
Testendonline & who knows what else


  • This topic is locked
29 replies to this topic

#1 cedarrabbit

  • Members
  • 71 posts
  • Gender:Male

Posted 20 October 2011 - 04:45 PM

OS Windows Vista Basic 32bit.
I have an infection or multiple infections that I first noticed with browser redirecting to delivery.jemacpv.com/network/c/adclick.php?ad=YWR2ZXJ0aXNlcl9pZD0xMDQ5JmNhbXBhaWduX2lkPTI5NSZwdWJsaXNoZXJfaWQ9MTAwMyZjbGlja19jcGM9MC4wMDMwMCZyYW5rPTEmem9uZT0yJnVzZXJfaXA9NzUuMjI3LjEzNy4yMCZvZmZzZXQ9MCZjbGlja19pZD00ZGZhZTFlZGRjZWQ0MDU5ZTM2ZDVjNDFiZjBiOWM5OCZrZXl3b3JkPSZtYXRjaGVkX2tleXdvcmQ9JmFkX2NvdW50PTkmcGFnZV9yZWZlcnJlZD0mdXJsPWh0dHAlM0ElMkYlMkZ0ZXN0ZW5kb25saW5lLmNvbSUyRmQlMkZwaWQxMDAzdXMuY29tJmRhdGVzdGFtcD0yMDExLTEwLTE4IDA2OjE5OjQzJnB1Ymxpc2hlcl9jaGFubmVsX2lkcz0mY3h1X2lkPTAmY3h1a19pZD0w;26758104bc1bbf6476bf96595f9f4cc6 and then to hxxp://testendonline.com/d/p2i1d22419 with this message "Congratulations!
You are the Texas winner for October 13th (you are the Louisiana winner, etc)
Please select a prize and enter your email on the next page to claim."

It also changed settings on my computer, causes some programs to run sluggishly or not at all and I also get pop up messages from AVG about Exploit Blackhole Exploit Kit infections. Occasionally the computer crashes and restarts.
I tried to run Malwarebytes but it disappeared every time in just a few seconds. I ran rkill and it did the same thing. I tried them both in safemode and they seemed to do something, but then back in regular mode they did nothing.
Upon recommendation, I followed the Prep Guide to start this new post. I tried to do a backup but the program ended up with 396 errors so I just manually moved files to an external disk. I was unable to enable Windows Firewall. I ran Defogger but it did not ask me to reboot, so I guess I either don't have any CD emulation programs or it didn't work properly. I tried to run DDS which said that it should take no longer than 3 minutes. After 30 minutes it still did not give any results and my computer locked up. I restarted and tried again with the same result. I tried to run GMER and it opened up for a few seconds and then disappeared.
I tried OTL by OldTimer and it disappeared upon clicking "run scan".
I tried RSIT by random/random and it created only a "log.txt", not an "info.txt".
Here is the log.txt:
Logfile of random's system information tool 1.09 (written by random/random)
Run by Nathan at 2011-10-20 16:10:48
Microsoft® Windows Vista™ Home Basic Service Pack 2
System drive C: has 6 GB (8%) free of 75 GB
Total RAM: 2037 MB (50% free)


======Scheduled tasks folder======

C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
C:\Windows\tasks\GoogleUpdateTaskMachineUA.job

=========Mozilla firefox=========

ProfilePath - C:\Users\Nathan\AppData\Roaming\Mozilla\Firefox\Profiles\5pr7o2r9.default

prefs.js - "browser.search.useDBForOrder" - true
prefs.js - "browser.startup.homepage" - "http://www.email.ws/"
prefs.js - "keyword.URL" - "http://search.conduit.com/ResultsExt.aspx?ctid=CT2786678&q="

"{20a82645-c095-46ed-80e3-08825760534b}"=C:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
"{ABDE892B-13A8-4d1b-88E6-365A6E755758}"=C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext
"{1E73965B-8B48-48be-9C8D-68B920ABC1C4}"=C:\Program Files\AVG\AVG2012\Firefox4\
"{EB132DB0-A4CA-11DF-9732-0E29E0D72085}"=C:\Program Files\Object\facetheme


[HKEY_LOCAL_MACHINE\SOFTWARE\MozillaPlugins\@adobe.com/FlashPlayer]
"Description"=Adobe® Flash® Player 10.1 Plugin
"Path"=C:\Windows\system32\Macromed\Flash\NPSWF32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\MozillaPlugins\@Apple.com/iTunes,version=]
"Description"=iTunes Detector Plug-in
"Path"=

[HKEY_LOCAL_MACHINE\SOFTWARE\MozillaPlugins\@Apple.com/iTunes,version=1.0]
"Description"=
"Path"=C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\MozillaPlugins\@ei.SmileyCentral_1v.com/Plugin]
"Description"=SmileyCentral Plugin
"Path"=C:\Program Files\SmileyCentral_1vEI\Installr\2.bin\NP1vEISB.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\MozillaPlugins\@google.com/npPicasa3,version=3.0.0]
"Description"=Picasa3 plugin
"Path"=C:\Program Files\Picasa2\npPicasa3.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\MozillaPlugins\@java.com/JavaPlugin]
"Description"=Oracle® Next Generation Java™ Plug-In
"Path"=C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\MozillaPlugins\@microsoft.com/WPF,version=3.5]
"Description"=Windows Presentation Foundation plug-in for Mozilla browsers
"Path"=C:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\MozillaPlugins\@real.com/nppl3260;version=12.0.1.647]
"Description"=RealPlayer™ LiveConnect-Enabled Plug-In
"Path"=c:\program files\real\realplayer\Netscape6\nppl3260.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\MozillaPlugins\@real.com/nprjplug;version=12.0.1.647]
"Description"=RealJukebox Netscape Plugin
"Path"=c:\program files\real\realplayer\Netscape6\nprjplug.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\MozillaPlugins\@real.com/nprpchromebrowserrecordext;version=12.0.1.647]
"Description"=RealNetworks™ RealPlayer Chrome Background Extension Plug-In
"Path"=C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprpchromebrowserrecordext.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\MozillaPlugins\@real.com/nprphtml5videoshim;version=12.0.1.647]
"Description"=RealPlayer™ HTML5VideoShim Plug-In
"Path"=C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\MozillaPlugins\@real.com/nprpjplug;version=12.0.1.647]
"Description"=12.0.1.647
"Path"=c:\program files\real\realplayer\Netscape6\nprpjplug.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\MozillaPlugins\@real.com/nsJSRealPlayerPlugin;version=]
"Description"=
"Path"=

[HKEY_LOCAL_MACHINE\SOFTWARE\MozillaPlugins\@tools.google.com/Google Update;version=3]
"Description"=Google Update
"Path"=C:\Program Files\Google\Update\1.3.21.79\npGoogleUpdate3.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\MozillaPlugins\@tools.google.com/Google Update;version=9]
"Description"=Google Update
"Path"=C:\Program Files\Google\Update\1.3.21.79\npGoogleUpdate3.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\MozillaPlugins\Adobe Reader]
"Description"=Handles PDFs in-place in Firefox
"Path"=C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll

C:\Program Files\Mozilla Firefox\extensions\
{972ce4c6-7e08-4474-a285-3208198ce6fd}
{AB2CE124-6272-4b12-94A9-7303C7397BD1}
{CAFEEFAC-0016-0000-0027-ABCDEFFEDCBA}

C:\Program Files\Mozilla Firefox\components\
binary.manifest
browsercomps.dll
nppl3260.xpt
nsjsrealplayerplugin.xpt

C:\Program Files\Mozilla Firefox\plugins\
np-mswmp.dll
npdeployJava1.dll
nppdf32.dll
nppl3260.dll
npqtplugin.dll
npqtplugin2.dll
npqtplugin3.dll
npqtplugin4.dll
nprjplug.dll
nprpjplug.dll
QuickTimePlugin.class
WMP Firefox Plugin License.rtf
WMP Firefox Plugin RelNotes.txt

C:\Program Files\Mozilla Firefox\searchplugins\
amazondotcom.xml
bing.xml
eBay.xml
google.xml
wikipedia.xml
yahoo.xml

C:\Users\Nathan\AppData\Roaming\Mozilla\Firefox\Profiles\5pr7o2r9.default\extensions\
{20a82645-c095-46ed-80e3-08825760534b}
{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}

C:\Users\Nathan\AppData\Roaming\Mozilla\Firefox\Profiles\5pr7o2r9.default\searchplugins\
conduit.xml
ixquick-https.xml
startpage-https.xml
web-search-powered-by-google.xml

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
Adobe PDF Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2011-09-05 63912]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3049C3E9-B461-4BC5-8870-4C09146192CA}]
RealPlayer Download and Record Plugin for Internet Explorer - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll [2011-05-27 386776]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}]
AVG Safe Search - C:\Program Files\AVG\AVG2012\avgssie.dll [2011-09-27 2179936]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{64182481-4F71-486b-A045-B233BD0DA8FC}]
CescrtHlpr Object - C:\Program Files\facemoods.com\facemoods\1.4.17.10\bh\facemoods.dll [2011-05-23 265944]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
Google Toolbar Helper - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll [2011-08-23 305328]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}]
Skype Plug-In - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll [2010-11-22 1242504]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java™ Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2011-08-29 42272]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{DB4E9724-F518-4dfd-9C7C-78B52103CAB9} - facemoods Toolbar - C:\Program Files\facemoods.com\facemoods\1.4.17.10\facemoodsTlbr.dll [2011-05-23 220888]
{2318C2B1-4965-11d4-9B18-009027A5CD4F} - Google Toolbar - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll [2011-08-23 305328]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"=C:\Windows\system32\igfxtray.exe [2006-11-28 98304]
"HotKeysCmds"=C:\Windows\system32\hkcmd.exe [2006-11-28 106496]
"Persistence"=C:\Windows\system32\igfxpers.exe [2006-11-28 81920]
"SynTPEnh"=C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2006-10-27 815104]
"Windows Defender"=C:\Program Files\Windows Defender\MSASCui.exe [2008-01-19 1008184]
"RtHDVCpl"=C:\Windows\RtHDVCpl.exe [2006-11-09 3784704]
"LtMoh"=C:\Program Files\ltmoh\Ltmoh.exe [2005-12-16 188416]
"NDSTray.exe"=NDSTray.exe []
"HWSetup"=C:\Program Files\TOSHIBA\Utilities\HWSetup.exe [2006-11-01 413696]
"SVPWUTIL"=C:\Program Files\TOSHIBA\Utilities\SVPWUTIL.exe [2006-01-18 421888]
"KeNotify"=C:\Program Files\TOSHIBA\Utilities\KeNotify.exe [2006-11-06 34352]
"TPwrMain"=C:\Program Files\TOSHIBA\Power Saver\TPwrMain.EXE [2006-12-20 411768]
"HSON"=C:\Program Files\TOSHIBA\TBS\HSON.exe [2006-12-07 55416]
"SmoothView"=C:\Program Files\Toshiba\SmoothView\SmoothView.exe [2006-12-11 448632]
"00TCrdMain"=C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe [2006-12-15 530552]
"Google Desktop Search"=C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe [2007-05-23 1862144]
"CarboniteSetupLite"=C:\Program Files\Carbonite\CarbonitePreinstaller.exe [2009-08-04 318096]
"MaxMenuMgr"=C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe [2009-09-26 185640]
"CanonSolutionMenu"=C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe [2007-04-03 644696]
"CanonMyPrinter"=C:\Program Files\Canon\MyPrinter\BJMyPrt.exe [2007-04-03 1603152]
"WD Anywhere Backup"=C:\Program Files\WD\WD Anywhere Backup\MemeoLauncher2.exe [2008-11-07 197856]
"AVG_TRAY"=C:\Program Files\AVG\AVG2012\avgtray.exe [2011-09-23 2404704]
"PAC207_Monitor"=C:\Windows\PixArt\PAC207\Monitor.exe [2007-12-10 323584]
"TkBellExe"=c:\program files\real\realplayer\Update\realsched.exe [2011-05-27 273544]
"Adobe ARM"=C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2011-06-06 937920]
"facemoods"=C:\Program Files\facemoods.com\facemoods\1.4.17.10\facemoodssrv.exe [2011-05-23 329432]
"Memeo Instant Backup"=C:\Program Files\Memeo\AutoBackup\MemeoLauncher2.exe [2010-04-22 136416]
"Memeo AutoSync"=C:\Program Files\Memeo\AutoSync\MemeoLauncher2.exe [2010-04-16 144608]
"Memeo Send"=C:\Program Files\Memeo\Memeo Send\MemeoLauncher.exe [2010-07-20 236816]
"Seagate Dashboard"=C:\Program Files\Seagate\Seagate Dashboard\MemeoLauncher.exe [2011-06-01 79112]
"SunJavaUpdateSched"=C:\Program Files\Common Files\Java\Java Update\jusched.exe [2011-06-09 254696]
"QuickTime Task"=C:\Program Files\QuickTime\QTTask.exe [2011-07-05 421888]
"iTunesHelper"=C:\Program Files\iTunes\iTunesHelper.exe [2011-08-19 421736]
"Malwarebytes' Anti-Malware (reboot)"=D:\Malwarebytes' Anti-Malware\mbam.exe [2011-08-31 1047208]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"=C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe [2006-11-10 417792]
"swg"=C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [2010-12-11 39408]
"SUPERAntiSpyware"=C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [2011-09-14 4611456]

C:\Users\Nathan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="c:\progra~1\google\google~1\goec62~1.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL [2011-05-04 551296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
C:\Windows\system32\igfxdev.dll [2006-11-28 212992]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2011-07-18 113024]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\!SASCORE]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WudfPf]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WudfRd]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WudfSvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WudfUsbccidDriver]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"EnableUIADesktopToggle"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"BindDirectlyToPropertySetStorage"=0

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\TOSHIBA\ivp\NetInt\Netint.exe"="C:\TOSHIBA\ivp\NetInt\Netint.exe:*:Enabled:NIE - Toshiba Software Upgrades Engine"
"C:\TOSHIBA\Ivp\ISM\pinger.exe"="C:\TOSHIBA\Ivp\ISM\pinger.exe:*:Enabled:Toshiba Software Upgrades Pinger"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32]
"vidc.mrle"=msrle32.dll
"vidc.msvc"=msvidc32.dll
"msacm.imaadpcm"=imaadp32.acm
"msacm.msg711"=msg711.acm
"msacm.msgsm610"=msgsm32.acm
"msacm.msadpcm"=msadp32.acm
"midimapper"=midimap.dll
"wavemapper"=msacm32.drv
"VIDC.UYVY"=msyuv.dll
"VIDC.YUY2"=msyuv.dll
"VIDC.YVYU"=msyuv.dll
"VIDC.IYUV"=iyuv_32.dll
"vidc.i420"=iyuv_32.dll
"VIDC.YVU9"=tsbyuv.dll
"msacm.l3acm"=C:\Windows\System32\l3codeca.acm
"vidc.cvid"=iccvid.dll
"msacm.dvacm"=C:\PROGRA~1\COMMON~1\ULEADS~1\vio\dvacm.acm
"wave"=wdmaud.drv
"midi"=wdmaud.drv
"mixer"=wdmaud.drv
"aux"=wdmaud.drv
"MSVideo8"=VfWWDM32.dll
"wave1"=wdmaud.drv
"midi1"=wdmaud.drv
"mixer1"=wdmaud.drv
"aux1"=wdmaud.drv

======File associations======

.js - edit - C:\Windows\System32\Notepad.exe %1
.js - open - C:\Windows\System32\WScript.exe "%1" %*

======List of files/folders created in the last 2 months======

2011-10-20 15:53:23 ----D---- C:\Program Files\trend micro
2011-10-20 15:53:20 ----D---- C:\rsit
2011-10-17 17:01:54 ----D---- C:\Program Files\Cobian Backup 10
2011-10-15 23:03:59 ----A---- C:\Windows\system32\mshtmled.dll
2011-10-15 23:03:58 ----A---- C:\Windows\system32\iertutil.dll
2011-10-15 23:03:55 ----A---- C:\Windows\system32\wininet.dll
2011-10-15 23:03:55 ----A---- C:\Windows\system32\ieui.dll
2011-10-15 23:03:54 ----A---- C:\Windows\system32\jscript9.dll
2011-10-15 23:03:54 ----A---- C:\Windows\system32\jscript.dll
2011-10-15 23:03:53 ----A---- C:\Windows\system32\urlmon.dll
2011-10-15 23:03:53 ----A---- C:\Windows\system32\jsproxy.dll
2011-10-15 23:03:52 ----A---- C:\Windows\system32\url.dll
2011-10-15 23:03:51 ----A---- C:\Windows\system32\ieframe.dll
2011-10-15 23:03:48 ----A---- C:\Windows\system32\mshtml.dll
2011-10-14 04:28:19 ----A---- C:\Windows\system32\psisdecd.dll
2011-10-14 04:28:14 ----A---- C:\Windows\system32\win32k.sys
2011-10-13 15:20:52 ----A---- C:\Windows\system32\UIAutomationCore.dll
2011-10-13 15:20:52 ----A---- C:\Windows\system32\oleaut32.dll
2011-10-13 15:20:52 ----A---- C:\Windows\system32\oleaccrc.dll
2011-10-13 15:20:52 ----A---- C:\Windows\system32\oleacc.dll
2011-10-12 17:08:23 ----A---- C:\Windows\system32\drivers\mbamswissarmy.sys
2011-10-12 17:06:48 ----ASH---- C:\hiberfil.sys
2011-10-08 11:29:44 ----D---- C:\ProgramData\WindowsSearch
2011-10-05 20:10:41 ----D---- C:\Program Files\MALWAREBYTES ANTI-MALWARE
2011-10-05 19:46:13 ----A---- C:\Windows\ntbtlog.txt
2011-10-05 18:23:59 ----A---- C:\RkillResults.txt
2011-10-05 17:31:52 ----D---- C:\Windows\Sun
2011-10-05 16:58:07 ----D---- C:\Users\Nathan\AppData\Roaming\SUPERAntiSpyware.com
2011-10-05 16:55:41 ----D---- C:\ProgramData\SUPERAntiSpyware.com
2011-10-05 16:55:41 ----D---- C:\Program Files\SUPERAntiSpyware
2011-10-05 15:23:29 ----D---- C:\Users\Nathan\AppData\Roaming\Malwarebytes
2011-10-05 15:22:25 ----D---- C:\ProgramData\Malwarebytes
2011-10-05 15:22:21 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2011-10-05 15:22:21 ----A---- C:\Windows\system32\drivers\mbam.sys
2011-10-04 07:14:43 ----D---- C:\Windows\Minidump
2011-09-26 12:14:48 ----D---- C:\Users\Nathan\AppData\Roaming\AVG2012
2011-09-26 12:12:05 ----D---- C:\ProgramData\AVG2012
2011-09-20 16:48:42 ----D---- C:\Users\Nathan\AppData\Roaming\FileZilla
2011-09-20 16:48:24 ----D---- C:\Program Files\FileZilla FTP Client
2011-09-20 16:19:43 ----D---- C:\Program Files\FileZilla Server
2011-09-13 06:30:10 ----A---- C:\Windows\system32\drivers\avgrkx86.sys
2011-09-07 18:05:25 ----D---- C:\Program Files\iPod
2011-09-07 18:05:22 ----D---- C:\Program Files\iTunes
2011-09-05 07:05:08 ----D---- C:\Program Files\exPressit S.E. 2.2
2011-09-03 16:10:19 ----D---- C:\Program Files\Lexmark 1300 Series
2011-09-03 16:10:18 ----A---- C:\Windows\system32\LXDCinst.dll
2011-09-03 16:10:18 ----A---- C:\Windows\system32\LXDChcp.dll
2011-09-03 15:50:51 ----A---- C:\Windows\system32\lxdccoin.dll
2011-09-03 15:50:50 ----A---- C:\Windows\system32\lxdccfg.dll
2011-09-02 08:26:35 ----D---- C:\Program Files\Defraggler
2011-08-31 23:27:53 ----A---- C:\Program Files\exPressit S.E. 2.2.exe
2011-08-30 19:13:56 ----D---- C:\Program Files\US Digital Media
2011-08-29 11:59:31 ----D---- C:\ProgramData\Sun
2011-08-29 11:57:08 ----A---- C:\Windows\system32\deployJava1.dll
2011-08-29 11:57:06 ----A---- C:\Windows\system32\javaws.exe
2011-08-29 11:57:06 ----A---- C:\Windows\system32\javaw.exe
2011-08-29 11:57:05 ----A---- C:\Windows\system32\java.exe
2011-08-28 05:05:38 ----D---- C:\Users\Nathan\AppData\Roaming\Memeo
2011-08-28 05:05:10 ----D---- C:\Users\Nathan\AppData\Roaming\Seagate
2011-08-28 04:58:48 ----D---- C:\Program Files\Common Files\Memeo
2011-08-28 04:58:43 ----D---- C:\Program Files\Memeo
2011-08-24 06:51:46 ----A---- C:\Windows\system32\tzres.dll

======List of files/folders modified in the last 2 months======

2011-10-20 16:10:50 ----D---- C:\Windows\Temp
2011-10-20 16:08:17 ----D---- C:\Windows\inf
2011-10-20 16:04:43 ----D---- C:\Program Files\Common Files\Akamai
2011-10-20 16:04:06 ----D---- C:\Windows\system32\drivers
2011-10-20 15:53:23 ----RD---- C:\Program Files
2011-10-20 15:43:43 ----D---- C:\Users\Nathan\AppData\Roaming\Clip Art Collection
2011-10-20 09:28:08 ----D---- C:\ProgramData\MFAData
2011-10-20 09:28:04 ----D---- C:\Windows\system32\drivers\AVG
2011-10-20 03:00:31 ----SHD---- C:\System Volume Information
2011-10-19 21:07:23 ----D---- C:\Windows
2011-10-19 17:26:03 ----AD---- C:\Windows\System32
2011-10-19 10:28:36 ----D---- C:\Windows\Prefetch
2011-10-18 11:47:17 ----D---- C:\Program Files\Mozilla Firefox
2011-10-18 08:48:18 ----SHD---- C:\Windows\Installer
2011-10-16 06:13:11 ----D---- C:\Windows\winsxs
2011-10-16 06:12:24 ----D---- C:\Windows\Microsoft.NET
2011-10-16 06:11:53 ----RSD---- C:\Windows\assembly
2011-10-16 06:02:23 ----D---- C:\Windows\system32\catroot2
2011-10-16 06:00:32 ----D---- C:\Windows\system32\migration
2011-10-16 06:00:32 ----D---- C:\Program Files\Internet Explorer
2011-10-15 23:05:27 ----N---- C:\Windows\system32\mrt.exe
2011-10-15 23:04:41 ----D---- C:\Windows\system32\catroot
2011-10-15 23:02:22 ----D---- C:\Program Files\Windows Mail
2011-10-14 04:34:00 ----D---- C:\Windows\rescache
2011-10-14 03:48:39 ----A---- C:\Windows\system32\PerfStringBackup.INI
2011-10-13 14:53:33 ----D---- C:\Windows\Logs
2011-10-12 16:58:27 ----HD---- C:\ProgramData
2011-10-10 23:21:20 ----D---- C:\Windows\AppPatch
2011-10-10 10:05:24 ----D---- C:\Windows\system32\LogFiles
2011-10-04 09:39:48 ----D---- C:\Windows\system32\drivers\etc
2011-10-03 23:05:56 ----D---- C:\Users\Nathan\AppData\Roaming\Skype
2011-10-03 20:12:04 ----D---- C:\Users\Nathan\AppData\Roaming\skypePM
2011-09-26 12:06:39 ----D---- C:\Program Files\AVG
2011-09-22 18:17:42 ----D---- C:\Windows\system32\Tasks
2011-09-15 03:26:37 ----D---- C:\ProgramData\Microsoft Help
2011-09-15 03:10:09 ----D---- C:\Windows\Debug
2011-09-11 15:31:41 ----D---- C:\Users\Nathan\AppData\Roaming\gtk-2.0
2011-09-07 18:05:24 ----D---- C:\Program Files\Common Files\Apple
2011-09-07 17:34:42 ----D---- C:\Program Files\QuickTime
2011-09-02 08:22:21 ----D---- C:\Program Files\CCleaner
2011-08-30 19:13:55 ----HD---- C:\Program Files\InstallShield Installation Information
2011-08-29 11:59:18 ----D---- C:\Program Files\Common Files\Java
2011-08-29 11:55:24 ----D---- C:\Program Files\Java
2011-08-28 04:58:48 ----D---- C:\Program Files\Common Files
2011-08-28 04:58:11 ----D---- C:\Program Files\Seagate
2011-08-25 03:02:34 ----D---- C:\Windows\system32\en-US

That about wraps it up for what I've tried so far. Here is the link to the first post I made in "Am I infected? What am I to do?"
http://www.bleepingcomputer.com/forums/topic422912.html/page__gopid__2448752#entry2448752

Edited by Orange Blossom, 21 October 2011 - 12:56 AM.
Deactivate link. ~ OB
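As an added example (not code from cedarrabbit's post or from the RSIT tool), the script below shows how a helper reading a log like the one above would triage it by machine rather than by eye: it parses a constructed excerpt laid out the way RSIT's log.txt is (Firefox prefs.js lines, Browser Helper Object and Run-key registry entries, the AppInit_DLLs value) and flags the entries worth a closer look. The WATCHLIST of vendor strings and the set of hijack-prone preference names are assumptions chosen for illustration, not a verdict from the thread.

```python
import re
from urllib.parse import urlparse

# Constructed excerpt in the layout RSIT's log.txt uses (lines modelled on the log above).
SAMPLE_LOG = r"""
=========Mozilla firefox=========

prefs.js - "browser.search.useDBForOrder" - true
prefs.js - "browser.startup.homepage" - "http://www.email.ws/"
prefs.js - "keyword.URL" - "http://search.conduit.com/ResultsExt.aspx?ctid=CT2786678&q="

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}]
AVG Safe Search - C:\Program Files\AVG\AVG2012\avgssie.dll [2011-09-27 2179936]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{64182481-4F71-486b-A045-B233BD0DA8FC}]
CescrtHlpr Object - C:\Program Files\facemoods.com\facemoods\1.4.17.10\bh\facemoods.dll [2011-05-23 265944]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG_TRAY"=C:\Program Files\AVG\AVG2012\avgtray.exe [2011-09-23 2404704]
"facemoods"=C:\Program Files\facemoods.com\facemoods\1.4.17.10\facemoodssrv.exe [2011-05-23 329432]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="c:\progra~1\google\google~1\goec62~1.dll"
"""

PREF_RE = re.compile(r'^prefs\.js - "([^"]+)" - (.*)$')        # prefs.js - "key" - value
KEY_RE = re.compile(r'^\[(HKEY_[^\]]+)\]$')                     # [HKEY_...\Subkey]
ENTRY_RE = re.compile(r'^(.*?) \[\d{4}-\d{2}-\d{2} \d+\]$')     # "... [YYYY-MM-DD size]"
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')                      # "Name"=value

# Preferences that decide where the browser goes on start-up and on address-bar search.
HIJACK_PREFS = ("browser.startup.homepage", "keyword.URL", "browser.search.defaultenginename")
# Assumption for this example: vendor strings commonly seen in toolbar/search-redirect
# adware. A real triage tool would use a maintained list, not three hard-coded names.
WATCHLIST = ("conduit", "facemoods", "smileycentral")


def parse_rsit(text):
    """Pull Firefox prefs, BHOs, Run-key autoruns and AppInit_DLLs out of an RSIT log."""
    prefs, bhos, autoruns, appinit = {}, [], [], []
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = PREF_RE.match(line)
        if m:
            prefs[m.group(1)] = m.group(2).strip('"')
            continue
        m = KEY_RE.match(line)
        if m:                     # a new registry key header; following lines belong to it
            current_key = m.group(1)
            continue
        if current_key is None:
            continue
        key_lower = current_key.lower()
        if "browser helper objects" in key_lower:
            m = ENTRY_RE.match(line)
            if m:                 # "Friendly name - C:\path\to.dll"
                name, _, path = m.group(1).partition(" - ")
                bhos.append((current_key.rsplit("\\", 1)[-1], name, path))
        elif key_lower.endswith("\\currentversion\\run"):
            m = VALUE_RE.match(line)
            if m:
                em = ENTRY_RE.match(m.group(2))
                autoruns.append((m.group(1), em.group(1) if em else m.group(2)))
        elif key_lower.endswith("\\currentversion\\windows"):
            m = VALUE_RE.match(line)
            if m and m.group(1) == "AppInit_DLLs":
                appinit.append(m.group(2).strip('"'))
    return {"prefs": prefs, "bhos": bhos, "autoruns": autoruns, "appinit_dlls": appinit}


def find_indicators(parsed, watchlist=WATCHLIST):
    """Return human-readable findings for the entries a helper would examine first."""
    hit = lambda s: any(w in s.lower() for w in watchlist)
    findings = []
    for key, value in parsed["prefs"].items():
        if key in HIJACK_PREFS and value.startswith("http"):
            host = urlparse(value).hostname or ""
            if hit(host):
                findings.append(f"firefox pref {key} points at watchlisted host {host}")
    for clsid, name, path in parsed["bhos"]:
        if hit(path):
            findings.append(f"BHO {clsid} ({name}) loads from watchlisted path {path}")
    for name, path in parsed["autoruns"]:
        if hit(path):
            findings.append(f"autorun '{name}' launches watchlisted path {path}")
    for dll in parsed["appinit_dlls"]:
        # AppInit_DLLs is loaded into every process that loads user32.dll, so any value here
        # deserves a publisher check even when it belongs to legitimate software.
        findings.append(f"AppInit_DLLs loads {dll} into every GUI process; verify its publisher")
    return findings


if __name__ == "__main__":
    for finding in find_indicators(parse_rsit(SAMPLE_LOG)):
        print(finding)
```

Run against the constructed excerpt, the script reports the conduit keyword.URL preference, the facemoods BHO and its Run-key autorun, and the AppInit_DLLs value, while leaving the AVG entries and the unrelated homepage alone. The point is not that a string match proves an infection, but that the three places the log exposes (search preferences, BHOs, autoruns) are exactly where a browser-redirect problem like the one described in the post normally shows up.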


#2 HelpBot

    Bleepin' Binary Bot


  • Bots
  • 12,731 posts
  • Gender:Male

Posted 25 October 2011 - 04:50 PM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/424365 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS and GMER log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 cedarrabbit
  • Topic Starter

  • Members
  • 71 posts
  • Gender:Male

Posted 26 October 2011 - 10:13 AM

All information on what is happening and what I've tried is in my first post. As per the HelpBot, I tried DDS again and it did not work. It scans for a bit and then the entire computer locks up (I left it for an hour to see if it would finish scanning) and I have to unplug it and restart. GMER still does not work either. When I double click the icon, it opens and disappears immediately. DeFogger runs but does not ask for reboot.
I use Windows Vista Home Basic 32bit. I do have the original CD.

#4 jedi

  • Members
  • 274 posts
  • Gender:Male
  • Location:UK

Posted 28 October 2011 - 07:39 AM

Hi,

Please download ComboFix from
Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**
  • If you are using Firefox, make sure that your download settings are as follows:
    • Tools->Options->Main tab
    • Set to "Always ask me where to Save the files".
  • During the download, rename Combofix to Combo-Fix.
  • It is important you rename Combofix during the download, but not after.
  • Please do not rename Combofix to other names, but only to the one indicated.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on Combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\Combo-Fix.txt" for further review.
**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**

jedi

Edited by jedi, 28 October 2011 - 07:40 AM.


#5 cedarrabbit
  • Topic Starter

  • Members
  • 71 posts
  • Gender:Male

Posted 28 October 2011 - 10:29 PM

I downloaded and ran ComboFix as instructed. When I started it running, it said "ComboFix has expired. Click to run in Reduced Functionality Mode". It seemed to be running fine until it reached the place where it says "Preparing Log Report. Do not run any programs until ComboFix has finished." I left it for a couple of hours to give it time to finish but it never did. The computer locked up so I restarted it. Then I tried the whole thing over again and the same thing happened. I tried to find "C:\Combo-Fix.txt" but could not find it. I did find "ComboFix.txt" (without the dash) but it doesn't say much.
ComboFix 11-10-19.06 - Nathan 10/28/2011 17:12:06.2.1 - x86
Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.1.1033.18.2037.1082 [GMT -5:00]
Running from: C:\Users\Nathan\Desktop\Combo-Fix.exe
AV: AVG Anti-Virus 2012 *Disabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus 2012 *Disabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}

- REDUCED FUNCTIONALITY MODE -

#6 jedi

  • Members
  • 274 posts
  • Gender:Male
  • Location:UK

Posted 29 October 2011 - 08:44 AM

Hi again,

OK, delete the copy of Combofix you have and download a fresh copy from here:

ComboFix

Do not run it yet.

RKill by Grinler

Link #1
Link #2
Link #3
Link #4

  • Before we begin, you should disable any anti-malware software you have installed so it does not interfere with RKill running, as some anti-malware software detects RKill as malicious. Please refer to this page if you are not sure how.
  • Download Link #1.
  • Save it to your Desktop.
  • Double click the RKill desktop icon.
    If you are using Vista please right click and run as Admin!
  • A black screen will briefly flash indicating a successful run.
  • If this does not occur please delete that application and download Link #2.
  • Continue process until the tool runs.
  • If the tool does not run from any of the links tell me about it.
  • It shall produce a log located at C:\RKill. Please copy and paste it into your next reply.
Now run Combofix:
Double click ComboFix.exe & follow the prompts.
When finished, it will produce a log for you. Post that log in your next reply

Note:
Do not mouseclick ComboFix's window whilst it's running. That may cause it to stall.

jedi

#7 cedarrabbit

cedarrabbit
  • Topic Starter

  • Members
  • 71 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:35 AM

Posted 30 October 2011 - 09:32 AM

I tried this 3 times because Combofix would get to the place where it says "Scanning for infected files . . . This typically doesn't take more than 10 minutes. However, scan times for badly infected machines may easily double" and then just stay there until the computer locks up. I never could find a log for Combo-Fix. Rkill did create a log each time.

This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.

Rkill was run on 10/29/2011 at 15:37:27.
Operating System: Windows Vista ™ Home Basic


Processes terminated by Rkill or while it was running:

C:\PROGRA~1\SPEEDB~1\VideoAcceleratorService.exe
C:\PROGRA~1\SPEEDB~1\VideoAcceleratorEngine.exe
C:\Windows\system32\conime.exe
C:\Windows\system32\conime.exe


Rkill completed on 10/29/2011 at 15:39:00.

Second log:

This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.

Rkill was run on 10/29/2011 at 17:11:16.
Operating System: Windows Vista ™ Home Basic


Processes terminated by Rkill or while it was running:

C:\PROGRA~1\SPEEDB~1\VideoAcceleratorService.exe
C:\PROGRA~1\SPEEDB~1\VideoAcceleratorEngine.exe


Rkill completed on 10/29/2011 at 17:11:29.


Third log:

This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.

Rkill was run on 10/29/2011 at 23:05:14.
Operating System: Windows Vista ™ Home Basic


Processes terminated by Rkill or while it was running:

C:\PROGRA~1\SPEEDB~1\VideoAcceleratorService.exe
C:\PROGRA~1\SPEEDB~1\VideoAcceleratorEngine.exe


Rkill completed on 10/29/2011 at 23:05:53.

#8 jedi

jedi

  • Members
  • 274 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:UK
  • Local time:03:35 AM

Posted 30 October 2011 - 03:12 PM

Hi again,

Restart in safe mode:
http://windows.microsoft.com/en-GB/windows-vista/Start-your-computer-in-safe-mode
and try Combofix again.

jedi

#9 cedarrabbit

cedarrabbit
  • Topic Starter

  • Members
  • 71 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:35 AM

Posted 31 October 2011 - 05:48 PM

I ran Combofix in safe mode, left it for a couple of hours and it never left the "scanning for infected files" window.

#10 jedi

jedi

  • Members
  • 274 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:UK
  • Local time:03:35 AM

Posted 02 November 2011 - 05:51 AM

OK, please do the following:

Download the latest version of Kaspersky Virus Removal Tool
  • Close all other applications and double-click and run the installer.
  • When AVPTool starts, select all the scannable items except for CD-ROM drives and click the Scan button.
  • If malware is detected, place a checkmark in the Apply to all box, and click the Delete button (or Disinfect if the button is active).
  • After the scan finishes, if any threat remains in the Scan window (Red exclamation point), click the Neutralize all button
  • In the window that opens, place a checkmark in the Apply to all box, and click the Delete button (or Disinfect if the button is active).
  • If advised that a special disinfection procedure is required which demands system reboot: click the Ok button to close the window.
  • In the Scan window click the Reports button and select Save to file.
  • Name the report AVPT.txt, and save it to the Desktop.
  • Close AVPTool.
  • You will be prompted if you want to uninstall the program; click Yes.
  • You will then be prompted that to complete the uninstallation, the computer must be restarted. Select Yes to restart the system.
  • Copy and paste the first part of the report (Detected) that you saved in your next reply. Do not include the longer list marked Events.
jedi

#11 cedarrabbit

cedarrabbit
  • Topic Starter

  • Members
  • 71 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:35 AM

Posted 02 November 2011 - 11:26 PM

When I clicked on the Kaspersky link provided, I got an error message "550 No such file or directory", so I went to Kaspersky.com and downloaded it. It may be a different version than the one referred to in your instructions because it didn't quite seem to be as you described. It did run, however. It said it would take 1 day to complete, but then it did the Disinfection and restarted my computer automatically after about 3 or 4 hours. That made me wonder if it didn't finish and whether I should run it again. Since the reports choices didn't look quite like you described them, I wasn't sure which one I should save. "Detected" and "Events" seemed to be the same report, so that's what I am posting. Please let me know if it's the right one. There was no prompt to uninstall the program. My computer is still sluggish but it seems that the search redirection has stopped.
Status: Deleted (events: 5)
11/2/2011 1:33:56 PM Deleted Trojan program Trojan-Dropper.Win32.Injector.idh C:\Documents and Settings\Nathan\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\40\232d5f28-1e44b9aa High
11/2/2011 1:33:59 PM Deleted Trojan program Trojan-Dropper.Win32.Injector.flv C:\Documents and Settings\Nathan\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\57\372cd5b9-6c28b7be High
11/2/2011 2:17:38 PM Deleted Trojan program Backdoor.Win32.IRCNite.cgo C:\Program Files\TOSHIBA Games\TOSHIBA Game Console\GameConsole.exe High
11/2/2011 3:28:00 PM Deleted virus HEUR:Trojan.Win32.Generic C:\Windows\2727300787:1286697053.exe High
11/2/2011 4:19:30 PM Deleted Trojan program Rootkit.Win32.ZAccess.j c:\Windows\System32\drivers\avgtdix.sys High

#12 jedi

jedi

  • Members
  • 274 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:UK
  • Local time:03:35 AM

Posted 03 November 2011 - 04:13 AM

Hi again,

Good, the Kaspersky tool has removed files that are essential for the rootkit to run, we should make some progress now:

Please run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer for this scan.
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and the option Scan unwanted applications is checked
  • Click Scan
    Wait for the scan to finish
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic
jedi

#13 cedarrabbit

cedarrabbit
  • Topic Starter

  • Members
  • 71 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:35 AM

Posted 03 November 2011 - 11:02 PM

46 Infected files
Here's what was in C:\Program Files\EsetOnlineScanner\log.txt:
ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK

Here's the list of threats:
C:\Program Files\SoftonicDownloader_for_zscreen.exe a variant of Win32/SoftonicDownloader.A application cleaned by deleting - quarantined
C:\Program Files\SmileyCentral_1vEI\Installr\2.bin\1vEIPlug.dll a variant of Win32/Toolbar.MyWebSearch application cleaned by deleting - quarantined
C:\Users\Nathan\AppData\LocalLow\OurBabyMaker_27EI\Installr\Cache\02C271E3.exe a variant of Win32/Toolbar.MyWebSearch.O application cleaned by deleting - quarantined
E:\My WD_Backup4\Memeo\My WD_Backup4\C_\Users\Nathan\AppData\Local\Mozilla\Firefox\Profiles\qpe7f0qn.default\Cache\D1EBCD72d01 Win32/Toolbar.MyWebSearch application deleted - quarantined
E:\My WD_Backup4\Memeo\My WD_Backup4\C_\Users\Nathan\AppData\Local\Mozilla\Firefox\Profiles\qpe7f0qn.default\Cache\6E5830EDd01 HTML/ScrInject.B.Gen virus deleted - quarantined
E:\My WD_Backup4\Memeo\My WD_Backup4\C_\Users\Nathan\Downloads\jZipV1c.exe multiple threats deleted - quarantined
E:\My WD_Backup4\Memeo\My WD_Backup4\C_\Users\Nathan\Downloads\lasvegasusacasino.exe a variant of Win32/CasOnline application cleaned by deleting - quarantined
E:\My WD_Backup4\Memeo\My WD_Backup4\C_\Users\Nathan\Downloads\Nero_BackItUpAndBurn-1.0.5.exe Win32/Toolbar.AskSBar application deleted - quarantined
E:\My WD_Backup4\Memeo\My WD_Backup4\C_\Users\Nathan\Downloads\Setup.exe Win32/Adware.LoudMo.D application deleted - quarantined
E:\My WD_Backup4\Memeo\My WD_Backup4\C_\Users\Nathan\Downloads\VegasCasinoOnline.exe a variant of Win32/CasOnline application cleaned by deleting - quarantined
E:\My WD_Backup4\Memeo\My WD_Backup4\C_\Users\Nathan\Downloads\VLCSetup.exe a variant of Win32/Adware.HotBar.G application cleaned by deleting - quarantined
E:\My WD_Backup4\Memeo\My WD_Backup4\C_\Users\Nathan\Downloads\WebfettiSetup2.3.64.2.ZKfox000.exe a variant of Win32/Toolbar.MyWebSearch.O application cleaned by deleting - quarantined
E:\My WD_Backup4\Memeo\My WD_Backup4\C_\Users\Nathan\Downloads\XvidSetup.exe a variant of Win32/Adware.HotBar.G application cleaned by deleting - quarantined
E:\My WD_Backup4\Memeo\My WD_Backup4\C_\Users\Nathan\Downloads\CursorMania.exe Win32/Toolbar.MyWebSearch application deleted - quarantined
E:\My WD_Backup6\Memeo\My WD_Backup6\C_\Users\Nathan\AppData\Local\Mozilla\Firefox\Profiles\5pr7o2r9.default\Cache\1522667Cd01 JS/TrojanClicker.Agent.NCQ trojan cleaned by deleting - quarantined
E:\My WD_Backup6\Memeo\My WD_Backup6\C_\Users\Nathan\AppData\Local\Mozilla\Firefox\Profiles\5pr7o2r9.default\Cache\E84D11F7d01 a variant of Win32/SoftonicDownloader.A application cleaned by deleting - quarantined
E:\My WD_Backup6\Memeo\My WD_Backup6\C_\Users\Nathan\AppData\Local\Mozilla\Firefox\Profiles\5pr7o2r9.default\Cache\B\56\CC17Fd01 HTML/ScrInject.B.Gen virus deleted - quarantined
E:\My WD_Backup6\Memeo\My WD_Backup6\C_\Users\Nathan\AppData\LocalLow\OurBabyMaker_27EI\Installr\Cache\02C271E3.exe a variant of Win32/Toolbar.MyWebSearch.O application cleaned by deleting - quarantined
E:\My WD_Backup6\Memeo\My WD_Backup6\C_\Users\Nathan\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\21\3a54d5-6edff676 a variant of Win32/Kryptik.TCW trojan cleaned by deleting - quarantined
E:\My WD_Backup6\Memeo\My WD_Backup6\C_\Users\Nathan\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\40\232d5f28-1e44b9aa Win32/Sirefef.CZ trojan cleaned by deleting - quarantined
E:\My WD_Backup6\Memeo\My WD_Backup6\C_\Users\Nathan\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\57\372cd5b9-6c28b7be a variant of Win32/Kryptik.TJH trojan cleaned by deleting - quarantined
E:\My WD_Backup6\Memeo\My WD_Backup6\C_\Users\Nathan\Desktop\SoftonicDownloader_for_zscreen.exe a variant of Win32/SoftonicDownloader.A application cleaned by deleting - quarantined
E:\My WD_Backup3\Memeo\My WD_Backup3\C_\Users\Nathan\Downloads\lasvegasusacasino.exe a variant of Win32/CasOnline application cleaned by deleting - quarantined
E:\My WD_Backup3\Memeo\My WD_Backup3\C_\Users\Nathan\Downloads\Nero_BackItUpAndBurn-1.0.5.exe Win32/Toolbar.AskSBar application deleted - quarantined
E:\My WD_Backup3\Memeo\My WD_Backup3\C_\Users\Nathan\Downloads\Setup.exe Win32/Adware.LoudMo.D application deleted - quarantined
E:\My WD_Backup3\Memeo\My WD_Backup3\C_\Users\Nathan\Downloads\VegasCasinoOnline.exe a variant of Win32/CasOnline application cleaned by deleting - quarantined
E:\My WD_Backup3\Memeo\My WD_Backup3\C_\Users\Nathan\Downloads\WebfettiSetup2.3.64.2.ZKfox000.exe a variant of Win32/Toolbar.MyWebSearch.O application cleaned by deleting - quarantined
F:\WDDrive1\Mozilla Firefox\plugins\NPMyWebS.dll Win32/Toolbar.MyWebSearch application cleaned by deleting - quarantined
F:\WDDrive1\My WD_Backup3\Memeo\My WD_Backup3\C_\Users\Nathan\Downloads\lasvegasusacasino.exe a variant of Win32/CasOnline application cleaned by deleting - quarantined
F:\WDDrive1\My WD_Backup3\Memeo\My WD_Backup3\C_\Users\Nathan\Downloads\Nero_BackItUpAndBurn-1.0.5.exe Win32/Toolbar.AskSBar application deleted - quarantined
F:\WDDrive1\My WD_Backup3\Memeo\My WD_Backup3\C_\Users\Nathan\Downloads\Setup.exe Win32/Adware.LoudMo.D application deleted - quarantined
F:\WDDrive1\My WD_Backup3\Memeo\My WD_Backup3\C_\Users\Nathan\Downloads\VegasCasinoOnline.exe a variant of Win32/CasOnline application cleaned by deleting - quarantined
F:\WDDrive1\My WD_Backup3\Memeo\My WD_Backup3\C_\Users\Nathan\Downloads\WebfettiSetup2.3.64.2.ZKfox000.exe a variant of Win32/Toolbar.MyWebSearch.O application cleaned by deleting - quarantined
F:\WDDrive1\My WD_Backup4\Memeo\My WD_Backup4\C_\Users\Nathan\AppData\Local\Mozilla\Firefox\Profiles\qpe7f0qn.default\Cache\6E5830EDd01 HTML/ScrInject.B.Gen virus deleted - quarantined
F:\WDDrive1\My WD_Backup4\Memeo\My WD_Backup4\C_\Users\Nathan\AppData\Local\Mozilla\Firefox\Profiles\qpe7f0qn.default\Cache\D1EBCD72d01 Win32/Toolbar.MyWebSearch application deleted - quarantined
F:\WDDrive1\My WD_Backup4\Memeo\My WD_Backup4\C_\Users\Nathan\Downloads\CursorMania.exe Win32/Toolbar.MyWebSearch application deleted - quarantined
F:\WDDrive1\My WD_Backup4\Memeo\My WD_Backup4\C_\Users\Nathan\Downloads\jZipV1c.exe multiple threats deleted - quarantined
F:\WDDrive1\My WD_Backup4\Memeo\My WD_Backup4\C_\Users\Nathan\Downloads\lasvegasusacasino.exe a variant of Win32/CasOnline application cleaned by deleting - quarantined
F:\WDDrive1\My WD_Backup4\Memeo\My WD_Backup4\C_\Users\Nathan\Downloads\Nero_BackItUpAndBurn-1.0.5.exe Win32/Toolbar.AskSBar application deleted - quarantined
F:\WDDrive1\My WD_Backup4\Memeo\My WD_Backup4\C_\Users\Nathan\Downloads\Setup.exe Win32/Adware.LoudMo.D application deleted - quarantined
F:\WDDrive1\My WD_Backup4\Memeo\My WD_Backup4\C_\Users\Nathan\Downloads\VegasCasinoOnline.exe a variant of Win32/CasOnline application cleaned by deleting - quarantined
F:\WDDrive1\My WD_Backup4\Memeo\My WD_Backup4\C_\Users\Nathan\Downloads\VLCSetup.exe a variant of Win32/Adware.HotBar.G application cleaned by deleting - quarantined
F:\WDDrive1\My WD_Backup4\Memeo\My WD_Backup4\C_\Users\Nathan\Downloads\WebfettiSetup2.3.64.2.ZKfox000.exe a variant of Win32/Toolbar.MyWebSearch.O application cleaned by deleting - quarantined
F:\WDDrive1\My WD_Backup4\Memeo\My WD_Backup4\C_\Users\Nathan\Downloads\XvidSetup.exe a variant of Win32/Adware.HotBar.G application cleaned by deleting - quarantined
F:\WDDrive1\My WD_Backup6\Memeo\My WD_Backup6\C_\Users\Nathan\AppData\Local\Mozilla\Firefox\Profiles\5pr7o2r9.default\Cache\1522667Cd01 JS/TrojanClicker.Agent.NCQ trojan cleaned by deleting - quarantined
F:\WDDrive1\My WD_Backup6\Memeo\My WD_Backup6\C_\Users\Nathan\AppData\Local\Mozilla\Firefox\Profiles\5pr7o2r9.default\Cache\E84D11F7d01 a variant of Win32/SoftonicDownloader.A application cleaned by deleting - quarantined

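The Kaspersky log in post #11 and the ESET log in post #13 are the first useful evidence in this thread, and they are worth reading as a triage list rather than a body count. Four things in them matter for cleanup: a detection on C:\Windows\2727300787:1286697053.exe, where the colon inside the filename marks an NTFS alternate data stream; a rootkit detection on c:\Windows\System32\drivers\avgtdix.sys, which is a driver file belonging to the installed AVG product (ZeroAccess is known to overwrite an existing driver rather than drop its own, which also explains the "Disabled" AVG status in the ComboFix header in post #5); droppers in the Java deployment cache, the usual landing spot for a payload delivered through the browser's Java plug-in by an exploit kit; and the large number of hits on the E: and F: backup volumes, which are inert copies but will bring the infection back if a backup is restored. The following script is an example added to this thread, not code from BleepingComputer, Kaspersky or ESET. It parses both log formats as they appear above and tags each line with those reasons; the category rules are this example's own heuristics, not a vendor taxonomy, and the sample input is copied from the two posts.

```python
"""Triage Kaspersky Virus Removal Tool and ESET Online Scanner log lines.

Example code added to the thread; the tag rules below are this example's
own heuristics, not anything the two scanners report themselves.
"""
import re
from collections import defaultdict

# Kaspersky line, as posted in #11:
#   <date> <time> <AM|PM> Deleted <kind> <detection> <path> <severity>
KASPERSKY_RE = re.compile(
    r"^(?P<ts>\d+/\d+/\d+ \d+:\d+:\d+ [AP]M) Deleted (?P<kind>.+?) "
    r"(?P<name>\S+) (?P<path>[A-Za-z]:\\.+?) (?P<sev>High|Medium|Low)$"
)

# ESET line, as posted in #13:
#   <path> [a variant of ]<detection> [application|trojan|virus] <action>
ESET_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?) (?:a variant of )?"
    r"(?P<name>[A-Za-z0-9]+/[\w.]+|multiple threats)"
    r"(?: (?P<cls>application|trojan|virus))? (?P<action>.+)$"
)


def parse_kaspersky(line):
    """Return {name, path, cls} for a Kaspersky line, or None if it does not match."""
    m = KASPERSKY_RE.match(line.strip())
    if not m:
        return None
    return {"name": m["name"], "path": m["path"], "cls": m["kind"]}


def parse_eset(line):
    """Return {name, path, cls} for an ESET line, or None if it does not match."""
    m = ESET_RE.match(line.strip())
    if not m:
        return None
    return {"name": m["name"], "path": m["path"], "cls": m["cls"] or ""}


def classify(path, cls):
    """Tag one detection with the reasons it matters for cleanup (heuristics)."""
    p = path.lower()
    drive = p.partition(":\\")[0]
    last = p.rsplit("\\", 1)[-1]          # final path component
    tags = []
    if drive != "c":
        tags.append("backup_volume")      # copy on E:/F: reinfects on restore
    if ":" in last:
        tags.append("ads")                # colon in a filename = NTFS alternate data stream
    if "\\system32\\drivers\\" in p and p.endswith(".sys"):
        tags.append("driver")             # kernel driver file flagged: check if it is a vendor's
    if "\\sun\\java\\deployment\\cache\\" in p:
        tags.append("java_cache")         # payload dropped through the Java browser plug-in
    if "\\mozilla\\firefox\\profiles\\" in p and "\\cache\\" in p:
        tags.append("browser_cache")      # inert drive-by residue in the browser cache
    if cls == "application":
        tags.append("pua")                # ESET "application": toolbars, bundlers, casino installers
    return tags or ["other"]


def triage(lines):
    """Group every parseable line by tag. Returns {tag: [(detection, path), ...]}."""
    buckets = defaultdict(list)
    for line in lines:
        rec = parse_kaspersky(line) or parse_eset(line)
        if rec is None:
            continue
        for tag in classify(rec["path"], rec["cls"]):
            buckets[tag].append((rec["name"], rec["path"]))
    return dict(buckets)


# Sample input: lines copied from posts #11 (Kaspersky) and #13 (ESET) above.
SAMPLE_LOG = [
    r"11/2/2011 1:33:56 PM Deleted Trojan program Trojan-Dropper.Win32.Injector.idh C:\Documents and Settings\Nathan\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\40\232d5f28-1e44b9aa High",
    r"11/2/2011 2:17:38 PM Deleted Trojan program Backdoor.Win32.IRCNite.cgo C:\Program Files\TOSHIBA Games\TOSHIBA Game Console\GameConsole.exe High",
    r"11/2/2011 3:28:00 PM Deleted virus HEUR:Trojan.Win32.Generic C:\Windows\2727300787:1286697053.exe High",
    r"11/2/2011 4:19:30 PM Deleted Trojan program Rootkit.Win32.ZAccess.j c:\Windows\System32\drivers\avgtdix.sys High",
    r"C:\Program Files\SoftonicDownloader_for_zscreen.exe a variant of Win32/SoftonicDownloader.A application cleaned by deleting - quarantined",
    r"E:\My WD_Backup4\Memeo\My WD_Backup4\C_\Users\Nathan\AppData\Local\Mozilla\Firefox\Profiles\qpe7f0qn.default\Cache\6E5830EDd01 HTML/ScrInject.B.Gen virus deleted - quarantined",
    r"E:\My WD_Backup4\Memeo\My WD_Backup4\C_\Users\Nathan\Downloads\jZipV1c.exe multiple threats deleted - quarantined",
    r"E:\My WD_Backup6\Memeo\My WD_Backup6\C_\Users\Nathan\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\40\232d5f28-1e44b9aa Win32/Sirefef.CZ trojan cleaned by deleting - quarantined",
    r"F:\WDDrive1\Mozilla Firefox\plugins\NPMyWebS.dll Win32/Toolbar.MyWebSearch application cleaned by deleting - quarantined",
]

if __name__ == "__main__":
    for tag, items in sorted(triage(SAMPLE_LOG).items()):
        print(f"[{tag}] {len(items)} item(s)")
        for name, path in items:
            print(f"    {name:40} {path}")
```

The tags that need a human decision are "ads" and "driver": an alternate data stream under C:\Windows and a rootkit hit on a vendor's own driver both mean the live system, not just old downloads, was compromised, and a driver the scanner deleted (here AVG's avgtdix.sys) usually has to be restored by reinstalling the product that owns it. On Vista and later, `dir /r C:\Windows` from a command prompt lists alternate data streams, which is a quick check that nothing of the same shape survived the clean-up. The "backup_volume" bucket is the reminder that the Memeo backups on E: and F: need the same treatment as the system drive before any restore.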
#14 jedi

jedi

  • Members
  • 274 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:UK
  • Local time:03:35 AM

Posted 04 November 2011 - 02:19 PM

Hi again,

Let's see if that has freed Combofix to run.

Delete the copy of Combofix on your desktop.

1. Download this file -
ComboFix
2. Double click ComboFix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply

Note:
Do not mouseclick ComboFix's window whilst it's running. That may cause it to stall

jedi

#15 cedarrabbit

cedarrabbit
  • Topic Starter

  • Members
  • 71 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:35 AM

Posted 04 November 2011 - 10:25 PM

Ran ComboFix & left it on "Scanning for infected files . . . This typically doesn't take more than 10 minutes. However, scan times for badly infected machines may easily double". When I came back 5 hours later, nothing had changed. No log.