Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Hacked by a ebay/paypal scammer?


  • Please log in to reply
21 replies to this topic

#1 bwrighttwo

bwrighttwo

  • Members
  • 717 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:04:10 AM

Posted 14 January 2012 - 09:44 PM

Hello, Nov. 1st/2nd 2011 I was hacked into by a ebay scammer, I think. I think they came through my gmail acct. but am not sure. I think they may still have access. to my pc. There are a lot of files thaat look suspicious and can 't be removed. I have norton software and malware bytes. I block almost every tracking cookie I get but still think something is wrong . Thanks you for any advice nd will donate to your site if possible, for your help.

BC AdBot (Login to Remove)

 


#2 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,072 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:05:10 AM

Posted 14 January 2012 - 10:07 PM

Hello and welcome, I moved thos to the Am I Infected forum from Windows 7.

Please download MiniToolBox, save it to your desktop and run it.

Checkmark the following checkboxes:
  • Flush DNS
  • Report IE Proxy Settings
  • Reset IE Proxy Settings
  • Report FF Proxy Settings
  • Reset FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List Winsock Entries
  • List last 10 Event Viewer log
  • List Installed Programs
  • List Devices
  • List Users, Partitions and Memory size.
  • List Minidump Files
Click Go and post the result (Result.txt). A copy of Result.txt will be saved in the same directory the tool is run.

Note: When using "Reset FF Proxy Settings" option Firefox should be closed.


Next run MBAM (MalwareBytes):

Please download Malwarebytes Anti-Malware and save it to your desktop.
Download Link 1 <<<== Use this one first.

Download Link 2MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
    For instructions with screenshots, please refer to the How to use Malwarebytes' Anti-Malware Guide.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

Troubleshoot Malwarebytes' Anti-Malware


Now....
Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

    Posted Image
  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.
-- If you encounter any problems, try running GMER in safe mode.
-- If GMER crashes or keeps resulting in a BSODs, uncheck Devices on the right side before scanning
.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 bwrighttwo

bwrighttwo
  • Topic Starter

  • Members
  • 717 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:04:10 AM

Posted 14 January 2012 - 10:27 PM

Windows will not let me save. I prob need to turn my security settings down, if so instructions please.

#4 bwrighttwo

bwrighttwo
  • Topic Starter

  • Members
  • 717 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:04:10 AM

Posted 14 January 2012 - 10:33 PM

I figured it out, will post when finished.

#5 bwrighttwo

bwrighttwo
  • Topic Starter

  • Members
  • 717 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:04:10 AM

Posted 14 January 2012 - 10:35 PM

MiniToolBox by Farbar
Ran by Buck (administrator) on 14-01-2012 at 22:32:11
Microsoft Windows 7 Home Premium Service Pack 1 (X64)
Boot Mode: Normal
***************************************************************************

========================= Flush DNS: ===================================

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.

"Reset IE Proxy Settings": IE Proxy Settings were reset.

========================= FF Proxy Settings: ==============================


"Reset FF Proxy Settings": Firefox Proxy settings were reset.

========================= Hosts content: =================================



========================= IP Configuration: ================================

Atheros AR5B93 Wireless Network Adapter = Wireless Network Connection (Connected)
Broadcom NetLink ™ Gigabit Ethernet = Local Area Connection (Media disconnected)
Microsoft Virtual WiFi Miniport Adapter = Wireless Network Connection 2 (Media disconnected)


# ----------------------------------
# IPv4 Configuration
# ----------------------------------
pushd interface ipv4

reset
set global icmpredirects=enabled
set interface interface="Local Area Connection 2" forwarding=disabled advertise=disabled mtu=1428 metric=0 siteprefixlength=0 nud=disabled routerdiscovery=disabled managedaddress=disabled otherstateful=disabled weakhostsend=disabled weakhostreceive=disabled ignoredefaultroutes=disabled advertisedrouterlifetime=0 advertisedefaultroute=disabled currenthoplimit=0 forcearpndwolpattern=disabled enabledirectedmacwolpattern=disabled


popd
# End of IPv4 configuration



Windows IP Configuration

Host Name . . . . . . . . . . . . : Buck-PC
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No

Wireless LAN adapter Wireless Network Connection 2:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft Virtual WiFi Miniport Adapter
Physical Address. . . . . . . . . : C2-17-FE-3B-46-31
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes

