Seriously Infested Computer - Very Cautious


This topic is locked
42 replies to this topic

#1 Dave-Z

Posted 02 November 2011 - 05:31 PM

Hello, (I thank you in advance for your assistance)

This is my first post in this forum, and I have been dealing with a very problematic computer for months now. It has gone through 2 shipments to the manufacturer, with a system board replacement round 1 (was getting BUG_CODE errors, physical fault), then had to be resent to have software reloaded. (This second time they ended up changing my 540 GB SATA HDD for a 120 GB SSD; they never did give me a reason why, but the performance is worth the upgrade. ASUS repair is just awful, btw.) OK, so having recently received my computer from this latest return, it has the Windows 7 operating system up and running, so I am ready to tackle the other main issue:

Prior to and/or during the debugging of my hardware problems, my computer became infected with a nasty concoction of virus/rootkit/nasties; what exactly, I was never able to determine before the hardware issues took over. I know my nephew had downloaded something from a shareware group without my knowledge, and after running a scan, AVG found 3-5 items and labeled them trojans. I was very uninformed for someone who is usually technically capable, and that was my mistake; I grew too relaxed. I was using an admin account as my main login, was messing around in services, just fiddling where I shouldn't have been. That being said, I briefly came across this site while doing my initial virus searches, but was shortly incapacitated. After running Malwarebytes and Microsoft Security Essentials, the virus got 'angry' and started denying me access to services and MMCs. After not too long, it removed all access I had to the internet, disabling my network adapters, and even locked me out of my hard drive by rewriting my BIOS and enabling a password, then locking me out. That was when 2 months of returns began.

I should note that it is my strongest belief that this malware has infected and rewritten the firmware or has thrown up an alternate front end, as I cannot reset to factory no matter what I do, and as soon as I power it up, I can see another network share turn on and off, always in sync with my manual powering. In the interim, I have connected through the router via ethernet cable rather than go wireless, but I know whatever has infected me is utilizing my wireless adapters at this very moment; more on that.

I'd like to not only remove whatever has infected my computer and home network (it also got an old desktop of mine, Windows XP, which I have since destroyed), but also learn as much as I can about this attack along the way to be better protected and to understand the magnitude of this type of breach, data at risk, etc.

I have gone through about all of the posts, and likely confused myself by over-reading, but believe I have gotten off to a start, and will look to wait for advice before taking additional steps.

What really let me know how badly off my system was, was when I ran HijackThis, having already determined my system was compromised (from the very moment I powered it up from the factory, btw). Seeing all the defer commands is what has me looking to be thorough and methodical about this. I just can't trust a thing I see, or at least I don't know what I can and can't trust, which is just as bad. I mentioned it above, but it is worth saying again: my computer was showing infection from the very first power up when I got this back from the factory. This is another reason I believe the router itself is compromised, but even though I have replaced my original, I can see plenty of others in this condo complex that show all the same signs. I feel like I'm powering up my computer in a nest of vipers, and short of physically removing my wireless adapters, I don't know of another way to protect myself when I first power on, especially since they have network SIDs, etc.

Hopefully removing the infection will take care of it. I have run HijackThis, SecurityCheck, SUPERAntiSpyware and Malwarebytes. It was a devil to find a way to get HijackThis to feed me the results; the system is blocking a lot of the results, and I don't know if they are reporting true results. I have a feeling they are not. Please see logs below.

I have downloaded as many of the pinned tools as I was able, and currently have Unhide, Spybot, RootKitBuster, Reanimator, LSPFix, gmer.zip, EmsisoftAntimalwareSetup.exe, Defogger.exe, CWShredder.exe, Combofix, ZoneAlarmFree and Adaware. None of these have been run or installed at this point.

Currently installed security software: Trend Micro Titanium 2012 (active), Malwarebytes (not active), SUPERAntiSpyware (not active, run in very limited safe mode, only following the instructions for it in this post: http://www.bleepingcomputer.com/forums/topic425832.html ), HijackThis, and Windows Firewall (even though I know it's not working properly).

My system is an ASUS G73JH-BST. It is running Windows 7. I have not gone through the bloatware uninstall at this point, nor have I installed any software other than downloaded security updates as they come, uninstalling the Trend Micro trial that came with it, and installing the new version of Trend Titanium, along with the other AV software as mentioned above. I figure I'm running close to standard Windows 7 install settings. SP1 has not been installed yet, though I am not holding back for any particular reason.

Core i7-720QM | 6 GB RAM [x3 2GB Kingston] | Intel 120gb SSDSA2CW120G3 | ATi Mobility Radeon HD 5870 | 1600x900 | Intel Wireless Advanced N 6250 Wireless | Intel 6250 WiMax Adapter | Atheros AR8131 ethernet

HIJACKTHIS LOG:
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 3:46:16 PM, on 10/27/2011
Platform: Windows 7 (WinNT 6.00.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16385)
Boot mode: Normal

Running processes:
C:\Windows\AsScrPro.exe
C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe
C:\Program Files (x86)\Creative\SB Audigy\Volume Panel\VolPanlu.exe
C:\Program Files (x86)\HiJackThis\Trend Micro\HiJackThis\HiJackThis.exe
C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Windows\SysWow64\Macromed\Flash\FlashUtil10c.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://asus.msn.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://asus.msn.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Trend Micro NSC BHO - {1CA1377B-DC1D-4A52-9585-6E06050FAC53} - C:\Program Files\Trend Micro\AMSP\Module\20004\2.0.1313\6.8.1072\TmIEPlg32.dll
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll
O2 - BHO: Partner BHO Class - {83FF80F4-8C74-4b80-B5BA-C8DDD434E5C4} - C:\ProgramData\Partner\Partner.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll
O2 - BHO: TmBpIeBHO - {BBACBAFD-FA5E-4079-8B33-00EB9F13D4AC} - C:\Program Files\Trend Micro\AMSP\Module\20002\7.0.1086\7.0.1086\TmBpIe32.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files (x86)\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files (x86)\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files (x86)\Windows Live\Toolbar\wltcore.dll
O4 - HKLM\..\Run: [Microsoft Pinyin IME Migration] C:\PROGRA~2\COMMON~1\MICROS~1\IME12\IMESC\IMSCMIG.EXE /INSTALL
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [VolPanel] "C:\Program Files (x86)\Creative\SB Audigy\Volume Panel\VolPanlu.exe" /r
O4 - HKLM\..\Run: [UpdReg] C:\Windows\UpdReg.EXE
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - Global Startup: Bluetooth.lnk = ?
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~1\Office12\REFIEBAR.DLL
O18 - Protocol: tmbp - {1A77E7DC-C9A0-4110-8A37-2F36BAE71ECF} - C:\Program Files\Trend Micro\AMSP\Module\20002\7.0.1086\7.0.1086\TmBpIe32.dll
O18 - Protocol: tmpx - {0E526CB5-7446-41D1-A403-19BFE95E8C23} - C:\Program Files\Trend Micro\AMSP\Module\20004\2.0.1313\6.8.1072\TmIEPlg32.dll
O23 - Service: AFBAgent - Unknown owner - C:\Windows\system32\FBAgent.exe (file missing)
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: Trend Micro Solution Platform (Amsp) - Trend Micro Inc. - C:\Program Files\Trend Micro\AMSP\coreServiceShell.exe
O23 - Service: ATKGFNEX Service (ATKGFNEXSrv) - Unknown owner - C:\Program Files\ATKGFNEX\GFNEXSrv.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe
O23 - Service: Creative ALchemy AL6 Licensing Service - Creative Labs - C:\Program Files (x86)\Common Files\Creative Labs Shared\Service\AL6Licensing.exe
O23 - Service: Creative Audio Engine Licensing Service - Creative Labs - C:\Program Files (x86)\Common Files\Creative Labs Shared\Service\CTAELicensing.exe
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Intel® Management and Security Application Local Management Service (LMS) - Intel Corporation - C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Partner Service - Google Inc. - C:\ProgramData\Partner\Partner.exe
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
O23 - Service: TurboBoost - Intel® Corporation - C:\Program Files\Intel\TurboBoost\TurboBoost.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: Intel® Management & Security Application User Notification Service (UNS) - Intel Corporation - C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: Intel® PROSet/Wireless WiMAX Service (WiMAXAppSrv) - Intel® Corporation - C:\Program Files\Intel\WiMAX\Bin\AppSrv.exe
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

--
End of file - 8974 bytes



SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 11/02/2011 at 02:48 PM

Application Version : 5.0.1134

Core Rules Database Version : 7887
Trace Rules Database Version: 5699

Scan type : Complete Scan
Total Scan Time : 00:19:20

Operating System Information
Windows 7 Home Premium 64-bit (Build 6.01.7600)
UAC Off - Limited User

Memory items scanned : 267
Memory threats detected : 0
Registry items scanned : 68161
Registry threats detected : 0
File items scanned : 182929
File threats detected : 102

Adware.Tracking Cookie
C:\USERS\DAVE\AppData\Roaming\Microsoft\Windows\Cookies\Low\dave@xiti[1].txt [ Cookie:dave@xiti.com/ ]
C:\USERS\DAVE\AppData\Roaming\Microsoft\Windows\Cookies\Low\dave@atdmt[2].txt [ Cookie:dave@atdmt.com/ ]
C:\USERS\DAVE\AppData\Roaming\Microsoft\Windows\Cookies\Low\dave@advertising[2].txt [ Cookie:dave@advertising.com/ ]
C:\USERS\DAVE\AppData\Roaming\Microsoft\Windows\Cookies\Low\dave@pro-market[1].txt [ Cookie:dave@pro-market.net/ ]
C:\USERS\DAVE\AppData\Roaming\Microsoft\Windows\Cookies\Low\dave@serving-sys[1].txt [ Cookie:dave@serving-sys.com/ ]
C:\USERS\DAVE\AppData\Roaming\Microsoft\Windows\Cookies\Low\dave@doubleclick[1].txt [ Cookie:dave@doubleclick.net/ ]
C:\USERS\DAVE\AppData\Roaming\Microsoft\Windows\Cookies\Low\dave@microsoftsto.112.2o7[1].txt [ Cookie:dave@microsoftsto.112.2o7.net/ ]
C:\USERS\DAVE\AppData\Roaming\Microsoft\Windows\Cookies\Low\dave@yieldmanager[1].txt [ Cookie:dave@yieldmanager.net/ ]
C:\USERS\DAVE\AppData\Roaming\Microsoft\Windows\Cookies\Low\dave@statcounter[2].txt [ Cookie:dave@statcounter.com/ ]
C:\USERS\DAVE\AppData\Roaming\Microsoft\Windows\Cookies\Low\dave@liveperson[2].txt [ Cookie:dave@liveperson.net/hc/19452074 ]
C:\USERS\DAVE\AppData\Roaming\Microsoft\Windows\Cookies\Low\dave@adverts.creativemark.co[1].txt [ Cookie:dave@adverts.creativemark.co.uk/ ]
C:\USERS\DAVE\AppData\Roaming\Microsoft\Windows\Cookies\Low\dave@lucidmedia[1].txt [ Cookie:dave@lucidmedia.com/ ]
C:\USERS\DAVE\AppData\Roaming\Microsoft\Windows\Cookies\Low\dave@questionmarket[1].txt [ Cookie:dave@questionmarket.com/ ]
C:\USERS\DAVE\AppData\Roaming\Microsoft\Windows\Cookies\Low\dave@tribalfusion[1].txt [ Cookie:dave@tribalfusion.com/ ]
C:\USERS\DAVE\AppData\Roaming\Microsoft\Windows\Cookies\Low\dave@adinterax[2].txt [ Cookie:dave@adinterax.com/ ]
C:\USERS\DAVE\AppData\Roaming\Microsoft\Windows\Cookies\Low\dave@2o7[2].txt [ Cookie:dave@2o7.net/ ]
C:\USERS\DAVE\AppData\Roaming\Microsoft\Windows\Cookies\Low\dave@r1-ads.ace.advertising[1].txt [ Cookie:dave@r1-ads.ace.advertising.com/ ]
C:\USERS\DAVE\AppData\Roaming\Microsoft\Windows\Cookies\Low\dave@interclick[1].txt [ Cookie:dave@interclick.com/ ]
C:\USERS\DAVE\AppData\Roaming\Microsoft\Windows\Cookies\Low\dave@kontera[1].txt [ Cookie:dave@kontera.com/ ]
C:\USERS\DAVE\AppData\Roaming\Microsoft\Windows\Cookies\Low\dave@legolas-media[1].txt [ Cookie:dave@legolas-media.com/ ]
C:\USERS\DAVE\AppData\Roaming\Microsoft\Windows\Cookies\Low\dave@liveperson[1].txt [ Cookie:dave@liveperson.net/ ]
C:\USERS\DAVE\AppData\Roaming\Microsoft\Windows\Cookies\Low\dave@server.iad.liveperson[1].txt [ Cookie:dave@server.iad.liveperson.net/ ]
C:\USERS\DAVE\AppData\Roaming\Microsoft\Windows\Cookies\Low\dave@invitemedia[2].txt [ Cookie:dave@invitemedia.com/ ]
C:\USERS\Z\AppData\Roaming\Microsoft\Windows\Cookies\Low\z@specificclick[1].txt [ Cookie:z@specificclick.net/ ]
C:\USERS\Z\AppData\Roaming\Microsoft\Windows\Cookies\Low\z@ad.yieldmanager[2].txt [ Cookie:z@ad.yieldmanager.com/ ]
C:\USERS\Z\AppData\Roaming\Microsoft\Windows\Cookies\Low\z@insightexpressai[1].txt [ Cookie:z@insightexpressai.com/ ]
C:\USERS\Z\AppData\Roaming\Microsoft\Windows\Cookies\Low\z@revsci[2].txt [ Cookie:z@revsci.net/ ]
C:\USERS\Z\AppData\Roaming\Microsoft\Windows\Cookies\Low\z@collective-media[1].txt [ Cookie:z@collective-media.net/ ]
C:\USERS\Z\AppData\Roaming\Microsoft\Windows\Cookies\Low\z@atdmt[1].txt [ Cookie:z@atdmt.com/ ]
C:\USERS\Z\AppData\Roaming\Microsoft\Windows\Cookies\Low\z@liveperson[1].txt [ Cookie:z@liveperson.net/ ]
C:\USERS\Z\AppData\Roaming\Microsoft\Windows\Cookies\Low\z@liveperson[3].txt [ Cookie:z@liveperson.net/hc/19452074 ]
C:\USERS\Z\AppData\Roaming\Microsoft\Windows\Cookies\Low\z@doubleclick[2].txt [ Cookie:z@doubleclick.net/ ]
C:\USERS\Z\AppData\Roaming\Microsoft\Windows\Cookies\Low\z@server.iad.liveperson[1].txt [ Cookie:z@server.iad.liveperson.net/ ]
C:\USERS\Z\AppData\Roaming\Microsoft\Windows\Cookies\Low\z@solvemedia[2].txt [ Cookie:z@solvemedia.com/ ]
C:\USERS\Z\AppData\Roaming\Microsoft\Windows\Cookies\Low\z@questionmarket[2].txt [ Cookie:z@questionmarket.com/ ]
C:\USERS\DAVE\APPDATA\ROAMING\MICROSOFT\WINDOWS\COOKIES\LOW\DAVE@AD.YIELDMANAGER[1].TXT [ /AD.YIELDMANAGER ]
C:\USERS\DAVE\APPDATA\ROAMING\MICROSOFT\WINDOWS\COOKIES\LOW\DAVE@ADS.UNDERTONE[2].TXT [ /ADS.UNDERTONE ]
C:\USERS\DAVE\APPDATA\ROAMING\MICROSOFT\WINDOWS\COOKIES\LOW\DAVE@ADSERVER.ADTECHUS[1].TXT [ /ADSERVER.ADTECHUS ]
C:\USERS\DAVE\APPDATA\ROAMING\MICROSOFT\WINDOWS\COOKIES\LOW\DAVE@ADSERVER.ZONEMEDIA[1].TXT [ /ADSERVER.ZONEMEDIA ]
C:\USERS\DAVE\APPDATA\ROAMING\MICROSOFT\WINDOWS\COOKIES\LOW\DAVE@APMEBF[1].TXT [ /APMEBF ]
C:\USERS\DAVE\APPDATA\ROAMING\MICROSOFT\WINDOWS\COOKIES\LOW\DAVE@IMRWORLDWIDE[2].TXT [ /IMRWORLDWIDE ]
C:\USERS\DAVE\APPDATA\ROAMING\MICROSOFT\WINDOWS\COOKIES\LOW\DAVE@MEDIAPLEX[2].TXT [ /MEDIAPLEX ]
C:\USERS\DAVE\APPDATA\ROAMING\MICROSOFT\WINDOWS\COOKIES\LOW\DAVE@REVSCI[2].TXT [ /REVSCI ]
C:\USERS\DAVE\APPDATA\ROAMING\MICROSOFT\WINDOWS\COOKIES\LOW\DAVE@TRACKING.DSMMADVANTAGE[1].TXT [ /TRACKING.DSMMADVANTAGE ]
C:\USERS\DAVE\APPDATA\ROAMING\MICROSOFT\WINDOWS\COOKIES\LOW\DAVE@TRAFFICMP[1].TXT [ /TRAFFICMP ]
C:\USERS\Z\APPDATA\ROAMING\MICROSOFT\WINDOWS\COOKIES\LOW\Z@AD.WSOD[2].TXT [ /AD.WSOD ]
C:\USERS\Z\APPDATA\ROAMING\MICROSOFT\WINDOWS\COOKIES\LOW\Z@ADS.UNDERTONE[2].TXT [ /ADS.UNDERTONE ]
C:\USERS\Z\APPDATA\ROAMING\MICROSOFT\WINDOWS\COOKIES\LOW\Z@C.ATDMT[2].TXT [ /C.ATDMT ]
C:\USERS\Z\APPDATA\ROAMING\MICROSOFT\WINDOWS\COOKIES\LOW\Z@IMRWORLDWIDE[2].TXT [ /IMRWORLDWIDE ]
C:\USERS\Z\APPDATA\ROAMING\MICROSOFT\WINDOWS\COOKIES\LOW\Z@INTERCLICK[1].TXT [ /INTERCLICK ]
C:\USERS\Z\APPDATA\ROAMING\MICROSOFT\WINDOWS\COOKIES\LOW\Z@TRIBALFUSION[1].TXT [ /TRIBALFUSION ]
.ad.yieldmanager.com [ C:\USERS\Z\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\733NKLRI.DEFAULT\COOKIES.SQLITE ]
.ad.yieldmanager.com [ C:\USERS\Z\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\733NKLRI.DEFAULT\COOKIES.SQLITE ]
.atdmt.com [ C:\USERS\Z\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\733NKLRI.DEFAULT\COOKIES.SQLITE ]
.atdmt.com [ C:\USERS\Z\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\733NKLRI.DEFAULT\COOKIES.SQLITE ]
.c.atdmt.com [ C:\USERS\Z\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\733NKLRI.DEFAULT\COOKIES.SQLITE ]
.c.atdmt.com [ C:\USERS\Z\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\733NKLRI.DEFAULT\COOKIES.SQLITE ]
.collective-media.net [ C:\USERS\Z\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\733NKLRI.DEFAULT\COOKIES.SQLITE ]
.collective-media.net [ C:\USERS\Z\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\733NKLRI.DEFAULT\COOKIES.SQLITE ]
.collective-media.net [ C:\USERS\Z\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\733NKLRI.DEFAULT\COOKIES.SQLITE ]
.collective-media.net [ C:\USERS\Z\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\733NKLRI.DEFAULT\COOKIES.SQLITE ]
.collective-media.net [ C:\USERS\Z\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\733NKLRI.DEFAULT\COOKIES.SQLITE ]
.collective-media.net [ C:\USERS\Z\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\733NKLRI.DEFAULT\COOKIES.SQLITE ]
.collective-media.net [ C:\USERS\Z\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\733NKLRI.DEFAULT\COOKIES.SQLITE ]
.collective-media.net [ C:\USERS\Z\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\733NKLRI.DEFAULT\COOKIES.SQLITE ]
.collective-media.net [ C:\USERS\Z\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\733NKLRI.DEFAULT\COOKIES.SQLITE ]
.doubleclick.net [ C:\USERS\Z\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\733NKLRI.DEFAULT\COOKIES.SQLITE ]
.doubleclick.net [ C:\USERS\Z\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\733NKLRI.DEFAULT\COOKIES.SQLITE ]
.imrworldwide.com [ C:\USERS\Z\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\733NKLRI.DEFAULT\COOKIES.SQLITE ]
.imrworldwide.com [ C:\USERS\Z\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\733NKLRI.DEFAULT\COOKIES.SQLITE ]
.insightexpressai.com [ C:\USERS\Z\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\733NKLRI.DEFAULT\COOKIES.SQLITE ]
.insightexpressai.com [ C:\USERS\Z\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\733NKLRI.DEFAULT\COOKIES.SQLITE ]
.insightexpressai.com [ C:\USERS\Z\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\733NKLRI.DEFAULT\COOKIES.SQLITE ]
.insightexpressai.com [ C:\USERS\Z\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\733NKLRI.DEFAULT\COOKIES.SQLITE ]
.insightexpressai.com [ C:\USERS\Z\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\733NKLRI.DEFAULT\COOKIES.SQLITE ]
.insightexpressai.com [ C:\USERS\Z\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\733NKLRI.DEFAULT\COOKIES.SQLITE ]
.insightexpressai.com [ C:\USERS\Z\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\733NKLRI.DEFAULT\COOKIES.SQLITE ]
.insightexpressai.com [ C:\USERS\Z\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\733NKLRI.DEFAULT\COOKIES.SQLITE ]
.insightexpressai.com [ C:\USERS\Z\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\733NKLRI.DEFAULT\COOKIES.SQLITE ]
.insightexpressai.com [ C:\USERS\Z\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\733NKLRI.DEFAULT\COOKIES.SQLITE ]
.insightexpressai.com [ C:\USERS\Z\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\733NKLRI.DEFAULT\COOKIES.SQLITE ]
.interclick.com [ C:\USERS\Z\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\733NKLRI.DEFAULT\COOKIES.SQLITE ]
.interclick.com [ C:\USERS\Z\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\733NKLRI.DEFAULT\COOKIES.SQLITE ]
.interclick.com [ C:\USERS\Z\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\733NKLRI.DEFAULT\COOKIES.SQLITE ]
.liveperson.net [ C:\USERS\Z\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\733NKLRI.DEFAULT\COOKIES.SQLITE ]
.liveperson.net [ C:\USERS\Z\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\733NKLRI.DEFAULT\COOKIES.SQLITE ]
.questionmarket.com [ C:\USERS\Z\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\733NKLRI.DEFAULT\COOKIES.SQLITE ]
.questionmarket.com [ C:\USERS\Z\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\733NKLRI.DEFAULT\COOKIES.SQLITE ]
.revsci.net [ C:\USERS\Z\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\733NKLRI.DEFAULT\COOKIES.SQLITE ]
.revsci.net [ C:\USERS\Z\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\733NKLRI.DEFAULT\COOKIES.SQLITE ]
.revsci.net [ C:\USERS\Z\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\733NKLRI.DEFAULT\COOKIES.SQLITE ]
.revsci.net [ C:\USERS\Z\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\733NKLRI.DEFAULT\COOKIES.SQLITE ]
.server.iad.liveperson.net [ C:\USERS\Z\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\733NKLRI.DEFAULT\COOKIES.SQLITE ]
.solvemedia.com [ C:\USERS\Z\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\733NKLRI.DEFAULT\COOKIES.SQLITE ]
.solvemedia.com [ C:\USERS\Z\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\733NKLRI.DEFAULT\COOKIES.SQLITE ]
.specificclick.net [ C:\USERS\Z\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\733NKLRI.DEFAULT\COOKIES.SQLITE ]
.tribalfusion.com [ C:\USERS\Z\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\733NKLRI.DEFAULT\COOKIES.SQLITE ]
statse.webtrendslive.com [ C:\USERS\Z\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\733NKLRI.DEFAULT\COOKIES.SQLITE ]
.statcounter.com [ C:\USERS\Z\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\733NKLRI.DEFAULT\COOKIES.SQLITE ]
.2o7.net [ C:\USERS\Z\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\733NKLRI.DEFAULT\COOKIES.SQLITE ]
.cmp.112.2o7.net [ C:\USERS\Z\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\733NKLRI.DEFAULT\COOKIES.SQLITE ]
server.iad.liveperson.net [ C:\USERS\Z\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\733NKLRI.DEFAULT\COOKIES.SQLITE ]


Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 8071

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

11/2/2011 3:10:11 PM
mbam-log-2011-11-02 (15-10-11).txt

Scan type: Quick scan
Objects scanned: 205095
Time elapsed: 2 minute(s), 56 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
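Editor's note, with an added example that is not part of the original post and is not code from HijackThis or any other tool named in the thread. Two caveats apply before anyone reads the long run of "(file missing)" O23 entries in the HijackThis log above as proof of a rootkit. HijackThis 2.0.4 is a 32-bit program; on 64-bit Windows (the SUPERAntiSpyware log confirms Windows 7 Home Premium 64-bit) WOW64 file-system redirection sends a 32-bit process that opens C:\Windows\System32 to C:\Windows\SysWOW64, so native 64-bit service binaries such as lsass.exe, spoolsv.exe and alg.exe are not found at their registered path and are reported as "Unknown owner ... (file missing)". That is an artifact of the scanner, not of the services, and is re-checked from a 64-bit context (for example `sc qc <service>` from a 64-bit command prompt, or the C:\Windows\Sysnative alias from a 32-bit one). Second, the entries that do deserve a closer look in any such log are autostarts that load from user-writable locations such as C:\ProgramData; here the "Partner" service carries a Google Inc. publisher tag and would be verified against its signature rather than assumed bad. The Python below parses O4 (Run-key) and O23 (service) lines, applies exactly those two heuristics, and returns a triage list. The sample log is a handful of lines copied from the post; the `host_is_64bit` flag, the verdict names, the `Entry` class and the line regexes are this example's own assumptions about the log format.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: O4 and O23 lines copied from the HijackThis log in the post.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.4
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [UpdReg] C:\Windows\UpdReg.EXE
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: Trend Micro Solution Platform (Amsp) - Trend Micro Inc. - C:\Program Files\Trend Micro\AMSP\coreServiceShell.exe
O23 - Service: Partner Service - Google Inc. - C:\ProgramData\Partner\Partner.exe
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: AFBAgent - Unknown owner - C:\Windows\system32\FBAgent.exe (file missing)
"""

# Line shapes assumed from the log format shown in the post (not an official grammar).
O23_RE = re.compile(
    r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$"
)
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
EXE_RE = re.compile(r'^"?(?P<exe>.+?\.exe)"?', re.IGNORECASE)  # first .exe token, quoted or not

# Directories an unprivileged user (or malware running as one) can normally write to.
USER_WRITABLE_MARKERS = ("\\programdata\\", "\\users\\", "\\appdata\\", "\\temp\\")


@dataclass
class Entry:
    kind: str             # "O4" (Run key) or "O23" (service)
    name: str
    owner: Optional[str]  # publisher HijackThis read from the binary; None for O4 lines
    path: str
    file_missing: bool
    verdict: str          # "ok", "review" or "expected_x64_artifact"
    reason: str


def under_system32(path: str) -> bool:
    return "\\windows\\system32\\" in path.lower()


def in_user_writable_dir(path: str) -> bool:
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE_MARKERS)


def classify(path: str, file_missing: bool, host_is_64bit: bool) -> Tuple[str, str]:
    """Apply the two triage heuristics: WOW64 redirection artifact, then writable-path check."""
    if file_missing and host_is_64bit and under_system32(path):
        return ("expected_x64_artifact",
                "32-bit HijackThis reads System32 through WOW64 redirection; "
                "re-check with 'sc qc <service>' from a 64-bit shell")
    if file_missing:
        return ("review", "registered binary not found at its path")
    if in_user_writable_dir(path):
        return ("review", "autostart binary lives in a user-writable directory; verify publisher/signature")
    return ("ok", "")


def parse(log_text: str, host_is_64bit: bool = True) -> List[Entry]:
    """Turn O4/O23 lines into Entry objects with a triage verdict; other lines are ignored."""
    entries: List[Entry] = []
    for line in log_text.splitlines():
        m = O23_RE.match(line)
        if m:
            missing = m.group("missing") is not None
            verdict, why = classify(m.group("path"), missing, host_is_64bit)
            entries.append(Entry("O23", m.group("name"), m.group("owner"),
                                 m.group("path"), missing, verdict, why))
            continue
        m = O4_RE.match(line)
        if m:
            exe = EXE_RE.match(m.group("cmd"))
            path = exe.group("exe") if exe else m.group("cmd")
            verdict, why = classify(path, False, host_is_64bit)
            entries.append(Entry("O4", m.group("hive") + "\\Run:" + m.group("name"),
                                 None, path, False, verdict, why))
    return entries


def summarize(entries: List[Entry]) -> Dict[str, int]:
    """Count entries per verdict so a quick glance shows how much is scanner noise."""
    counts: Dict[str, int] = {}
    for e in entries:
        counts[e.verdict] = counts.get(e.verdict, 0) + 1
    return counts


if __name__ == "__main__":
    for e in parse(SAMPLE_LOG):
        print(f"{e.kind:<4}{e.verdict:<24}{e.name:<45}{e.path}  {e.reason}")
    print(summarize(parse(SAMPLE_LOG)))
```

On the sample, the three "(file missing)" System32 services come back as expected_x64_artifact, the ProgramData service comes back as review, and everything else as ok; run with `host_is_64bit=False` the same missing-file lines become review items, which is the point of carrying the host bitness into the verdict. The heuristics only rank what to look at first; confirming any "review" entry still means checking the binary's signature and hash from a trusted environment.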

#2 Dave-Z (Topic Starter)

Posted 03 November 2011 - 09:25 AM

Good Day,

I have an infected computer, and look forward to any assistance that can be provided. I will be attaching dds.txt and attach.txt. I did not try to run gmer, as the instructions asked not to run it on 64 bit systems. Should you need any further information from me, please do not hesitate to ask.

Thanks, and have a great day.

still learning how to read... sorry.

Merged posts. ~ OB

Edited by Orange Blossom, 03 November 2011 - 06:55 PM.


#3 HelpBot (Bleepin' Binary Bot)

Posted 07 November 2011 - 05:35 PM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

Step 1: In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/426056 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

Step 2: If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS and GMER log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#4 Dave-Z

  • Topic Starter
  • Members
  • 80 posts
  • Gender:Male
  • Location:MD, USA

Posted 07 November 2011 - 09:13 PM

First, I would like to thank you in advance for your assistance, it is enormously appreciated. Please let me know if you need any more system specifics, hardware, software, etc. I hope I have provided enough information in my initial post to get us started. One thing I realized is that I did not specify my OS version: it is Windows 7 Home Premium. I do have both a driver disc as well as a full Windows install disc, though it is named "recovery disc"... anyway, I did actually try a fresh install, but had to re-image, as neither the product key on the DVD sleeve nor the one on my manufacturer's sticker on the bottom of the laptop would work. I was of two minds on reinstalling: either use a key utility which I found on CNET, or just call Microsoft on reinstall and explain the situation. From what I understand, it is a pretty simple thing to do, especially since nothing illegitimate is taking place, no worries.

I did download a generic Windows 7 Home Premium DVD install ISO, created a DVD, and know it works, but since I created it while I know my computer was infected, I don't know if it can be trusted, or if anything I have backed up can ever be used again? The last thing I want to do is clean this computer up, then reinstall the malware all over again by using my iPhone back-up data file or something else...

My other main concern is that I know from looking at processes, that my wireless cards are being used even though I have disabled them. Short of opening this laptop and physically removing them, is there any way I can confidently disable them, or should I not even bother?

I have not used my computer since I originally posted, so no major news to report other than what has been previously described. I did note that I am unable to use Aero or change my desktop theme, and my keyboard lights are now not working. I believe drivers are being hijacked each time I restart, if not while I am working. Of course, a good level of paranoia accompanies this situation, so I may be making something out of nothing. Thank you again.

New Logs attached.

#5 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 09 November 2011 - 06:31 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. Click the Watch This Topic button at the top on the right.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

----------------------------------------------

Okay, I don't see a very infected machine so let's see what we do have.

Please run aswMBR

Please download aswMBR ( 511KB ) to your desktop.
  • Double click the aswMBR.exe icon to run it
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

m0le is a proud member of UNITE

#6 Dave-Z

  • Topic Starter
  • Members
  • 80 posts
  • Gender:Male
  • Location:MD, USA

Posted 10 November 2011 - 03:34 AM

Hello M0le

I have run the scan and attached the log. Regarding the not very infected computer, please remember that this is a fresh factory image, only used for very few basics since being reimaged. I hope I have not been self-defeating in my re-imaging, in that whatever malware I may have has not had time to get itself really back in place. If there is anything I can do that would 'flush it out', just let me know.

Thanks again for your help.

Dave

#7 Dave-Z

  • Topic Starter
  • Members
  • 80 posts
  • Gender:Male
  • Location:MD, USA

Posted 10 November 2011 - 03:18 PM

Hello M0le,

I realized one thing: I had severely limited services in start-up, and perhaps that affected the prior scans? I restored normal start-up and re-ran DDS. I saw at the very top of Attach.txt that it now reports no restore points, where it earlier stated that some did exist... Just thought it might make a difference. I ran MBR again as well. Thanks again.

Dave

#8 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 10 November 2011 - 06:06 PM

I hope I have not been self-defeating in my re-imaging


If you've used a factory image then you have effectively removed any malware except maybe anything which rewrites the MBR. We've done a good check with aswMBR so let's just run TDSSKiller.

  • Download TDSSKiller and save it to your Desktop.

  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.

  • Go to Start > Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks) Then press OK.

    "%userprofile%\Desktop\TDSSKiller.exe" -l report.txt

  • Now click Start Scan.
  • If Malicious objects are found, ensure Cure is selected then click Continue > Reboot now.
  • Click Close
  • Finally press Report and copy and paste the contents into your next reply. If you've rebooted then the log will be found at C:\


Just in case any of your files were infected and you then backed them up and transferred them after the reimaging, please scan online with ESET.

I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the [image] button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on [image] to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the [image] icon on your desktop.
  • Check [image]
  • Click the [image] button.
  • Accept any security warnings from your browser.
  • Under scan settings, check [image] and check Remove found threats
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • Copy and paste the resulting log in your next reply
If no log is generated that means nothing was found. Please let me know if this happens.
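
m0le's point above, that a factory reimage removes everything except possibly code living in the MBR, is the kind of thing worth turning into a check you can repeat after each boot rather than a one-off scan. The following is an added example and is not part of the thread, nor code from the aswMBR or TDSSKiller authors. It assumes an MBR-partitioned first disk (typical for a 2011 laptop; it does not apply to GPT/UEFI disks), an elevated PowerShell 2.0 or later, and a baseline file name of my own choosing. It reads sector 0 of \\.\PhysicalDrive0, verifies the 0x55AA signature, lists the partition entries, and hashes the 440-byte bootstrap code so a later run can tell whether the boot code has been rewritten since the baseline was taken.

```powershell
# Added example, not from the thread: snapshot and compare the MBR boot code of the
# first disk. Run from an elevated PowerShell on an MBR-partitioned disk.

function Read-BootSector {
    param([string]$Device = '\\.\PhysicalDrive0')
    # Raw device reads must be whole sectors; one 512-byte read covers the MBR.
    $fs = New-Object System.IO.FileStream($Device, [System.IO.FileMode]::Open,
          [System.IO.FileAccess]::Read, [System.IO.FileShare]::ReadWrite)
    try {
        $buf = New-Object byte[] 512
        if ($fs.Read($buf, 0, 512) -ne 512) { throw "short read from $Device" }
        return $buf
    } finally { $fs.Close() }
}

function ConvertFrom-Mbr {
    param([byte[]]$Sector)
    if ($Sector.Length -lt 512) { throw 'need 512 bytes' }
    # Layout: 0..439 bootstrap code, 440..443 disk signature, 446..509 four
    # 16-byte partition entries, 510..511 the 0x55 0xAA boot signature.
    $sigOk = ($Sector[510] -eq 0x55 -and $Sector[511] -eq 0xAA)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $codeHash = ([BitConverter]::ToString($sha.ComputeHash($Sector, 0, 440))) -replace '-', ''
    $parts = for ($i = 0; $i -lt 4; $i++) {
        $o = 446 + 16 * $i
        New-Object PSObject -Property @{
            Index    = $i
            Bootable = ($Sector[$o] -eq 0x80)
            Type     = ('0x{0:X2}' -f $Sector[$o + 4])
            StartLba = [BitConverter]::ToUInt32($Sector, $o + 8)   # little-endian
            Sectors  = [BitConverter]::ToUInt32($Sector, $o + 12)
        }
    }
    New-Object PSObject -Property @{
        SignatureOk = $sigOk
        CodeSha256  = $codeHash
        Partitions  = @($parts | Where-Object { $_.Type -ne '0x00' })
    }
}

function Compare-MbrBaseline {
    # Baseline path is an assumption; take the baseline right after a clean install.
    param([string]$BaselinePath = "$env:USERPROFILE\mbr-baseline.sha256")
    $now = ConvertFrom-Mbr (Read-BootSector)
    if (-not $now.SignatureOk) { Write-Warning 'sector 0 lacks the 0x55AA signature' }
    if (-not (Test-Path -LiteralPath $BaselinePath)) {
        Set-Content -Path $BaselinePath -Value $now.CodeSha256
        "baseline written: $($now.CodeSha256)"
    } else {
        $old = (Get-Content -Path $BaselinePath | Select-Object -First 1).Trim()
        if ($old -ne $now.CodeSha256) {
            "WARNING: MBR boot code changed since baseline (was $old, now $($now.CodeSha256))"
        } else {
            "MBR boot code unchanged since baseline"
        }
    }
    $now.Partitions | Select-Object Index, Bootable, Type, StartLba, Sectors | Format-Table -AutoSize
}

Compare-MbrBaseline
```

The first run writes the baseline; every later run reports whether the bootstrap code still hashes the same. A changed hash after nothing but normal use is the signal to go back to an MBR-aware scanner; a legitimate change is expected only after you install a boot manager or reimage the disk again.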

#9 Dave-Z

  • Topic Starter
  • Members
  • 80 posts
  • Gender:Male
  • Location:MD, USA

Posted 10 November 2011 - 09:24 PM

Ok, both TDSS and ESET have been run. Nothing from TDSS, opencandy and installcore.d found by eset. Thank you.

#10 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 11 November 2011 - 02:33 PM

Yes, just some infected files.

I am assuming the machine is running fine at the moment too?

#11 Dave-Z

  • Topic Starter
  • Members
  • 80 posts
  • Gender:Male
  • Location:MD, USA

Posted 11 November 2011 - 05:08 PM

Hi M0le. I'm working on it. Managed to get wireless up, still having issues with some drivers. Intel Turbo, my keyboard function keys and lights to name a few. (Interestingly, they come on briefly at POST, then go out, so they work, but haven't wanted to reinstall drivers during this process.)

Also wondering if I should be concerned about my hijackthis log? It's showing processes being run by an -unknown owner- and many core (file missing) notices. This may just be normal, I'm not sure, if so, great. My biggest fear was/is that I had a virus in the memory/mbr/manuf system partition or something, and it was just reinstalling itself each time I re-imaged. I'll toss up the latest log, hopefully just a regular annotation I'm just not familiar with, and not a lot of remote access happening.

Thanks for continued help!

Dave

#12 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 11 November 2011 - 06:04 PM

Also wondering if I should be concerned about my hijackthis log? It's showing processes being run by an -unknown owner- and many core (file missing) notices. This may just be normal, I'm not sure


Unknown owners here mean files which are not digitally signed. This does not automatically mean that they are malware and indeed that is the case here. The log shows no threats at all. File missing is a normal return for services on a HijackThis log and doesn't actually mean they are missing. If they were missing your machine would be disabled.

Do you have any other concerns?
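
The two HijackThis observations discussed above (processes with an "unknown owner", services reported as "(file missing)") can both be reproduced with built-in cmdlets, which makes it easier to see what they do and do not mean. "Unknown owner" corresponds to an image with no Authenticode signature; "(file missing)" on a 64-bit Windows is commonly a side effect of a 32-bit tool such as HijackThis reading System32 through WoW64 file-system redirection, so the binary exists but the tool cannot see it. The script below is an added example, not code from the thread or from the HijackThis authors. It assumes Windows 7 or later with PowerShell 2.0 or newer, run from an elevated prompt so that every process image path is readable; the function names are my own.

```powershell
# Added example, not from the thread: list running images that are not validly
# signed, and services whose binary is genuinely absent or unsigned. Run elevated.

function Get-ProcessSignatureReport {
    # One row per distinct executable backing a running process. Status 'NotSigned'
    # is what HijackThis shows as "unknown owner": a reason to look closer at the
    # vendor, path and hash, not by itself evidence of malware.
    Get-Process -ErrorAction SilentlyContinue |
        Where-Object { $_.Path } |
        Select-Object -ExpandProperty Path -Unique |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_
            $signer = ''
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
            New-Object PSObject -Property @{
                Path   = $_
                Status = $sig.Status      # Valid, NotSigned, HashMismatch, UnknownError ...
                Signer = $signer
            }
        } | Select-Object Status, Signer, Path
}

function Get-ServiceBinaryReport {
    # Resolve each Win32 service's command line to its executable and test it from a
    # native (non-WoW64) PowerShell, so "exists" reflects the real System32.
    Get-WmiObject -Class Win32_Service |
        ForEach-Object {
            $raw = [string]$_.PathName
            if (-not $raw) { return }                                  # skip this service
            if ($raw -match '^"([^"]+)"') { $exe = $matches[1] }       # quoted path, args follow
            elseif ($raw -match '^(.+?\.exe)') { $exe = $matches[1] }  # unquoted: stop at .exe
            else { $exe = ($raw -split ' ')[0] }
            $exe = [Environment]::ExpandEnvironmentVariables($exe)
            $exe = $exe -replace '^\\SystemRoot', $env:SystemRoot      # registry-style prefixes
            $exe = $exe -replace '^\\\?\?\\', ''
            $exists = Test-Path -LiteralPath $exe
            $signed = 'n/a'
            if ($exists) { $signed = (Get-AuthenticodeSignature -FilePath $exe).Status }
            New-Object PSObject -Property @{
                Service = $_.Name
                State   = $_.State
                Exists  = $exists
                Signed  = $signed
                Path    = $exe
            }
        } | Select-Object Service, State, Exists, Signed, Path
}

# Usage: anything not validly signed among running images, then services whose
# binary is really missing or unsigned. Pipe to Export-Csv to keep a record.
Get-ProcessSignatureReport | Where-Object { $_.Status -ne 'Valid' } | Format-Table -AutoSize
Get-ServiceBinaryReport | Where-Object { (-not $_.Exists) -or ($_.Signed -ne 'Valid') } | Format-Table -AutoSize
```

On a clean machine the first table is usually short and consists of drivers' helper utilities and older third-party software that simply never signed their binaries; a 'HashMismatch' entry (a signed file whose contents no longer match the signature) deserves more attention than 'NotSigned'. If the second table shows a service whose binary does not exist, that is a real orphaned or removed service, which is exactly the case HijackThis cannot distinguish.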

#13 Dave-Z

  • Topic Starter
  • Members
  • 80 posts
  • Gender:Male
  • Location:MD, USA

Posted 11 November 2011 - 07:05 PM

Have to say it is a great relief to get the all-clear. It's been a long few months. If you don't mind, a few quick questions.

If I have backed up data that may be during an active infection, is it all completely untrustworthy? (All backed up to DVDs currently) i.e game data, music, pictures, iPhone back-ups, apps, libraries?

If my machine info was retrieved in a prior infection, is there anything I should change or be overly cautious of to prevent re-infection? Am I more susceptible to being infected now?

Is there a suggested security set-up you would recommend moving forward? I am not a big fan of Windows firewall, but will use it if suggested.

I currently have a Trend Micro Pro AV trial installed, but do not plan on continuing beyond the trial; it was really something to slap on the machine ASAP after reimaging. Again, if you have a suggestion, or if I go with something like AVG or MSE, without overdoing it, and also have Malwarebytes to scan periodically, any suggestions you have for both set-up and uninstall/reinstall would be most welcome.

I hope this wasn't a waste of your time, but I want to thank you greatly, you have provided me with a safest feeling I've had since mid-summer. Once I get a good security set-up, I'll be whistling happily.

Regards,

Dave

#14 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 11 November 2011 - 07:42 PM

If I have backed up data that may be during an active infection, is it all completely untrustworthy? (All backed up to DVDs currently) i.e game data, music, pictures, iPhone back-ups, apps, libraries?

It's not all untrustworthy, but if any of these files came from anywhere other than legitimate software then you might want to scan them with ESET.


If my machine info was retrieved in a prior infection, is there anything I should change or be overly cautious of to prevent re-infection? Am I more susceptible to being infected now?

I have some information below which answers that one.

Is there a suggested security set-up you would recommend moving forward? I am not a big fan of Windows firewall, but will use it if suggested.

Info below, again.

I currently have a Trend Micro Pro AV trial installed, but do not plan on continuing beyond the trial; it was really something to slap on the machine ASAP after reimaging. Again, if you have a suggestion, or if I go with something like AVG or MSE, without overdoing it, and also have Malwarebytes to scan periodically, any suggestions you have for both set-up and uninstall/reinstall would be most welcome.

One antivirus, one antispyware and a standalone such as MBAM is the way to go. More info below...


I hope this wasn't a waste of your time, but I want to thank you greatly, you have provided me with a safest feeling I've had since mid-summer. Once I get a good security set-up, I'll be whistling happily.

Certainly not wasting my time. This is why I'm here. :)



Info,as promised...

You're clean. Good stuff! :thumbup2:

Let's do some clearing up

If you used DeFogger now is the time to enable your CD emulation software again.

Uninstall ComboFix

We Need to Clean Up our Mess
Download and Run OTC

We will now remove the tools we used during this fix using OTC.

  • Download OTC by OldTimer and save it to your desktop.
  • Double click the [image] icon to start the program. If you are using Vista, please right-click and choose run as administrator
  • Then Click the big [image] button.
  • You will get a prompt saying "Being Cleanup Process". Please select Yes.
  • Restart your computer when prompted.
If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.
------------------------------------------------------------------------------------------------------------------------

Here's some advice on how you can keep your PC clean


Use and update your AntiVirus Software

You must have a good antivirus. There are plenty to choose from but I personally recommend the free options of Avast and Avira Antivir - though if you choose Avira you should make sure that you uncheck the box offering to install the Ask toolbar. If you want to purchase a security program then I recommend any of the following: AVG, Norton, McAfee, Kaspersky and ESET Nod32.

It is imperative that you update your antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out. If you use a commercial antivirus program you must make sure you keep renewing your subscription. Otherwise, once your subscription runs out, you may not be able to update the program's virus definitions.


Make sure your applications have all of their updates

Use this next program to check for updates for programs already on your system. Download Security Check by screen317 from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically; make sure that updates for any programs that are flagged are carried out as soon as possible

It is also possible for other programs on your computer to have security vulnerabilities that can allow malware to infect you. Therefore, it is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.


Install an AntiSpyware Program

A highly recommended AntiSpyware program is SuperAntiSpyware. You can download the free Home Version, or the Pro version for a 15 day trial period.

Installing this or another recommended program will provide spyware & hijacker protection on your computer alongside your virus protection. You should scan your computer with an AntiSpyware program on a regular basis just as you would an antivirus software.


Finally, here's a treasure trove of antivirus, antimalware and antispyware resources


That's it, happy surfing!

Cheers.

m0le
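
m0le's answer on the backed-up DVDs draws the right line: photos, music, documents and an iPhone backup cannot run on their own, so the risk in a backup made during an infection lives in whatever can execute, including an executable renamed to look like data. Before restoring such a backup it helps to know exactly which files those are, so they can be sent through the scanner or simply downloaded fresh from the vendor. The script below is an added example, not part of the thread; it walks a backup tree, flags anything with an executable extension or a PE ("MZ") header hiding behind a data extension, and records a SHA-256 for each hit. The root path 'D:\' and the output file name are placeholders; PowerShell 2.0 or later is assumed.

```powershell
# Added example, not from the thread: triage a backup set for executable content
# before restoring it. $Root is a placeholder for the mounted DVD or a copied folder.

$ExecutableExtensions = @('.exe', '.dll', '.sys', '.scr', '.com', '.pif', '.cpl',
                          '.msi', '.bat', '.cmd', '.vbs', '.vbe', '.js', '.jse',
                          '.wsf', '.hta', '.ps1', '.jar', '.lnk')

function Test-PEHeader {
    param([string]$Path)
    # Every Windows executable image (exe, dll, sys, scr ...) starts with "MZ",
    # whatever extension it has been given.
    try {
        $fs = [System.IO.File]::OpenRead($Path)
        try {
            $buf = New-Object byte[] 2
            $n = $fs.Read($buf, 0, 2)
            return ($n -eq 2 -and $buf[0] -eq 0x4D -and $buf[1] -eq 0x5A)
        } finally { $fs.Close() }
    } catch { return $false }   # unreadable file: not classified as PE here
}

function Get-FileSha256 {
    param([string]$Path)
    # Hash for looking the file up in scanner results or a vendor's download page.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs = [System.IO.File]::OpenRead($Path)
    try { return ([BitConverter]::ToString($sha.ComputeHash($fs))) -replace '-', '' }
    finally { $fs.Close() }
}

function Get-BackupTriage {
    param([string]$Root)
    Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer } |
        ForEach-Object {
            $ext = $_.Extension.ToLower()
            $reason = $null
            if ($ExecutableExtensions -contains $ext) { $reason = 'executable type' }
            elseif (Test-PEHeader $_.FullName)        { $reason = "PE image with '$ext' extension" }
            if ($reason) {
                New-Object PSObject -Property @{
                    Reason = $reason
                    Bytes  = $_.Length
                    Sha256 = (Get-FileSha256 $_.FullName)
                    Path   = $_.FullName
                }
            }
        } | Select-Object Reason, Bytes, Sha256, Path
}

# Usage: everything listed is what needs a scan or a fresh download; the rest of
# the backup (media, documents, the iPhone backup folder) is inert data.
Get-BackupTriage -Root 'D:\' |
    Export-Csv -Path "$env:USERPROFILE\Desktop\backup-triage.csv" -NoTypeInformation
```

A "PE image with '.jpg' extension" row is the case to treat as hostile regardless of what any scanner says about it, since a legitimate picture has no reason to carry an executable header. Game data, saved installers and portable apps will land in the "executable type" rows; for those, re-downloading from the original source is cheaper than trying to prove a possibly tampered copy is clean.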

#15 Dave-Z

  • Topic Starter
  • Members
  • 80 posts
  • Gender:Male
  • Location:MD, USA

Posted 11 November 2011 - 10:32 PM

Hi M0le. Two problems suddenly appeared: the wireless connection console closing for no reason, and, for some reason, I lost control of my video display. ATI Radeon, showing an invalid digital signature on the Drivers tab, and any attempt to update is failing. As well, the main program for driver and video properties has disappeared from my uninstall list. I reran the driver install program, no change. Max resolution is 1152 x 864, unable to change. I have also uninstalled the card in Device Manager and restarted; it just keeps going back to the same state. Just in case this is important, the driver/software package is ATI Catalyst WHQL.

Also having very long login times, as much as 5 minutes, especially when switching between logins.

This all started around the same time, shortly after I enabled my wireless adapter, not sure if it is coincidence. Wish I knew what was going on with this thing.



