Problems Following Metropolitan Police Virus Removal


This topic is locked. 8 replies to this topic.

#1 h7td (Members, 6 posts)

Posted 27 February 2012 - 09:49 AM

Hi,
I recently managed to infect my laptop with the Metropolitan Police virus via browsing a website in Firefox, which requested money in order to release my laptop. I attempted to get rid of it myself by booting into safe mode and disabling certain suspicious-looking start-up items in msconfig. I then rebooted and ran Malwarebytes Anti-Malware and a scan by ESET NOD32; both detected numerous infections which were removed following a restart. I then noticed my Google search results were redirecting me to specific search and ad sites. I unfortunately again decided to tackle this on my own. Following a tutorial, I removed some entries from the C:\WINDOWS\system32\drivers\etc\hosts file. This seemed to sort the problem.

However, since then I've noticed some other issues. Certain encrypted files, specifically ones zipped and transferred from a Mac, stopped functioning. I overcame this by using an EFS data recovery program which decrypted the files.

The final problem I haven't been able to overcome is that when trying to access certain websites, http://redditenhancementsuite.com/ or http://www.channel4.com/programmes/the-hotel/4od#3293733 for example, all I get is a random string of characters like the following:

‹Xmo6>`/€Z6%ZŠ&AO%‰TI*‡='J”8^†._L‰w{y)GŸ\xv7We+Eο•‚ ‰ܚ›Ytb—O.ֵŒ( O/>aŸ)+„u˜ˆˆW”2•W:“Œyœ&a‚de9‹œ_—Rˆ<ŽNœ‹r1‹t1?›Z$kœ7p#Hž4jrˆŸa7‡S.C/čo#r6›Eœ Ÿ’$3Œƒ83Uo0~WJWpvšEx•qŽ‡5/Y–r"(^enU+ƒ‹VwNOŠ€A8’š| ašhš›v%0‚"A†U UQ•XJ—”fiZ/#Z@$ղxx—¹Y‚\!qjmMa<z#ǰug„i"˜‘Q!B-BT†‘‡˜"ehhTh"!C%7+]‘‡zuaYEnsŸ…~ I8@zWœOe›_ !Qds“5 +;N‡)‹Zu*/?'˜ԵŸESi|GӀ-4 …fL/i.(f€x+BVq8ǀgO„ҩ–9žKL rz鳊,P%RR.\‘aM|–J†r PK‘wxg…*p…Lͥ%xYFZ\9‹‡d‡Sեm—ƒZˆŽ]’yuOcwv‹™ R"NN4‰Cz&xK uŒVm|;<;ošԜ="" 1gt;]+1]:0‘pJ;G †ƫ…‚%‚ƒȲ6T rawpgY •9J†ˆ‘›“v-_›”5S˜cw\%~bE #@8Br8DGN fL'S‡#gC1+U0ŒLG‰ ‡ 5‚M'H*Ÿ… ‹ZT„)‘ˆ.P%RU*\p?d^J‡ˆ‚70™vJ 2—•:)*.œUODk˜r+TS# Z1š”—br|‹F”kB’j‘]\mMRX\ožJ42“9oC cXKC$}8šGrl0 ŽL…#]HAH7—Io${xaR—„P–VTZ[RŽ'jŠ |x@U5‰cs“JVbNm*70~x‚3l24‡Ol{|ƒ;•…Vō™nN[)zwSuŠo} ‚¿*—T

The characters change depending on the website. I've tried disabling all extensions and plugins, reinstalling Firefox and reinstalling Java, to no avail. The issue seems to be isolated to Firefox; Chrome is able to display the webpages without a problem. I was hoping I could get some help on whether this is being caused by a virus/malware, so I can rule it out. Thanks.

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_31
Run by H at 14:21:08 on 2012-02-27
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.44.1033.18.2997.1482 [GMT 0:00]
.
AV: ESET NOD32 Antivirus 4.2 *Enabled/Updated* {77DEAFED-8149-104B-25A1-21771CA47CD1}
SP: ESET NOD32 Antivirus 4.2 *Enabled/Updated* {CCBF4E09-A773-1FC5-1F11-1A056723366C}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\WLANExt.exe
C:\Windows\system32\conhost.exe
C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\ProgramData\EPSON\EPW!3 SSRP\E_S40ST7.EXE
C:\ProgramData\EPSON\EPW!3 SSRP\E_S40RP7.EXE
C:\Program Files\HTC\Internet Pass-Through\PassThruSvr.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\System32\alg.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskhost.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\HTC\HTC Sync 3.0\htcUPCTLoader.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\DAEMON Tools Lite\DTLite.exe
C:\Program Files\Highwind Software\TuneSync\TuneSync.exe
C:\Users\H\Local Settings\Apps\F.lux\flux.exe
C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\DllHost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office14\GROOVEEX.DLL
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\micros~2\office14\URLREDIR.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [DAEMON Tools Lite] "c:\program files\daemon tools lite\DTLite.exe" -autorun
uRun: [EPSON SX210 Series] c:\windows\system32\spool\drivers\w32x86\3\e_fatifde.exe /fu "c:\windows\temp\E_S4287.tmp" /EF "HKCU"
uRun: [Google Update] "c:\users\h\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [TuneSync] c:\program files\highwind software\tunesync\TuneSync.exe
uRun: [TomTomHOME.exe] "c:\program files\tomtom home 2\TomTomHOMERunner.exe"
uRun: [F.lux] "c:\users\h\local settings\apps\f.lux\flux.exe" /noshow
uRun: [{7A4A3BE9-2AEA-8874-65FC-94BBD63BAA6A}] c:\users\h\appdata\roaming\macromedia\flash player\#sharedobjects\3v7j3e5h\d.yimg.com\wisptis.exe
mRun: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
mRun: [BCSSync] "c:\program files\microsoft office\office14\BCSSync.exe" /DelayServices
mRun: [HTC Sync Loader] "c:\program files\htc\htc sync 3.0\htcUPCTLoader.exe" -startup
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [RtHDVCpl] c:\program files\realtek\audio\hda\RtHDVCpl.exe -s
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [HFS Activator] c:\program files\paragon software\hfs+ for windows 8.0\activation\hfsactivator.exe
mRun: [apmwinapp] c:\program files\paragon software\hfs+ for windows 8.0\apmwinsrv.exe param
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\micros~2\office14\ONBttnIE.dll/105
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
TCP: DhcpNameServer = 192.168.1.254
TCP: Interfaces\{972D32FA-A09A-4EED-8D27-44FFE287F2BE} : DhcpNameServer = 192.168.1.254
TCP: Interfaces\{972D32FA-A09A-4EED-8D27-44FFE287F2BE}\2445F40756E6A7F6E656 : DhcpNameServer = 192.168.22.22 192.168.22.23
TCP: Interfaces\{972D32FA-A09A-4EED-8D27-44FFE287F2BE}\2456C6B696E6E243530343 : DhcpNameServer = 192.168.2.1
TCP: Interfaces\{972D32FA-A09A-4EED-8D27-44FFE287F2BE}\6596277696E694E6475627E65647 : DhcpNameServer = 192.168.0.1
TCP: Interfaces\{972D32FA-A09A-4EED-8D27-44FFE287F2BE}\85C4E44556C65636F6D6 : DhcpNameServer = 192.168.1.254
TCP: Interfaces\{972D32FA-A09A-4EED-8D27-44FFE287F2BE}\E4544574541425 : DhcpNameServer = 192.168.1.1
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office14\GROOVEEX.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\h\appdata\roaming\mozilla\firefox\profiles\pr6glnzw.default\
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\progra~1\micros~2\office14\NPAUTHZ.DLL
FF - plugin: c:\progra~1\micros~2\office14\NPSPWRAP.DLL
FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\google\update\1.3.21.53\npGoogleUpdate3.dll
FF - plugin: c:\program files\google\update\1.3.21.57\npGoogleUpdate3.dll
FF - plugin: c:\program files\google\update\1.3.21.65\npGoogleUpdate3.dll
FF - plugin: c:\program files\google\update\1.3.21.69\npGoogleUpdate3.dll
FF - plugin: c:\program files\google\update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: c:\program files\google\update\1.3.21.99\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\plugin2\npdeployJava1.dll
FF - plugin: c:\program files\java\jre6\bin\plugin2\npjp2.dll
FF - plugin: c:\program files\microsoft silverlight\4.1.10111.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npjpi160_31.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\users\h\appdata\local\google\update\1.3.21.99\npGoogleUpdate3.dll
FF - plugin: c:\users\h\appdata\locallow\unity\webplayer\loader\npUnity3D32.dll
.
---- FIREFOX POLICIES ----
FF - user.js: network.http.accept-encoding -
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
============= SERVICES / DRIVERS ===============
.
R0 gpt_loader;GUID Partition table support driver;c:\windows\system32\drivers\gpt_loader.sys [2010-9-26 39248]
R0 hotcore3;hc3ServiceName;c:\windows\system32\drivers\hotcore3.sys [2011-9-16 40560]
R0 prl_pv32;prl_pv32;c:\windows\system32\drivers\prl_pv32.sys [2010-12-6 23880]
R1 prl_boot;Parallels BootCamp Helper;c:\windows\system32\drivers\prl_boot.sys [2010-12-6 38216]
R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-13 48128]
R2 eamonm;eamonm;c:\windows\system32\drivers\eamonm.sys [2010-7-29 136632]
R2 ekrn;ESET Service;c:\program files\eset\eset nod32 antivirus\ekrn.exe [2010-8-12 810144]
R2 epfwwfpr;epfwwfpr;c:\windows\system32\drivers\epfwwfpr.sys [2010-7-29 96920]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-12-4 652360]
R2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files\nvidia corporation\nvidia updatus\daemonu.exe [2011-9-25 2255464]
R2 PassThru Service;Internet Pass-Through Service;c:\program files\htc\internet pass-through\PassThruSvr.exe [2010-9-7 79872]
R3 btusbflt;Bluetooth USB Filter;c:\windows\system32\drivers\btusbflt.sys [2009-7-1 43944]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-12-4 20464]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2011-9-25 139368]
R3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\drivers\vwifimp.sys [2009-7-13 14336]
R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\drivers\yk62x86.sys [2009-9-28 315392]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-9-26 135664]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [2011-9-16 14216]
S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [2011-9-16 8456]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-9-26 135664]
S3 HTCAND32;HTC Device Driver;c:\windows\system32\drivers\ANDROIDUSB.sys [2009-10-26 25088]
S3 htcnprot;HTC NDIS Protocol Driver;c:\windows\system32\drivers\htcnprot.sys [2010-6-23 23040]
S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\microsoft office\office14\GROOVE.EXE [2011-6-12 31125880]
S3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-9-26 1343400]
.
=============== Created Last 30 ================
.
2012-02-27 13:54:12 -------- d-----w- c:\users\h\appdata\local\{6A20BCA8-A4DC-4A90-92FB-8E4D1708EA41}
2012-02-27 13:53:58 -------- d-----w- c:\users\h\appdata\local\{64B934AE-2409-4A9D-AB4A-31A0E46DE6D6}
2012-02-27 12:55:39 141088 ----a-w- c:\program files\mozilla firefox\plugins\npjpi160_31.dll
2012-02-27 12:55:39 131072 ----a-w- c:\program files\mozilla firefox\plugins\npoji610.dll
2012-02-27 11:14:29 97208 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2012-02-27 11:14:29 592824 ----a-w- c:\program files\mozilla firefox\gkmedias.dll
2012-02-27 11:14:29 43960 ----a-w- c:\program files\mozilla firefox\mozglue.dll
2012-02-27 10:20:06 -------- d-----w- c:\users\h\appdata\local\{0E6E9F92-EE65-4635-A15F-5D76C6BE5E84}
2012-02-27 10:19:55 -------- d-----w- c:\users\h\appdata\local\{04990109-3840-4487-A8FE-9B10C1157448}
2012-02-27 04:45:39 56200 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{c80efae1-6081-4654-b9db-594088102a53}\offreg.dll
2012-02-26 23:46:34 -------- d-----w- c:\program files\ElcomSoft
2012-02-26 22:03:30 -------- d-----w- c:\users\h\appdata\local\{B4AE7FBB-4609-4415-8FBA-1C2D3E56D03A}
2012-02-26 22:03:09 -------- d-----w- c:\users\h\appdata\local\{80E6BB2D-1A0D-4195-9200-ABB46936CEBC}
2012-02-25 16:38:40 -------- d-----w- c:\users\h\appdata\local\{E49A93C5-439D-4E48-8350-4530CAC5C8E7}
2012-02-25 16:38:13 -------- d-----w- c:\users\h\appdata\local\{FD579AE8-B8F5-48DD-AE88-99D4FE2ECD24}
2012-02-25 16:31:12 -------- d-----w- c:\users\h\appdata\local\{A379BBAF-CAE0-46E7-90E7-4BDFAE2567D1}
2012-02-25 16:30:57 -------- d-----w- c:\users\h\appdata\local\{5E8F0445-4EE9-4F06-B0A5-3B62818003A8}
2012-02-25 13:52:18 -------- d-----w- c:\users\h\appdata\local\{E979842B-B6F2-4BEB-B3F6-670EC3AA46BA}
2012-02-25 13:52:00 -------- d-----w- c:\users\h\appdata\local\{078B2612-51D1-410E-9776-F592B9F81BBD}
2012-02-25 13:49:07 -------- d-----w- c:\windows\pss
2012-02-25 13:35:41 -------- d-----w- c:\users\h\appdata\local\{7A31BDB2-1566-404C-9429-2E312FF6A5B9}
2012-02-25 13:35:25 -------- d-----w- c:\users\h\appdata\local\{2C9A8BB4-AA13-486A-AB1A-591EE7CC718E}
2012-02-24 18:01:33 6552120 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{c80efae1-6081-4654-b9db-594088102a53}\mpengine.dll
2012-02-23 10:25:26 -------- d-----w- c:\users\h\appdata\local\{651C3483-1859-4835-970B-5185A0EDE337}
2012-02-23 10:25:12 -------- d-----w- c:\users\h\appdata\local\{51F218CB-A9F7-403C-A137-540653E74DC4}
2012-02-15 10:18:22 478208 ----a-w- c:\windows\system32\timedate.cpl
2012-02-15 10:18:08 690688 ----a-w- c:\windows\system32\msvcrt.dll
2012-02-10 16:18:53 -------- d-----w- c:\windows\XSxS
2012-02-10 13:18:49 -------- d-----w- c:\users\h\appdata\local\{6D7A3EE8-2F56-42C0-9521-3DFAAE40F9D4}
2012-02-10 13:18:35 -------- d-----w- c:\users\h\appdata\local\{C7A1E045-8301-45FA-99F5-33ABFEA07D71}
2012-01-29 15:49:32 -------- d-----w- c:\users\h\appdata\roaming\Unity
2012-01-29 15:47:17 -------- d-----w- c:\users\h\appdata\local\Unity
2012-01-29 14:49:57 -------- d-----w- c:\users\h\appdata\local\{FCD4F5E0-6482-40F0-8236-9A4B54D0662F}
2012-01-29 14:49:42 -------- d-----w- c:\users\h\appdata\local\{1262131A-2AE4-4BD6-B00C-FAB4B0760E77}
2012-01-29 01:27:36 -------- d-----w- c:\program files\Foldit
.
==================== Find3M ====================
.
2012-02-27 12:39:34 472808 ----a-w- c:\windows\system32\deployJava1.dll
2012-01-29 05:10:42 237072 ------w- c:\windows\system32\MpSigStub.exe
2012-01-14 03:48:30 2340864 ----a-w- c:\windows\system32\win32k.sys
2012-01-04 09:03:07 442880 ----a-w- c:\windows\system32\ntshrui.dll
2011-12-16 08:02:26 981504 ----a-w- c:\windows\system32\wininet.dll
2011-12-16 07:58:33 44544 ----a-w- c:\windows\system32\licmgr10.dll
2011-12-16 06:49:33 386048 ----a-w- c:\windows\system32\html.iec
2011-12-16 06:15:25 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2011-12-10 15:24:06 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
.
============= FINISH: 14:26:23.22 ===============

Attached Files
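Two things in this post that a responder would check before anything else, worked through as an added example (Python written for this page; it is not DDS, ComboFix or any tool the thread's helper uses, and nobody in the thread posted it). First, the Pseudo HJT section of the log: a uRun entry named with a bare GUID launches a wisptis.exe (the name of a genuine Windows pen-input component) from a Flash shared-objects folder under AppData; EnableLUA, ConsentPromptBehaviorAdmin and PromptOnSecureDesktop are all 0, so UAC is off; and a user.js file sets network.http.accept-encoding to nothing and turns off Firefox's mixed-content and insecure-submit warnings. user.js is re-applied on every Firefox start and lives in the profile, so disabling extensions or reinstalling Firefox does not touch it. Second, the "random string of characters" begins with "‹", which is byte 0x8B in Windows-1252, the second byte of the gzip magic 1F 8B, so the text is consistent with a compressed response body rendered undecoded. The script embeds a few lines copied from the log as constructed sample input; the scoring threshold, the folder list and the binary-name list are its own assumptions, and the gzip check is a hint, not proof.

```python
"""Triage helper for the DDS output and the garbled Firefox text in this post.

Added example for this page: it is not DDS, ComboFix, FSS or any BleepingComputer
tool, and nobody in the thread posted it.  It embeds a few lines copied from the
posted log (constructed, abridged sample input) and applies the checks an analyst
would otherwise make by eye.  The scoring threshold, the list of user-writable
folders and the list of Windows binary names are this example's own assumptions.
"""
import re

# Abridged lines copied from the posted DDS log (constructed sample input).
DDS_EXCERPT = r"""
uRun: [Google Update] "c:\users\h\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [{7A4A3BE9-2AEA-8874-65FC-94BBD63BAA6A}] c:\users\h\appdata\roaming\macromedia\flash player\#sharedobjects\3v7j3e5h\d.yimg.com\wisptis.exe
mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
FF - user.js: network.http.accept-encoding -
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_submit_insecure - false
"""

# First characters of the text Firefox displayed instead of the page (copied from the post).
GARBLED_SAMPLE = "\u2039Xmo6>`/\u20acZ6%Z\u0160&AO%\u2030TI*\u2021="

RUN_RE = re.compile(r"^[um]Run: \[(?P<name>[^\]]+)\] (?P<value>.+)$")
POLICY_RE = re.compile(r"^mPolicies-system: (?P<key>\w+) = (?P<val>\d+)")
PREF_RE = re.compile(r"^FF - user\.js: (?P<pref>\S+) -\s*(?P<val>.*)$")
GUID_RE = re.compile(r"^\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)

# Assumption: a startup binary under one of these paths was writable without admin rights.
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\programdata\\", "\\temp\\")
# Names of genuine Windows components that malware borrows; real copies live under \windows\.
WINDOWS_BINARY_NAMES = {"wisptis.exe", "svchost.exe", "csrss.exe", "lsass.exe", "explorer.exe"}
# UAC policy values that, at 0, switch UAC off or remove its prompts.
UAC_KEYS = ("EnableLUA", "ConsentPromptBehaviorAdmin", "PromptOnSecureDesktop")


def image_path(value):
    """Return the lower-cased executable path from a Run value, quoted or not."""
    value = value.strip()
    if value.startswith('"'):
        return value[1:value.index('"', 1)].lower()
    m = re.match(r"(.+?\.exe)", value, re.I)
    return (m.group(1) if m else value.split()[0]).lower()


def score_run_entry(name, value):
    """Count independent suspicion signals for one autorun entry and explain each."""
    path = image_path(value)
    reasons = []
    if GUID_RE.match(name):
        reasons.append("value name is a bare GUID")
    if any(seg in path for seg in USER_WRITABLE):
        reasons.append("binary lives in a user-writable folder")
    if path.rsplit("\\", 1)[-1] in WINDOWS_BINARY_NAMES and "\\windows\\" not in path:
        reasons.append("Windows component name running from outside \\windows\\")
    return len(reasons), reasons


def triage(log_text):
    """Walk the DDS lines and collect what an analyst would raise."""
    findings = {"suspicious_runs": [], "uac": [], "firefox_prefs": []}
    for line in log_text.splitlines():
        if m := RUN_RE.match(line):
            score, reasons = score_run_entry(m["name"], m["value"])
            if score >= 2:  # assumption: one weak signal alone is noise (updaters live in AppData too)
                findings["suspicious_runs"].append((m["name"], reasons))
        elif m := POLICY_RE.match(line):
            if m["key"] in UAC_KEYS and m["val"] == "0":
                findings["uac"].append(m["key"])
        elif m := PREF_RE.match(line):
            # user.js is re-applied at every start and survives a Firefox reinstall that
            # keeps the profile, so prefs set here outlive disabling extensions.
            if m["pref"] == "network.http.accept-encoding" and m["val"] == "":
                findings["firefox_prefs"].append(m["pref"])
            elif m["pref"].startswith("security.warn_") and m["val"] == "false":
                findings["firefox_prefs"].append(m["pref"])
    return findings


def compressed_body_hint(text):
    """Heuristic: does pasted 'random' text look like an undecoded compressed body?

    Firefox showed raw bytes through the Windows-1252 table, so re-encoding the
    pasted text recovers them.  0x8B (U+2039) is the second byte of the gzip
    magic 1F 8B; the 0x1F before it is a control character that a copy-and-paste
    normally drops.  A large share of bytes outside printable ASCII is the second
    hint.  Neither is proof; the decisive check is the response's Content-Encoding.
    """
    raw = text.encode("cp1252", errors="replace")
    outside_ascii = sum(1 for b in raw if b < 0x20 or b > 0x7E)
    return {
        "gzip_magic_byte": raw.startswith(b"\x1f\x8b") or raw.startswith(b"\x8b"),
        "non_ascii_ratio": round(outside_ascii / len(raw), 2),
    }


if __name__ == "__main__":
    for key, hits in triage(DDS_EXCERPT).items():
        print(key, hits)
    print("garbled text:", compressed_body_hint(GARBLED_SAMPLE))
```

Run against the excerpt, only the GUID-named wisptis.exe entry scores high enough to be reported (GoogleUpdate.exe also sits under AppData but scores one point, which is why the threshold is two), all three UAC keys are flagged, and the three user.js prefs are listed. The garbled sample re-encodes to a byte string starting with 0x8B with roughly a fifth of its bytes outside printable ASCII, which is what a gzip body shown as text looks like after the control bytes are lost in the paste.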



#2 m0le (Malware Response Team, 34,527 posts, London, UK)

Posted 29 February 2012 - 06:45 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. Click the Watch This Topic button at the top on the right.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks :thumbup2:
m0le is a proud member of UNITE

#3 m0le (Malware Response Team, 34,527 posts, London, UK)

Posted 04 March 2012 - 07:27 PM

Due to the lack of feedback, this topic is now closed. In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.

#4 m0le (Malware Response Team, 34,527 posts, London, UK)

Posted 03 May 2012 - 06:21 PM

This topic has been re-opened at the request of the person who originally posted.

------------------------------------------------

Please run Combofix

Please download ComboFix from one of these locations:
* IMPORTANT !!! Save ComboFix.exe to your Desktop, making sure you rename it comfix.exe
  • Disable your AntiVirus and AntiSpyware applications, including Firewalls, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Comfix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

(screenshot of the ComboFix message)


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Edited by m0le, 03 May 2012 - 06:22 PM.


#5 h7td (Topic Starter, Members, 6 posts)

Posted 03 May 2012 - 08:34 PM

There you go. Thanks for reopening the thread.

Attached Files



#6 h7td (Topic Starter, Members, 6 posts)

Posted 04 May 2012 - 11:30 AM

Hi, after restarting my laptop I was unable to access the internet. It would appear to be connected to my wifi network, but pages would refuse to load regardless of the browser I used. Due to a culmination of problems, I decided to back up my data, reformat my hard drive and reinstall Windows 7. After the installation, the first thing I did with the system was to reinstall my Atheros wifi driver. I connected to my wifi and still I was unable to load webpages. Other devices, including my PC, have no problem connecting and loading webpages from the same connection. The problem also occurs when directly connected to the wireless router via an ethernet cable. Any ideas what could be causing the problem? Sorry for going ahead and reinstalling Windows; I was getting really frustrated with the multiple problems I've been having with the laptop as of late.

#7 m0le (Malware Response Team, 34,527 posts, London, UK)

Posted 04 May 2012 - 05:53 PM

It's understandable that you wanted to reformat - it's a frustrating business. Usually, running ComboFix trips the ZeroAccess rootkit, which kills your internet connection, sometimes kills your keyboard and mouse, and does other nasty stuff.

Reformatting should deal with this but it still leaves the internet connection.

Please run FSS and let's take a look

Please download Farbar Service Scanner and run it on the computer with the issue.
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.


#8 m0le (Malware Response Team, 34,527 posts, London, UK)

Posted 07 May 2012 - 06:48 PM

Hi,

I have not had a reply from you for 4 days. Can you please tell me if you still need help with your computer as I am unable to help other members with their problems while I have your topic still open. The time taken between posts can also change the situation with your PC making it more difficult to help you.

If you like you can PM me.

Thanks,


m0le

#9 m0le (Malware Response Team, 34,527 posts, London, UK)

Posted 08 May 2012 - 06:21 PM

Due to the lack of feedback, this topic is now closed. In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.