Wireless LAN adapter Wireless Network Connection:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Atheros AR5B93 Wireless Network Adapter
Physical Address. . . . . . . . . : C4-17-FE-3B-46-31
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::b0b7:1a22:fd7e:686d%11(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.1.2(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : Saturday, January 14, 2012 10:16:37 PM
Lease Expires . . . . . . . . . . : Sunday, January 15, 2012 10:16:36 PM
Default Gateway . . . . . . . . . : 192.168.1.1
DHCP Server . . . . . . . . . . . : 192.168.1.1
DHCPv6 IAID . . . . . . . . . . . : 314841086
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-14-59-56-A5-00-26-2D-7E-FC-55
DNS Servers . . . . . . . . . . . : 192.168.1.1
NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter Local Area Connection:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . : wistron.com
Description . . . . . . . . . . . : Broadcom NetLink ™ Gigabit Ethernet
Physical Address. . . . . . . . . : 00-26-2D-7E-FC-55
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Reusable ISATAP Interface {AFA6CC87-7972-4A75-A852-211BB9D13D4C}:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Teredo Tunneling Pseudo-Interface:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv6 Address. . . . . . . . . . . : 2001:0:4137:9e76:34f8:1a50:5907:b61b(Preferred)
Link-local IPv6 Address . . . . . : fe80::34f8:1a50:5907:b61b%20(Preferred)
Default Gateway . . . . . . . . . : ::
NetBIOS over Tcpip. . . . . . . . : Disabled

Tunnel adapter isatap.{D524DD04-9A01-48E1-9526-CCC23FF61AA2}:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter #4
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Server: UnKnown
Address: 192.168.1.1

Name: google.com
Addresses: 72.14.204.99
72.14.204.147
72.14.204.104
72.14.204.103
72.14.204.105


Pinging google.com [72.14.204.105] with 32 bytes of data:
Reply from 72.14.204.105: bytes=32 time=70ms TTL=53
Reply from 72.14.204.105: bytes=32 time=78ms TTL=53

Ping statistics for 72.14.204.105:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 70ms, Maximum = 78ms, Average = 74ms
Server: UnKnown
Address: 192.168.1.1

Name: yahoo.com
Addresses: 209.191.122.70
72.30.2.43
98.137.149.56
98.139.180.149


Pinging yahoo.com [98.137.149.56] with 32 bytes of data:
Reply from 98.137.149.56: bytes=32 time=126ms TTL=50
Reply from 98.137.149.56: bytes=32 time=118ms TTL=50

Ping statistics for 98.137.149.56:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 118ms, Maximum = 126ms, Average = 122ms
Server: UnKnown
Address: 192.168.1.1

Name: bleepingcomputer.com
Address: 208.43.87.2


Pinging bleepingcomputer.com [208.43.87.2] with 32 bytes of data:
Request timed out.
Request timed out.

Ping statistics for 208.43.87.2:
Packets: Sent = 2, Received = 0, Lost = 2 (100% loss),

Pinging 127.0.0.1 with 32 bytes of data:
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Ping statistics for 127.0.0.1:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
===========================================================================
Interface List
16...c2 17 fe 3b 46 31 ......Microsoft Virtual WiFi Miniport Adapter
11...c4 17 fe 3b 46 31 ......Atheros AR5B93 Wireless Network Adapter
10...00 26 2d 7e fc 55 ......Broadcom NetLink ™ Gigabit Ethernet
1...........................Software Loopback Interface 1
22...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
20...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
17...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #4
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.2 25
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
192.168.1.0 255.255.255.0 On-link 192.168.1.2 281
192.168.1.2 255.255.255.255 On-link 192.168.1.2 281
192.168.1.255 255.255.255.255 On-link 192.168.1.2 281
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 192.168.1.2 281
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 192.168.1.2 281
===========================================================================
Persistent Routes:
None

IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination Gateway
20 58 ::/0 On-link
1 306 ::1/128 On-link
20 58 2001::/32 On-link
20 306 2001:0:4137:9e76:34f8:1a50:5907:b61b/128
On-link
11 281 fe80::/64 On-link
20 306 fe80::/64 On-link
20 306 fe80::34f8:1a50:5907:b61b/128
On-link
11 281 fe80::b0b7:1a22:fd7e:686d/128
On-link
1 306 ff00::/8 On-link
20 306 ff00::/8 On-link
11 281 ff00::/8 On-link
===========================================================================
Persistent Routes:
None
========================= Winsock entries =====================================

