Infected with ZeroAccess rootkit.


  • This topic is locked
38 replies to this topic

#1 hpnutty

  • Members
  • 27 posts

Posted 08 December 2012 - 07:04 PM

Redirected here via Broni from this thread, MSE service stopped for a PC infected with ZeroAccess rootkit malware.

Problem Summary
Observed computer running MSE states "Security Essentials isn't monitoring your PC because the program's service has stopped. You should restart it now." after daughter downloaded "Deer Drive". MBAM full scan was run and found Trojan.0Access and Rootkit.0Access issues among others, which were removed, but the problem still exists (log below). MSE will not uninstall, the computer will not start in SAFE MODE, ActiveX Windows Update from the MSN site will not run, and neither will Windows Restore. Lastly, something has hijacked search from IE8, redirecting me from GOOGLE through diggerview.com to other "search" engines: http://63.209.69.107/search/web/, livesearch.com, http://beesq.net/find_1.php?k= etc.

I should add that my wife tried to extract the malware earlier this week. She could not recreate what she did.

Logs associated with other scans and processes (SecurityCheck, FSS, MiniToolBar, MBAM (twice), MBAM anti-rootkit, aswBAR, etc.) that I performed are available in the other thread. The first log in this thread is the DDS scan. DDS.TXT follows, and ATTACH.TXT is zipped and attached as attach.zip.

DDS Scan
DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_37
Run by Dad at 17:56:45 on 2012-12-08
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2174 [GMT -6:00]
.
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
============== Running Processes ================
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\AskPartnerNetwork\Toolbar\apnmcp.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\PROGRA~1\EPSONS~1\EVENTM~1\EEventManager.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Epson Software\FAX Utility\FUFAXSTM.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\AskPartnerNetwork\Toolbar\Updater\TBNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Apple\Apple Application Support\distnoted.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\SyncServer.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\System32\svchost.exe -k NetworkService
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\WINDOWS\System32\svchost.exe -k imgsvc
.
============== Pseudo HJT Report ===============
.
uWindow Title = Internet Explorer, optimized for Bing and MSN
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - <orphaned>
BHO: Adobe PDF Reader Link Helper: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Ask Toolbar: {4641532D-5636-006A-76A7-7A786E7484D7} -
BHO: PlayFizz Platinum Content Add-on: {757FAD76-20D9-4973-BD64-9208ED0A0624} - c:\documents and settings\rachel\local settings\application data\fizzplatinum\FizzPlatinumBHO.dll
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - c:\program files\google\googletoolbarnotifier\5.7.7529.1424\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Google Toolbar: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: Ask Toolbar: {4641532D-5636-006A-76A7-7A786E7484D7} -
TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: Ask Toolbar: {4641532D-5636-006A-76A7-7A786E7484D7} -
EB: {32683183-48a0-441b-a342-7c2a440a9478} - <orphaned>
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe"
mRun: [EEventManager] c:\progra~1\epsons~1\eventm~1\EEventManager.exe
mRun: [FUFAXSTM] "c:\program files\epson software\fax utility\FUFAXSTM.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [Alcmtr] ALCMTR.EXE
mRun: [ApnTBMon] "c:\program files\askpartnernetwork\toolbar\updater\TBNotifier.exe"
mRunOnce: [Z1] c:\downloads\malwarebytes\mbar\mbar\mbar.exe /cleanup /s
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1
mPolicies-Explorer: NoDriveTypeAutoRun = dword:145
IE: &Search - ?p=ZKxdm021YY99
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
LSP: mswsock.dll
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/sites/production/ieawsdc32.cab
DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} - hxxp://www.musicnotes.com/download/mnviewer.cab
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} - hxxp://www.systemrequirementslab.com/srl_bin/sysreqlab_srl.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1354658634203
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1209596290476
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_37-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0037-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_37-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_37-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - hxxp://ccfiles.creative.com/Web/softwareupdate/su2/ocx/15108/CTPID.cab
TCP: NameServer = 192.168.1.254
TCP: Interfaces\{0039EF62-CFA7-4B15-8EFD-41F09CE7F747} : DHCPNameServer = 192.168.1.254
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"
mASetup: {B2C3BB6B-E005-4246-B8E5-DF0A4D073CDC} - c:\program files\pixiepack codec pack\InstallerHelper.exe
.
============= SERVICES / DRIVERS ===============
.
R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2012-8-30 193552]
R2 APNMCP;Ask Update Service;c:\program files\askpartnernetwork\toolbar\apnmcp.exe [2012-11-28 166600]
R3 mbamchameleon;mbamchameleon;c:\windows\system32\drivers\mbamchameleon.sys [2012-12-8 35144]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 DlinkUDSMBus;DlinkUDSMBus;c:\windows\system32\drivers\dlinkudsmbus.sys --> c:\windows\system32\drivers\DlinkUDSMBus.sys [?]
S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [2012-11-24 13192]
S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [2012-11-24 8456]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2012-12-08 14:25:16 35144 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2012-12-08 13:03:43 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-12-08 11:52:43 -------- d-----w- c:\documents and settings\dad\local settings\application data\AskPartnerNetwork
2012-12-08 03:17:01 -------- d-----w- C:\6dcad03d9ea95c2e1d7bc7d92bce
2012-12-08 02:41:45 -------- d-----w- c:\documents and settings\dad\local settings\application data\PCHealth
2012-12-04 18:29:41 -------- d-----w- c:\documents and settings\all users\application data\3CA46B87AAF2344B00003CA42EE93A09
2012-12-04 18:28:57 61440 ---ha-w- c:\windows\system32\asr_nsta.dll
2012-12-04 04:40:04 6812136 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{4e801a85-7b51-48bc-9b86-8a9e4def5054}\mpengine.dll
2012-12-03 16:54:53 -------- d-----w- c:\program files\Oberon Media SIDR
2012-12-03 16:54:48 -------- d-----w- c:\program files\common files\Oberon Media
2012-12-03 16:54:11 -------- d-----w- c:\program files\The Weather Channel
2012-12-03 16:54:04 -------- d-----w- c:\documents and settings\all users\application data\Oberon Media
2012-12-03 16:53:37 -------- d-----w- c:\program files\Ask.com
2012-12-03 16:53:33 -------- d-----w- c:\program files\AskPartnerNetwork
2012-12-03 16:53:33 -------- d-----w- c:\documents and settings\all users\application data\AskPartnerNetwork
2012-12-03 16:53:18 -------- d-----w- c:\documents and settings\all users\application data\APN
2012-12-02 22:30:50 6812136 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2012-11-24 15:57:50 -------- d-----w- C:\4c5352c0703dfd705f09357521
2012-11-24 15:57:26 -------- d--h--w- c:\windows\msdownld.tmp
2012-11-24 15:57:09 -------- d-----w- c:\program files\Microsoft
2012-11-24 15:48:07 237072 ------w- c:\windows\system32\MpSigStub.exe
2012-11-24 15:45:09 -------- d-----w- c:\program files\Microsoft Security Client
2012-11-24 15:13:35 73728 ----a-w- c:\windows\system32\javacpl.cpl
2012-11-24 15:13:35 477168 ----a-w- c:\windows\system32\npdeployJava1.dll
2012-11-24 14:03:02 2468520 ----a-w- c:\windows\system32\BootMan.exe
2012-11-24 14:03:02 2468520 ----a-w- c:\windows\system32\¸´¼þ BootMan.exe
2012-11-24 14:03:02 19840 ----a-w- c:\windows\system32\EuEpmGdi.dll
2012-11-24 14:03:00 86408 ----a-w- c:\windows\system32\setupempdrv03.exe
2012-11-24 14:02:58 8456 ----a-w- c:\windows\system32\EuGdiDrv.sys
2012-11-24 14:02:55 13192 ----a-w- c:\windows\system32\epmntdrv.sys
2012-11-24 14:02:42 -------- d-----w- c:\program files\EaseUS
2012-11-24 09:48:37 521728 -c----w- c:\windows\system32\dllcache\jsdbgui.dll
2012-11-24 05:35:33 -------- d-----w- c:\program files\CCleaner
.
==================== Find3M ====================
.
2012-11-30 04:43:17 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-11-30 04:43:17 697272 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-11-24 15:13:20 473072 ----a-w- c:\windows\system32\deployJava1.dll
2012-10-22 08:37:31 1866368 ----a-w- c:\windows\system32\win32k.sys
2012-10-02 18:04:21 58368 ----a-w- c:\windows\system32\synceng.dll
.
============= FINISH: 18:00:08.75 ===============

Security Check Log

Results of screen317's Security Check version 0.99.56
Windows XP Service Pack 3 x86
Internet Explorer 8
``````````````Antivirus/Firewall Check:``````````````
Windows Security Center service is not running! This report may not be accurate
Microsoft Security Essentials
Antivirus up to date! (On Access scanning disabled!)
`````````Anti-malware/Other Utilities Check:`````````
Malwarebytes Anti-Malware version 1.65.1.1000
CCleaner
Java™ 6 Update 37
Java version out of Date!
Adobe Flash Player 10 Flash Player out of Date!
Adobe Reader 8 Adobe Reader out of Date!
Mozilla Firefox (3.5.13) Firefox out of Date!
````````Process Check: objlist.exe by Laurent````````

Microsoft Security Essentials msseces.exe
MalwareFix12-8-2012 securitycheck SecurityCheck.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C:: 12% Defragment your hard drive soon! (Do NOT defrag if SSD!)
````````````````````End of Log``````````````````````


Thank you for your response in advance!

Edited by hpnutty, 08 December 2012 - 07:41 PM.



#2 B-boy/StyLe/

    Bleeping Freestyler

  • Malware Response Team
  • 6,374 posts
  • Gender:Male
  • Location:Bulgaria

Posted 08 December 2012 - 08:03 PM

Hello hpnutty ! Welcome to BleepingComputer Forums! :welcome:

My name is Georgi and I will be helping you with your computer problems.

Before we begin, please note the following:
  • I will be working on your Malware issues; this may or may not solve other issues you have with your machine.
  • The logs can take some time to research, so please be patient with me.
  • Stay with the topic until I tell you that your system is clean. Missing symptoms does not mean that everything is okay.
  • Instructions that I give are for your system only!
  • Please do not run any tools until requested! The reason for this is so I know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.
  • Please perform all steps in the order received. If you can't understand something don't hesitate to ask.
  • Again I would like to remind you to make no further changes to your computer unless I direct you to do so. I will not help you if you do not follow my instructions.



STEP 1



Please download the latest version of TDSSKiller from here and save it to your Desktop.
  • Doubleclick on TDSSKiller.exe to run the application, then click on Change parameters.
  • Put a checkmark beside loaded modules.
  • A reboot will be needed to apply the changes. Do it.
  • TDSSKiller will launch automatically after the reboot. Also your computer may seem very slow and unusable. This is normal. Give it enough time to load your background programs.
  • Then click on Change parameters in TDSSKiller.
  • Check all boxes then click OK.
  • Click the Start Scan button.
  • The scan should take no longer than 2 minutes.
  • If a suspicious object is detected, the default action will be Skip, click on Continue.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
    Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
    Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.
  • A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.


STEP 2


  • Please download RogueKiller and save to the desktop.
  • Close all windows and browsers
  • Right-click the program and select 'Run as Administrator'
  • Press the scan button.
  • A report opens on the desktop named - RKreport.txt
  • Please post it in your next reply.



Regards,
Georgi
My help is always free of charge. If you appreciate my work, you can buy me a beer or two by clicking here.

#3 hpnutty
  • Topic Starter

  • Members
  • 27 posts

Posted 08 December 2012 - 08:22 PM

Hello Georgi! Thanks so much for your help and I look forward to working with you.

TDSSKiller identified 7 items and did not offer a "CURE" option, so I skipped and captured the log. The editor said it was too long to post so I have attached it as TDSSKiller.2.8.15.0_08.12.2012_19.09.34_log.txt

Running RogueKiller now...


#4 hpnutty
  • Topic Starter

  • Members
  • 27 posts

Posted 08 December 2012 - 08:40 PM

RogueKiller was run but I'm not sure the results you are looking for are in the results. The program did not create a file on the desktop. Clicking on "Report" could not create a report either. It did create a log file in a new RK_Quarantine folder called QuarantineReport.txt. Here are the contents of that file:

Time : 08/12/2012 19:28:35
--------------------------
ERROR [smss.exe.vir] -> C:
ERROR [csrss.exe.vir] -> C:
ERROR [winlogon.exe.vir] -> C:
ERROR [services.exe.vir] -> C:
ERROR [lsass.exe.vir] -> C:
ERROR [svchost.exe.vir] -> C:
ERROR [svchost.exe.vir] -> C:
ERROR [svchost.exe.vir] -> C:
ERROR [svchost.exe.vir] -> C:
ERROR [svchost.exe.vir] -> C:
ERROR [svchost.exe.vir] -> C:
ERROR [spoolsv.exe.vir] -> C:
ERROR [svchost.exe.vir] -> C:
ERROR [svchost.exe.vir] -> C:
ERROR [ctfmon.exe.vir] -> C:
ERROR [explorer.exe.vir] -> C:
ERROR [smss.exe.vir] -> C:
ERROR [csrss.exe.vir] -> C:
ERROR [winlogon.exe.vir] -> C:
ERROR [services.exe.vir] -> C:
ERROR [lsass.exe.vir] -> C:
ERROR [svchost.exe.vir] -> C:
ERROR [svchost.exe.vir] -> C:
ERROR [svchost.exe.vir] -> C:
ERROR [svchost.exe.vir] -> C:
ERROR [svchost.exe.vir] -> C:
ERROR [svchost.exe.vir] -> C:
ERROR [spoolsv.exe.vir] -> C:
ERROR [svchost.exe.vir] -> C:
ERROR [svchost.exe.vir] -> C:
ERROR [ctfmon.exe.vir] -> C:

Besides the items above from the Processes tab the program found these other items:

Registry
Type: HJPOL, Global: HKLM Key:SOFTWARE\Microsoft\Windows\CurrentVersion\Policies]System Value: DisableTaskMgr Data: 0
Type: HOSTS, Global: HKLM Key:SYSTEM\currentControlSet\services\Tcpip\Parameters Value: DataBasePath Data: C:

Nothing else was noted in the other tabs. I hope this helps.




#5 B-boy/StyLe/

    Bleeping Freestyler

  • Malware Response Team
  • 6,374 posts
  • Gender:Male
  • Location:Bulgaria

Posted 09 December 2012 - 05:24 AM

Hello hpnutty, :)



Something went wrong with RogueKiller. I'll contact the developer about this issue.
OK... let's try another way to clean the infection.



Please follow the instructions below:


  • Please download OTL from the link below:
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • OTL should now start. Change the following settings:
    - Click on Scan All Users checkbox given at the top.
    - Under File Scans, change File age to 90
    - Change Standard Registry to All
    - Check the boxes beside LOP Check and Purity Check
  • Copy and Paste the following code into the Custom Scans/Fixes textbox.
  • Don't copy the word "quoted"

    netsvcs
    msconfig
    safebootminimal
    safebootnetwork
    activex
    drivers32
    %SYSTEMDRIVE%\*.*
    %USERPROFILE%\*.*
    %USERPROFILE%\Application Data\*.*
    %USERPROFILE%\Application Data\*.
    %USERPROFILE%\Local Settings\*.*
    %USERPROFILE%\Local Settings\temp\*.exe
    %USERPROFILE%\Local Settings\Temporary Internet Files\*.exe
    %USERPROFILE%\Local Settings\Application Data\*.*
    %AllUsersProfile%\*.*
    %AllUsersProfile%\Application Data\*.*
    %AllUsersProfile%\Application Data\*.
    %AllUsersProfile%\Application Data\Local Settings\*.*
    %AllUsersProfile%\Application Data\Local Settings\Temp\*.exe
    %ALLUSERSPROFILE%\Documents\My Music\*.exe
    %ALLUSERSPROFILE%\Documents\My Pictures\*.exe
    %ALLUSERSPROFILE%\Documents\My Videos\*.exe
    %ALLUSERSPROFILE%\Documents\*.exe
    %USERPROFILE%\My Documents\*.*
    %CommonProgramFiles%\*.*
    %CommonProgramFiles%\ComObjects*.*
    %PROGRAMFILES%\*.*
    %PROGRAMFILES%\*.
    %systemroot%\system32\config\systemprofile\*.*
    %systemroot%\system32\config\systemprofile\Application Data\*.*
    %systemroot%\system32\config\systemprofile\\Local Settings\*.*
    %systemroot%\system32\config\systemprofile\\Local Settings\Application Data\*.*
    %systemroot%\system32\config\systemprofile\\Local Settings\Temp\*.exe
    %systemroot%\system32\config\systemprofile\\Local Settings\Temporary Internet Files\*.exe
    C:\Documents and Settings\LocalService\Application Data\*.*
    C:\Documents and Settings\LocalService\Local Settings\Application Data\*.*
    C:\Documents and Settings\LocalService\Local Settings\temp\*.exe
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\*.exe
    C:\Documents and Settings\LocalService\Local Settings\*.*
    C:\Documents and Settings\LocalService\*.*
    C:\Documents and Settings\NetworkService\Application Data\*.*
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\*.*
    C:\Documents and Settings\NetworkService\Local Settings\temp\*.exe
    C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\*.exe
    C:\Documents and Settings\NetworkService\Local Settings\*.*
    C:\Documents and Settings\NetworkService\*.*
    %windir%\temp\*.exe
    %windir%\*.
    %windir%\installer\*.
    %windir%\system32\*.
    %Temp%\smtmp\1\*.*
    %Temp%\smtmp\2\*.*
    %Temp%\smtmp\3\*.*
    %Temp%\smtmp\4\*.*
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\system32\drivers\*.sys /90
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\system32\Spool\prtprocs\w32x86\*.dll
    %systemroot%\*. /rp /s
    %systemroot%\assembly\tmp\*.* /S /MD5
    %systemroot%\assembly\temp\*.* /S /MD5
    %systemroot%\assembly\GAC\*.ini
    %systemroot%\assembly\GAC_32\*.ini
    %SystemRoot%\assembly\GAC_MSIL\*.ini
    wsSystemRoot|l,n,u,@;True;False;True;$,{ /fn
    %systemdrive%\$Recycle.Bin|@;true;true;true /fp
    HKEY_CLASSES_ROOT\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24} /s
    HKEY_CLASSES_ROOT\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1} /s
    HKEY_CURRENT_USER\Software\Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1} /s
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1} /s
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1} /s
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8} /s
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24} /s
    HKEY_CLASSES_ROOT\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F} /s
    HKEY_CLASSES_ROOT\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9} /s
    HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9} /s
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F} /s
    HKEY_CURRENT_USER\Software\Classes\clsid\{12d0253a-7c96-815c-11e0-3034bbd97cc0}] /s
    HKEY_CURRENT_USER\Software\MSOLoad /s
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    consrv.dll
    services.exe
    svchost.exe
    explorer.exe
    userinit.exe
    winlogon.exe
    smss.exe
    lsass.exe
    atapi.sys
    iaStor.sys
    serial.sys
    disk.sys
    volsnap.sys
    redbook.sys
    i8042prt.sys
    afd.sys
    netbt.sys
    tcpip.sys
    ipsec.sys
    hlp.dat
    str.sys
    crexv.ocx
    asr_nsta.dll
    /md5stop

  • Push the Run Scan button.
  • One report will open, copy and paste it in a reply here:
    • OTL.txt <-- Will be opened


Regards,
Georgi

#6 hpnutty
  • Topic Starter

  • Members
  • 27 posts

Posted 09 December 2012 - 08:14 AM

Hello Georgi,

OTL run and results pasted here: http://pastebin.com/LLK9YxK5

Extras log results pasted here: http://pastebin.com/jWSjiVj9

Regards,
Hpnutty

Edited by hpnutty, 09 December 2012 - 08:36 AM.


#7 B-boy/StyLe/

    Bleeping Freestyler

  • Malware Response Team
  • 6,374 posts
  • Gender:Male
  • Location:Bulgaria

Posted 09 December 2012 - 09:04 AM

Hi,



We need to run an OTL Fix



  • Please reopen OTL on your desktop.
  • Copy and Paste the following code into the Custom Scans/Fixes textbox. Do not include the word "Code".

    :OTL
    PRC - [2012/11/28 05:29:42 | 000,166,600 | ---- | M] (APN LLC.) -- C:\Program Files\AskPartnerNetwork\Toolbar\apnmcp.exe
    PRC - [2012/11/28 05:29:35 | 001,259,720 | ---- | M] (APN) -- C:\Program Files\AskPartnerNetwork\Toolbar\Updater\TBNotifier.exe
    SRV - [2012/11/28 05:29:42 | 000,166,600 | ---- | M] (APN LLC.) [Auto | Running] -- C:\Program Files\AskPartnerNetwork\Toolbar\apnmcp.exe -- (APNMCP)
    IE - HKU\S-1-5-21-515967899-436374069-682003330-1003\..\SearchScopes\{9FD7B12B-8182-467C-8403-093A78AB6A0C}: "URL" = http://asksearch.ask.com/redirect?client=ie&src=crm&tb=FAS-V6&o=APN10484&locale=en_US&apn_uid=4884D236-8DAE-4735-B08C-050CF22415E2&apn_ptnrs=^ALL&apn_dtid=^zzz004^YY^US&apn_dbr=ie_8.0.6001.18702&itbv=11.3.0.581&doi=2012-12-03&q={searchTerms}&
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
    O2 - BHO: (Ask Toolbar) - {4641532D-5636-006A-76A7-7A786E7484D7} - C:\Program Files\AskPartnerNetwork\Toolbar\FAS-V6\Passport.dll (APN LLC.)
    O3 - HKLM\..\Toolbar: (Ask Toolbar) - {4641532D-5636-006A-76A7-7A786E7484D7} - C:\Program Files\AskPartnerNetwork\Toolbar\FAS-V6\Passport.dll (APN LLC.)
    O3 - HKU\S-1-5-21-515967899-436374069-682003330-1003\..\Toolbar\WebBrowser: (Ask Toolbar) - {4641532D-5636-006A-76A7-7A786E7484D7} - C:\Program Files\AskPartnerNetwork\Toolbar\FAS-V6\Passport.dll (APN LLC.)
    O4 - HKLM..\Run: [ApnTBMon] C:\Program Files\AskPartnerNetwork\Toolbar\Updater\TBNotifier.exe (APN)
    O8 - Extra context menu item: &Search - ?p=ZKxdm021YY99 File not found
    O36 - AppCertDlls: autoetup - (C:\WINDOWS\conisync.dll) - File not found
    O36 - AppCertDlls: fixmpsrv - (C:\WINDOWS\system32\asr_nsta.dll) - C:\WINDOWS\system32\asr_nsta.dll ()
    SafeBootMin: 01148452.sys - Driver
    SafeBootMin: 56399631.sys - Driver
    SafeBootMin: 94742161.sys - Driver
    SafeBootMin: MCODS - Reg Error: Value error.
    SafeBootNet: 01148452.sys - Driver
    SafeBootNet: 56399631.sys - Driver
    SafeBootNet: 94742161.sys - Driver
    [2012/12/08 05:52:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Dad\Local Settings\Application Data\AskPartnerNetwork
    [2012/12/04 12:29:41 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\3CA46B87AAF2344B00003CA42EE93A09
    [2012/12/03 10:53:37 | 000,000,000 | ---D | C] -- C:\Program Files\Ask.com
    [2012/12/03 10:53:33 | 000,000,000 | ---D | C] -- C:\Program Files\AskPartnerNetwork
    [2012/12/03 10:53:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\AskPartnerNetwork
    [2012/12/03 10:53:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\APN
    [2012/12/08 19:08:24 | 000,000,308 | -HS- | M] () -- C:\WINDOWS\tasks\UZWY.job
    [2012/11/23 23:24:04 | 000,000,004 | ---- | M] () -- C:\Documents and Settings\Dad\Application Data\4E2606
    [2012/12/04 12:28:37 | 000,002,048 | -HS- | M] () -- C:\RECYCLER\S-1-5-18\$9afba016c0f62a158d3d5a82f34e92b7\@
    [2012/12/05 15:20:47 | 000,000,000 | -HSD | M] -- C:\RECYCLER\S-1-5-18\$9afba016c0f62a158d3d5a82f34e92b7\L
    [2012/12/08 05:47:02 | 000,000,000 | -HSD | M] -- C:\RECYCLER\S-1-5-18\$9afba016c0f62a158d3d5a82f34e92b7\U
    [2012/12/07 22:53:15 | 000,000,804 | ---- | M] () -- C:\RECYCLER\S-1-5-18\$9afba016c0f62a158d3d5a82f34e92b7\L\00000004.@
    [2008/04/30 20:26:46 | 000,000,227 | RHS- | M] () -- C:\WINDOWS\assembly\Desktop.ini
    [2012/12/03 10:53:37 | 000,000,000 | ---D | M] -- C:\Program Files\Ask.com
    [2012/12/03 10:53:33 | 000,000,000 | ---D | M] -- C:\Program Files\AskPartnerNetwork
    [2012/08/20 08:38:22 | 000,157,720 | ---- | M] () -- C:\WINDOWS\temp\GLF7DB.EXE
    @Alternate Data Stream - 364 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:F2721624
    :files
    C:\RECYCLER\S-1-5-18\$9afba016c0f62a158d3d5a82f34e92b7
    xcacls.exe c:\windows\$ntuninstallkb38584$\1972644928 /p Administrators:f SYSTEM:f /y /c
    xcacls.exe c:\windows\$ntuninstallkb38584$\2233865118 /p Administrators:f SYSTEM:f /y /c
    xcacls.exe c:\windows\$ntuninstallkb38584$ /p Administrators:f SYSTEM:f /y /c
    fsutil reparsepoint delete c:\windows\$ntuninstallkb38584$\1972644928 /c
    fsutil reparsepoint delete c:\windows\$ntuninstallkb38584$\2233865118 /c
    fsutil reparsepoint delete c:\windows\$ntuninstallkb38584$ /c
    rd /s/q C:\WINDOWS\$NtUninstallKB38584$ /c
    netsh winsock reset catalog /c
    ipconfig /flushdns /c
    :commands
    [resethosts]
    [emptytemp]

  • Push the Run Fix button.
  • OTL may ask to reboot the machine. Please do so if asked.
  • Click OK.
  • A report will open. Copy and Paste that report in your next reply.
  • If a report is not shown please navigate to the C:\_OTL\MovedFiles folder, and open the newest .log file present.
  • Copy/paste the content of the log back here in your next post.
  • Now can you please go to C:\_OTL\MovedFiles and right click on the folder, select send to compressed(zip) folder that will make a zipped copy of this folder.
  • Then please upload it to http://www.bleepingcomputer.com/submit-malware.php?channel=122 so we can examine the files and submit to antivirus companies if needed.
  • After that please delete the zip files you just created.



Regards,
Georgi

#8 hpnutty (Topic Starter)

Posted 09 December 2012 - 09:31 AM

Georgi,

Below is the log produced from the OTL fix. I submitted the zipped file to the malware sample site per your request.
One thing to bring to your attention. I mentioned in my initial post that I could not enter Windows in Safe Mode. I determined that Windows was trying to display on a second monitor that is hooked up to this computer and not turned on. Removing the VGA cable from the computer allowed me to boot into Safe Mode.

OTL Fix #1 Log
All processes killed
========== OTL ==========
No active process named apnmcp.exe was found!
No active process named TBNotifier.exe was found!
Service APNMCP stopped successfully!
Service APNMCP deleted successfully!
C:\Program Files\AskPartnerNetwork\Toolbar\apnmcp.exe moved successfully.
Registry key HKEY_USERS\S-1-5-21-515967899-436374069-682003330-1003\Software\Microsoft\Internet Explorer\SearchScopes\{9FD7B12B-8182-467C-8403-093A78AB6A0C}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9FD7B12B-8182-467C-8403-093A78AB6A0C}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{02478D38-C3F9-4efb-9B51-7695ECA05670}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4641532D-5636-006A-76A7-7A786E7484D7}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4641532D-5636-006A-76A7-7A786E7484D7}\ deleted successfully.
C:\Program Files\AskPartnerNetwork\Toolbar\FAS-V6\Passport.dll moved successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\{4641532D-5636-006A-76A7-7A786E7484D7} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4641532D-5636-006A-76A7-7A786E7484D7}\ not found.
File V6\Passport.dll not found.
Registry value HKEY_USERS\S-1-5-21-515967899-436374069-682003330-1003\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{4641532D-5636-006A-76A7-7A786E7484D7} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4641532D-5636-006A-76A7-7A786E7484D7}\ not found.
File V6\Passport.dll not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\ApnTBMon deleted successfully.
C:\Program Files\AskPartnerNetwork\Toolbar\Updater\TBNotifier.exe moved successfully.
Registry key HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\&Search\ deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls\\autoetup deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls\\fixmpsrv deleted successfully.
C:\WINDOWS\system32\asr_nsta.dll moved successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\01148452.sys\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\56399631.sys\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\94742161.sys\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\01148452.sys\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\56399631.sys\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\94742161.sys\ deleted successfully.
C:\Documents and Settings\Dad\Local Settings\Application Data\AskPartnerNetwork\Toolbar\FAS-V6 folder moved successfully.
C:\Documents and Settings\Dad\Local Settings\Application Data\AskPartnerNetwork\Toolbar folder moved successfully.
C:\Documents and Settings\Dad\Local Settings\Application Data\AskPartnerNetwork folder moved successfully.
Folder C:\Documents and Settings\All Users\Application Data\3CA46B87AAF2344B00003CA42EE93A09\ not found.
C:\Program Files\Ask.com\Updater folder moved successfully.
C:\Program Files\Ask.com folder moved successfully.
C:\Program Files\AskPartnerNetwork\Toolbar\Updater\FAS-V6 folder moved successfully.
C:\Program Files\AskPartnerNetwork\Toolbar\Updater folder moved successfully.
C:\Program Files\AskPartnerNetwork\Toolbar\FAS-V6\CRX folder moved successfully.
C:\Program Files\AskPartnerNetwork\Toolbar\FAS-V6 folder moved successfully.
C:\Program Files\AskPartnerNetwork\Toolbar folder moved successfully.
C:\Program Files\AskPartnerNetwork folder moved successfully.
C:\Documents and Settings\All Users\Application Data\AskPartnerNetwork\Toolbar\FAS-V6\Updater\11.3.0.0\2 folder moved successfully.
C:\Documents and Settings\All Users\Application Data\AskPartnerNetwork\Toolbar\FAS-V6\Updater\11.3.0.0 folder moved successfully.
C:\Documents and Settings\All Users\Application Data\AskPartnerNetwork\Toolbar\FAS-V6\Updater folder moved successfully.
C:\Documents and Settings\All Users\Application Data\AskPartnerNetwork\Toolbar\FAS-V6\CRX\5.32321\widgets\templates\js folder moved successfully.
C:\Documents and Settings\All Users\Application Data\AskPartnerNetwork\Toolbar\FAS-V6\CRX\5.32321\widgets\templates\css\images folder moved successfully.
C:\Documents and Settings\All Users\Application Data\AskPartnerNetwork\Toolbar\FAS-V6\CRX\5.32321\widgets\templates\css folder moved successfully.
C:\Documents and Settings\All Users\Application Data\AskPartnerNetwork\Toolbar\FAS-V6\CRX\5.32321\widgets\templates folder moved successfully.
C:\Documents and Settings\All Users\Application Data\AskPartnerNetwork\Toolbar\FAS-V6\CRX\5.32321\widgets\search-suggestion folder moved successfully.
C:\Documents and Settings\All Users\Application Data\AskPartnerNetwork\Toolbar\FAS-V6\CRX\5.32321\widgets\rebuttal\images folder moved successfully.
C:\Documents and Settings\All Users\Application Data\AskPartnerNetwork\Toolbar\FAS-V6\CRX\5.32321\widgets\rebuttal folder moved successfully.
C:\Documents and Settings\All Users\Application Data\AskPartnerNetwork\Toolbar\FAS-V6\CRX\5.32321\widgets\options\images folder moved successfully.
C:\Documents and Settings\All Users\Application Data\AskPartnerNetwork\Toolbar\FAS-V6\CRX\5.32321\widgets\options folder moved successfully.
C:\Documents and Settings\All Users\Application Data\AskPartnerNetwork\Toolbar\FAS-V6\CRX\5.32321\widgets folder moved successfully.
C:\Documents and Settings\All Users\Application Data\AskPartnerNetwork\Toolbar\FAS-V6\CRX\5.32321\tb_ux folder moved successfully.
C:\Documents and Settings\All Users\Application Data\AskPartnerNetwork\Toolbar\FAS-V6\CRX\5.32321\lib\shims folder moved successfully.
C:\Documents and Settings\All Users\Application Data\AskPartnerNetwork\Toolbar\FAS-V6\CRX\5.32321\lib folder moved successfully.
C:\Documents and Settings\All Users\Application Data\AskPartnerNetwork\Toolbar\FAS-V6\CRX\5.32321\content_script\hack folder moved successfully.
C:\Documents and Settings\All Users\Application Data\AskPartnerNetwork\Toolbar\FAS-V6\CRX\5.32321\content_script folder moved successfully.
C:\Documents and Settings\All Users\Application Data\AskPartnerNetwork\Toolbar\FAS-V6\CRX\5.32321\config\skin\widgets\youtube\1.0 folder moved successfully.
C:\Documents and Settings\All Users\Application Data\AskPartnerNetwork\Toolbar\FAS-V6\CRX\5.32321\config\skin\widgets\youtube folder moved successfully.
C:\Documents and Settings\All Users\Application Data\AskPartnerNetwork\Toolbar\FAS-V6\CRX\5.32321\config\skin\widgets\wordoftheday folder moved successfully.
C:\Documents and Settings\All Users\Application Data\AskPartnerNetwork\Toolbar\FAS-V6\CRX\5.32321\config\skin\widgets\weather\3.0 folder moved successfully.
C:\Documents and Settings\All Users\Application Data\AskPartnerNetwork\Toolbar\FAS-V6\CRX\5.32321\config\skin\widgets\weather folder moved successfully.
C:\Documents and Settings\All Users\Application Data\AskPartnerNetwork\Toolbar\FAS-V6\CRX\5.32321\config\skin\widgets\vk folder moved successfully.
C:\Documents and Settings\All Users\Application Data\AskPartnerNetwork\Toolbar\FAS-V6\CRX\5.32321\config\skin\widgets\video\2.0 folder moved successfully.
C:\Documents and Settings\All Users\Application Data\AskPartnerNetwork\Toolbar\FAS-V6\CRX\5.32321\config\skin\widgets\video folder moved successfully.
C:\Documents and Settings\All Users\Application Data\AskPartnerNetwork\Toolbar\FAS-V6\CRX\5.32321\config\skin\widgets\toolbar-options folder moved successfully.
C:\Documents and Settings\All Users\Application Data\AskPartnerNetwork\Toolbar\FAS-V6\CRX\5.32321\config\skin\widgets\simple-email-list folder moved successfully.
C:\Documents and Settings\All Users\Application Data\AskPartnerNetwork\Toolbar\FAS-V6\CRX\5.32321\config\skin\widgets\search-box folder moved successfully.
C:\Documents and Settings\All Users\Application Data\AskPartnerNetwork\Toolbar\FAS-V6\CRX\5.32321\config\skin\widgets\radio\2.0 folder moved successfully.
C:\Documents and Settings\All Users\Application Data\AskPartnerNetwork\Toolbar\FAS-V6\CRX\5.32321\config\skin\widgets\radio folder moved successfully.
C:\Documents and Settings\All Users\Application Data\AskPartnerNetwork\Toolbar\FAS-V6\CRX\5.32321\config\skin\widgets\orkut folder moved successfully.
C:\Documents and Settings\All Users\Application Data\AskPartnerNetwork\Toolbar\FAS-V6\CRX\5.32321\config\skin\widgets\netvibes-voici folder moved successfully.
C:\Documents and Settings\All Users\Application Data\AskPartnerNetwork\Toolbar\FAS-V6\CRX\5.32321\config\skin\widgets\netvibes-uol folder moved successfully.
C:\Documents and Settings\All Users\Application Data\AskPartnerNetwork\Toolbar\FAS-V6\CRX\5.32321\config\skin\widgets\netvibes-ultimosegundo folder moved successfully.
C:\Documents and Settings\All Users\Application Data\AskPartnerNetwork\Toolbar\FAS-V6\CRX\5.32321\config\skin\widgets\netvibes-todayinhistory folder moved successfully.
C:\Documents and Settings\All Users\Application Data\AskPartnerNetwork\Toolbar\FAS-V6\CRX\5.32321\config\skin\widgets\netvibes-sportsru folder moved successfully.
C:\Documents and Settings\All Users\Application Data\AskPartnerNetwork\Toolbar\FAS-V6\CRX\5.32321\config\skin\widgets\netvibes-sportsnl folder moved successfully.
C:\Documents and Settings\All Users\Application Data\AskPartnerNetwork\Toolbar\FAS-V6\CRX\5.32321\config\skin\widgets\netvibes-programmetv folder moved successfully.
C:\Documents and Settings\All Users\Application Data\AskPartnerNetwork\Toolbar\FAS-V6\CRX\5.32321\config\skin\widgets\netvibes-pbkdaily folder moved successfully.
C:\Documents and Settings\All Users\Application Data\AskPartnerNetwork\Toolbar\FAS-V6\CRX\5.32321\config\skin\widgets\netvibes-nu-nl folder moved successfully.
C:\Documents and Settings\All Users\Application Data\AskPartnerNetwork\Toolbar\FAS-V6\CRX\5.32321\config\skin\widgets\netvibes-newsru folder moved successfully.
C:\Documents and Settings\All Users\Application Data\AskPartnerNetwork\Toolbar\FAS-V6\CRX\5.32321\config\skin\widgets\netvibes-mtv.it folder moved successfully.
C:\Documents and Settings\All Users\Application Data\AskPartnerNetwork\Toolbar\FAS-V6\CRX\5.32321\config\skin\widgets\netvibes-lequipe folder moved successfully.
C:\Documents and Settings\All Users\Application Data\AskPartnerNetwork\Toolbar\FAS-V6\CRX\5.32321\config\skin\widgets\netvibes-lemonde folder moved successfully.
C:\Documents and Settings\All Users\Application Data\AskPartnerNetwork\Toolbar\FAS-V6\CRX\5.32321\config\skin\widgets\netvibes-lagazzettadellosport folder moved successfully.
C:\Documents and Settings\All Users\Application Data\AskPartnerNetwork\Toolbar\FAS-V6\CRX\5.32321\config\skin\widgets\netvibes-kicker folder moved successfully.
C:\Documents and Settings\All Users\Application Data\AskPartnerNetwork\Toolbar\FAS-V6\CRX\5.32321\config\skin\widgets\netvibes-g1 folder moved successfully.
C:\Documents and Settings\All Users\Application Data\AskPartnerNetwork\Toolbar\FAS-V6\CRX\5.32321\config\skin\widgets\netvibes-folha folder moved successfully.
C:\Documents and Settings\All Users\Application Data\AskPartnerNetwork\Toolbar\FAS-V6\CRX\5.32321\config\skin\widgets\netvibes-financialtimes.de folder moved successfully.
C:\Documents and Settings\All Users\Application Data\AskPartnerNetwork\Toolbar\FAS-V6\CRX\5.32321\config\skin\widgets\netvibes-financialtimes folder moved successfully.
C:\Documents and Settings\All Users\Application Data\AskPartnerNetwork\Toolbar\FAS-V6\CRX\5.32321\config\skin\widgets\netvibes-expansion folder moved successfully.
C:\Documents and Settings\All Users\Application Data\AskPartnerNetwork\Toolbar\FAS-V6\CRX\5.32321\config\skin\widgets\netvibes-elmundo folder moved successfully.
C:\Documents and Settings\All Users\Application Data\AskPartnerNetwork\Toolbar\FAS-V6\CRX\5.32321\config\skin\widgets\netvibes-corrieredellasera folder moved successfully.
C:\Documents and Settings\All Users\Application Data\AskPartnerNetwork\Toolbar\FAS-V6\CRX\5.32321\config\skin\widgets\netvibes-beppegrillo folder moved successfully.
C:\Documents and Settings\All Users\Application Data\AskPartnerNetwork\Toolbar\FAS-V6\CRX\5.32321\config\skin\widgets\netvibes-bbcsports folder moved successfully.
C:\Documents and Settings\All Users\Application Data\AskPartnerNetwork\Toolbar\FAS-V6\CRX\5.32321\config\skin\widgets\netvibes-bbc folder moved successfully.
C:\Documents and Settings\All Users\Application Data\AskPartnerNetwork\Toolbar\FAS-V6\CRX\5.32321\config\skin\widgets\netvibes-ascom folder moved successfully.
C:\Documents and Settings\All Users\Application Data\AskPartnerNetwork\Toolbar\FAS-V6\CRX\5.32321\config\skin\widgets\netvibes-abc folder moved successfully.
C:\Documents and Settings\All Users\Application Data\AskPartnerNetwork\Toolbar\FAS-V6\CRX\5.32321\config\skin\widgets\map\1.0 folder moved successfully.
C:\Documents and Settings\All Users\Application Data\AskPartnerNetwork\Toolbar\FAS-V6\CRX\5.32321\config\skin\widgets\map folder moved successfully.
C:\Documents and Settings\All Users\Application Data\AskPartnerNetwork\Toolbar\FAS-V6\CRX\5.32321\config\skin\widgets\games-feed folder moved successfully.
C:\Documents and Settings\All Users\Application Data\AskPartnerNetwork\Toolbar\FAS-V6\CRX\5.32321\config\skin\widgets\facebook\3.0 folder moved successfully.
C:\Documents and Settings\All Users\Application Data\AskPartnerNetwork\Toolbar\FAS-V6\CRX\5.32321\config\skin\widgets\facebook folder moved successfully.
C:\Documents and Settings\All Users\Application Data\AskPartnerNetwork\Toolbar\FAS-V6\CRX\5.32321\config\skin\widgets\cnn\1.0 folder moved successfully.
C:\Documents and Settings\All Users\Application Data\AskPartnerNetwork\Toolbar\FAS-V6\CRX\5.32321\config\skin\widgets\cnn folder moved successfully.
C:\Documents and Settings\All Users\Application Data\AskPartnerNetwork\Toolbar\FAS-V6\CRX\5.32321\config\skin\widgets\ask-homepage folder moved successfully.
C:\Documents and Settings\All Users\Application Data\AskPartnerNetwork\Toolbar\FAS-V6\CRX\5.32321\config\skin\widgets\amazon-navigation folder moved successfully.
C:\Documents and Settings\All Users\Application Data\AskPartnerNetwork\Toolbar\FAS-V6\CRX\5.32321\config\skin\widgets folder moved successfully.
C:\Documents and Settings\All Users\Application Data\AskPartnerNetwork\Toolbar\FAS-V6\CRX\5.32321\config\skin\images\vanilla folder moved successfully.
C:\Documents and Settings\All Users\Application Data\AskPartnerNetwork\Toolbar\FAS-V6\CRX\5.32321\config\skin\images\search folder moved successfully.
C:\Documents and Settings\All Users\Application Data\AskPartnerNetwork\Toolbar\FAS-V6\CRX\5.32321\config\skin\images\logo folder moved successfully.
C:\Documents and Settings\All Users\Application Data\AskPartnerNetwork\Toolbar\FAS-V6\CRX\5.32321\config\skin\images folder moved successfully.
C:\Documents and Settings\All Users\Application Data\AskPartnerNetwork\Toolbar\FAS-V6\CRX\5.32321\config\skin\css folder moved successfully.
C:\Documents and Settings\All Users\Application Data\AskPartnerNetwork\Toolbar\FAS-V6\CRX\5.32321\config\skin folder moved successfully.
C:\Documents and Settings\All Users\Application Data\AskPartnerNetwork\Toolbar\FAS-V6\CRX\5.32321\config folder moved successfully.
C:\Documents and Settings\All Users\Application Data\AskPartnerNetwork\Toolbar\FAS-V6\CRX\5.32321\background folder moved successfully.
C:\Documents and Settings\All Users\Application Data\AskPartnerNetwork\Toolbar\FAS-V6\CRX\5.32321 folder moved successfully.
C:\Documents and Settings\All Users\Application Data\AskPartnerNetwork\Toolbar\FAS-V6\CRX folder moved successfully.
C:\Documents and Settings\All Users\Application Data\AskPartnerNetwork\Toolbar\FAS-V6 folder moved successfully.
C:\Documents and Settings\All Users\Application Data\AskPartnerNetwork\Toolbar folder moved successfully.
C:\Documents and Settings\All Users\Application Data\AskPartnerNetwork folder moved successfully.
C:\Documents and Settings\All Users\Application Data\APN\APN-Stub folder moved successfully.
C:\Documents and Settings\All Users\Application Data\APN folder moved successfully.
C:\WINDOWS\tasks\UZWY.job moved successfully.
C:\Documents and Settings\Dad\Application Data\4E2606 moved successfully.
C:\RECYCLER\S-1-5-18\$9afba016c0f62a158d3d5a82f34e92b7\L folder moved successfully.
C:\RECYCLER\S-1-5-18\$9afba016c0f62a158d3d5a82f34e92b7\U folder moved successfully.
File C:\RECYCLER\S-1-5-18\$9afba016c0f62a158d3d5a82f34e92b7\L\00000004.@ not found.
C:\WINDOWS\assembly\Desktop.ini moved successfully.
Folder C:\Program Files\Ask.com\ not found.
Folder C:\Program Files\AskPartnerNetwork\ not found.
C:\WINDOWS\Temp\GLF7DB.EXE moved successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:F2721624 deleted successfully.
========== FILES ==========
C:\RECYCLER\S-1-5-18\$9afba016c0f62a158d3d5a82f34e92b7 folder moved successfully.
< xcacls.exe c:\windows\$ntuninstallkb38584$\1972644928 /p Administrators:f SYSTEM:f /y /c >
C:\downloads\MalwareFix12-8-2012\otl\cmd.bat deleted successfully.
C:\downloads\MalwareFix12-8-2012\otl\cmd.txt deleted successfully.
< xcacls.exe c:\windows\$ntuninstallkb38584$\2233865118 /p Administrators:f SYSTEM:f /y /c >
C:\downloads\MalwareFix12-8-2012\otl\cmd.bat deleted successfully.
C:\downloads\MalwareFix12-8-2012\otl\cmd.txt deleted successfully.
< xcacls.exe c:\windows\$ntuninstallkb38584$ /p Administrators:f SYSTEM:f /y /c >
C:\downloads\MalwareFix12-8-2012\otl\cmd.bat deleted successfully.
C:\downloads\MalwareFix12-8-2012\otl\cmd.txt deleted successfully.
< fsutil reparsepoint delete c:\windows\$ntuninstallkb38584$\1972644928 /c >
Error: The file can not be accessed by the system.

C:\downloads\MalwareFix12-8-2012\otl\cmd.bat deleted successfully.
C:\downloads\MalwareFix12-8-2012\otl\cmd.txt deleted successfully.
< fsutil reparsepoint delete c:\windows\$ntuninstallkb38584$\2233865118 /c >
Error: The file can not be accessed by the system.

C:\downloads\MalwareFix12-8-2012\otl\cmd.bat deleted successfully.
C:\downloads\MalwareFix12-8-2012\otl\cmd.txt deleted successfully.
< fsutil reparsepoint delete c:\windows\$ntuninstallkb38584$ /c >
Error: Access is denied.

C:\downloads\MalwareFix12-8-2012\otl\cmd.bat deleted successfully.
C:\downloads\MalwareFix12-8-2012\otl\cmd.txt deleted successfully.
< rd /s/q C:\WINDOWS\$NtUninstallKB38584$ /c >
C:\downloads\MalwareFix12-8-2012\otl\cmd.bat deleted successfully.
C:\downloads\MalwareFix12-8-2012\otl\cmd.txt deleted successfully.
< netsh winsock reset catalog /c >
Sucessfully reset the Winsock Catalog.
You must restart the machine in order to complete the reset.
C:\downloads\MalwareFix12-8-2012\otl\cmd.bat deleted successfully.
C:\downloads\MalwareFix12-8-2012\otl\cmd.txt deleted successfully.
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\downloads\MalwareFix12-8-2012\otl\cmd.bat deleted successfully.
C:\downloads\MalwareFix12-8-2012\otl\cmd.txt deleted successfully.
========== COMMANDS ==========
HOSTS file reset successfully

[EMPTYTEMP]

User: All Users

User: Courtney
->Temp folder emptied: 17780062 bytes
->Temporary Internet Files folder emptied: 157915 bytes
->Java cache emptied: 3355025 bytes
->Flash cache emptied: 10429 bytes

User: Dad
->Temp folder emptied: 202939177 bytes
->Temporary Internet Files folder emptied: 4495553 bytes
->Java cache emptied: 13120351 bytes
->Flash cache emptied: 967 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: Guest
->Temp folder emptied: 8031752 bytes
->Temporary Internet Files folder emptied: 244507796 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 2007 bytes

User: LocalService
->Temp folder emptied: 66016 bytes
->Temporary Internet Files folder emptied: 621671615 bytes
->Java cache emptied: 13 bytes
->Flash cache emptied: 175717 bytes

User: Natalie
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 11930592 bytes

User: NetworkService
->Temp folder emptied: 56188 bytes
->Temporary Internet Files folder emptied: 9502854 bytes
->Java cache emptied: 2136 bytes
->Flash cache emptied: 150891 bytes

User: Peggy
->Temp folder emptied: 533 bytes
->Temporary Internet Files folder emptied: 3090718 bytes
->Flash cache emptied: 6481 bytes

User: Rachel
->Temp folder emptied: 443807 bytes
->Temporary Internet Files folder emptied: 98438 bytes
->Java cache emptied: 278367 bytes
->FireFox cache emptied: 42933065 bytes
->Flash cache emptied: 1121 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 6017041 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 90962087 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 224170930 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 22013647 bytes
RecycleBin emptied: 1044065 bytes

Total Files Cleaned = 1,458.00 mb


OTL by OldTimer - Version 3.2.69.0 log created on 12092012_081019


Files\Folders moved on Reboot...
C:\Documents and Settings\Dad\Local Settings\Temporary Internet Files\Content.IE5\9VE1T34E\topic477856[1].html moved successfully.
C:\Documents and Settings\Dad\Local Settings\Temporary Internet Files\AntiPhishing\2CEDBFBC-DBA8-43AA-B1FD-CC8E6316E3E2.dat moved successfully.


PendingFileRenameOperations files...

Registry entries deleted on Reboot...

Regards,
Hpnutty




#9 B-boy/StyLe/ (Bleeping Freestyler, Malware Response Team, Bulgaria)

Posted 09 December 2012 - 09:45 AM

Hi hpnutty, :)



Go to Start => Run => type in CMD and hit Enter => Copy and paste the following command in the run box and click OK:

dir c:\ /aL /s > c:\junctionPoints.txt

Next please attach this file C:\junctionPoints.txt in your next reply. :)



Next let's try to fix the broken services.


Backup Your Registry




Now please download fix.reg and save it to your desktop.

Now double click on it. An information box will pop up asking if you want to merge the information in the file into the registry, click YES.

Now reboot the computer.



Regards,
Georgi

#10 hpnutty (Topic Starter)

Posted 09 December 2012 - 09:54 AM

Georgi,

I ran the DOS command, backed up the registry and ran the fix.reg file and rebooted the PC. Below is the junction.txt file:

Volume in drive C is c-drive
Volume Serial Number is 3C9E-344B


Directory of c:\WINDOWS

12/30/2008 10:20 PM <JUNCTION> $NtUninstallKB38584$
0 File(s) 0 bytes


Directory of c:\WINDOWS\assembly\GAC_32\System.EnterpriseServices

11/24/2012 10:24 AM <JUNCTION> 2.0.0.0__b03f5f7f11d50a3a
0 File(s) 0 bytes


Directory of c:\WINDOWS\assembly\GAC_MSIL\IEExecRemote

11/24/2012 10:23 AM <JUNCTION> 2.0.0.0__b03f5f7f11d50a3a
0 File(s) 0 bytes


Directory of c:\WINDOWS\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices

12/07/2012 09:43 PM <JUNCTION> v4.0_4.0.0.0__b03f5f7f11d50a3a
0 File(s) 0 bytes


Directory of c:\WINDOWS\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Workflow.Compiler

12/07/2012 09:26 PM <JUNCTION> v4.0_4.0.0.0__31bf3856ad364e35
0 File(s) 0 bytes


Total Files Listed:
0 File(s) 0 bytes
5 Dir(s) 376,958,984,192 bytes free


After the reboot I got two information messages, one that the epson printer service was blocked and one that the MSE anti-virus was disabled.

Regards,
Hpnutty

Edited by hpnutty, 09 December 2012 - 09:59 AM.


#11 B-boy/StyLe/ (Bleeping Freestyler, Malware Response Team, Bulgaria)

Posted 09 December 2012 - 10:12 AM

Hi,



Please download a copy of swxcacls.exe and save it to your desktop.

Copy SWXCACLS.EXE into your C:\windows\system32 folder.

Once you have that, continue with the next steps.

Please click Start Menu > Run => type in CMD and hit Enter

Copy/paste the following text at the command prompt and press enter after each line:

cd c:\windows\system32

swxcacls "C:\WINDOWS\$NtUninstallKB38584$" /reset /q

fsutil reparsepoint delete c:\windows\$ntuninstallkb38584$\1972644928

fsutil reparsepoint delete c:\windows\$ntuninstallkb38584$\2233865118

fsutil reparsepoint delete c:\windows\$ntuninstallkb38584$

rd /s /q c:\windows\$ntuninstallkb38584$

dir c:\ /aL /s > c:\junctionPoints2.txt

Next please attach this file C:\junctionPoints2.txt in your next reply.



> After the reboot I got two information messages, one that the epson printer service was blocked and one that the MSE anti-virus was disabled.



This is because we fixed the broken services and they work again as they should. :)



Regards,
Georgi
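The two commands doing the real work in this thread are `dir c:\ /aL /s` (list every reparse point on the volume) and `fsutil reparsepoint delete` (strip the reparse data so that `rd` can remove the folder as an ordinary directory). The OTL log earlier shows the fsutil deletions failing with "The file can not be accessed by the system" and "Access is denied" until the ACL on the folder was reset with swxcacls, which is why the reset comes first in the sequence above. The block below is an added example written for this page; it is not part of the original posts, of OTL, or of fsutil. It parses a `dir /aL /s` listing (the embedded sample is a constructed, shortened copy of the first junctionPoints.txt in this thread), flags junctions that are not the expected .NET GAC ones, decodes a junction's REPARSE_DATA_BUFFER (the layout `fsutil reparsepoint query` dumps) to show where it points, and builds the header that `fsutil reparsepoint delete` sends with FSCTL_DELETE_REPARSE_POINT. The benign-parent allowlist and the sample target path are assumptions.

```python
"""Triage junctions from a ``dir /aL /s`` listing and decode junction reparse data.

Added example for this thread; not part of the original posts, OTL, or fsutil.
The benign-parent allowlist, the sample listing and the sample target path are
assumptions / constructed data."""
import re
import struct

IO_REPARSE_TAG_MOUNT_POINT = 0xA0000003   # reparse tag used by junctions
FSCTL_GET_REPARSE_POINT = 0x000900A8      # what "fsutil reparsepoint query" issues
FSCTL_DELETE_REPARSE_POINT = 0x000900AC   # what "fsutil reparsepoint delete" issues

# Assumption: junctions under these parents are created by the .NET GAC installer
# and are expected on a patched Windows XP box; anything else deserves a look.
BENIGN_JUNCTION_PARENTS = (
    r"c:\windows\assembly\gac_",
    r"c:\windows\microsoft.net\assembly\gac_",
)

# Constructed, shortened copy of the first junctionPoints.txt posted in this thread.
SAMPLE_LISTING = r"""
 Directory of c:\WINDOWS

12/30/2008  10:20 PM    <JUNCTION>     $NtUninstallKB38584$
               0 File(s)              0 bytes

 Directory of c:\WINDOWS\assembly\GAC_32\System.EnterpriseServices

11/24/2012  10:24 AM    <JUNCTION>     2.0.0.0__b03f5f7f11d50a3a
               0 File(s)              0 bytes

 Directory of c:\WINDOWS\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Workflow.Compiler

12/07/2012  09:26 PM    <JUNCTION>     v4.0_4.0.0.0__31bf3856ad364e35
               0 File(s)              0 bytes
"""

_DIR_HEADER = re.compile(r"^\s*Directory of (?P<dir>.+?)\s*$")
_JUNCTION = re.compile(r"^\s*(?P<stamp>\S+\s+\S+\s+[AP]M)\s+<JUNCTION>\s+(?P<name>.+?)\s*$")


def parse_dir_junction_listing(text):
    """Return (directory, name, timestamp) for every <JUNCTION> line in the listing."""
    entries, current = [], None
    for line in text.splitlines():
        m = _DIR_HEADER.match(line)
        if m:
            current = m.group("dir")
            continue
        m = _JUNCTION.match(line)
        if m and current is not None:
            entries.append((current, m.group("name"), m.group("stamp")))
    return entries


def triage_junctions(entries):
    """Keep only junctions outside the allowlist and say why each is suspicious.

    A hotfix uninstall folder ($NtUninstallKB...$) is normally a plain directory,
    so one that shows up as a junction is exactly the anomaly this thread chased."""
    suspicious = []
    for directory, name, stamp in entries:
        full = (directory.rstrip("\\") + "\\" + name).lower()
        if any(full.startswith(parent) for parent in BENIGN_JUNCTION_PARENTS):
            continue
        if re.fullmatch(r"\$ntuninstall.*\$", name.lower()):
            reason = "uninstall folder is a junction"
        else:
            reason = "junction outside known-benign paths"
        suspicious.append({"path": full, "timestamp": stamp, "reason": reason})
    return suspicious


def build_mount_point_buffer(substitute_name, print_name):
    """Build a junction REPARSE_DATA_BUFFER (constructed test data; same layout
    FSCTL_GET_REPARSE_POINT returns and ``fsutil reparsepoint query`` dumps)."""
    sub = substitute_name.encode("utf-16-le")
    prn = print_name.encode("utf-16-le")
    path_buffer = sub + b"\x00\x00" + prn + b"\x00\x00"   # each name NUL-terminated
    mount = struct.pack("<HHHH", 0, len(sub), len(sub) + 2, len(prn)) + path_buffer
    return struct.pack("<IHH", IO_REPARSE_TAG_MOUNT_POINT, len(mount), 0) + mount


def parse_reparse_buffer(buf):
    """Decode a REPARSE_DATA_BUFFER; for a junction, return the NT path it points to."""
    tag, data_len, _reserved = struct.unpack_from("<IHH", buf, 0)
    if tag != IO_REPARSE_TAG_MOUNT_POINT:
        return {"tag": tag, "target": None, "print_name": None}
    sub_off, sub_len, prn_off, prn_len = struct.unpack_from("<HHHH", buf, 8)
    path_buffer = buf[16:16 + data_len - 8]
    return {
        "tag": tag,
        "target": path_buffer[sub_off:sub_off + sub_len].decode("utf-16-le"),
        "print_name": path_buffer[prn_off:prn_off + prn_len].decode("utf-16-le"),
    }


def build_delete_reparse_header(tag):
    """The REPARSE_GUID_DATA_BUFFER header FSCTL_DELETE_REPARSE_POINT expects:
    tag, zero data length, reserved word, then a 16-byte GUID (zeroed here; for
    Microsoft tags such as junctions the GUID is not used)."""
    return struct.pack("<IHH", tag, 0, 0) + bytes(16)
```

On the listing above, `triage_junctions` skips the four GAC junctions and reports only `c:\windows\$ntuninstallkb38584$`, which is the one the thread removed. Decoding the reparse buffer tells you where such a junction points before you delete it, which is worth recording for the case write-up; the delete header is only useful on Windows, where it is passed to DeviceIoControl against a handle opened with FILE_FLAG_OPEN_REPARSE_POINT, and that call fails with the same access error as fsutil until the folder's ACL has been reset.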

#12 hpnutty (Topic Starter)

Posted 09 December 2012 - 10:22 AM

Georgi,

fsutil reparsepoint delete c:\windows\$ntuninstallkb38584$\2233865118
Note: after I ran this command I got this message:
Error: The File or directory is not a reparse point.

Below are the contents of the junction2.txt file:

Volume in drive C is c-drive
Volume Serial Number is 3C9E-344B


Directory of c:\WINDOWS\assembly\GAC_32\System.EnterpriseServices

11/24/2012 10:24 AM <JUNCTION> 2.0.0.0__b03f5f7f11d50a3a
0 File(s) 0 bytes


Directory of c:\WINDOWS\assembly\GAC_MSIL\IEExecRemote

11/24/2012 10:23 AM <JUNCTION> 2.0.0.0__b03f5f7f11d50a3a
0 File(s) 0 bytes


Directory of c:\WINDOWS\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices

12/07/2012 09:43 PM <JUNCTION> v4.0_4.0.0.0__b03f5f7f11d50a3a
0 File(s) 0 bytes


Directory of c:\WINDOWS\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Workflow.Compiler

12/07/2012 09:26 PM <JUNCTION> v4.0_4.0.0.0__31bf3856ad364e35
0 File(s) 0 bytes


Total Files Listed:
0 File(s) 0 bytes
4 Dir(s) 376,848,130,048 bytes free





#13 B-boy/StyLe/ (Bleeping Freestyler, Malware Response Team, Bulgaria)

Posted 09 December 2012 - 10:56 AM

Hi,



That looks a lot better.
Let's check for leftovers.
Most of them should take no more than 5 minutes each.
ESET could take up to an hour or two depending on the size of your hard drive and the speed of your computer.
You can run these scans at night when you are not there and the computer is idle.
And then I'll give you my final recommendations.



STEP 1


Let's check for rootkits.

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.
-- If you encounter any problems, try running GMER in safe mode.
-- If GMER crashes or keeps resulting in BSODs, uncheck Devices on the right side before scanning.



STEP 2


Let's make sure that nothing reappeared...

  • Please download the newest version of Malwarebytes' Anti-Malware and install it.
  • Please start the application by double-clicking on its icon.
  • Once the program has loaded go to the UPDATE tab and check for updates.
  • When the update is complete, select the Scanner tab
  • Select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad.
  • Please save it to a convenient location and post the results in your next reply.



STEP 3



I'd like us to scan your machine with ESET OnlineScan


  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Run ESET Online Scanner button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image


STEP 4


Let's get rid of all unwanted toolbar leftovers...


Download the adwCleaner
  • Run the Tool
    Windows Vista and Windows 7 users:
    Right click on adwCleaner.exe and select the option
    [image]
  • Select the Delete button.
  • Confirm each time with OK.
  • Your computer will be rebooted automatically.
  • A text file will open after the restart. Please post the content of that log file in your reply.


STEP 5


Let's get rid of all unwanted toolbar leftovers...

[image] Please download Junkware Removal Tool to your desktop.
  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista or Seven, right-mouse click it and select Run as Administrator.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.


STEP 6


Let's make sure that my fix applied correctly

Please download Farbar Service Scanner and run it on the computer with the issue.
  • Make sure that all options are checked.
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.


STEP 7


Let's make sure that my fix applied correctly

Please download MiniToolBox.exe by Farbar, save it to your desktop and run it.

Checkmark the following checkboxes:

  • List content of Hosts
  • List Winsock Entries

Click Go and post the result (Result.txt). A copy of Result.txt will be saved in the same directory the tool is run.



STEP 8


Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :filefind
    ensppmond.dll
    conisync.dll
    
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt



Regards,
Georgi
My help is always free of charge. If you appreciate my work, you can buy me a beer or two by clicking here.
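The reason Step 7 asks for the Hosts file is that a search hijacker like the one described in this thread can pin a site's name to an attacker-controlled address. The following is an added example, not part of the original post or of any Farbar tool: it parses a hosts file and flags entries that point a hostname somewhere other than the local machine. The sample hosts text and the 198.51.100.7 address are constructed for illustration.

```python
import ipaddress

# Constructed sample hosts file (not from the thread): normal loopback lines,
# one ad-blocking style entry, and two entries of the kind a search hijacker
# plants, where a real site is pinned to a routable, non-local address.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1       ad.doubleclick.example
198.51.100.7    www.google.com
198.51.100.7    www.bing.com      # constructed hijack entry
"""

# Addresses that only blackhole a name rather than redirecting it.
LOCAL_NETS = [
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("::1/128"),
    ipaddress.ip_network("0.0.0.0/32"),
]


def parse_hosts(text):
    """Yield (ip, hostname) pairs, skipping comments and blank lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        for name in names:
            yield ip, name.lower()


def suspicious_entries(text):
    """Return (ip, hostname, reason) for entries worth a closer look.

    A mapping to loopback merely blocks a name (common for ad blocking);
    a mapping to any other address silently redirects that site.
    """
    flagged = []
    for ip, name in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            flagged.append((ip, name, "unparseable address"))
            continue
        if any(addr in net for net in LOCAL_NETS):
            continue
        flagged.append((ip, name, "redirect to non-local address"))
    return flagged
```

On a Windows machine the file to feed in is %SystemRoot%\System32\drivers\etc\hosts; a clean file normally contains only loopback entries.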

#14 hpnutty

hpnutty
  • Topic Starter

  • Members
  • 27 posts

Posted 09 December 2012 - 02:16 PM

FYI - As you know, these scans take some time and the first scan is still running. Didn't want you to think I'm off doing something else! Thanks for your help.

#15 B-boy/StyLe/

B-boy/StyLe/

    Bleeping Freestyler


  • Malware Response Team
  • 6,374 posts
  • Gender:Male
  • Location:Bulgaria

Posted 09 December 2012 - 03:29 PM

Hi hpnutty,


Not a problem. I understand. No need to hurry - take your time. I want to be sure that we removed it completely from your system. :)



Regards,
Georgi
My help is always free of charge. If you appreciate my work, you can buy me a beer or two by clicking here.



