Whitesmoke


74 replies to this topic

#1 jurassicpark421


Posted 22 May 2013 - 10:27 PM

ZeroAccess Rootkit virus

 

Was helped by Broni on this issue.
 
I was trying to download a pdf file and in the midst picked something up.
Couldn't log into AOL or Facebook, and kept getting redirected even when trying to use Google.
 
He prompted me to the TDDS and I have attached the two notepad logs given. I was told it is the ZeroAccess Rootkit virus.

My original post can be found here:

http://www.bleepingcomputer.com/forums/t/495523/whitesmoke-cannot-sign-into-aol-or-facebook/

 

 

TDDS Documents

 

1.

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 10.0.9200.16576  BrowserJavaVersion: 1.6.0_20
Run by Administrator at 23:06:51 on 2013-05-22
Microsoft Windows 7 Enterprise   6.1.7601.1.1252.1.1033.18.2812.1421 [GMT -4:00]
.
AV: Microsoft Forefront Client Security *Enabled/Outdated* {BF5CEBDC-F2D3-7540-343C-F0CE11FD6E66}
SP: Microsoft Forefront Client Security *Enabled/Outdated* {043D0A38-D4E9-7ACE-0E8C-CBBC6A7A24DB}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
c:\Program Files\Microsoft Forefront\Client Security\Client\Antimalware\MsMpEng.exe
C:\Windows\system32\atiesrxx.exe
C:\Program Files\Common Files\logishrd\LVMVFM\UMVPFSrv.exe
C:\Windows\system32\atieclxx.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\spoolsv.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Windows\system32\taskhost.exe
C:\Program Files\Common Files\Nuance\dgnsvc.exe
C:\Program Files\Microsoft Forefront\Client Security\Client\SSA\FcsSas.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Windows\system32\taskeng.exe
C:\ProgramData\BetterSoft\OptimizerPro\OptimizerPro.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Microsoft Forefront\Client Security\Client\Antimalware\MSASCui.exe
C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\ProgramData\FLEXnet\Connect\11\agent.exe
C:\Windows\system32\SearchIndexer.exe
C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe
C:\Program Files\McAfee Security Scan\3.0.318\SSScheduler.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\7-Zip\7zFM.exe
C:\Windows\System32\MsSpellCheckingFacility.exe
C:\Windows\System32\WUDFHost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k imgsvc
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
BHO: CoonntinuuetiosaaVe: {0DAD4EA2-8158-A4EE-6CD6-1BF952CBD5BF} - c:\programdata\coonntinuuetiosaave\519cf81d529af.dll
BHO: MSS+ Identifier: {0E8A89AD-95D7-40EB-8D9D-083EF7066A01} - c:\program files\mcafee security scan\3.0.318\McAfeeMSS_IE.dll
BHO: DivX Plus Web Player HTML5 <video>: {326E768D-4182-46FD-9C16-1449A49795F4} - c:\program files\divx\divx plus web player\ie\divxhtml5\DivXHTML5.dll
BHO: coontinouuetosoAve: {5F28EB38-68F4-2EA9-7E9E-D2A9F3A4FF90} - c:\programdata\coontinouuetosoave\519cfe142b4e0.dll
BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - c:\program files\microsoft office\office14\GROOVEEX.DLL
BHO: Dragon NaturallySpeaking Rich Internet Application Support - Extension: {73A89C60-CF59-4EC7-9215-9B7EF05ECEA4} - c:\program files\nuance\naturallyspeaking12\program\ieshim.dll
BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - c:\program files\microsoft office\office14\URLREDIR.DLL
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Yontoo: {FD72061E-9FDE-484D-A58A-0BAB4151CAD8} - c:\program files\yontoo\YontooIEClient.dll
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /minimized /regrun
uRun: [ISUSPM] c:\programdata\flexnet\connect\11\ISUSPM.exe -scheduler
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [WideSearch] c:\users\administrator\appdata\local\widesearch\wsearch.exe
uRun: [DownBook] "c:\users\administrator\appdata\local\downbook\DownBook.exe" 676fa760e6c8ab34acfd54d31ae93ecd 6
mRun: [Microsoft Forefront Client Security Antimalware Service] "c:\program files\microsoft forefront\client security\client\antimalware\MSASCui.exe" -hide
mRun: [BCSSync] "c:\program files\microsoft office\office14\BCSSync.exe" /DelayServices
mRun: [RtHDVCpl] c:\program files\realtek\audio\hda\RtHDVCpl.exe -s
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [ISUSPM] c:\programdata\flexnet\connect\11\\isuspm.exe -scheduler
mRun: [DNS7reminder] "c:\program files\nuance\naturallyspeaking12\ereg\ereg.exe" -r "c:\programdata\nuance\naturallyspeaking12\Ereg.ini"
mRun: [DivXMediaServer] c:\program files\divx\divx media server\DivXMediaServer.exe
mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\3.0.318\SSScheduler.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-System: ConsentPromptBehaviorAdmin = dword:0
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableLUA = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
mPolicies-System: PromptOnSecureDesktop = dword:0
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\micros~2\office14\ONBttnIE.dll/105
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
LSP: mswsock.dll
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: NameServer = 192.168.1.1
TCP: Interfaces\{6820F125-E122-4338-AF0C-4A13BB6E84D2} : DHCPNameServer = 192.168.1.1
TCP: Interfaces\{6820F125-E122-4338-AF0C-4A13BB6E84D2}\131364850373233343530343 : DHCPNameServer = 192.168.1.1
TCP: Interfaces\{6820F125-E122-4338-AF0C-4A13BB6E84D2}\2516D61646160245F6D637022596675627 : DHCPNameServer = 192.168.7.1
TCP: Interfaces\{6820F125-E122-4338-AF0C-4A13BB6E84D2}\E465436374 : DHCPNameServer = 192.168.1.1
TCP: Interfaces\{85CDDB5C-653D-4636-8BD2-C9DDE03A5380} : DHCPNameServer = 192.168.1.1 192.168.1.1
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\common files\skype\Skype4COM.dll
SSODL: WebCheck - <orphaned>
SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - c:\program files\microsoft office\office14\GROOVEEX.DLL
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "c:\program files\google\chrome\application\26.0.1410.64\installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
.
============= SERVICES / DRIVERS ===============
.
R2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2011-7-5 176128]
R2 DragonSvc;Dragon Service;c:\program files\common files\nuance\dgnsvc.exe [2012-7-18 310232]
R2 FCSAM;Microsoft Forefront Client Security Antimalware Service;c:\program files\microsoft forefront\client security\client\antimalware\MsMpEng.exe [2010-7-20 16896]
R2 FcsSas;Microsoft Forefront Client Security State Assessment Service;c:\program files\microsoft forefront\client security\client\ssa\FcsSas.exe [2007-4-6 73120]
R3 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-2-12 71424]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2011-6-10 394856]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [2011-3-11 62464]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\mcafee security scan\3.0.318\McCHSvc.exe [2013-2-5 235216]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2012-12-7 14848]
S3 Synth3dVsc;Microsoft Virtual 3D Video Transport Driver;c:\windows\system32\drivers\Synth3dVsc.sys [2011-3-11 77184]
S3 terminpt;Microsoft Remote Desktop Input Driver;c:\windows\system32\drivers\terminpt.sys [2012-12-7 24064]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2012-12-7 49664]
S3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2012-12-7 27136]
S3 tsusbhub;Remote Deskotop USB Hub;c:\windows\system32\drivers\tsusbhub.sys [2011-3-11 112640]
S3 vm3dmp;vm3dmp;c:\windows\system32\drivers\vm3dmp.sys [2010-2-11 70704]
S3 vmmouse;VMware Pointing Device;c:\windows\system32\drivers\vmmouse.sys [2010-2-11 11440]
.
=============== Created Last 30 ================
.
2013-05-23 02:34:08 -------- d-----w- c:\users\administrator\appdata\roaming\Malwarebytes
2013-05-23 02:33:52 -------- d-----w- c:\programdata\Malwarebytes
2013-05-23 02:33:49 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-05-23 02:33:49 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2013-05-23 02:33:03 -------- d-----w- c:\users\administrator\appdata\local\Programs
2013-05-23 01:12:37 8192 ----a-w- c:\program files\windows defender\en-us\systemprofile\appdata\local\microsoft\windows\temporary internet files\content.ie5\PCBenchmarkSetup[1].exe
2013-05-22 22:19:20 -------- d-----w- c:\users\administrator\appdata\roaming\NCdownloader
2013-05-22 20:36:43 -------- d-----w- c:\programdata\Browser Manager
2013-05-22 17:21:33 -------- d-----w- c:\users\administrator\appdata\local\DownBook
2013-05-22 17:21:23 -------- d-----w- c:\users\administrator\appdata\local\Babylon
2013-05-22 17:21:19 -------- d-----w- c:\users\administrator\appdata\roaming\Babylon
2013-05-22 17:21:19 -------- d-----w- c:\programdata\Babylon
2013-05-22 17:21:15 -------- d-----w- c:\users\administrator\appdata\local\WideSearch
2013-05-22 16:52:40 -------- d-----w- c:\programdata\CoonntinuuetiosaaVe
2013-05-22 16:38:03 -------- d-----w- c:\program files\Conduit
2013-05-22 16:37:57 -------- d-----w- c:\users\administrator\appdata\local\Conduit
2013-05-22 16:37:43 -------- d-----w- c:\users\administrator\appdata\local\CRE
2013-05-22 16:37:04 -------- d-----w- c:\programdata\StarApp
2013-05-22 16:36:56 -------- d-----w- c:\programdata\BetterSoft
2013-05-22 16:35:27 -------- d-----w- c:\programdata\coontinouuetosoAve
2013-05-22 16:34:51 -------- d-----w- c:\programdata\InstallMate
2013-05-20 06:09:13 56200 ----a-w- c:\programdata\microsoft\microsoft forefront\client security\client\antimalware\definition updates\{bc7a8021-e334-46e3-a174-78e28748cee4}\offreg.dll
2013-05-18 06:11:00 2706432 ----a-w- c:\windows\system32\mshtml.tlb
2013-05-17 20:59:49 262552 ----a-w- c:\program files\mozilla firefox\browser\components\browsercomps.dll
2013-05-17 20:59:37 159744 ----a-w- c:\program files\mozilla firefox\plugins\npqtplugin7.dll
2013-05-17 20:59:37 159744 ----a-w- c:\program files\mozilla firefox\plugins\npqtplugin6.dll
2013-05-17 20:59:36 159744 ----a-w- c:\program files\mozilla firefox\plugins\npqtplugin5.dll
2013-05-17 20:59:36 159744 ----a-w- c:\program files\mozilla firefox\plugins\npqtplugin4.dll
2013-05-17 20:59:36 159744 ----a-w- c:\program files\mozilla firefox\plugins\npqtplugin3.dll
2013-05-17 20:59:36 159744 ----a-w- c:\program files\mozilla firefox\plugins\npqtplugin2.dll
2013-05-17 20:59:36 159744 ----a-w- c:\program files\mozilla firefox\plugins\npqtplugin.dll
2013-05-17 20:59:35 411368 ----a-w- c:\program files\mozilla firefox\plugins\npdeployJava1.dll
2013-05-17 20:59:35 26520 ----a-w- c:\program files\mozilla firefox\plugin-hang-ui.exe
2013-05-17 20:59:35 209472 ----a-w- c:\program files\mozilla firefox\plugins\nppdf32.dll
2013-05-17 00:33:15 40960 ----a-w- c:\windows\system32\wwanprotdim.dll
2013-05-17 00:33:15 186368 ----a-w- c:\windows\system32\wwansvc.dll
2013-05-17 00:33:14 2347520 ----a-w- c:\windows\system32\win32k.sys
2013-05-17 00:33:07 728424 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
2013-05-17 00:33:07 218984 ----a-w- c:\windows\system32\drivers\dxgmms1.sys
2013-05-17 00:32:59 1796096 ----a-w- c:\windows\system32\authui.dll
2013-05-17 00:32:59 101720 ----a-w- c:\windows\system32\consent.exe
2013-05-17 00:32:58 47104 ----a-w- c:\windows\system32\appinfo.dll
2013-05-11 10:37:28 209472 ----a-w- c:\program files\internet explorer\plugins\nppdf32.dll
2013-04-24 14:28:33 1211752 ----a-w- c:\windows\system32\drivers\ntfs.sys
.
==================== Find3M  ====================
.
2013-05-17 02:15:13 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-05-17 02:15:13 692104 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-05-08 06:10:12 770384 ----a-w- c:\windows\system32\msvcr100.dll
2013-05-08 06:10:12 421200 ----a-w- c:\windows\system32\msvcp100.dll
2013-04-13 04:45:16 474624 ----a-w- c:\windows\apppatch\AcSpecfc.dll
2013-04-13 04:45:15 2176512 ----a-w- c:\windows\apppatch\AcGenral.dll
2013-04-05 05:28:24 1767424 ----a-w- c:\windows\system32\wininet.dll
2013-04-05 05:26:26 2877440 ----a-w- c:\windows\system32\jscript9.dll
2013-04-05 05:26:21 61440 ----a-w- c:\windows\system32\iesetup.dll
2013-04-05 05:26:21 109056 ----a-w- c:\windows\system32\iesysprep.dll
2013-04-05 03:38:25 71680 ----a-w- c:\windows\system32\RegisterIEPKEYs.exe
2013-03-19 05:04:13 3968856 ----a-w- c:\windows\system32\ntkrnlpa.exe
2013-03-19 05:04:10 3913560 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-03-19 04:48:45 38912 ----a-w- c:\windows\system32\csrsrv.dll
2013-03-19 02:49:16 69632 ----a-w- c:\windows\system32\smss.exe
.
============= FINISH: 23:08:47.85 ===============

2nd

 

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2012-11-20.01)
.
Microsoft Windows 7 Enterprise
Boot Device: \Device\HarddiskVolume1
Install Date: 12/7/2012 2:57:25 PM
System Uptime: 5/22/2013 10:51:23 PM (1 hours ago)
.
Motherboard: TOSHIBA |  | Portable PC
Processor: AMD Athlon™ II Dual-Core M300 | Socket S1G3 | 2000/200mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 298 GiB total, 266.795 GiB free.
D: is CDROM ()
E: is CDROM (CDFS)
F: is Removable
.
==== Disabled Device Manager Items =============
.
Class GUID:
Description:
Device ID: ACPI\TOS1901\2&DABA3FF&2
Manufacturer:
Name:
PNP Device ID: ACPI\TOS1901\2&DABA3FF&2
Service:
.
==== System Restore Points ===================
.
RP40: 5/22/2013 8:50:24 PM - Restore 1
RP41: 5/22/2013 9:35:19 PM - Restore Operation
.
==== Installed Programs ======================
.
7-Zip 4.65
Adobe Flash Player 11 ActiveX
Adobe Flash Player 11 Plugin
Adobe Reader XI (11.0.03)
Adobe Shockwave Player 11.6
Apple Application Support
Apple Software Update
CoonntinuuetiosaaVe
Definition Update for Microsoft Office 2010 (KB982726) 32-Bit Edition
DivX Setup
Dragon NaturallySpeaking 12
Google Chrome
Google Earth Plug-in
Google Update Helper
Java Auto Updater
Java™ 6 Update 20
Malwarebytes Anti-Malware version 1.75.0.1300
McAfee Security Scan Plus
Microsoft .NET Framework 4 Client Profile
Microsoft .NET Framework 4 Extended
Microsoft Forefront Client Security Antimalware Service
Microsoft Forefront Client Security State Assessment Service
Microsoft Office 2010 Service Pack 1 (SP1)
Microsoft Office Access MUI (English) 2010
Microsoft Office Access Setup Metadata MUI (English) 2010
Microsoft Office Excel MUI (English) 2010
Microsoft Office Groove MUI (English) 2010
Microsoft Office InfoPath MUI (English) 2010
Microsoft Office Live Add-in 1.4
Microsoft Office OneNote MUI (English) 2010
Microsoft Office Outlook MUI (English) 2010
Microsoft Office PowerPoint MUI (English) 2010
Microsoft Office Professional Plus 2010
Microsoft Office Proof (English) 2010
Microsoft Office Proof (French) 2010
Microsoft Office Proof (Spanish) 2010
Microsoft Office Proofing (English) 2010
Microsoft Office Publisher MUI (English) 2010
Microsoft Office Shared MUI (English) 2010
Microsoft Office Shared Setup Metadata MUI (English) 2010
Microsoft Office Word MUI (English) 2010
Microsoft Silverlight
Microsoft VC9 runtime libraries
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 4.0 SP2 Parser and SDK
OGA Notifier 2.0.0048.0
OptimizerPro
PhotoScape
QuickTime
Realtek High Definition Audio Driver
Security Update for CAPICOM (KB931906)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2729449)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2736428)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2737019)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2742595)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2789642)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2804576)
Security Update for Microsoft .NET Framework 4 Extended (KB2487367)
Security Update for Microsoft .NET Framework 4 Extended (KB2656351)
Security Update for Microsoft .NET Framework 4 Extended (KB2736428)
Security Update for Microsoft .NET Framework 4 Extended (KB2742595)
Security Update for Microsoft Office 2010 (KB2553091)
Security Update for Microsoft Office 2010 (KB2553096)
Security Update for Microsoft Office 2010 (KB2589320) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2598039) 32-Bit Edition
Security Update for Microsoft PowerPoint 2010 (KB2553185) 32-Bit Edition
Security Update for Microsoft SharePoint Workspace 2010 (KB2566445)
Security Update for Microsoft Visio Viewer 2010 (KB2597170) 32-Bit Edition
Skype™ 6.0
SoulSeek 157 NS 13e
swMSM
Synaptics Pointing Device Driver
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217)
Update for Microsoft .NET Framework 4 Extended (KB2468871)
Update for Microsoft .NET Framework 4 Extended (KB2533523)
Update for Microsoft .NET Framework 4 Extended (KB2600217)
Update for Microsoft Excel 2010 (KB2553439) 32-Bit Edition
Update for Microsoft Office 2010 (KB2494150)
Update for Microsoft Office 2010 (KB2553065)
Update for Microsoft Office 2010 (KB2553092)
Update for Microsoft Office 2010 (KB2553181) 32-Bit Edition
Update for Microsoft Office 2010 (KB2553267) 32-Bit Edition
Update for Microsoft Office 2010 (KB2553270) 32-Bit Edition
Update for Microsoft Office 2010 (KB2553310) 32-Bit Edition
Update for Microsoft Office 2010 (KB2553385) 32-Bit Edition
Update for Microsoft Office 2010 (KB2566458)
Update for Microsoft Office 2010 (KB2596964) 32-Bit Edition
Update for Microsoft Office 2010 (KB2597091) 32-Bit Edition
Update for Microsoft OneNote 2010 (KB2553290) 32-Bit Edition
Update for Microsoft Outlook 2010 (KB2553248) 32-Bit Edition
Update for Microsoft Outlook Social Connector 2010 (KB2553406) 32-Bit Edition
VC80CRTRedist - 8.0.50727.6195
VLC media player 2.0.1
Yontoo 1.10.03
.
==== Event Viewer Messages From Past Week ========
.
5/22/2013 12:59:05 PM, Error: Service Control Manager [7030]  - The Datamngr Coordinator service is marked as an interactive service.  However, the system is configured to not allow interactive services.  This service may not function properly.
5/22/2013 11:06:12 PM, Error: Disk [11]  - The driver detected a controller error on \Device\Harddisk1\DR2.
5/22/2013 10:56:52 PM, Error: FcsSas [10006]  - Forefront Client Security State Assessment Service policy applied with errors. Reverted to the following settings: Schedule Type: Interval Time: 12 Parameter:
5/22/2013 10:51:53 PM, Error: Service Control Manager [7000]  - The Sendoriv1 service failed to start due to the following error:  The system cannot find the file specified.
5/22/2013 1:27:04 PM, Error: Service Control Manager [7031]  - The Microsoft Forefront Client Security Antimalware Service service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 15000 milliseconds: Restart the service.
5/22/2013 1:27:03 PM, Error: Service Control Manager [7023]  - The Computer Browser service terminated with the following error:  The specified service does not exist as an installed service.
5/21/2013 1:23:25 PM, Error: Tcpip [4199]  - The system detected an address conflict for IP address 0.0.0.0 with the system having network hardware address 00-00-00-00-00-00. Network operations on this system may be disrupted as a result.
5/18/2013 2:41:26 PM, Error: volsnap [36]  - The shadow copies of volume C: were aborted because the shadow copy storage could not grow due to a user imposed limit.
5/17/2013 12:18:27 PM, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "109" attempting to start the service gupdate with arguments "/comsvc" in order to run the server: {4EB61BAC-A3B6-4760-9581-655041EF4D69}
5/17/2013 12:18:26 PM, Error: Service Control Manager [7000]  - The Google Update Service (gupdate) service failed to start due to the following error:  The pipe has been ended.
.
==== End Of File ===========================


Edited by jurassicpark421, 23 May 2013 - 11:15 AM.
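The DDS log above contains two things a responder looks at first: the UAC policies under mPolicies-System all set to 0 (UAC switched off, silent elevation, no secure desktop) and autostart/BHO entries living under ProgramData or AppData\Local with random hexadecimal file names. As an added example (not DDS code and not from this thread), this Python triage pass parses a few Pseudo HJT lines copied from the log and flags exactly those patterns; the secure values it expects are assumed to be the Windows 7 defaults.

```python
import re
from dataclasses import dataclass


@dataclass
class Finding:
    line: str
    reason: str


# Constructed sample: lines copied from the "Pseudo HJT Report" section of the DDS log
# in this thread. DDS abbreviates the hives: uRun/uPolicies = HKCU, mRun/mPolicies = HKLM.
SAMPLE_LOG = r"""
uStart Page = hxxp://www.google.com/
BHO: CoonntinuuetiosaaVe: {0DAD4EA2-8158-A4EE-6CD6-1BF952CBD5BF} - c:\programdata\coonntinuuetiosaave\519cf81d529af.dll
BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - c:\program files\microsoft office\office14\GROOVEEX.DLL
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /minimized /regrun
uRun: [WideSearch] c:\users\administrator\appdata\local\widesearch\wsearch.exe
uRun: [DownBook] "c:\users\administrator\appdata\local\downbook\DownBook.exe" 676fa760e6c8ab34acfd54d31ae93ecd 6
mRun: [RtHDVCpl] c:\program files\realtek\audio\hda\RtHDVCpl.exe -s
mPolicies-System: ConsentPromptBehaviorAdmin = dword:0
mPolicies-System: EnableLUA = dword:0
mPolicies-System: PromptOnSecureDesktop = dword:0
""".strip()

POLICY_RE = re.compile(r"^[um]Policies-System: (\w+) = dword:(\d+)$")
RUN_RE = re.compile(r"^[um]Run: \[([^\]]+)\] (.*)$")
BHO_RE = re.compile(r"^BHO: (.+?): \{[0-9A-Fa-f-]+\} - (.*)$")
# First drive-letter path ending in an executable extension; tolerates quotes and arguments.
PATH_RE = re.compile(r"[a-z]:\\.*?\.(?:exe|dll|scr|com|bat|cmd)\b", re.IGNORECASE)

# User-writable directories where adware and droppers commonly place their autostarts.
# Legitimate software almost always autostarts from Program Files or the Windows directory.
USER_WRITABLE = ("\\programdata\\", "\\appdata\\local\\", "\\appdata\\roaming\\", "\\temp\\")
HEX_NAME_RE = re.compile(r"^[0-9a-f]{10,}$")


def check_uac_policy(name: str, value: int):
    """Return a reason if a UAC policy holds an insecure value, else None.
    Secure values assumed here are the Windows 7 defaults:
    EnableLUA=1, PromptOnSecureDesktop=1, ConsentPromptBehaviorAdmin!=0."""
    if name == "EnableLUA" and value == 0:
        return "UAC is turned off: admin-token processes run fully elevated with no prompt"
    if name == "ConsentPromptBehaviorAdmin" and value == 0:
        return "administrators elevate silently (ConsentPromptBehaviorAdmin=0)"
    if name == "PromptOnSecureDesktop" and value == 0:
        return "elevation prompts appear on the normal desktop, where they can be spoofed"
    return None


def check_autostart_path(path: str):
    """Return a reason if an autostart or BHO binary looks out of place, else None."""
    low = path.lower()
    reasons = []
    if any(d in low for d in USER_WRITABLE):
        reasons.append("binary lives in a user-writable data directory")
    stem = low.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    if HEX_NAME_RE.match(stem):
        reasons.append("random-looking hexadecimal file name")
    return "; ".join(reasons) or None


def triage(log_text: str):
    """Scan DDS Pseudo-HJT lines and return the suspicious ones, each with a reason."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if (m := POLICY_RE.match(line)):
            reason = check_uac_policy(m.group(1), int(m.group(2)))
        elif (m := RUN_RE.match(line) or BHO_RE.match(line)):
            p = PATH_RE.search(m.group(2))
            reason = check_autostart_path(p.group(0)) if p else "no executable path found"
        else:
            reason = None  # start page, IE menu entries, etc. are not checked here
        if reason:
            findings.append(Finding(line, reason))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason}\n    {f.line}")
```

On the sample above the pass reports six lines: the three UAC policies, the two HKCU Run entries under AppData\Local, and the ProgramData BHO with the hexadecimal DLL name; Skype, Groove and the Realtek entry pass.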


#2 gringo_pr


Posted 22 May 2013 - 10:36 PM


Hello jurassicpark421

I would like to welcome you to the Malware Removal section of the forum.

Around here they call me Gringo and I will be glad to help you with your malware problems.


Very Important --> Please read this post completely. I have spent my time to put together some things for you to keep in mind while I am helping you, to make things go easier, faster and smoother for both of us!

  • Please do not run any tools unless instructed to do so.
    • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please do not attach logs or use code boxes, just copy and paste the text.
    • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
  • Please read every post completely before doing anything.
    • Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
  • Please provide feedback about your experience as we go.
    • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.
NOTE: At the top of your post, click on the "Follow This Topic" Button, make sure that the "Receive notification" box is checked and that it is set to "Instantly" - This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Backup any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartache if things don't go as planned. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.


These are the programs I would like you to run next, if you have any problems with one of these just skip it and move on to the next one.

-AdwCleaner-

Please download AdwCleaner by Xplode onto your desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Delete.
  • Confirm each time with Ok.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the content of that logfile with your next answer.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.
-Junkware-Removal-Tool-

Please download Junkware Removal Tool to your desktop.
  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.
When they are complete let me have the two reports and let me know how things are running.

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic


Please Only Copy And Paste Reports Into Topic - Do Not Attach

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#3 jurassicpark421


Posted 23 May 2013 - 10:55 AM

Hi there and thank you for your assistance!

 

I have loaded the two programs you mentioned above to my flashdrive, but my computer will not allow me to open or run them. Instead, Internet Security (no idea where that came from) is not allowing it.

Can I try this in safe mode or something?


Edited by jurassicpark421, 23 May 2013 - 10:56 AM.


#4 gringo_pr


Posted 23 May 2013 - 01:38 PM

yes try in safe mode and let me know if it works


gringo

#5 gringo_pr


Posted 26 May 2013 - 12:30 AM


Greetings


I have not heard from you in a couple of days so I am coming by to check on you to see if you are having problems or you just need some more time.

Also to remind you that it is very important that we finish the process completely so as to not get reinfected. I will let you know when we are complete, and I will ask you to remove our tools.




Gringo

#6 jurassicpark421


Posted 30 May 2013 - 06:45 PM

SO sorry, I had a family emergency and was not able to do any of this. I am going to work on this as we speak. Will respond soon.



#7 jurassicpark421


Posted 30 May 2013 - 06:58 PM

Ok, I am able to get to the F8 menu but now my keyboard won't let me select safe mode. When I get to the normal Windows, my mouse is wonky as well.... hooked up a mouse but my keyboard will not work at all....


Edited by jurassicpark421, 30 May 2013 - 07:12 PM.


#8 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,281 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 30 May 2013 - 11:36 PM


Hello jurassicpark421

download Farbar Recovery Scan Tool and save it to a flash drive.


Plug the flash drive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
On the System Recovery Options menu you will get the following options:

  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt
  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • First Press the Scan button.
  • It will make a log (FRST.txt)
Gringo
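The steps above have you find the flash drive's letter by hand through Notepad's File > Open dialog. As an added example, not part of gringo_pr's instructions, the lines below do that lookup at the same System Recovery Options command prompt. The recovery environment assigns its own drive letters (the system volume is frequently not C: there), so the first loop probes each letter for frst.exe, the file name used in the post, assumed to be saved at the root of the flash drive under that name; the second loop shows which drive actually holds the Windows installation being repaired. The rem lines are comments and need not be typed.

```batch
rem Added example (not from the post): locate the flash drive and the Windows
rem volume from the System Recovery Options command prompt.

rem Probe each drive letter for frst.exe, assumed to sit at the root of the
rem flash drive under that name, and print the letter where it is found.
for %D in (C D E F G H I J K L M N O P) do @if exist %D:\frst.exe echo frst.exe is on %D:

rem Show which drive holds the Windows installation being repaired; inside the
rem recovery environment it is not always C:, so check rather than assume.
for %D in (C D E F G H I J K L M N O P) do @if exist %D:\Windows\System32\config\SYSTEM echo Windows is installed on %D:

rem Start the tool from whichever letter the first loop reported, E: here as
rem in the post. FRST writes its log, FRST.txt, beside the executable, so the
rem log ends up on the flash drive and can be read on a working computer.
E:\frst.exe
```

These lines are written for typing directly at the prompt; if you put them in a .cmd file instead, each %D must become %%D. Probing only the drive letters, rather than browsing with Notepad, also keeps you from clicking through folders on the infected volume while the keyboard is unreliable.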

#9 jurassicpark421
  • Topic Starter
  • Members
  • 48 posts
  • Gender:Female

Posted 31 May 2013 - 10:16 AM

Darn, I tried to hit F8 and cannot select with my keyboard... So I tried F12, and the Launch Startup Repair was already highlighted, so I just let the computer do that?

 

Seems like whatever infected my PC has taken the keyboard ( possible? )

 

Right now I have the flashdrive hooked up and Startup Repair is scanning... but I don't think this is really what you wanted me to do.

 

By the way, thank you SO much for this



#10 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,281 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 31 May 2013 - 11:03 AM

No, but let it finish and try again.

#11 jurassicpark421
  • Topic Starter
  • Members
  • 48 posts
  • Gender:Female

Posted 31 May 2013 - 12:23 PM

Again, I cannot use the keyboard at all. So when I do F12, luckily, the Launch StartUp Repair is the one highlighted.

 

When I do start windows normally to try and open the programs you gave me which are on a flashdrive, Internet Security shuts them down. It shuts everything down, even if I try to open something in the Control Panel.

 

How can I try to do the steps given to me in safe mode if I cannot select with the arrow keys? Any other ways? The only things I can do with the keyboard is use the F8 or F12 keys...this is very frustrating! :(

 

I will let you know what it says when the start up repair finishes



#12 jurassicpark421
  • Topic Starter
  • Members
  • 48 posts
  • Gender:Female

Posted 31 May 2013 - 12:40 PM

Right:

 

Startup Repair cannot repair this computer automatically. Sending more information can help Microsoft create solutions.

 

>Send Info

>Don't Send

 

View problem details....



#13 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,281 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 31 May 2013 - 08:26 PM

Hello

I want you to download this program from a clean computer and rename it to Iexplorer.exe

Rename combofix:

Please download Combofix from one of these locations:
  • Link 1
  • Link 2
  • Link 3

    You must rename it before saving it... Rename it: IEexplorer.exe. See images below. Save it to your desktop.
[images: CFOpen.gif, CFRen.gif]
  • Please disable any Antivirus and Firewall you have active, as shown in this topic. Please close all open application windows.
  • Double click on IExplorer.exe & follow the prompts.
    • Do Not use your keyboard or mouse click anywhere in the ComboFix window, as this may cause the program to stall or crash.
    • Do Not touch your computer when ComboFix is running!
  • When finished, Notepad will open and ComboFix will produce a log file.
  • Please copy/paste the contents of this log in your next reply.


#14 jurassicpark421
  • Topic Starter
  • Members
  • 48 posts
  • Gender:Female

Posted 31 May 2013 - 10:17 PM

I tried renaming it on my working computer, but then when I tried to open it on the infected PC, Internet Security again won't let me open it.

 

I will try again with safe mode...but don't think my keys will work :(


Edited by jurassicpark421, 01 June 2013 - 11:01 AM.


#15 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,281 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 31 May 2013 - 10:30 PM

Do you have another computer or a friend that might help you download it?


Gringo