Catalog5 01 C:\Windows\SysWOW64\NLAapi.dll [52224] (Microsoft Corporation)
Catalog5 02 C:\Windows\SysWOW64\napinsp.dll [52224] (Microsoft Corporation)
Catalog5 03 C:\Windows\SysWOW64\pnrpnsp.dll [65024] (Microsoft Corporation)
Catalog5 04 C:\Windows\SysWOW64\pnrpnsp.dll [65024] (Microsoft Corporation)
Catalog5 05 C:\Windows\SysWOW64\wshbth.dll [36352] (Microsoft Corporation)
Catalog5 06 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog5 07 C:\Windows\SysWOW64\winrnr.dll [20992] (Microsoft Corporation)
Catalog5 08 C:\Program Files (x86)\Bonjour\mdnsNSP.dll [152864] (Apple Inc.)
Catalog5 09 C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL [145280] (Microsoft Corp.)
Catalog5 10 C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL [145280] (Microsoft Corp.)
Catalog9 01 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 02 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 03 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 04 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 05 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 06 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 07 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 08 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 09 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 10 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 11 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
x64-Catalog5 01 C:\Windows\System32\NLAapi.dll [70656] (Microsoft Corporation)
x64-Catalog5 02 C:\Windows\System32\napinsp.dll [68096] (Microsoft Corporation)
x64-Catalog5 03 C:\Windows\System32\pnrpnsp.dll [86016] (Microsoft Corporation)
x64-Catalog5 04 C:\Windows\System32\pnrpnsp.dll [86016] (Microsoft Corporation)
x64-Catalog5 05 C:\Windows\System32\wshbth.dll [47104] (Microsoft Corporation)
x64-Catalog5 06 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
x64-Catalog5 07 C:\Windows\System32\winrnr.dll [28672] (Microsoft Corporation)
x64-Catalog5 08 C:\Program Files\Bonjour\mdnsNSP.dll [193824] (Apple Inc.)
x64-Catalog5 09 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL [171392] (Microsoft Corp.)
x64-Catalog5 10 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL [171392] (Microsoft Corp.)
x64-Catalog9 01 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
x64-Catalog9 02 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
x64-Catalog9 03 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
x64-Catalog9 04 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
x64-Catalog9 05 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
x64-Catalog9 06 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
x64-Catalog9 07 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
x64-Catalog9 08 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
x64-Catalog9 09 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
x64-Catalog9 10 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
x64-Catalog9 11 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)

========================= Event log errors: ===============================

Application errors:
==================
Error: (01/14/2012 10:23:29 PM) (Source: Microsoft-Windows-CAPI2) (User: )
Description: Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.
.

Error: (01/14/2012 10:23:29 PM) (Source: Microsoft-Windows-CAPI2) (User: )
Description: Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.
.

Error: (01/14/2012 10:23:29 PM) (Source: Microsoft-Windows-CAPI2) (User: )
Description: Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.
.

Error: (01/14/2012 10:23:29 PM) (Source: Microsoft-Windows-CAPI2) (User: )
Description: Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.
.

Error: (01/14/2012 08:56:06 PM) (Source: Microsoft-Windows-CAPI2) (User: )
Description: Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.
.

Error: (01/14/2012 08:56:06 PM) (Source: Microsoft-Windows-CAPI2) (User: )
Description: Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.
.

Error: (01/14/2012 08:56:06 PM) (Source: Microsoft-Windows-CAPI2) (User: )
Description: Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.
.

Error: (01/14/2012 08:56:06 PM) (Source: Microsoft-Windows-CAPI2) (User: )
Description: Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.
.

Error: (01/14/2012 08:56:06 PM) (Source: Microsoft-Windows-CAPI2) (User: )
Description: Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.
.

Error: (01/14/2012 08:56:06 PM) (Source: Microsoft-Windows-CAPI2) (User: )
Description: Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.
.


