Help needed cleaning up after Live Security Platinum


  • This topic is locked
3 replies to this topic

#1 BrummyGit

  • Members
  • 2 posts

Posted 07 August 2012 - 03:03 PM

Hello,

I would appreciate your help to clean my wife's laptop after an infection which showed itself as "Live Security Platinum".

The machine is a Windows 7 laptop with BT's NetProtect Plus (a customised McAfee build), and we are not sure how the infection was acquired.

I followed the standard removal process, and at the time there was no proxy server set; however, when I try to visit selected web sites (e.g. microsoft.com or mcafee.com) I am simply redirected back to Google. I am also seeing the standard Google home page using SSL, and clicking links from some Google searches gives apparently Google-generated error messages.

MalwareBytes, Super Anti Spyware, McAfee, TDSS etc. find no more infections, although MalwareBytes and McAfee did find and fix the infections initially.

Please help if you can.

Thanks

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 9.0.8112.16421
Run by Becky at 19:54:19 on 2012-08-07
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.44.1033.18.2943.2022 [GMT 1:00]
.
AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}
FW: McAfee Firewall *Enabled* {BE0ED752-0A0B-3FFF-80EC-B2269063014C}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\AEADISRV.EXE
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Secunia\PSI\PSIA.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\rundll32.exe
C:\Program Files\TeamViewer\Version7\TeamViewer_Service.exe
C:\Program Files\BT Auto Backup\VaultClientSRV.exe
C:\Program Files\BT Auto Backup\VaultClientUpgrade.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Synaptics\SynTP\SynTPStart.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCtrl.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\VolCtrl.exe
C:\Program Files\Canon\Canon IJ Network Scan Utility\CNMNSUT.EXE
C:\Program Files\Logitech\SetPointP\SetPoint.exe
C:\Program Files\BT Auto Backup\VaultClientTray.exe
C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Secunia\PSI\psi_tray.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files\TeamViewer\Version7\TeamViewer.exe
C:\Program Files\TeamViewer\Version7\tv_w32.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\svchost.exe -k SDRSVC
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\Macromed\Flash\FlashUtil32_11_3_300_270_ActiveX.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uSearch Bar = Preserve
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Canon Easy-WebPrint EX BHO: {3785d0ad-bfff-47f6-bf5b-a587c162fed9} - c:\program files\canon\easy-webprint ex\ewpexbho.dll
BHO: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - No File
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20120621215542.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Windows Live Messenger Companion Helper: {9fdde16b-836f-4806-ab1f-1455cbeff289} - c:\program files\windows live\companion\companioncore.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: Canon Easy-WebPrint EX: {759d9886-0c6f-4498-bab6-4a5f47c6c72f} - c:\program files\canon\easy-webprint ex\ewpexhlp.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
EB: Canon Easy-WebPrint EX: {21347690-ec41-4f9a-8887-1f4aee672439} - c:\program files\canon\easy-webprint ex\ewpexhlp.dll
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /minimized /regrun
uRun: [Ifirnawuyf] c:\users\becky\appdata\roaming\raoz\unwi.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [SynTPStart] c:\program files\synaptics\syntp\SynTPStart.exe
mRun: [QlbCtrl.exe] c:\program files\hewlett-packard\hp quick launch buttons\QlbCtrl.exe /Start
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [IJNetworkScanUtility] c:\program files\canon\canon ij network scan utility\CNMNSUT.EXE
mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon
mRun: [Logitech Download Assistant] c:\windows\system32\rundll32.exe c:\windows\system32\LogiLDA.dll,LogiFetch
mRun: [EvtMgr6] c:\program files\logitech\setpointp\SetPoint.exe /launchGaming
mRun: [TrayStartup] c:\program files\bt auto backup\VaultClientTray.exe
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
StartupFolder: c:\users\becky\appdata\roaming\micros~1\windows\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\secuni~1.lnk - c:\program files\secunia\psi\psi_tray.exe
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {0000036B-C524-4050-81A0-243669A86B9F} - {B63DBA5F-523F-4B9C-A43D-65DF1977EAD3} - c:\program files\windows live\companion\companioncore.dll
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
DPF: {D27CDB6E-AE6D-11CF-96B8-444553570000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.1.254 192.168.1.254
TCP: Interfaces\{8C27FD32-F12A-4487-ACB9-2D3D64D63895} : DhcpNameServer = 192.168.1.254 192.168.1.254
TCP: Interfaces\{8C27FD32-F12A-4487-ACB9-2D3D64D63895}\244584572633D263456353 : DhcpNameServer = 192.168.1.254
TCP: Interfaces\{8C27FD32-F12A-4487-ACB9-2D3D64D63895}\244584F6D65684572623D2938383B4 : DhcpNameServer = 192.168.1.254
TCP: Interfaces\{8C27FD32-F12A-4487-ACB9-2D3D64D63895}\244584F6D65684572623D2E4844393 : DhcpNameServer = 192.168.1.254
TCP: Interfaces\{8C27FD32-F12A-4487-ACB9-2D3D64D63895}\25F6373702641627D6 : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{8C27FD32-F12A-4487-ACB9-2D3D64D63895}\77962756C6563737 : DhcpNameServer = 192.168.0.1
Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\progra~1\mcafee\msc\McSnIePl.dll
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
.
============= SERVICES / DRIVERS ===============
.
R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2010-5-31 464304]
R0 mfewfpk;McAfee Inc. mfewfpk;c:\windows\system32\drivers\mfewfpk.sys [2010-8-23 169608]
R1 mfenlfk;McAfee NDIS Light Filter;c:\windows\system32\drivers\mfenlfk.sys [2010-8-23 64912]
R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-14 48128]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2011-11-28 214904]
R2 McMPFSvc;McAfee Personal Firewall Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2011-11-28 214904]
R2 McNaiAnn;McAfee VirusScan Announcer;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2011-11-28 214904]
R2 McProxy;McAfee Proxy Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2011-11-28 214904]
R2 McShield;McAfee McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2010-8-23 166288]
R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2010-8-23 161632]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\common files\mcafee\systemcore\mfevtps.exe [2010-8-23 151880]
R2 Secunia PSI Agent;Secunia PSI Agent;c:\program files\secunia\psi\psia.exe [2012-7-25 1326176]
R2 TeamViewer7;TeamViewer 7;c:\program files\teamviewer\version7\TeamViewer_Service.exe [2012-3-19 2667392]
R2 VaultClientSRV;BT Auto Backup Service;c:\program files\bt auto backup\VaultClientSRV.exe [2009-11-27 1051752]
R2 VaultClientUpgrade;BT Auto Backup Upgrade Service;c:\program files\bt auto backup\VaultClientUpgrade.exe [2009-11-27 56424]
R3 ATSwpWDF;AuthenTec TruePrint USB WBF WDF Driver;c:\windows\system32\drivers\ATSwpWDF.sys [2009-12-3 625224]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
R3 btusbflt;Bluetooth USB Filter;c:\windows\system32\drivers\btusbflt.sys [2010-4-14 45736]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2010-8-23 57600]
R3 Com4QLBEx;Com4QLBEx;c:\program files\hewlett-packard\hp quick launch buttons\Com4QLBEx.exe [2011-9-22 227896]
R3 LEqdUsb;Logitech SetPoint Unifying KMDF USB Filter;c:\windows\system32\drivers\LEqdUsb.sys [2010-8-24 40912]
R3 LHidEqd;Logitech SetPoint Unifying KMDF HID Filter;c:\windows\system32\drivers\LHidEqd.sys [2010-8-24 10448]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2010-8-23 180848]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2010-8-23 59456]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2010-8-23 340920]
R3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2010-9-1 15544]
R3 seehcri;Sony Ericsson seehcri Device Driver;c:\windows\system32\drivers\seehcri.sys [2009-11-17 27632]
R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\drivers\VSTAZL3.SYS [2009-7-13 207360]
R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\drivers\VSTDPV3.SYS [2009-7-13 980992]
R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\drivers\VSTCNXT3.SYS [2009-7-13 661504]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-3-20 136176]
S2 Secunia Update Agent;Secunia Update Agent;c:\program files\secunia\psi\sua.exe [2012-7-25 681056]
S2 SkypeUpdate;Skype Updater;c:\program files\skype\updater\Updater.exe [2012-7-13 160944]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-4-5 250056]
S3 fssfltr;fssfltr;c:\windows\system32\drivers\fssfltr.sys [2012-6-22 39272]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2012-3-8 1492840]
S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\drivers\ggflt.sys [2010-11-3 13224]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-3-20 136176]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-8-23 87656]
S3 s0016bus;Sony Ericsson Device 0016 driver (WDM);c:\windows\system32\drivers\s0016bus.sys [2009-11-17 89256]
S3 s0016mdfl;Sony Ericsson Device 0016 USB WMC Modem Filter;c:\windows\system32\drivers\s0016mdfl.sys [2009-11-17 15016]
S3 s0016mdm;Sony Ericsson Device 0016 USB WMC Modem Driver;c:\windows\system32\drivers\s0016mdm.sys [2009-11-17 120744]
S3 s0016mgmt;Sony Ericsson Device 0016 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s0016mgmt.sys [2009-11-17 114216]
S3 s0016nd5;Sony Ericsson Device 0016 USB Ethernet Emulation SEMC0016 (NDIS);c:\windows\system32\drivers\s0016nd5.sys [2009-11-17 25512]
S3 s0016obex;Sony Ericsson Device 0016 USB WMC OBEX Interface;c:\windows\system32\drivers\s0016obex.sys [2009-11-17 110632]
S3 s0016unic;Sony Ericsson Device 0016 USB Ethernet Emulation SEMC0016 (WDM);c:\windows\system32\drivers\s0016unic.sys [2009-11-17 115752]
S3 s0017bus;Sony Ericsson Device 0017 driver (WDM);c:\windows\system32\drivers\s0017bus.sys [2009-11-17 86824]
S3 s0017mdfl;Sony Ericsson Device 0017 USB WMC Modem Filter;c:\windows\system32\drivers\s0017mdfl.sys [2009-11-17 15016]
S3 s0017mdm;Sony Ericsson Device 0017 USB WMC Modem Driver;c:\windows\system32\drivers\s0017mdm.sys [2009-11-17 114600]
S3 s0017mgmt;Sony Ericsson Device 0017 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s0017mgmt.sys [2009-11-17 108328]
S3 s0017nd5;Sony Ericsson Device 0017 USB Ethernet Emulation SEMC0017 (NDIS);c:\windows\system32\drivers\s0017nd5.sys [2009-11-17 26024]
S3 s0017obex;Sony Ericsson Device 0017 USB WMC OBEX Interface;c:\windows\system32\drivers\s0017obex.sys [2009-11-17 104616]
S3 s0017unic;Sony Ericsson Device 0017 USB Ethernet Emulation SEMC0017 (WDM);c:\windows\system32\drivers\s0017unic.sys [2009-11-17 109736]
S3 s1018bus;Sony Ericsson Device 1018 driver (WDM);c:\windows\system32\drivers\s1018bus.sys [2009-11-17 86824]
S3 s1018mdfl;Sony Ericsson Device 1018 USB WMC Modem Filter;c:\windows\system32\drivers\s1018mdfl.sys [2009-11-17 15016]
S3 s1018mdm;Sony Ericsson Device 1018 USB WMC Modem Driver;c:\windows\system32\drivers\s1018mdm.sys [2009-11-17 114728]
S3 s1018mgmt;Sony Ericsson Device 1018 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s1018mgmt.sys [2009-11-17 106208]
S3 s1018nd5;Sony Ericsson Device 1018 USB Ethernet Emulation (NDIS);c:\windows\system32\drivers\s1018nd5.sys [2009-11-17 26024]
S3 s1018obex;Sony Ericsson Device 1018 USB WMC OBEX Interface;c:\windows\system32\drivers\s1018obex.sys [2009-11-17 104744]
S3 s1018unic;Sony Ericsson Device 1018 USB Ethernet Emulation (WDM);c:\windows\system32\drivers\s1018unic.sys [2009-11-17 109864]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2011-2-24 52224]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-6-17 1343400]
S4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\windows live\mesh\wlcrasvc.exe [2010-9-22 51040]
.
=============== Created Last 30 ================
.
2012-08-07 16:04:19 -------- d-----w- c:\users\becky\appdata\local\Secunia PSI
2012-08-07 16:03:48 -------- d-----w- c:\program files\Secunia
2012-08-07 14:39:59 -------- d-----w- c:\users\becky\appdata\roaming\SUPERAntiSpyware.com
2012-08-07 14:39:37 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2012-08-07 11:51:47 -------- d-----w- c:\program files\Emsisoft Anti-Malware
2012-08-06 22:59:39 -------- d-sh--w- C:\$RECYCLE.BIN
2012-08-06 22:54:53 -------- d-----w- c:\users\becky\appdata\local\temp
2012-08-06 22:42:25 98816 ----a-w- c:\windows\sed.exe
2012-08-06 22:42:25 518144 ----a-w- c:\windows\SWREG.exe
2012-08-06 22:42:25 256000 ----a-w- c:\windows\PEV.exe
2012-08-06 22:42:25 208896 ----a-w- c:\windows\MBR.exe
2012-08-06 21:33:10 -------- d-----w- c:\users\becky\appdata\roaming\Malwarebytes
2012-08-06 21:32:51 -------- d-----w- c:\programdata\Malwarebytes
2012-08-06 21:32:50 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-08-06 21:32:50 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-08-06 20:03:55 -------- d-----w- c:\programdata\036E190F0046D41E15454C4EF875F020
2012-08-06 20:02:41 -------- d-----w- c:\users\becky\appdata\roaming\Raoz
2012-08-06 20:02:41 -------- d-----w- c:\users\becky\appdata\roaming\Onlu
2012-08-06 20:02:41 -------- d-----w- c:\users\becky\appdata\roaming\Abol
2012-08-06 14:44:14 -------- d-----w- c:\users\becky\appdata\local\{27FF7041-2AE5-4CAA-9AE2-83D947C4C4CD}
2012-08-05 21:37:40 -------- d-----w- c:\users\becky\appdata\local\{95231BDF-F052-4D7F-9C81-47CDAC8003F7}
2012-08-05 09:36:01 -------- d-----w- c:\users\becky\appdata\local\{263B6075-1066-43B8-AEE3-488A445936F0}
2012-08-04 11:09:31 -------- d-----w- c:\users\becky\appdata\local\{B70662DA-AD74-4EAE-8A39-C45ED0C58724}
2012-08-04 11:08:41 -------- d-----w- c:\users\becky\appdata\local\{03099FFC-9FE1-4173-860C-BBDD7B334ED5}
2012-07-20 22:47:51 -------- d-----w- c:\users\becky\appdata\local\{A1C6EDF3-0B31-4318-88DF-10B20A870A87}
2012-07-20 22:47:36 -------- d-----w- c:\users\becky\appdata\local\{3B1D6C77-02E5-4B85-AA62-DD4E4336CB7C}
2012-07-20 07:06:27 -------- d-----w- c:\users\becky\appdata\local\{F652F95C-89DD-4097-A757-1B24C4EAC86C}
2012-07-19 19:05:47 -------- d-----w- c:\users\becky\appdata\local\{661E82D0-66D6-442E-9CCE-C6E4394B7AC9}
2012-07-19 19:05:31 -------- d-----w- c:\users\becky\appdata\local\{2EE69011-4ECB-4849-B475-7F15EF2D3F2A}
2012-07-18 16:19:19 -------- d-----w- c:\users\becky\appdata\local\{EB0628FD-E4D9-4D0B-8A12-858E2592B780}
2012-07-18 16:18:59 -------- d-----w- c:\users\becky\appdata\local\{E5070904-AAC5-4F77-9E30-042AF165B2E5}
2012-07-17 20:11:48 -------- d-----w- c:\users\becky\appdata\local\{87F9FFD3-87FE-422A-8434-F51F09EF4086}
2012-07-16 21:37:14 -------- d-----w- c:\users\becky\appdata\local\{7B45DE80-0982-4481-A538-92D32A0171D7}
2012-07-16 14:24:22 -------- d-----w- c:\users\becky\appdata\local\{BBF42CC2-A49E-4339-9043-F87E75AC1525}
2012-07-15 10:39:45 -------- d-----w- c:\users\becky\appdata\local\{EBB9F2B0-F827-4BC6-A022-D51E5960423D}
2012-07-14 09:39:41 -------- d-----w- c:\users\becky\appdata\local\{FAD303CD-6B80-44A8-9D96-F53AD85CC52B}
2012-07-14 09:39:00 -------- d-----w- c:\users\becky\appdata\local\{AEB3D7B9-311D-419C-9061-81D497D1E0D2}
2012-07-13 15:17:27 -------- d-----w- c:\users\becky\appdata\local\{759BFAD2-671D-4446-A22A-394069689644}
2012-07-12 20:13:29 -------- d-----w- c:\users\becky\appdata\local\{E7895B58-23AF-4C99-A8AA-424369F03003}
2012-07-12 20:13:08 -------- d-----w- c:\users\becky\appdata\local\{0E4EAE77-7D7B-40E9-B06B-AB7856AA0980}
2012-07-12 08:10:33 -------- d-----w- c:\users\becky\appdata\local\{7875FAB5-2810-492D-83B4-709F4E8615A4}
2012-07-11 15:10:44 -------- d-----w- c:\users\becky\appdata\local\{926012B3-5936-4FA3-B959-08785C4D0838}
2012-07-11 15:10:27 -------- d-----w- c:\users\becky\appdata\local\{65BA7229-8475-4F9B-A503-1143C2736CD0}
2012-07-11 14:56:17 2345984 ----a-w- c:\windows\system32\win32k.sys
2012-07-11 14:35:56 369336 ----a-w- c:\windows\system32\drivers\cng.sys
2012-07-11 14:35:52 134000 ----a-w- c:\windows\system32\drivers\ksecpkg.sys
2012-07-11 14:35:46 219136 ----a-w- c:\windows\system32\ncrypt.dll
2012-07-11 14:35:42 225280 ----a-w- c:\windows\system32\schannel.dll
2012-07-11 14:35:35 67440 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2012-07-11 14:35:23 1390080 ----a-w- c:\windows\system32\msxml6.dll
2012-07-11 14:35:17 1236992 ----a-w- c:\windows\system32\msxml3.dll
2012-07-11 14:35:15 2048 ----a-w- c:\windows\system32\msxml3r.dll
2012-07-11 14:35:08 1019904 ----a-w- c:\program files\common files\system\ado\msado15.dll
2012-07-11 14:35:05 805376 ----a-w- c:\windows\system32\cdosys.dll
2012-07-11 14:35:00 352256 ----a-w- c:\program files\common files\system\ado\msadomd.dll
2012-07-11 14:34:55 57344 ----a-w- c:\program files\common files\system\ado\msador15.dll
2012-07-11 14:34:51 212992 ----a-w- c:\program files\common files\system\msadc\msadco.dll
2012-07-11 14:34:48 143360 ----a-w- c:\program files\common files\system\ado\msjro.dll
2012-07-11 14:34:45 372736 ----a-w- c:\program files\common files\system\ado\msadox.dll
2012-07-10 19:56:18 -------- d-----w- c:\users\becky\appdata\local\{B666C0C9-9878-4F60-B4F4-13918F53A796}
2012-07-10 19:56:05 -------- d-----w- c:\users\becky\appdata\local\{5918CA5B-A199-4C71-BA75-B535F7FB67C4}
2012-07-10 07:55:44 -------- d-----w- c:\users\becky\appdata\local\{BFEFAF5B-BF04-4B1C-B092-9207BF84CD2A}
2012-07-09 17:59:34 -------- d-----w- c:\users\becky\appdata\local\{9B46BAC7-4F58-496B-A6AA-1F3BF560ADDF}
.
==================== Find3M ====================
.
2012-08-04 14:30:09 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-08-04 14:30:09 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-06-02 22:12:32 2422272 ----a-w- c:\windows\system32\wucltux.dll
2012-06-02 22:12:13 88576 ----a-w- c:\windows\system32\wudriver.dll
2012-06-02 14:19:42 171904 ----a-w- c:\windows\system32\wuwebv.dll
2012-06-02 14:12:20 33792 ----a-w- c:\windows\system32\wuapp.exe
2012-06-02 08:33:25 1800192 ----a-w- c:\windows\system32\jscript9.dll
2012-06-02 08:25:08 1129472 ----a-w- c:\windows\system32\wininet.dll
2012-06-02 08:25:03 1427968 ----a-w- c:\windows\system32\inetcpl.cpl
2012-06-02 08:20:33 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2012-06-02 08:16:52 2382848 ----a-w- c:\windows\system32\mshtml.tlb
.
============= FINISH: 19:55:41.60 ===============

#2 nasdaq

  • Malware Response Team
  • 40,169 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 12 August 2012 - 09:39 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.
===

Open your Task Manager (CTRL+ALT+DEL) and stop this running process:
uRun: [Ifirnawuyf] c:\users\becky\appdata\roaming\raoz\unwi.exe
EXIT.

Delete these folders in bold.
c:\users\becky\appdata\roaming\raoz
c:\users\becky\appdata\roaming\Onlu
c:\users\becky\appdata\roaming\Abol

Restart the Computer normally.
===

Please download ComboFix from any of the links below, and save it to your desktop. For information regarding this download, please visit this web page: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop

IMPORTANT....

1. Close any open browsers.

2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Do not install any other programs until this is fixed.


How to : Disable Anti-virus and Firewall...
http://www.bleepingcomputer.com/forums/topic114351.html

Double click on ComboFix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt
Note:
Do not mouse click ComboFix's window while it's running. That may cause it to stall.


Note: If you have difficulty properly disabling your protective programs, refer to this link --> http://www.bleepingcomputer.com/forums/topic114351.html


Note: If after running ComboFix you get this error message "Illegal operation attempted on a registry key that has been marked for deletion." when attempting to run a program all you need to do is restart the computer to reset the registry.
===

Third-party programs, if not up to date, can be the cause of infiltration by an infection.

Please run this security check for my review.

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
===

Please download AdwCleaner by Xplode onto your Desktop.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Search.
  • A logfile will automatically open after the scan has finished.
  • Please post the content of that logfile in your reply.
  • You can find the logfile at C:\AdwCleaner[Rn].txt as well - n is the order number.

Please post the logs for my review.

Please let me know what problem persists.
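An added example, not part of either post and not a DDS, ComboFix or BleepingComputer tool: a small Python triage of the "Pseudo HJT Report" section of the DDS log above. It applies two checks a responder makes on such a log, autorun entries that launch from user-writable profile directories (which is how it surfaces the same uRun entry nasdaq tells the OP to stop) and DHCP-assigned DNS servers outside the RFC 1918 / link-local ranges (relevant to the redirection the OP describes), and also lists BHO/toolbar registrations whose DLL is gone. The regexes are assumptions about the DDS line format as it appears in the log; the sample lines are copied from that log, except the last DNS line, which is constructed with a documentation address so the resolver check has something to flag.

```python
"""Triage a DDS "Pseudo HJT Report" for autoruns in user-writable locations
and for DHCP-assigned DNS servers that are not local.  Example code written
for this thread; it is not a DDS or BleepingComputer tool, and the regexes
are assumptions about the DDS line format shown in the log above."""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

# "uRun: [Name] command" / "mRun: [Name] "quoted path" args"
RUN_LINE = re.compile(r"^(?P<hive>[um]Run(?:Once)?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# The launched executable is the quoted first token or, for unquoted paths
# that may contain spaces, the shortest prefix ending in .exe
EXE_PATH = re.compile(r'^"(?P<q>[^"]+)"|^(?P<u>.*?\.exe)\b', re.IGNORECASE)
DNS_LINE = re.compile(r"DhcpNameServer = (?P<servers>[\d. ]+)$")
# Locations a non-admin user (and so malware running as that user) can write to
USER_WRITABLE = ("\\appdata\\", "\\programdata\\", "\\temp\\", "\\users\\public\\")
# Where a home router's DHCP-assigned resolver is expected to live
LAN_RANGES = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]


@dataclass(frozen=True)
class Finding:
    kind: str    # "autorun", "dns" or "orphan"
    detail: str


def launched_exe(cmd: str) -> str:
    """Return the lower-cased path of the program a Run-key command launches."""
    cmd = cmd.strip()
    m = EXE_PATH.match(cmd)
    if not m:
        return cmd.split(" ")[0].lower()
    return (m.group("q") or m.group("u")).lower()


def is_lan_resolver(server: str) -> bool:
    """True if the address parses and sits in one of the expected LAN ranges."""
    try:
        addr = ipaddress.ip_address(server)
    except ValueError:
        return False
    return any(addr in net for net in LAN_RANGES)


def triage(report: str) -> list[Finding]:
    findings: list[Finding] = []
    for raw in report.splitlines():
        line = raw.strip()
        run = RUN_LINE.match(line)
        if run:
            exe = launched_exe(run.group("cmd"))
            if any(marker in exe for marker in USER_WRITABLE):
                findings.append(Finding("autorun", f"{run.group('hive')} [{run.group('name')}] -> {exe}"))
            continue
        dns = DNS_LINE.search(line)
        if dns:
            for server in dns.group("servers").split():
                if not is_lan_resolver(server):
                    findings.append(Finding("dns", f"resolver {server} is outside the LAN ranges"))
            continue
        # BHO/toolbar registrations whose DLL is gone: harmless but worth cleaning
        if line.startswith(("BHO:", "TB:")) and line.endswith("- No File"):
            findings.append(Finding("orphan", line))
    return findings


# Lines copied from the DDS log in this thread, plus one constructed DNS line
# (203.0.113.5 is a documentation address) so the resolver check fires.
SAMPLE_REPORT = r"""
BHO: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - No File
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /minimized /regrun
uRun: [Ifirnawuyf] c:\users\becky\appdata\roaming\raoz\unwi.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [Logitech Download Assistant] c:\windows\system32\rundll32.exe c:\windows\system32\LogiLDA.dll,LogiFetch
TCP: DhcpNameServer = 192.168.1.254 192.168.1.254
TCP: Interfaces\{8C27FD32-F12A-4487-ACB9-2D3D64D63895} : DhcpNameServer = 192.168.1.254 192.168.1.254
TCP: Interfaces\{CONSTRUCTED-EXAMPLE} : DhcpNameServer = 203.0.113.5
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_REPORT):
        print(f"[{f.kind}] {f.detail}")
```

Run against the sample, the only autorun flagged is the Ifirnawuyf entry under appdata\roaming; the Skype, SoundMAX and Logitech entries launch from Program Files or System32 and pass. The page's own DhcpNameServer lines (192.168.x.x) pass the resolver check, and only the constructed line is reported, which is the expected result for the log the OP posted.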

#3 BrummyGit

  • Topic Starter

  • Members
  • 2 posts

Posted 13 August 2012 - 06:34 AM

Hi nasdaq

Thanks for your reply.

I'm sorry that I didn't respond quickly enough, but having read a little more about the infection, and through the need to be up and running quickly, I decided to run a disk sanitizer and then re-install Windows from the DVDs. I was also able to recover my data from a recent backup.

I understand that you provide this support on a voluntary basis, therefore I apologise that I wasted some of your time and thank you again for trying to help.

Best regards

BrummyGit

#4 nasdaq

  • Malware Response Team
  • 40,169 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 13 August 2012 - 08:01 AM

Thanks for the feedback.



