windir%\system32\*.
%windir%\sysnative\*.
%Temp%\smtmp\1\*.*
%Temp%\smtmp\2\*.*
%Temp%\smtmp\3\*.*
%Temp%\smtmp\4\*.*
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\syswow64\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\system32\drivers\*.sys /90
%systemroot%\system32\drivers\*.sys /lockedfiles
%systemroot%\syswow64\drivers\*.sys /90
%systemroot%\syswow64\drivers\*.sys /lockedfiles
%systemroot%\system32\Spool\prtprocs\w32x86\*.dll
%systemroot%\*. /rp /s
%systemroot%\assembly\tmp\*.* /S /MD5
%systemroot%\assembly\temp\*.* /S /MD5
%systemroot%\assembly\GAC\*.ini
%systemroot%\assembly\GAC_32\*.ini
%systemroot%\assembly\GAC_64\*.ini
%SystemRoot%\assembly\GAC_MSIL\*.ini
wsSystemRoot|l,n,u,@;True;False;True;$,{ /fn
%systemdrive%\$Recycle.Bin|@;true;true;true /fp
HKEY_CLASSES_ROOT\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24} /s
HKEY_CLASSES_ROOT\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1} /s
HKEY_CURRENT_USER\Software\Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1} /s
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1} /s
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1} /s
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8} /s
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24} /s
HKEY_CLASSES_ROOT\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F} /s
HKEY_CLASSES_ROOT\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9} /s
HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9} /s
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F} /s
HKEY_CURRENT_USER\Software\Classes\clsid\{12d0253a-7c96-815c-11e0-3034bbd97cc0} /s
HKEY_CURRENT_USER\Software\MSOLoad /s
/md5start
eventlog.dll
scecli.dll
netlogon.dll
cngaudit.dll
sceclt.dll
ntelogon.dll
logevent.dll
consrv.dll
services.exe
explorer.exe
lsass.exe
svchost.exe
wininit.exe
winlogon.exe
userinit.exe
atapi.sys
iaStor.sys
serial.sys
volsnap.sys
disk.sys
redbook.sys
i8042prt.sys
afd.sys
netbt.sys
csc.sys
tcpip.sys
dfsc.sys
hlp.dat
str.sys
crexv.ocx
/md5stop



Regards,
Georgi

Edited by B-boy/StyLe/, 23 November 2012 - 10:32 AM.

My help is always free of charge. If you appreciate my work, you can buy me a beer or two by clicking here.

#5 sipseal
  • Topic Starter
  • Members
  • 7 posts
  • Local time:03:20 PM

Posted 23 November 2012 - 11:12 AM

Here are the contents of OTL.txt:

http://pastebin.com/f6evsQKs

Another report was generated as Extras.txt:

http://pastebin.com/Qpxibmhj

#6 B-boy/StyLe/
    Bleeping Freestyler
  • Malware Response Team
  • 6,387 posts
  • Gender:Male
  • Location:Bulgaria
  • Local time:11:20 PM

Posted 24 November 2012 - 03:55 AM

Hi,


We need to run an OTL Fix



  • Please reopen OTL on your desktop.
  • Copy and Paste the following code into the [image] textbox. Do not include the word "Code"

    :OTL
    MOD - [2012/11/20 20:59:10 | 000,527,360 | ---- | M] () -- C:\Users\sipseal\AppData\Roaming\tinlb.dll
    FF - prefs.js..extensions.enabledAddons: {56702f58-5620-4c32-a906-4271537ab80f}:2.0.14
    [2010/03/21 18:05:49 | 000,000,000 | ---D | M] (No name found) -- C:\Users\sipseal\AppData\Roaming\mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}
    [2012/11/23 08:20:40 | 000,002,391 | ---- | M] () (No name found) -- C:\Users\sipseal\AppData\Roaming\mozilla\firefox\profiles\4udgjyrw.default\extensions\{56702f58-5620-4c32-a906-4271537ab80f}.xpi
    O4 - HKLM..\Run: [] File not found
    O4 - HKU\S-1-5-21-3866111677-935689091-1683429776-1001..\Run: [tinlb] C:\Users\sipseal\AppData\Roaming\tinlb.dll ()
    [2010/05/12 06:04:13 | 000,000,000 | -HSD | M] -- C:\Windows\system32\%APPDATA%
    [2011/08/11 07:45:57 | 000,000,000 | -HSD | M] -- C:\Windows\sysnative\%APPDATA%
    :commands
    [emptytemp]

  • Push [image]
  • OTL may ask to reboot the machine. Please do so if asked.
  • Click [image].
  • A report will open. Copy and Paste that report in your next reply.
  • If a report is not shown please navigate to the C:\_OTL\MovedFiles folder, and open the newest .log file present.
  • Copy/paste the content of the log back here in your next post.
  • Now can you please go to C:\_OTL\MovedFiles and right click on the folder, select send to compressed(zip) folder that will make a zipped copy of this folder.
  • Then please upload it to http://www.bleepingcomputer.com/submit-malware.php?channel=122 so we can examine the files and submit to antivirus companies if needed.
  • After that please delete the zip files you just created.



Regards,
Georgi
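As an added example (not code from the thread, from OTL or from the helper), the read-only PowerShell audit below checks a machine for the two persistence traits the OTL fix above removes: a Run value whose target is a DLL living under %APPDATA% (here tinlb.dll, including the nameless "[]" Run entry OTL flagged) and Firefox add-ons listed in prefs.js under extensions.enabledAddons. It assumes a standard Firefox profile location and changes nothing; findings are returned as objects for review.

```powershell
# Added example (not from the thread): read-only audit for the two persistence traits
# the OTL fix above removed: a Run value pointing at a DLL under %APPDATA% (tinlb.dll)
# and Firefox add-ons listed in prefs.js extensions.enabledAddons. Nothing is changed.

function Get-SuspiciousRunEntries {
    $runKeys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
    )
    $meta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($meta -contains $p.Name) { continue }   # provider bookkeeping, not a Run value
            $value = [string]$p.Value
            $reasons = @()
            if ($value -match '\\AppData\\(Roaming|Local)\\') { $reasons += 'AppData' }
            if ($value -match '\.dll(\W|$)')                   { $reasons += 'DLL' }
            if ($p.Name -eq '(default)')                       { $reasons += 'EmptyName' }  # the "[]" entry OTL flagged
            if ($reasons) {
                [pscustomobject]@{ Key = $key; Name = $p.Name; Value = $value; Reason = ($reasons -join ',') }
            }
        }
    }
}

function Get-FirefoxEnabledAddons {
    # Assumed standard profile location; adjust if Firefox is installed elsewhere.
    $profiles = Join-Path $env:APPDATA 'Mozilla\Firefox\Profiles'
    if (-not (Test-Path $profiles)) { return }
    foreach ($prefs in Get-ChildItem -Path $profiles -Filter prefs.js -Recurse) {
        $hit = Select-String -Path $prefs.FullName -Pattern 'extensions\.enabledAddons' | Select-Object -First 1
        if (-not $hit) { continue }
        # Line looks like: user_pref("extensions.enabledAddons", "{guid}:2.0.14,foo@bar:1.0");
        if ($hit.Line -match '"([^"]*)"\);\s*$') {
            foreach ($entry in ($Matches[1] -split ',')) {
                $id, $ver = $entry -split ':', 2
                [pscustomobject]@{ Profile = $prefs.Directory.Name; AddonId = [uri]::UnescapeDataString($id); Version = $ver }
            }
        }
    }
}

Get-SuspiciousRunEntries | Format-Table -AutoSize
Get-FirefoxEnabledAddons | Format-Table -AutoSize
```

Any add-on id reported here that is not one you installed, or any Run value pointing at a DLL in a user-writable folder, is worth comparing against the OTL log before removing anything.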

#7 sipseal
  • Topic Starter
  • Members
  • 7 posts
  • Local time:03:20 PM

Posted 24 November 2012 - 10:01 AM

Thank you for your reply. I have submitted the .zip file.

All processes killed
========== OTL ==========
Releasing module C:\Users\sipseal\AppData\Roaming\tinlb.dll
C:\Users\sipseal\AppData\Roaming\tinlb.dll moved successfully.
Prefs.js: {56702f58-5620-4c32-a906-4271537ab80f}:2.0.14 removed from extensions.enabledAddons
C:\Users\sipseal\AppData\Roaming\mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384} folder moved successfully.
C:\Users\sipseal\AppData\Roaming\mozilla\firefox\profiles\4udgjyrw.default\extensions\{56702f58-5620-4c32-a906-4271537ab80f}.xpi moved successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\ not found.
Registry value HKEY_USERS\S-1-5-21-3866111677-935689091-1683429776-1001\Software\Microsoft\Windows\CurrentVersion\Run\\tinlb deleted successfully.
File C:\Users\sipseal\AppData\Roaming\tinlb.dll not found.
Folder C:\Windows\system32\%APPDATA%\ not found.
Folder C:\Windows\sysnative\%APPDATA%\ not found.
File ptytemp] not found.

OTL by OldTimer - Version 3.2.69.0 log created on 11242012_095441

Files\Folders moved on Reboot...

PendingFileRenameOperations files...

Registry entries deleted on Reboot...


Edited by sipseal, 24 November 2012 - 10:04 AM.


#8 B-boy/StyLe/
    Bleeping Freestyler
  • Malware Response Team
  • 6,387 posts
  • Gender:Male
  • Location:Bulgaria
  • Local time:11:20 PM

Posted 24 November 2012 - 11:59 AM

Hello,


Nice work.
Can you please rerun OTL and post the newest log when done scanning?
Thanks! :)



Regards,
Georgi

#9 sipseal
  • Topic Starter
  • Members
  • 7 posts
  • Local time:03:20 PM

Posted 24 November 2012 - 02:13 PM

I wasn't sure if I was supposed to run the fix (the 2nd code you gave me) or the scan (the 1st)... I ran the fix. I hope that's the right one!

All processes killed
========== OTL ==========
Prefs.js: {56702f58-5620-4c32-a906-4271537ab80f}:2.0.14 removed from extensions.enabledAddons
Folder C:\Users\sipseal\AppData\Roaming\mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\ not found.
File C:\Users\sipseal\AppData\Roaming\mozilla\firefox\profiles\4udgjyrw.default\extensions\{56702f58-5620-4c32-a906-4271537ab80f}.xpi not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\ not found.
Registry value HKEY_USERS\S-1-5-21-3866111677-935689091-1683429776-1001\Software\Microsoft\Windows\CurrentVersion\Run\\tinlb deleted successfully.
File C:\Users\sipseal\AppData\Roaming\tinlb.dll not found.
Folder C:\Windows\system32\%APPDATA%\ not found.
Folder C:\Windows\sysnative\%APPDATA%\ not found.
File ptytemp] not found.

OTL by OldTimer - Version 3.2.69.0 log created on 11242012_140820

Files\Folders moved on Reboot...

PendingFileRenameOperations files...

Registry entries deleted on Reboot...


Edited by sipseal, 24 November 2012 - 02:16 PM.


#10 B-boy/StyLe/
    Bleeping Freestyler
  • Malware Response Team
  • 6,387 posts
  • Gender:Male
  • Location:Bulgaria
  • Local time:11:20 PM

Posted 24 November 2012 - 03:33 PM

Hi,


No, I meant to have you run a new scan (not fix) with otl as described here. :)



Regards,
Georgi

#11 sipseal
  • Topic Starter
  • Members
  • 7 posts
  • Local time:03:20 PM

Posted 24 November 2012 - 07:19 PM

Sorry for the confusion. Here it is:

http://pastebin.com/JB1XHnm9

#12 B-boy/StyLe/
    Bleeping Freestyler
  • Malware Response Team
  • 6,387 posts
  • Gender:Male
  • Location:Bulgaria
  • Local time:11:20 PM

Posted 25 November 2012 - 04:49 AM

Hi,


Good. The log is clean.
How are things now?


Next let's check for leftovers.
Most of them should take no more than 5 minutes each.
Eset could take up to an hour or two depending on the size of your hard drive and the speed of your computer.
You can run these scans at night when you are not there and the computer is idle.



STEP 1



Please download the latest version of TDSSKiller from here and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application, then click on Change parameters.
  • Put a checkmark beside loaded modules.
  • A reboot will be needed to apply the changes. Do it.
  • TDSSKiller will launch automatically after the reboot. Also your computer may seem very slow and unusable. This is normal. Give it enough time to load your background programs.
  • Then click on Change parameters in TDSSKiller.
  • Check all boxes then click OK.
  • Click the Start Scan button.
  • The scan should take no longer than 2 minutes.
  • If a suspicious object is detected, the default action will be Skip, click on Continue.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
    Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
    Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.
  • A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.


STEP 2


  • Please download the newest version of Malwarebytes' Anti-Malware and install it.
  • Please start the application by double-clicking on its icon.
  • Once the program has loaded go to the UPDATE tab and check for updates.
  • When the update is complete, select the Scanner tab
  • Select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad.
  • Please save it to a convenient location and post the results in your next reply.



STEP 3


I'd like us to scan your machine with ESET OnlineScan


  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Run ESET Online Scanner button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on [image] to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the [image] icon on your desktop.
  • Check [image]
  • Click the [image] button.
  • Accept any security warnings from your browser.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push [image]
  • Push [image], and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the [image] button.
  • Push [image]


STEP 4



Please download Junkware Removal Tool to your desktop.
  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista or Seven, right-mouse click it and select Run as Administrator.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.


STEP 5



Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.



Regards,
Georgi

#13 B-boy/StyLe/
    Bleeping Freestyler
  • Malware Response Team
  • 6,387 posts
  • Gender:Male
  • Location:Bulgaria
  • Local time:11:20 PM

Posted 28 November 2012 - 07:17 AM

Hi,


Are you still with me?



Regards,
Georgi

#14 sipseal
  • Topic Starter
  • Members
  • 7 posts
  • Local time:03:20 PM

Posted 28 November 2012 - 08:05 AM

Yes I am! Sorry for the delay, it's taking me some time to get to doing all the scans. Thanks for your help so far!

#15 B-boy/StyLe/
    Bleeping Freestyler
  • Malware Response Team
  • 6,387 posts
  • Gender:Male
  • Location:Bulgaria
  • Local time:11:20 PM

Posted 28 November 2012 - 04:18 PM

Hi,


Thank you for letting me know. :)


Regards,
Georgi