System errors:
=============
Error: (01/14/2012 00:04:27 AM) (Source: DCOM) (User: Guest)
Description: application-specificLocalActivation{8BC3F05E-D86B-11D0-A075-00C04FB68820}{8BC3F05E-D86B-11D0-A075-00C04FB68820}Buck-PCGuestS-1-5-21-2996206761-3037128082-3548992491-501LocalHost (Using LRPC)

Error: (01/14/2012 00:04:26 AM) (Source: DCOM) (User: Guest)
Description: application-specificLocalActivation{8BC3F05E-D86B-11D0-A075-00C04FB68820}{8BC3F05E-D86B-11D0-A075-00C04FB68820}Buck-PCGuestS-1-5-21-2996206761-3037128082-3548992491-501LocalHost (Using LRPC)

Error: (01/14/2012 00:04:26 AM) (Source: DCOM) (User: Guest)
Description: application-specificLocalActivation{8BC3F05E-D86B-11D0-A075-00C04FB68820}{8BC3F05E-D86B-11D0-A075-00C04FB68820}Buck-PCGuestS-1-5-21-2996206761-3037128082-3548992491-501LocalHost (Using LRPC)

Error: (01/14/2012 00:04:05 AM) (Source: DCOM) (User: Guest)
Description: application-specificLocalActivation{8BC3F05E-D86B-11D0-A075-00C04FB68820}{8BC3F05E-D86B-11D0-A075-00C04FB68820}Buck-PCGuestS-1-5-21-2996206761-3037128082-3548992491-501LocalHost (Using LRPC)

Error: (01/11/2012 04:22:35 PM) (Source: bowser) (User: )
Description: The master browser has received a server announcement from the computer R-PC
that believes that it is the master browser for the domain on transport NetBT_Tcpip_{D524DD04-9A01-48E1-9526-CCC23FF61AA2}.
The master browser is stopping or an election is being forced.

Error: (01/10/2012 09:11:33 AM) (Source: Service Control Manager) (User: )
Description: The Server service terminated with the following error:
%%14

Error: (01/08/2012 08:20:40 PM) (Source: Service Control Manager) (User: )
Description: The KSafe service service terminated with the following error:
%%-2147221008

Error: (01/05/2012 11:43:12 PM) (Source: Service Control Manager) (User: )
Description: The Steam Client Service service failed to start due to the following error:
%%1053

Error: (01/05/2012 11:43:12 PM) (Source: Service Control Manager) (User: )
Description: A timeout was reached (30000 milliseconds) while waiting for the Steam Client Service service to connect.

Error: (01/01/2012 06:03:34 AM) (Source: Ntfs) (User: )
Description: The default transaction resource manager on volume Yo-Safe encountered a non-retryable error and could not start. The data contains the error code.


