
Infected with MFASA Chase redirect


  • This topic is locked
3 replies to this topic

#1 DorteeClan

DorteeClan

  • Members
  • 2 posts
  • OFFLINE
  • Local time:01:04 AM

Posted 08 July 2012 - 11:22 AM

My wife was paying bills yesterday and caught that chase.com was asking for her credit card information. We knew immediately that something was wrong so we did some research and found this site helping people remove the malware. I wanted to do this right, so I've followed the instructions and started this topic. I've run all of the steps in the Prep Guide. I am ready for assistance in removing this abomination from my laptop. :)

When I ran Malwarebytes, it found some Trojans and removed them. Google search is still acting funny by sending me to wrong sites. Other than that, the laptop is running fine.

I did not run the GMER since I am running Win7 64-bit. If that is wrong, please let me know and I will run it as well.

.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421
Run by Daugherty at 11:02:16 on 2012-07-08
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.1639.668 [GMT -5:00]
.
AV: Norton Internet Security *Enabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Norton Internet Security *Enabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
FW: Norton Internet Security *Enabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
.
============== Running Processes ===============
.
C:\windows\system32\wininit.exe
C:\windows\system32\lsm.exe
C:\windows\system32\svchost.exe -k DcomLaunch
C:\windows\system32\svchost.exe -k RPCSS
C:\windows\system32\atiesrxx.exe
C:\windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\windows\system32\svchost.exe -k netsvcs
C:\windows\system32\svchost.exe -k LocalService
C:\windows\system32\atieclxx.exe
C:\windows\system32\svchost.exe -k NetworkService
C:\windows\System32\spoolsv.exe
C:\windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\Canon\IJPLM\IJPLMSVC.EXE
C:\Program Files (x86)\Norton Internet Security\Engine\19.7.1.5\ccSvcHst.exe
C:\Program Files (x86)\Norton PC Checkup\Engine\2.0.13.11\ccSvcHst.exe
C:\windows\system32\svchost.exe -k imgsvc
C:\windows\system32\TODDSrv.exe
C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files (x86)\Norton PC Checkup\Engine\2.0.13.11\ccSvcHst.exe
C:\Program Files (x86)\Norton Internet Security\Engine\19.7.1.5\ccSvcHst.exe
C:\windows\system32\taskhost.exe
C:\windows\system32\Dwm.exe
C:\windows\Explorer.EXE
C:\windows\System32\rundll32.exe
C:\Program Files\Elantech\ETDCtrl.exe
C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe
C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe
C:\Program Files\TOSHIBA\BulletinBoard\TosNcCore.exe
C:\Program Files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe
C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE
C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe
C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe
C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin
C:\Program Files (x86)\Toshiba\TOSHIBA Service Station\ToshibaServiceStation.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files (x86)\Canon\Solution Menu EX\CNSEMAIN.EXE
C:\Program Files\Elantech\ETDCtrlHelper.exe
C:\windows\system32\SearchIndexer.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\windows\splwow64.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe
C:\windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
C:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Program Files (x86)\Norton PC Checkup\Engine\2.0.13.11\SymcPCCULaunchSvc.exe
C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe
C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSENotify.exe
C:\windows\system32\wuauclt.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\windows\SysWOW64\cmd.exe
C:\windows\system32\conhost.exe
C:\windows\SysWOW64\cscript.exe
C:\windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://start.toshiba.com/?cid=C001B2Y
uDefault_Page_URL = hxxp://start.toshiba.com/?cid=C001B2Y
uInternet Settings,ProxyOverride = <local>
mWinlogon: Userinit=userinit.exe,
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Canon Easy-WebPrint EX BHO: {3785d0ad-bfff-47f6-bf5b-a587c162fed9} - C:\Program Files (x86)\Canon\Easy-WebPrint EX\ewpexbho.dll
BHO: Norton Identity Protection: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - C:\Program Files (x86)\Norton Internet Security\Engine\19.7.1.5\coIEPlg.dll
BHO: Norton Vulnerability Protection: {6d53ec84-6aae-4787-aeee-f4628f01010c} - C:\Program Files (x86)\Norton Internet Security\Engine\19.7.1.5\IPS\IPSBHO.DLL
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - C:\Program Files (x86)\Norton Internet Security\Engine\19.7.1.5\coIEPlg.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
TB: Canon Easy-WebPrint EX: {759d9886-0c6f-4498-bab6-4a5f47c6c72f} - C:\Program Files (x86)\Canon\Easy-WebPrint EX\ewpexhlp.dll
EB: Canon Easy-WebPrint EX: {21347690-ec41-4f9a-8887-1f4aee672439} - C:\Program Files (x86)\Canon\Easy-WebPrint EX\ewpexhlp.dll
uRun: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
uRun: [msnmsgr] "C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe" /background
uRun: [Steam] "C:\Program Files (x86)\Steam\steam.exe" -silent
uRun: [{7AF3D8F2-B2C2-4F8B-AFA4-C90001F56B1A}] C:\windows\system32\msiexec.exe /cmdloc "HKCU\Software\Supergiant Games AiTemp\{7AF3D8F2-B2C2-4F8B-AFA4-C90001F56B1A}"
uRun: [ndadetup] rundll32 "C:\ProgramData\runainst64.dll",CreateProcessNotify
mRun: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun: [ToshibaServiceStation] "C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe" /hide:60
mRun: [NortonOnlineBackupReminder] "C:\Program Files (x86)\Toshiba\Toshiba Online Backup\Activation\TOBuActivation.exe" UNATTENDED
mRun: [ToshibaAppPlace] "C:\Program Files (x86)\Toshiba\Toshiba App Place\ToshibaAppPlace.exe"
mRun: [CanonSolutionMenuEx] C:\Program Files (x86)\Canon\Solution Menu EX\CNSEMAIN.EXE /logon
StartupFolder: C:\Users\DAUGHE~1\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\OPENOF~1.LNK - C:\Program Files (x86)\OpenOffice.org 3\program\quickstart.exe
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab
TCP: DhcpNameServer = 192.168.2.1
TCP: Interfaces\{4B8CBF76-2C2A-41AE-86F9-34BB364B648E} : DhcpNameServer = 172.31.7.191 172.16.4.33 172.31.4.99
TCP: Interfaces\{65308EFD-5A5D-41D6-88B9-4B8D464BA41A} : DhcpNameServer = 192.168.2.1
TCP: Interfaces\{65308EFD-5A5D-41D6-88B9-4B8D464BA41A}\146796C616 : DhcpNameServer = 192.168.1.1
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: Canon Easy-WebPrint EX BHO: {3785D0AD-BFFF-47F6-BF5B-A587C162FED9} - C:\Program Files (x86)\Canon\Easy-WebPrint EX\ewpexbho.dll
BHO-X64: Canon Easy-WebPrint EX BHO - No File
BHO-X64: Norton Identity Protection: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files (x86)\Norton Internet Security\Engine\19.7.1.5\coIEPlg.dll
BHO-X64: Norton Identity Protection - No File
BHO-X64: Norton Vulnerability Protection: {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files (x86)\Norton Internet Security\Engine\19.7.1.5\IPS\IPSBHO.DLL
BHO-X64: Norton Vulnerability Protection - No File
BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO-X64: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
BHO-X64: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB-X64: Norton Toolbar: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton Internet Security\Engine\19.7.1.5\coIEPlg.dll
TB-X64: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
TB-X64: Canon Easy-WebPrint EX: {759D9886-0C6F-4498-BAB6-4A5F47C6C72F} - C:\Program Files (x86)\Canon\Easy-WebPrint EX\ewpexhlp.dll
EB-X64: {21347690-EC41-4F9A-8887-1F4AEE672439} - No File
mRun-x64: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun-x64: [ToshibaServiceStation] "C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe" /hide:60
mRun-x64: [NortonOnlineBackupReminder] "C:\Program Files (x86)\Toshiba\Toshiba Online Backup\Activation\TOBuActivation.exe" UNATTENDED
mRun-x64: [ToshibaAppPlace] "C:\Program Files (x86)\Toshiba\Toshiba App Place\ToshibaAppPlace.exe"
mRun-x64: [CanonSolutionMenuEx] C:\Program Files (x86)\Canon\Solution Menu EX\CNSEMAIN.EXE /logon
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Daugherty\AppData\Roaming\Mozilla\Firefox\Profiles\tj290mav.default\
FF - prefs.js: network.proxy.type - 0
FF - plugin: C:\Program Files (x86)\Canon\Easy-PhotoPrint EX\NPEZFFPI.DLL
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.111\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\5.1.10411.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\WildTangent Games\App\BrowserIntegration\Registered\0\NP_wtapp.dll
FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: C:\windows\SysWOW64\Macromed\Flash\NPSWF32_11_2_202_235.dll
.
============= SERVICES / DRIVERS ===============
.
R0 amd_sata;amd_sata;C:\windows\system32\DRIVERS\amd_sata.sys --> C:\windows\system32\DRIVERS\amd_sata.sys [?]
R0 amd_xata;amd_xata;C:\windows\system32\DRIVERS\amd_xata.sys --> C:\windows\system32\DRIVERS\amd_xata.sys [?]
R0 SymDS;Symantec Data Store;C:\windows\system32\drivers\NISx64\1307010.005\SYMDS64.SYS --> C:\windows\system32\drivers\NISx64\1307010.005\SYMDS64.SYS [?]
R0 SymEFA;Symantec Extended File Attributes;C:\windows\system32\drivers\NISx64\1307010.005\SYMEFA64.SYS --> C:\windows\system32\drivers\NISx64\1307010.005\SYMEFA64.SYS [?]
R1 BHDrvx64;BHDrvx64;C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.1.1.3\Definitions\BASHDefs\20120619.001\BHDrvx64.sys [2012-6-18 1161376]
R1 ccSet_NIS;Norton Internet Security Settings Manager;C:\windows\system32\drivers\NISx64\1307010.005\ccSetx64.sys --> C:\windows\system32\drivers\NISx64\1307010.005\ccSetx64.sys [?]
R1 IDSVia64;IDSVia64;C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.1.1.3\Definitions\IPSDefs\20120705.001\IDSviA64.sys [2012-7-6 509088]
R1 SymIRON;Symantec Iron Driver;C:\windows\system32\drivers\NISx64\1307010.005\Ironx64.SYS --> C:\windows\system32\drivers\NISx64\1307010.005\Ironx64.SYS [?]
R1 SymNetS;Symantec Network Security WFP Driver;C:\windows\system32\Drivers\NISx64\1307010.005\SYMNETS.SYS --> C:\windows\system32\Drivers\NISx64\1307010.005\SYMNETS.SYS [?]
R1 vwififlt;Virtual WiFi Filter Driver;C:\windows\system32\DRIVERS\vwififlt.sys --> C:\windows\system32\DRIVERS\vwififlt.sys [?]
R2 AMD External Events Utility;AMD External Events Utility;C:\windows\system32\atiesrxx.exe --> C:\windows\system32\atiesrxx.exe [?]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
R2 NIS;Norton Internet Security;C:\Program Files (x86)\Norton Internet Security\Engine\19.7.1.5\ccsvchst.exe [2012-5-18 138232]
R2 Norton PC Checkup Application Launcher;Toshiba Laptop Checkup Application Launcher;C:\Program Files (x86)\Norton PC Checkup\Engine\2.0.13.11\SymcPCCULaunchSvc.exe [2012-1-24 135608]
R2 PCCUJobMgr;Common Client Job Manager Service;C:\Program Files (x86)\Norton PC Checkup\Engine\2.0.13.11\ccSvcHst.exe [2012-1-24 126392]
R3 amdkmdag;amdkmdag;C:\windows\system32\DRIVERS\atikmdag.sys --> C:\windows\system32\DRIVERS\atikmdag.sys [?]
R3 amdkmdap;amdkmdap;C:\windows\system32\DRIVERS\atikmpag.sys --> C:\windows\system32\DRIVERS\atikmpag.sys [?]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2012-6-5 138912]
R3 ETD;ELAN PS/2 Port Input Device;C:\windows\system32\DRIVERS\ETD.sys --> C:\windows\system32\DRIVERS\ETD.sys [?]
R3 FwLnk;FwLnk Driver;C:\windows\system32\DRIVERS\FwLnk.sys --> C:\windows\system32\DRIVERS\FwLnk.sys [?]
R3 L1C;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;C:\windows\system32\DRIVERS\L1C62x64.sys --> C:\windows\system32\DRIVERS\L1C62x64.sys [?]
R3 PGEffect;Pangu effect driver;C:\windows\system32\DRIVERS\pgeffect.sys --> C:\windows\system32\DRIVERS\pgeffect.sys [?]
R3 RTL8192Ce;Realtek Wireless LAN 802.11n PCI-E NIC Driver;C:\windows\system32\DRIVERS\rtl8192Ce.sys --> C:\windows\system32\DRIVERS\rtl8192Ce.sys [?]
R3 WSDPrintDevice;WSD Print Support via UMB;C:\windows\system32\DRIVERS\WSDPrint.sys --> C:\windows\system32\DRIVERS\WSDPrint.sys [?]
R3 WSDScan;WSD Scan Support via UMB;C:\windows\system32\DRIVERS\WSDScan.sys --> C:\windows\system32\DRIVERS\WSDScan.sys [?]
S2 gupdate;Google Update Service (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2012-1-24 136176]
S3 GamesAppService;GamesAppService;C:\Program Files (x86)\WildTangent Games\App\GamesAppService.exe [2010-10-12 206072]
S3 gupdatem;Google Update Service (gupdatem);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2012-1-24 136176]
S3 MozillaMaintenance;Mozilla Maintenance Service;C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-5-5 113120]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;C:\windows\system32\Drivers\RtsUStor.sys --> C:\windows\system32\Drivers\RtsUStor.sys [?]
S3 TsUsbFlt;TsUsbFlt;C:\windows\system32\drivers\tsusbflt.sys --> C:\windows\system32\drivers\tsusbflt.sys [?]
S3 TsUsbGD;Remote Desktop Generic USB Device;C:\windows\system32\drivers\TsUsbGD.sys --> C:\windows\system32\drivers\TsUsbGD.sys [?]
.
=============== Created Last 30 ================
.
2012-07-08 15:45:06 -------- d-----w- C:\Users\Daugherty\AppData\Local\{B26D96FA-9D54-4C83-AA84-54AD0AF24FEE}
2012-07-08 03:44:22 -------- d-----w- C:\Users\Daugherty\AppData\Local\{3E557A29-3A9A-411C-9316-27EB99F3CE9D}
2012-07-08 03:43:57 -------- d-----w- C:\Users\Daugherty\AppData\Local\{7FB6395E-0EA6-4446-9F0B-4B00258FFE7A}
2012-07-07 19:29:39 -------- d-----w- C:\Users\Daugherty\AppData\Roaming\.minecraft
2012-07-07 15:43:21 -------- d-----w- C:\Users\Daugherty\AppData\Local\{223DFBB6-3A30-4379-8484-9584DB7953EB}
2012-07-07 03:42:37 -------- d-----w- C:\Users\Daugherty\AppData\Local\{F579FD77-D29C-4FB5-A5C9-E722522A8205}
2012-07-07 03:42:09 -------- d-----w- C:\Users\Daugherty\AppData\Local\{EA7C7C46-1F06-4C74-AB66-E0136F7D51D0}
2012-07-06 16:22:27 92672 ----a-w- C:\ProgramData\runainst64.dll
2012-07-06 16:22:26 82432 ----a-w- C:\ProgramData\runainst.dll
2012-07-06 15:41:12 -------- d-----w- C:\Users\Daugherty\AppData\Local\{29A4D9CC-4FF7-49AD-BCF1-B7652303D204}
2012-07-06 15:40:46 -------- d-----w- C:\Users\Daugherty\AppData\Local\{7845345B-529B-4F82-9EFB-CAD015CB0987}
2012-07-06 03:40:27 -------- d-----w- C:\Users\Daugherty\AppData\Local\{299426ED-C9BB-4409-BF74-6D0B27104424}
2012-07-05 15:39:30 -------- d-----w- C:\Users\Daugherty\AppData\Local\{24D3451D-5150-472F-970C-E3F411E31999}
2012-07-05 03:17:23 -------- d-----w- C:\Users\Daugherty\AppData\Local\{3AB80FB2-A385-4D66-976C-8CEDA72470B6}
2012-07-05 03:16:46 -------- d-----w- C:\Users\Daugherty\AppData\Local\{77BBF224-77C4-4989-ACFB-F7FFDFE49C03}
2012-07-04 15:14:46 -------- d-----w- C:\Users\Daugherty\AppData\Local\{5C7D3C9F-1E9E-4FAD-B46B-F3379A0AD97C}
2012-07-04 15:13:54 -------- d-----w- C:\Users\Daugherty\AppData\Local\{14E8E1A5-EDA8-4BE0-B95B-2FAD1F962B7F}
2012-07-04 02:07:48 -------- d-----w- C:\Users\Daugherty\AppData\Local\{36980476-B758-4D0C-B5BE-6784A3F499CE}
2012-07-04 02:07:21 -------- d-----w- C:\Users\Daugherty\AppData\Local\{09FB4D80-DEF0-4F6B-9045-E48576E6F608}
2012-07-03 20:44:35 -------- d-----w- C:\ProgramData\Book Place
2012-07-03 14:07:01 -------- d-----w- C:\Users\Daugherty\AppData\Local\{333D13AF-BDEF-4087-A595-053899927128}
2012-07-03 14:06:36 -------- d-----w- C:\Users\Daugherty\AppData\Local\{3444D03E-7336-4FAE-8F4A-045109052C9E}
2012-07-03 02:06:14 -------- d-----w- C:\Users\Daugherty\AppData\Local\{1C095AB7-8EE8-4B77-BBB6-400884492C47}
2012-07-03 02:05:48 -------- d-----w- C:\Users\Daugherty\AppData\Local\{5EAD0C12-2E3F-49F2-AF4D-B9ACA8A97EDD}
2012-07-02 13:53:58 -------- d-----w- C:\Users\Daugherty\AppData\Local\{BB6F459C-F1FB-4EB4-9D32-10A71B99AB7C}
2012-07-02 13:53:29 -------- d-----w- C:\Users\Daugherty\AppData\Local\{69BEF2F6-D091-4744-825F-5C9E219A48EE}
2012-06-30 15:43:34 -------- d-----w- C:\Users\Daugherty\AppData\Local\{522BAFE0-1923-4130-9A28-7F348E3707D1}
2012-06-30 15:43:09 -------- d-----w- C:\Users\Daugherty\AppData\Local\{5916D92C-2863-4EBC-B896-BCC923AE9F7D}
2012-06-27 00:23:38 -------- d-----w- C:\Users\Daugherty\AppData\Local\{0F6BC386-6EA4-4E97-962D-DD87E36848B0}
2012-06-27 00:23:25 -------- d-----w- C:\Users\Daugherty\AppData\Local\{EEE18561-E7BC-424B-BA24-03D8566E49D5}
2012-06-26 20:47:39 -------- d-----w- C:\Users\Daugherty\AppData\Local\{275639DF-9825-46F5-A4E0-E0BF604520E6}
2012-06-26 03:09:50 -------- d-----w- C:\Users\Daugherty\AppData\Local\{2AF9B390-1E8F-4816-A001-390B5647BD00}
2012-06-26 03:09:22 -------- d-----w- C:\Users\Daugherty\AppData\Local\{6E61FE0D-C029-41B4-869B-11A2401DC114}
2012-06-25 15:08:49 -------- d-----w- C:\Users\Daugherty\AppData\Local\{3C55D2DE-C5C0-491E-B2CF-4AAC781F8D8C}
2012-06-25 15:08:21 -------- d-----w- C:\Users\Daugherty\AppData\Local\{7C80DFEA-450F-4180-814F-5BEA0A4ABE06}
2012-06-24 20:22:57 -------- d-----w- C:\Users\Daugherty\AppData\Local\{70709B90-70E5-4350-8942-4ABA81DE4FB9}
2012-06-24 20:22:23 -------- d-----w- C:\Users\Daugherty\AppData\Local\{FD5C8D47-99B4-4ED9-86E0-70A5DD62AA5D}
2012-06-24 05:24:30 -------- d-----w- C:\Users\Daugherty\AppData\Local\{6A05BA4D-EFF8-408E-921E-763000A890BE}
2012-06-24 05:24:04 -------- d-----w- C:\Users\Daugherty\AppData\Local\{44009792-C9FD-42AD-BEA9-F47622792EBD}
2012-06-23 17:01:57 -------- d-----w- C:\Users\Daugherty\AppData\Local\{A4A50356-A409-4B3F-8F82-064E2F8FFFAF}
2012-06-23 17:01:32 -------- d-----w- C:\Users\Daugherty\AppData\Local\{A3CF3358-6312-49CB-AE52-047387354CBC}
2012-06-23 03:33:20 -------- d-----w- C:\Users\Daugherty\AppData\Local\{68D30EFE-4A8A-4926-A7D2-F33EC99595FF}
2012-06-23 03:32:54 -------- d-----w- C:\Users\Daugherty\AppData\Local\{01BE849C-99DF-4FB3-964B-FF8EF74BF1DE}
2012-06-22 20:14:21 -------- d-----w- C:\Users\Daugherty\AppData\Roaming\PCCUStubInstaller
2012-06-22 15:32:12 -------- d-----w- C:\Users\Daugherty\AppData\Local\{D1D444BB-F85D-47FB-BDDF-E8F83702CC5B}
2012-06-22 15:32:00 -------- d-----w- C:\Users\Daugherty\AppData\Local\{E765D994-E8AE-4C6C-97C7-5BD3D56F4136}
2012-06-22 15:25:35 -------- d-----w- C:\windows\en
2012-06-22 15:15:01 15712 ----a-w- C:\Program Files (x86)\Common Files\Windows Live\.cache\cb0d14f81cd508902\MeshBetaRemover.exe
2012-06-22 15:15:00 537432 ----a-w- C:\Program Files (x86)\Common Files\Windows Live\.cache\ca2d60121cd508901\DXSETUP.exe
2012-06-22 15:14:59 89944 ----a-w- C:\Program Files (x86)\Common Files\Windows Live\.cache\ca2d60121cd508901\DSETUP.dll
2012-06-22 15:14:59 1801048 ----a-w- C:\Program Files (x86)\Common Files\Windows Live\.cache\ca2d60121cd508901\dsetup32.dll
2012-06-22 15:10:38 -------- d-----w- C:\Users\Daugherty\AppData\Local\{85EB2EB9-0E0A-446B-A62F-6290F19FF982}
2012-06-22 15:10:13 -------- d-----w- C:\Users\Daugherty\AppData\Local\{6597227D-312B-4B35-B9C5-2B16D12C3377}
2012-06-21 15:40:25 2622464 ----a-w- C:\windows\System32\wucltux.dll
2012-06-21 15:38:55 99840 ----a-w- C:\windows\System32\wudriver.dll
2012-06-21 15:37:30 36864 ----a-w- C:\windows\System32\wuapp.exe
2012-06-21 15:37:30 186752 ----a-w- C:\windows\System32\wuwebv.dll
2012-06-19 19:43:32 -------- d-----w- C:\Users\Daugherty\AppData\Local\{ED8A9684-A87C-44D4-9DB8-740DE70C27CB}
2012-06-19 19:43:19 -------- d-----w- C:\Users\Daugherty\AppData\Local\{FEB69D66-FA3F-4D6C-9D12-B68EDEA7C371}
2012-06-19 15:57:01 -------- d-----w- C:\Users\Daugherty\AppData\Local\{7B39B73C-9E6C-4DDA-A5EF-6AE429FAA35E}
2012-06-19 15:56:30 -------- d-----w- C:\Users\Daugherty\AppData\Local\{4413FB61-CAF1-41CD-B1CF-CFB79D457145}
2012-06-18 14:35:38 -------- d-----w- C:\Users\Daugherty\AppData\Local\{21395604-D415-48DD-87A7-E5A0C8ABB3EF}
2012-06-17 13:59:20 770384 ----a-w- C:\Program Files (x86)\Mozilla Firefox\msvcr100.dll
2012-06-17 13:59:20 421200 ----a-w- C:\Program Files (x86)\Mozilla Firefox\msvcp100.dll
2012-06-17 01:59:10 -------- d-----w- C:\Program Files (x86)\capy
2012-06-15 14:19:05 -------- d-----w- C:\Users\Daugherty\AppData\Local\{4854F2EC-C0AC-491E-B84F-E4E12064A80C}
2012-06-14 21:21:26 -------- d-----w- C:\Users\Daugherty\AppData\Local\{1DDFF01C-A6AF-4EEC-B561-A66F1EB40DAE}
2012-06-14 21:19:09 -------- d-----w- C:\Users\Daugherty\AppData\Local\{6A30B828-2551-450C-A594-A16590182D27}
2012-06-14 14:00:43 -------- d-----w- C:\Users\Daugherty\AppData\Local\{53D389BB-BF55-493F-9A09-41FB81859594}
2012-06-14 14:00:30 -------- d-----w- C:\Users\Daugherty\AppData\Local\{6384DA0A-702E-4546-A1D0-13032CCE7423}
2012-06-14 13:47:56 -------- d-----w- C:\5024b3a04746a20135
2012-06-14 13:39:00 2382848 ----a-w- C:\windows\SysWow64\mshtml.tlb
2012-06-14 13:39:00 2382848 ----a-w- C:\windows\System32\mshtml.tlb
2012-06-14 13:36:51 -------- d-----w- C:\Users\Daugherty\AppData\Local\{22C60064-33CA-4E3E-991D-6A993327777C}
2012-06-14 13:36:21 -------- d-----w- C:\Users\Daugherty\AppData\Local\{7FDB3C36-833D-42F9-A5A0-AD59F2CA612E}
2012-06-13 21:01:35 3216384 ----a-w- C:\windows\System32\msi.dll
2012-06-13 21:01:34 2342400 ----a-w- C:\windows\SysWow64\msi.dll
2012-06-13 21:01:32 210944 ----a-w- C:\windows\System32\drivers\rdpwd.sys
2012-06-13 14:17:27 -------- d-----w- C:\Users\Daugherty\AppData\Local\{2A457041-CE47-4554-95A3-E7FC1CD6F242}
2012-06-13 14:17:01 -------- d-----w- C:\Users\Daugherty\AppData\Local\{2C451533-CC21-4579-838A-81B6B457B81E}
2012-06-12 14:36:58 -------- d-----w- C:\Users\Daugherty\AppData\Local\{B1910534-6FCE-4DDB-AD6F-B42F174E96C6}
2012-06-12 14:36:38 -------- d-----w- C:\Users\Daugherty\AppData\Local\{46CC811B-828E-4349-A3F0-54CD1AFF8DC5}
2012-06-11 13:44:10 -------- d-----w- C:\Users\Daugherty\AppData\Local\{F108FF43-7BF4-4CDC-B945-D0B253FD79EF}
2012-06-11 13:43:43 -------- d-----w- C:\Users\Daugherty\AppData\Local\{D95389F2-1350-47E5-8186-DC0B1FD634DC}
.
==================== Find3M ====================
.
2012-05-25 19:05:34 70304 ----a-w- C:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-05-25 19:05:34 419488 ----a-w- C:\windows\SysWow64\FlashPlayerApp.exe
2012-05-18 02:06:48 2311680 ----a-w- C:\windows\System32\jscript9.dll
2012-05-18 01:59:14 1392128 ----a-w- C:\windows\System32\wininet.dll
2012-05-18 01:58:39 1494528 ----a-w- C:\windows\System32\inetcpl.cpl
2012-05-18 01:55:22 173056 ----a-w- C:\windows\System32\ieUnatt.exe
2012-05-17 22:45:37 1800192 ----a-w- C:\windows\SysWow64\jscript9.dll
2012-05-17 22:35:47 1129472 ----a-w- C:\windows\SysWow64\wininet.dll
2012-05-17 22:35:39 1427968 ----a-w- C:\windows\SysWow64\inetcpl.cpl
2012-05-17 22:29:45 142848 ----a-w- C:\windows\SysWow64\ieUnatt.exe
2012-05-15 01:32:33 3146752 ----a-w- C:\windows\System32\win32k.sys
2012-05-04 11:06:22 5559664 ----a-w- C:\windows\System32\ntoskrnl.exe
2012-05-04 10:03:53 3968368 ----a-w- C:\windows\SysWow64\ntkrnlpa.exe
2012-05-04 10:03:50 3913072 ----a-w- C:\windows\SysWow64\ntoskrnl.exe
2012-05-01 05:40:20 209920 ----a-w- C:\windows\System32\profsvc.dll
2012-04-26 05:41:56 77312 ----a-w- C:\windows\System32\rdpwsx.dll
2012-04-26 05:41:55 149504 ----a-w- C:\windows\System32\rdpcorekmts.dll
2012-04-26 05:34:27 9216 ----a-w- C:\windows\System32\rdrmemptylst.exe
2012-04-24 05:37:37 184320 ----a-w- C:\windows\System32\cryptsvc.dll
2012-04-24 05:37:37 140288 ----a-w- C:\windows\System32\cryptnet.dll
2012-04-24 05:37:36 1462272 ----a-w- C:\windows\System32\crypt32.dll
2012-04-24 04:36:42 140288 ----a-w- C:\windows\SysWow64\cryptsvc.dll
2012-04-24 04:36:42 1158656 ----a-w- C:\windows\SysWow64\crypt32.dll
2012-04-24 04:36:42 103936 ----a-w- C:\windows\SysWow64\cryptnet.dll
.
============= FINISH: 11:04:26.20 ===============
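The one line in the DDS log above that a malware responder would stop at is the `uRun: [ndadetup]` entry, which loads a DLL from `C:\ProgramData` through `rundll32`, and the "Created Last 30" section shows that same DLL (and its 32-bit twin) appearing on 2012-07-06, the day before the Chase redirect was noticed. The script below is an added triage example, not DDS itself and not a tool from BleepingComputer or the poster: it parses the `uRun`/`mRun` lines and the "Created Last 30" lines in the DDS format shown above and flags autoruns that (a) go through `rundll32`, (b) point into a user-writable directory, or (c) point at a file that was created recently. The three heuristics and the list of user-writable prefixes are assumptions for the example; the sample lines are copied from the log in the post.

```python
"""Flag suspicious autorun entries in a DDS-style log (added triage example).

The heuristics and the USER_WRITABLE prefixes are assumptions for this
example; the sample lines below are copied from the DDS log in the post.
"""
import re

# Constructed sample: lines in the DDS "Pseudo HJT Report" and
# "Created Last 30" formats, copied from the log in the post.
SAMPLE_LOG = r"""
uRun: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
uRun: [{7AF3D8F2-B2C2-4F8B-AFA4-C90001F56B1A}] C:\windows\system32\msiexec.exe /cmdloc "HKCU\Software\Supergiant Games AiTemp\{7AF3D8F2-B2C2-4F8B-AFA4-C90001F56B1A}"
uRun: [ndadetup] rundll32 "C:\ProgramData\runainst64.dll",CreateProcessNotify
mRun: [CanonSolutionMenuEx] C:\Program Files (x86)\Canon\Solution Menu EX\CNSEMAIN.EXE /logon
.
=============== Created Last 30 ================
.
2012-07-06 16:22:27 92672 ----a-w- C:\ProgramData\runainst64.dll
2012-07-06 16:22:26 82432 ----a-w- C:\ProgramData\runainst.dll
2012-06-17 13:59:20 770384 ----a-w- C:\Program Files (x86)\Mozilla Firefox\msvcr100.dll
"""

# uRun/mRun (and the -x64 variants): "[name] command line"
RUN_RE = re.compile(r'^[um]Run(?:-x64)?: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
# Created Last 30: "timestamp size attrs path" (size is dashes for directories)
CREATED_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?:\d+|-+) \S+ (?P<path>[A-Za-z]:\\.*)$')
QUOTED_PATH_RE = re.compile(r'"([A-Za-z]:\\[^"]+)"')
BARE_PATH_RE = re.compile(r'([A-Za-z]:\\.*?\.(?:exe|dll))', re.IGNORECASE)
RUNDLL_RE = re.compile(r'\brundll32(?:\.exe)?\b', re.IGNORECASE)

# Assumption: a standard user can write here, so an autorun pointing into
# these trees deserves a second look.
USER_WRITABLE = ('c:\\programdata\\', 'c:\\users\\')


def extract_path(cmd):
    """Return the first drive-letter file path in an autorun command, or None."""
    m = QUOTED_PATH_RE.search(cmd) or BARE_PATH_RE.search(cmd)
    return m.group(1) if m else None


def parse_created(log_text):
    """Map lowercase path -> timestamp for every 'Created Last 30' line."""
    created = {}
    for line in log_text.splitlines():
        m = CREATED_RE.match(line.strip())
        if m:
            created[m.group('path').lower()] = m.group('ts')
    return created


def triage(log_text):
    """Return one finding per autorun entry that trips at least one heuristic."""
    created = parse_created(log_text)
    findings = []
    for line in log_text.splitlines():
        m = RUN_RE.match(line.strip())
        if not m:
            continue
        cmd = m.group('cmd')
        path = extract_path(cmd)
        reasons = []
        if RUNDLL_RE.search(cmd):
            reasons.append('loaded through rundll32')
        if path and path.lower().startswith(USER_WRITABLE):
            reasons.append('target lives in a user-writable directory')
        stamp = created.get(path.lower()) if path else None
        if stamp:
            reasons.append('target was created in the last 30 days (%s)' % stamp)
        if reasons:
            findings.append({'name': m.group('name'), 'path': path,
                             'created': stamp, 'reasons': reasons})
    return findings


if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print('[%s] %s' % (f['name'], f['path']))
        for r in f['reasons']:
            print('    - ' + r)
```

Run against the sample, only the `ndadetup` entry is reported, with all three reasons; the Google, msiexec and Canon entries live under `Program Files` or `windows` and are left alone. A real log would be fed in with `triage(open('dds.txt').read())`, and the value of the "created" cross-reference is that it ties an autorun to a date, which is what lets you line it up with when the symptoms started.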


#2 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  • Gender:Male
  • Location:Numpty HQ
  • Local time:05:04 AM

Posted 08 July 2012 - 02:23 PM

Good evening. :)

Download aswMBR.exe from here and save it to your Desktop.

  • Double click the tool to run it.
  • When prompted "Would you like to download latest Avast! virus definitions?" click Yes - you may need to allow access through your firewall.
  • Click the Scan button to, well, start the scan - obvious really!
  • Once the scan reports "Scan finished successfully" click Save log.
  • On my system it offers to save it to the Desktop, which may or may not be its default behaviour, but it's as handy a place as any.
  • You'll also see a file called MBR.dat appear as well - this is a backup that it created, just in case it's needed. Keep it handy for now.

I'd like the contents of aswMBR.txt in your next reply, if you'd be so kind.

So long, and thanks for all the fish.


#3 DorteeClan

DorteeClan
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  • Local time:01:04 AM

Posted 12 July 2012 - 10:15 AM

Sorry for the delay. I have notifications set but didn't realize anyone had responded. I will try and run these instructions this evening. Thanks for the reply. :)

#4 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  • Gender:Male
  • Location:Numpty HQ
  • Local time:05:04 AM

Posted 18 July 2012 - 03:35 PM

As there has been no response for five days this thread is now closed.

So long, and thanks for all the fish.
