
Infected with TDSS, Google Redirection


  • This topic is locked
11 replies to this topic

#1 icepheonix

  • Members
  • 6 posts

Posted 29 June 2012 - 12:40 PM

Okay, so I've run into the problem of TDSS rootkits before and I used to be able to just use rkill and then TDSSKiller to get rid of them and then Malwarebytes would get any stragglers. That is what I tried this time. At first nothing was found, but then I restarted my PC in safe mode and scanned with Malwarebytes and Avira and they both found a few things that were removed. I thought my problem was solved, but then I was redirected again on my Google searches. So, I tried using TDSSKiller, AVG Anti-Rootkit, Malwarebytes, and Advanced SystemCare 5 with no luck, so here are my logs with DDS and GMER. I am in desperate need of help to remove this persistent bug.

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 9.0.8112.16421
Run by Joseph at 3:07:57 on 2012-06-29
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.3070.1902 [GMT -4:00]
.
AV: avast! Antivirus *Enabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Enabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Program Files\IObit\Advanced SystemCare 5\ASCService.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\atieclxx.exe
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\Program Files\AVAST Software\Avast\afwServ.exe
C:\Windows\system32\taskeng.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\IObit\IObit Malware Fighter\IMFsrv.exe
C:\Windows\System32\lpksetup.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\dllhost.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskhost.exe
C:\Windows\Explorer.EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\AVAST Software\Avast\AvastUI.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\IObit\Advanced SystemCare 5\ASCTray.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Windows\system32\sppsvc.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Google\Google Toolbar\GoogleToolbarUser_32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\Macromed\Flash\FlashUtil32_11_3_300_257_ActiveX.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\conhost.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://yahoo.com/
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~4\office12\GR469A~1.DLL
BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Windows Live Messenger Companion Helper: {9fdde16b-836f-4806-ab1f-1455cbeff289} - c:\program files\windows live\companion\companioncore.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - No File
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn\YTSingleInstance.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
EB: {555D4D79-4BD2-4094-A395-CFC534424A05} - No File
uRun: [Advanced SystemCare 5] "c:\program files\iobit\advanced systemcare 5\ASCTray.exe" /AutoStart
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [ElevatedDiagnostics] rundll32.exe "c:\users\joseph\appdata\local\google\elevateddiagnostics\pqxbkr.dll",CreateInstance
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [Microsoft Default Manager] "c:\program files\microsoft\search enhancement pack\default manager\DefMgr.exe" -resume
mRun: [RaidCall] c:\program files\raidcall\raidcall.exe
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: {0000036B-C524-4050-81A0-243669A86B9F} - {B63DBA5F-523F-4B9C-A43D-65DF1977EAD3} - c:\program files\windows live\companion\companioncore.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~4\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522}
Trusted Zone: intuit.com\ttlc
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} - hxxp://ax.emsisoft.com/asquared.cab
DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: DhcpNameServer = 172.16.0.1
TCP: Interfaces\{A2E85673-D666-405C-B5EE-38C3E71DD26D} : DhcpNameServer = 172.16.0.1
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~4\office12\GRA32A~1.DLL
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~4\office12\GR469A~1.DLL
.
============= SERVICES / DRIVERS ===============
.
R0 aswNdis;avast! Firewall NDIS Filter Service;c:\windows\system32\drivers\aswNdis.sys [2012-6-29 12112]
R0 aswNdis2;avast! Firewall Core Firewall Service;c:\windows\system32\drivers\aswNdis2.sys [2012-6-29 203440]
R0 AVG Anti-Rootkit;AVG Anti-Rootkit;c:\windows\system32\drivers\avgarkt.sys [2007-1-31 5632]
R0 SmartDefragDriver;SmartDefragDriver;c:\windows\system32\drivers\SmartDefragDriver.sys [2012-3-23 15672]
R1 aswFW;avast! TDI Firewall driver;c:\windows\system32\drivers\aswFW.sys [2012-6-29 113776]
R1 aswKbd;aswKbd;c:\windows\system32\drivers\aswKbd.sys [2012-6-29 18544]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2012-6-29 721000]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2012-6-29 353688]
R1 AvgArCln;Avg Anti-Rootkit Clean Driver;c:\windows\system32\drivers\AvgArCln.sys [2012-6-28 3968]
R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-13 48128]
R2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\common files\adobe\arm\1.0\armsvc.exe [2012-1-3 63928]
R2 AdvancedSystemCareService5;Advanced SystemCare Service 5;c:\program files\iobit\advanced systemcare 5\ASCService.exe [2012-3-23 913752]
R2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2012-2-11 163328]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2012-6-29 21256]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2012-6-29 57656]
R2 avast! Antivirus;avast! Antivirus;c:\program files\avast software\avast\AvastSvc.exe [2012-6-29 44808]
R2 avast! Firewall;avast! Firewall;c:\program files\avast software\avast\afwServ.exe [2012-6-29 133912]
R2 IMFservice;IMF Service;c:\program files\iobit\iobit malware fighter\IMFsrv.exe [2012-3-23 821592]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2012-6-29 654408]
R3 amdkmdag;amdkmdag;c:\windows\system32\drivers\atikmdag.sys [2012-2-11 9067008]
R3 amdkmdap;amdkmdap;c:\windows\system32\drivers\atikmpag.sys [2012-2-11 264192]
R3 AtiHDAudioService;AMD Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW73.sys [2012-2-11 85520]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-6-29 22344]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2011-6-10 394856]
R3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\drivers\vwifimp.sys [2009-7-13 14336]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-12-7 136176]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 FileMonitor;FileMonitor;c:\program files\iobit\iobit malware fighter\drivers\win7_x86\FileMonitor.sys [2012-3-23 20336]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-12-7 136176]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2011-12-12 15872]
S3 RegFilter;RegFilter;c:\program files\iobit\iobit malware fighter\drivers\win7_x86\RegFilter.sys [2012-3-23 30600]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2011-12-12 52224]
S3 UrlFilter;UrlFilter;c:\program files\iobit\iobit malware fighter\drivers\win7_x86\UrlFilter.sys [2012-3-23 19792]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2011-12-8 1343400]
S3 WinRing0_1_2_0;WinRing0_1_2_0;c:\program files\iobit\game booster 3\driver\WinRing0.sys [2012-6-13 14416]
S4 UMVPFSrv;UMVPFSrv;c:\program files\common files\logishrd\lvmvfm\UMVPFSrv.exe [2012-1-18 450848]
.
=============== Created Last 30 ================
.
2012-06-29 06:28:21 56200 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{071412de-b962-4bcb-91c7-89e0c3f6c7ff}\offreg.dll
2012-06-29 05:13:00 113776 ----a-w- c:\windows\system32\drivers\aswFW.sys
2012-06-29 05:12:39 203440 ----a-w- c:\windows\system32\drivers\aswNdis2.sys
2012-06-29 05:12:39 18544 ----a-w- c:\windows\system32\drivers\aswKbd.sys
2012-06-29 05:12:31 12112 ----a-w- c:\windows\system32\drivers\aswNdis.sys
2012-06-29 05:01:00 44784 ----a-w- c:\windows\system32\drivers\aswRdr2.sys
2012-06-29 05:00:58 721000 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2012-06-29 05:00:56 57656 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2012-06-29 04:59:59 41224 ----a-w- c:\windows\avastSS.scr
2012-06-29 04:59:49 -------- d-----w- c:\programdata\AVAST Software
2012-06-29 04:59:49 -------- d-----w- c:\program files\AVAST Software
2012-06-29 04:07:34 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-06-29 04:07:34 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-06-29 03:41:11 3968 ----a-w- c:\windows\system32\drivers\AvgArCln.sys
2012-06-29 03:16:19 -------- d-----w- c:\program files\SpywareBlaster
2012-06-24 15:53:58 -------- d-----w- c:\program files\SAMSUNG
2012-06-24 15:53:50 -------- d-----w- c:\programdata\Samsung
2012-06-24 15:53:44 53248 ----a-r- c:\users\joseph\appdata\roaming\microsoft\installer\{f42f3704-4ca7-4d28-9f5b-fdbf2e589eb2}\ARPPRODUCTICON.exe
2012-06-24 15:53:44 -------- d-----w- c:\users\joseph\appdata\roaming\Verizon
2012-06-24 13:22:25 -------- d-----w- c:\users\joseph\appdata\local\{E92F188D-6AB1-4500-8DDA-84D14B923BB5}
2012-06-24 13:22:13 -------- d-----w- c:\users\joseph\appdata\local\{76FC4631-E850-4802-A5ED-986C8AE96316}
2012-06-24 13:21:59 -------- d-----w- c:\users\joseph\Tracing
2012-06-24 13:16:14 19736 ----a-w- c:\programdata\microsoft\identitycrl\production\ppcrlconfig600.dll
2012-06-24 13:13:52 -------- d-----w- c:\users\joseph\appdata\local\Windows Live
2012-06-24 13:13:52 -------- d-----w- c:\program files\common files\Windows Live
2012-06-16 01:16:39 -------- d-----w- c:\program files\iPod
2012-06-16 01:16:38 -------- d-----w- c:\program files\iTunes
2012-06-14 23:19:09 -------- d-----w- c:\program files\RaidCall
2012-06-13 17:00:01 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2012-06-13 17:00:00 194560 ----a-w- c:\program files\internet explorer\ieproxy.dll
2012-06-13 17:00:00 194048 ----a-w- c:\program files\internet explorer\IEShims.dll
2012-06-13 17:00:00 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2012-06-13 17:00:00 140920 ----a-w- c:\program files\internet explorer\sqmapi.dll
2012-06-13 16:59:59 1800192 ----a-w- c:\windows\system32\jscript9.dll
2012-06-13 16:59:59 1129472 ----a-w- c:\windows\system32\wininet.dll
2012-06-13 16:59:58 748664 ----a-w- c:\program files\internet explorer\iexplore.exe
2012-06-13 16:59:58 678912 ----a-w- c:\program files\internet explorer\iedvtool.dll
2012-06-13 16:59:58 387584 ----a-w- c:\program files\internet explorer\jsdbgui.dll
2012-06-13 16:59:58 1427968 ----a-w- c:\windows\system32\inetcpl.cpl
2012-06-13 16:57:26 164352 ----a-w- c:\windows\system32\profsvc.dll
2012-06-13 16:57:17 2342400 ----a-w- c:\windows\system32\msi.dll
2012-06-13 16:57:06 140288 ----a-w- c:\windows\system32\cryptsvc.dll
2012-06-13 16:57:06 1158656 ----a-w- c:\windows\system32\crypt32.dll
2012-06-13 16:57:05 103936 ----a-w- c:\windows\system32\cryptnet.dll
2012-06-13 16:56:57 514560 ----a-w- c:\windows\system32\qdvd.dll
2012-06-13 16:56:55 919040 ----a-w- c:\windows\system32\rdpcorets.dll
2012-06-13 16:56:55 183808 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-06-13 16:56:53 2343936 ----a-w- c:\windows\system32\win32k.sys
2012-06-13 16:53:02 8192 ----a-w- c:\windows\system32\rdrmemptylst.exe
2012-06-13 16:53:02 58880 ----a-w- c:\windows\system32\rdpwsx.dll
2012-06-13 16:53:02 129536 ----a-w- c:\windows\system32\rdpcorekmts.dll
2012-06-13 16:44:25 6737808 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{071412de-b962-4bcb-91c7-89e0c3f6c7ff}\mpengine.dll
2012-06-13 16:32:24 85504 ----a-w- c:\windows\system32\ff_vfw.dll
2012-06-13 16:32:24 470880 ----a-w- c:\windows\system32\d3dx10_43.dll
2012-06-13 16:32:24 248672 ----a-w- c:\windows\system32\d3dx11_43.dll
2012-06-13 16:32:24 2106216 ----a-w- c:\windows\system32\D3DCompiler_43.dll
2012-06-13 16:32:24 1998168 ----a-w- c:\windows\system32\D3DX9_43.dll
2012-06-13 16:32:23 -------- d-----w- c:\program files\ffdshow
2012-06-12 18:35:01 -------- d-----w- c:\users\joseph\appdata\roaming\LolClient2
2012-06-05 01:04:10 -------- d-----w- c:\users\joseph\appdata\local\ElevatedDiagnostics
2012-06-03 23:59:57 -------- d-----w- c:\windows\system32\wbem\repository
.
==================== Find3M ====================
.
2012-06-12 17:02:14 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-06-12 17:02:14 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
.
============= FINISH: 3:10:16.15 ===============

Attached Files
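As an added example that is not part of this thread, the Python script below parses DDS-style uRun/mRun lines (the sample lines are copied from the log above) and flags what a responder looks at first: a trusted DLL host such as rundll32.exe loading a library from a user-writable AppData path, and a file name with no vowels. The user-writable path fragments and the vowel check are heuristics assumed by this example, not DDS features.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

# Autorun lines copied from the DDS "Pseudo HJT Report" in the post above.
# In DDS output, uRun is the current user's Run key (HKCU) and mRun the
# machine-wide one (HKLM).
SAMPLE_DDS_LINES = r"""
uRun: [Advanced SystemCare 5] "c:\program files\iobit\advanced systemcare 5\ASCTray.exe" /AutoStart
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [ElevatedDiagnostics] rundll32.exe "c:\users\joseph\appdata\local\google\elevateddiagnostics\pqxbkr.dll",CreateInstance
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui
"""

RUN_LINE = re.compile(r"^([um]Run):\s+\[(.+?)\]\s+(.*)$")
# A command-line token is either a double-quoted string or a run of non-spaces.
TOKEN = re.compile(r'"([^"]*)"|(\S+)')
# Signed Windows binaries that execute code from whatever DLL they are given.
DLL_HOSTS = {"rundll32.exe", "regsvr32.exe"}
# Path fragments a standard user can write to without elevation (assumed list);
# a logon entry pointing there instead of Program Files deserves a second look.
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\windows\\temp\\")


class Autorun(NamedTuple):
    hive: str                  # "uRun" or "mRun"
    name: str                  # value name inside the Run key
    target: str                # the executable, or the DLL a host loads
    reasons: Tuple[str, ...]   # heuristics that fired; empty means unremarkable


def split_tokens(cmd: str) -> List[str]:
    return [quoted or bare for quoted, bare in TOKEN.findall(cmd)]


def analyse_run_entry(line: str) -> Optional[Autorun]:
    """Parse one DDS uRun/mRun line and apply three cheap heuristics."""
    m = RUN_LINE.match(line.strip())
    if not m:
        return None
    hive, name, cmd = m.groups()
    parts = split_tokens(cmd)
    if not parts:
        return Autorun(hive, name, "", ())
    target = parts[0]
    host = target.lower().rsplit("\\", 1)[-1]
    reasons = []
    if host in DLL_HOSTS and len(parts) > 1:
        # rundll32 takes "<dll>,<EntryPoint>"; the DLL is the real payload.
        target = parts[1].split(",", 1)[0]
        reasons.append(f"{host} is used to load a DLL at logon")
    low = target.lower()
    if any(frag in low for frag in USER_WRITABLE):
        reasons.append("target sits in a user-writable directory")
    stem = low.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    if len(stem) >= 5 and not any(c in "aeiouy" for c in stem):
        reasons.append(f"file name '{stem}' has no vowels (looks generated)")
    return Autorun(hive, name, target, tuple(reasons))


def suspicious_autoruns(log_text: str) -> List[Autorun]:
    """Return the Run entries in a DDS log that tripped at least one heuristic."""
    hits = []
    for line in log_text.splitlines():
        entry = analyse_run_entry(line)
        if entry is not None and entry.reasons:
            hits.append(entry)
    return hits


if __name__ == "__main__":
    for hit in suspicious_autoruns(SAMPLE_DDS_LINES):
        print(f"{hit.hive} [{hit.name}] -> {hit.target}")
        for reason in hit.reasons:
            print("   -", reason)
```

Run against the sample, only the ElevatedDiagnostics entry is reported, with all three reasons; the vendor entries under Program Files pass silently.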





#2 M-K-D-B

  • Malware Response Team
  • 1,594 posts
  • Gender:Male
  • Location:Bavaria

Posted 29 June 2012 - 12:49 PM

Hi icepheonix,

I will be handling your log to help you get cleaned up. Please give me some time to look it over and I will get back to you as soon as possible.
Regards,
M-K-D-B

#3 icepheonix

  • Topic Starter

  • Members
  • 6 posts

Posted 29 June 2012 - 02:57 PM

Hello, thank you for taking the time to assist me.

#4 M-K-D-B

  • Malware Response Team
  • 1,594 posts
  • Gender:Male
  • Location:Bavaria

Posted 30 June 2012 - 03:07 AM

Hi icepheonix,


Welcome to BleepingComputer.

My name is M-K-D-B and I'll help you with the cleanup of your computer.

Please be aware of the following:
  • Please complete all steps in the specified order.
  • Even if tools don't find malware, I want you to post the logfiles anyway.
  • Please copy and paste the logfiles directly into your posts. Please do not attach them unless you are instructed to do so.
  • Read the instructions carefully. If you have problems, stop what you were doing and describe the problems you encountered as precisely as you can.
  • Don't install or uninstall software during the cleanup unless you are told to do so.
  • If you can't answer for the next few days, please let me know. If you haven't answered within 3 days, I am assuming that you don't need help anymore and your topic will be closed.
  • I cannot guarantee that we will find and be able to remove all malware. Formatting is usually faster and always the safest way.
  • If you decide to clean your PC, work with us until a team member tells you that you are clean.
  • As my first language is not English, please do not use slang or idioms. It could be hard for me to understand.





Step 1
Going over your logs I noticed that you have µTorrent installed.
  • Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs.
  • They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites.
  • Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users.
  • The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications.
I would recommend that you uninstall µTorrent; however, that choice is up to you, as you can use the program for legit downloads as well. If you choose to remove these programs, you can do so via Start > Control Panel > Add/Remove Programs.
If you wish to keep it, please do not use it until your computer is cleaned.





Step 2
We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
* Ensure you have disabled all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
Please include the C:\ComboFix.txt in your next reply for further review.





Step 3
I would like you to answer the following questions as exactly and detailed as you can:
  • How is your computer running at the moment?
  • Are you still being redirected?





What you should post with your next answer:
  • the logfile from ComboFix,
  • an answer to my questions.

Regards,
M-K-D-B

#5 icepheonix

  • Topic Starter

  • Members
  • 6 posts

Posted 30 June 2012 - 03:59 PM

My computer is currently running well, possibly a little slow, but I believe that might just be because of my computer and internet. I am no longer being redirected when I search things on Google.

Attached Files



#6 M-K-D-B

  • Malware Response Team
  • 1,594 posts
  • Gender:Male
  • Location:Bavaria

Posted 01 July 2012 - 04:12 AM

Hi icepheonix,



Step 1
As you have Avast! installed on your computer, I assume that there is no need for Avira's SearchFree Toolbar any longer. I would like you to uninstall it.
Click "start" on the taskbar and then click on the "Control Panel" icon.
Please double-click the "Add or Remove Programs" icon.
A list of installed programs will be "populated"; this may take a bit of time.
If they exist, uninstall the following by clicking on the following entries and selecting "remove":

Avira SearchFree Toolbar plus Web Protection Updater

Additional instructions can be found here if needed.





Step 2
Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :dir
    c:\users\joseph\appdata\local\google\elevateddiagnostics /s
    
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt





What you should post with your next answer:
  • the logfile from SystemLook.

Regards,
M-K-D-B

#7 icepheonix

  • Topic Starter

  • Members
  • 6 posts

Posted 01 July 2012 - 01:31 PM

Thank you for all the help.

Attached Files



#8 M-K-D-B

  • Malware Response Team
  • 1,594 posts
  • Gender:Male
  • Location:Bavaria

Posted 02 July 2012 - 08:41 AM

Hi icepheonix,



I would like you to delete the following folder if it's still present:

c:\users\joseph\appdata\local\google\elevateddiagnostics



After that, let's do some control scans to be sure that we haven't overlooked any remnants.



Step 1
  • Please start Malwarebytes' Anti-Malware.
  • Click on the Update tab and download the newest definitions updates.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • Under the Scanner tab, make sure the "Perform Quick Scan" option is selected.
  • Click on the Scan button.
  • When finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box, then click the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked and then click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows the database version and your operating system.
  • Exit Malwarebytes when done.
Note: If Malwarebytes encounters a file that is difficult to remove, you will be asked to reboot your computer so it can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally will prevent Malwarebytes from removing all the malware.





Step 2
ESET Online Scanner:

Note: You can use either Internet Explorer or Mozilla Firefox for this scan. You will, however, need to disable your currently installed Anti-Virus; how to do so can be read here.

Vista/Windows 7 users: You will need to right-click on either the IE or FF icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run as Administrator from the context menu.

  • Please go here to run the scan.

    Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
    All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox.

  • Select the option YES, I accept the Terms of Use, then click on: (button image)
  • When prompted allow the Add-On/Active X to install.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Now click on: (button image)
  • The virus signature database... will begin to download. Be patient; this may take some time depending on the speed of your Internet connection.
  • When completed the Online Scan will begin automatically.
  • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
  • When completed select Uninstall application on close if you so wish, make sure you copy the logfile first!
  • Now click on: (button image)
  • Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic.
Note: Do not forget to re-enable your Anti-Virus application after running the above scan!





Step 3
Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.





What you should post with your next answer:
  • the logfile from MBAM,
  • the logfile from ESET Online Scanner,
  • the logfile from SecurityCheck.

Regards,
M-K-D-B

#9 icepheonix

  • Topic Starter

  • Members
  • 6 posts

Posted 02 July 2012 - 09:20 AM

Hello, I will perform these steps as soon as possible, but I currently moved to prepare for college so I will be unable to repair the infected computer for about a week. I will perform those steps as soon as possible.

#10 M-K-D-B

  • Malware Response Team
  • 1,594 posts
  • Gender:Male
  • Location:Bavaria

Posted 02 July 2012 - 09:47 AM

Hi icepheonix,



thank you very much for keeping us updated! :)

I'll keep the topic open for you!
Regards,
M-K-D-B

#11 M-K-D-B

  • Malware Response Team
  • 1,594 posts
  • Gender:Male
  • Location:Bavaria

Posted 13 July 2012 - 10:23 AM

Hi icepheonix,


do you still need help with your computer?
If you don't respond within the next 48 hours, your topic will be closed.
Regards,
M-K-D-B

#12 Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,076 posts
  • Gender:Female
  • Location:Romania

Posted 15 July 2012 - 06:16 AM

Due to the lack of feedback, this topic is now closed. In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 


Malware analyst @ Emsisoft