Microsoft Office Sessions:
=========================

=========================== Installed Programs ============================

Update for Microsoft Office 2007 (KB2508958)
ABBYY FineReader 6.0 Sprint (Version: 6.00.1990.41618)
Acer Arcade Deluxe (Version: 3.0.7112)
Acer Assist
Acer Backup Manager (Version: 2.0.0.29)
Acer Crystal Eye webcam Ver:1.1.124.1120 (Version: 1.1.124.1120)
Acer ePower Management (Version: 4.05.3004)
Acer eRecovery Management (Version: 4.05.3005)
Acer Games (Version: 1.0.0.71)
Acer GridVista (Version: 3.01.0730)
Acer Registration (Version: 1.02.3006)
Acer ScreenSaver (Version: 1.5.0715)
Acer Updater (Version: 1.01.3017)
Acrobat.com (Version: 1.6.65)
Adobe AIR (Version: 1.5.0.7220)
Adobe Flash Player 11 ActiveX 64-bit (Version: 11.1.102.55)
Adobe Reader X (10.1.2) (Version: 10.1.2)
Alcor Micro USB Card Reader (Version: 1.4.17.35005)
Apple Application Support (Version: 1.5.2)
Apple Mobile Device Support (Version: 3.4.1.2)
Apple Software Update (Version: 2.1.3.127)
Backup Manager Basic (Version: 2.0.0.29)
Bonjour (Version: 2.0.5.0)
Broadcom Gigabit NetLink Controller (Version: 12.33.03)
Compatibility Pack for the 2007 Office system (Version: 12.0.6425.1000)
D3DX10 (Version: 15.4.2368.0902)
eSobi v2 (Version: 2.0.4.000274)
Express Accounts
Express Invoice
GemGuide Appraisal Software version 2.06a for version 2.x (Version: GemGuide Appraisal Software version 2.06a for version 2.x)
Identity Card (Version: 1.00.3003)
IL-2 Sturmovik 1946 (Version: 1.00.0000)
IL-2 Sturmovik: Cliffs of Dover
Intel® Control Center (Version: 1.2.0.1006)
Intel® Graphics Media Accelerator Driver (Version: 8.15.10.2008)
Intel® Management Engine Components (Version: 6.0.0.1179)
Intel® Matrix Storage Manager
iTunes (Version: 10.3.1.55)
Junk Mail filter update (Version: 15.4.3502.0922)
Launch Manager (Version: 3.0.05)
Lexmark 3500-4500 Series
Lexmark Fax Solutions
Logitech Gaming Software 5.08 (Version: 5.08.146)
LSI HDA Modem (Version: 2.2.98)
Malwarebytes Anti-Malware version 1.60.0.1800 (Version: 1.60.0.1800)
MediaBar (Version: 3.0.0.107547)
Microsoft .NET Framework 4 Client Profile (Version: 4.0.30319)
Microsoft Application Error Reporting (Version: 12.0.6015.5000)
Microsoft Office 2007 Service Pack 3 (SP3)
Microsoft Office Excel MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office File Validation Add-In (Version: 14.0.5130.5003)
Microsoft Office Home and Student 2007 (Version: 12.0.6612.1000)
Microsoft Office Office 64-bit Components 2007 (Version: 12.0.6612.1000)
Microsoft Office OneNote MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office PowerPoint MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office PowerPoint Viewer 2007 (English) (Version: 12.0.6425.1000)
Microsoft Office Proof (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office Proof (French) 2007 (Version: 12.0.6612.1000)
Microsoft Office Proof (Spanish) 2007 (Version: 12.0.6612.1000)
Microsoft Office Proofing (English) 2007 (Version: 12.0.4518.1014)
Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
Microsoft Office Shared 64-bit MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office Shared 64-bit Setup Metadata MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office Shared MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office Suite Activation Assistant (Version: 2.9)
Microsoft Office Word MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Silverlight (Version: 4.0.60831.0)
Microsoft SQL Server 2005 Compact Edition [ENU] (Version: 3.1.0000)
Microsoft Visual C++ 2005 ATL Update kb973923 - x64 8.0.50727.4053 (Version: 8.0.50727.4053)
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053 (Version: 8.0.50727.4053)
Microsoft Visual C++ 2005 Redistributable (Version: 8.0.61001)
Microsoft Visual C++ 2005 Redistributable (x64) - KB2467175 (Version: 8.0.51011)
Microsoft Visual C++ 2005 Redistributable (x64) (Version: 8.0.56336)
Microsoft Visual C++ 2005 Redistributable (x64) (Version: 8.0.59192)
Microsoft Visual C++ 2005 Redistributable (x64) (Version: 8.0.61000)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (Version: 9.0.30729.4148)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (Version: 9.0.30729.6161)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319 (Version: 10.0.30319)
Microsoft Works (Version: 9.7.0621)
MiFi4510 Mobile Broadband Drivers (Version: 1.02.001.001.13)
Mobile Broadband Generic Drivers (Version: 2.03.06.002.14)
MSVCRT (Version: 15.4.2862.0708)
MSVCRT_amd64 (Version: 15.4.2862.0708)
MSXML 4.0 SP2 (KB954430) (Version: 4.20.9870.0)
MSXML 4.0 SP2 (KB973688) (Version: 4.20.9876.0)
MyWinLocker (Version: 3.1.76.0)
Norton AntiVirus (Version: 19.2.0.10)
Norton Online Backup (Version: 1.2.0.36)
Norton Safe Web Lite (Version: 1.2.0.6)
Realtek High Definition Audio Driver (Version: 6.0.1.5969)
Steam (Version: 1.0.0.0)
Synaptics Pointing Device Driver (Version: 14.0.6.0)
Turbo Lister 2 (Version: 2.00.0000)
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 4 Client Profile (KB2468871) (Version: 1)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523) (Version: 1)
Update for Microsoft Office 2007 suites (KB2596651) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2596789) 32-Bit Edition
Update for Microsoft Office Excel 2007 (KB2596596) 32-Bit Edition
Verizon Wireless USB727 Firmware Updates (Version: 1.0.0)
VZAccess Manager (Version: 7.2.1.2)
Welcome Center (Version: 1.00.3008)
WIDCOMM Bluetooth Software (Version: 6.2.1.800)
Windows Driver Package - Broadcom Bluetooth (07/30/2009 6.2.0.9405) (Version: 07/30/2009 6.2.0.9405)
Windows Driver Package - Broadcom Bluetooth (09/11/2009 6.2.0.9407) (Version: 09/11/2009 6.2.0.9407)
Windows Driver Package - Broadcom HIDClass (07/28/2009 6.2.0.9800) (Version: 07/28/2009 6.2.0.9800)
Windows Live Communications Platform (Version: 15.4.3502.0922)
Windows Live Essentials (Version: 15.4.3502.0922)
Windows Live Essentials (Version: 15.4.3538.0513)
Windows Live ID Sign-in Assistant (Version: 7.250.4232.0)
Windows Live Installer (Version: 15.4.3502.0922)
Windows Live Language Selector (Version: 15.4.3538.0513)
Windows Live Mail (Version: 15.4.3502.0922)
Windows Live Messenger (Version: 15.4.3538.0513)
Windows Live MIME IFilter (Version: 15.4.3502.0922)
Windows Live Movie Maker (Version: 15.4.3502.0922)
Windows Live Photo Common (Version: 15.4.3502.0922)
Windows Live Photo Gallery (Version: 15.4.3502.0922)
Windows Live PIMT Platform (Version: 15.4.3508.1109)
Windows Live SOXE (Version: 15.4.3502.0922)
Windows Live SOXE Definitions (Version: 15.4.3502.0922)
Windows Live Sync (Version: 14.0.8089.726)
Windows Live UX Platform (Version: 15.4.3502.0922)
Windows Live UX Platform Language Pack (Version: 15.4.3508.1109)
Windows Live Writer (Version: 15.4.3502.0922)
Windows Live Writer Resources (Version: 15.4.3502.0922)

========================= Devices: ================================


========================= Memory info: ===================================

Percentage of memory in use: 44%
Total physical RAM: 3764.5 MB
Available physical RAM: 2074.78 MB
Total Pagefile: 7527.2 MB
Available Pagefile: 5690.37 MB
Total Virtual: 4095.88 MB
Available Virtual: 3964.7 MB

========================= Partitions: =====================================

1 Drive c: (ACER) (Fixed) (Total:285.3 GB) (Free:177.55 GB) NTFS

========================= Users: ========================================

User accounts for \\BUCK-PC

Administrator Buck Guest

========================= Minidump Files ==================================

No minidump file found

**** End of log ****

#6 bwrighttwo

bwrighttwo
  • Topic Starter

  • Members
  • 717 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:04:10 AM

Posted 14 January 2012 - 10:47 PM

Malwarebytes Anti-Malware 1.60.0.1800
www.malwarebytes.org

Database version: v2012.01.14.05

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Buck :: BUCK-PC [administrator]

1/14/2012 10:41:27 PM
mbam-log-2012-01-14 (22-41-27).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 194857
Time elapsed: 4 minute(s), 15 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

#7 bwrighttwo

bwrighttwo
  • Topic Starter

  • Members
  • 717 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:04:10 AM

Posted 14 January 2012 - 11:30 PM

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-01-14 23:29:08
Windows 6.1.7601 Service Pack 1
Running: mlprxeq0.exe


---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\2c8158c22db5
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\2c8158c22db5 (not active ControlSet)

---- EOF - GMER 1.0.15 ----

#8 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,072 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:05:10 AM

Posted 14 January 2012 - 11:41 PM

Can you give me some examples

There are a lot of files thaat look suspicious and can 't be removed



I'll look back tomorrow

I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Under scan settings, check Posted Image and check Remove found threats
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image


NOTE: In some instances if no malware is found there will be no log produced.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#9 bwrighttwo

bwrighttwo
  • Topic Starter

  • Members
  • 717 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:04:10 AM

Posted 15 January 2012 - 12:17 AM

I can't copy and paste the folder name. It will allow me to open now. I see now they are from east asia. theere are about 15 folders.
Do you want me to send all of them in htlm?

2010-10-26 20:44:05 Execute PLaunch

2010-10-26 20:44:05 Execute LaunchApp

2010-10-26 21:12:34 Execute PLaunch

2010-10-26 21:12:35 Execute LaunchApp



-<ModuleInfo> <ModulePN>MOD01SET74EN0N0006</ModulePN> <Creator PN="01" Name="Acer-HQ1"/> <Type PN="SET" Name="Settings"/> <Module PN="74" Name="WinRE LP Setup" Serial="" Provider="Microsoft" Class="WinRE LP Setup"/> <WOS PN="0N" SKU="W7 All" CPU="X64"/> <Lang>English</Lang> <ModuleVersion>RTM-MS2</ModuleVersion> <OptionVersion/> <ProjectCodeName/> <ModuleTimeout/> <InstallPreiod>UserAlaunch</InstallPreiod> <Reboot>False</Reboot> <Delete>False</Delete> <AutoRun>False</AutoRun> <InstallPath>C:\Windows</InstallPath> <Description>10/5 Include MDAC and east-asia font support for all language</Description> -<ProcessList> <Process Check="False" Timeout="0" RetCode="-" Params="" Exec="%RELATIVE_PATH%\NEWDEPLOYWINRE.CMD" Order="00"/> </ProcessList> <RegItemList> </RegItemList>

#10 bwrighttwo

bwrighttwo
  • Topic Starter

  • Members
  • 717 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:04:10 AM

Posted 15 January 2012 - 12:50 AM

I can see a bunch of things i could not see before. Came from someone on the Ebay discussion board. I think I joined a blog from a "fake" member. I thought that was what was going on.

#11 bwrighttwo

bwrighttwo
  • Topic Starter

  • Members
  • 717 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:04:10 AM

Posted 15 January 2012 - 01:20 AM

D:\WINDOWS\TEMP\MOD01A001ZENZZ0005

#12 bwrighttwo

bwrighttwo
  • Topic Starter

  • Members
  • 717 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:04:10 AM

Posted 15 January 2012 - 01:30 AM

I am either wrong about all of the above or the dates have been changed. Starting with the files I copied. Sorry if so.

#13 bwrighttwo

bwrighttwo
  • Topic Starter

  • Members
  • 717 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:04:10 AM

Posted 15 January 2012 - 01:43 AM

C:\Downloads\Software\cnet_ComboFix_exe.exe a variant of Win32/InstallCore.D application cleaned by deleting - quarantined
C:\Program Files (x86)\iMesh Applications\MediaBar\Datamngr\datamngr.dll a variant of Win32/Toolbar.SearchSuite application cleaned by deleting (after the next restart) - quarantined
C:\Program Files (x86)\iMesh Applications\MediaBar\Datamngr\datamngrUI.exe a variant of Win32/Toolbar.SearchSuite application cleaned by deleting - quarantined
C:\Program Files (x86)\iMesh Applications\MediaBar\Datamngr\IEBHO.dll probably a variant of Win32/Toolbar.SearchSuite application cleaned by deleting (after the next restart) - quarantined
C:\Users\Buck\AppData\Local\Temp\NODA969.tmp a variant of Win32/Toolbar.SearchSuite application cleaned by deleting (after the next restart) - quarantined
C:\Users\Buck\AppData\Local\Temp\NODAD22.tmp probably a variant of Win32/Toolbar.SearchSuite application cleaned by deleting (after the next restart) - quarantined

#14 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,072 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:05:10 AM

Posted 15 January 2012 - 03:01 PM

Are there other machines connected here or is this the only one?


Run TFC by OT (Temp File Cleaner)
Please download TFC by Old Timer and save it to your desktop.
alternate download link

Save any unsaved work. TFC will close ALL open programs including your browser!
Double-click on TFC.exe to run it. If you are using Vista, right-click on the file and choose Run As Administrator.
Click the Start button to begin the cleaning process and let it run uninterrupted to completion.
Important! If TFC prompts you to reboot, please do so immediately. If not prompted, manually reboot the machine anyway to ensure a complete clean.


Your HOSTS file may be infected.
Reset the HOSTS file
As this infection also changes your Windows HOSTS file, we want to replace this file with the default version for your operating system.
Some types of malware will alter the HOSTS file as part of its infection. Please follow the instructions provided in How do I reset the hosts file back to the default?

To reset the hosts file automatically,go HERE click the Posted Image button. Then just follow the prompts in the Fix it wizard.


OR
Click Run in the File Download dialog box or save MicrosoftFixit50267.msi to your Desktop and double-click on it to run. Then just follow the promots in the Fix it wizard.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#15 bwrighttwo

bwrighttwo
  • Topic Starter

  • Members
  • 717 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:04:10 AM

Posted 16 January 2012 - 02:50 AM

It is a laptop and I use it at work but, only one other is used there. I originally thought my problems were coming from ebay discussion board moderators(Liveworld), because I was blowing the whistle on some things they are doing. I have some cryptic emails and some with either scammers on their site or fake members trying to cover up some things they are doing at ebay/paypal.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users