
Malware problems - please can you help?


24 replies to this topic

#1 Albany_


Posted 04 October 2012 - 10:48 AM

Hi

While surfing the net using IE, I foolishly visited a 'lyrics' website that presented me with a pop-up. I clicked the X in the corner (i.e. what looked like the 'close button'), but presumably this downloaded a virus because a few seconds later all the windows that were open shut down and suddenly my screen turned into what looked like a 'full screen' Internet Explorer screen (i.e. what it looks like when you press F11). The window was displaying the message "this program cannot display the webpage".

I couldn't close the window, I couldn't Alt-Tab to any other applications, I couldn't CTRL-F4 to close it, and when I restarted my PC, as soon as I got into Windows 7, that same screen took over again. I basically couldn't do anything with my PC at all. Pressing CTRL-F4 seemed to close the window for a split second, as I briefly saw the desktop (for about a tenth of a second) and then the screen reappeared again. I couldn't get Task Manager to appear either. It seems as if this screen was overriding everything else on my system and taking precedence.

With the help of one of my work's IT support guys I have managed to get rid of the "this program cannot display the webpage" page and my laptop seems to be working as normal now. HOWEVER, I wanted to make sure that there was nothing still lurking on my machine.

I therefore ran ESET Online Scanner and it found 4 "Infected Files" - here's the ESET log:

C:\ProgramData\ubmohibp.exe Win32/Weelsof.B trojan cleaned by deleting - quarantined
C:\Users\xxxxxx\AppData\Local\Temp\GL4RHyq.exe Win32/Weelsof.B trojan cleaned by deleting - quarantined
C:\Users\xxxxxx\AppData\Local\Temp\jar_cache6087482987431376725.tmp a variant of Java/Exploit.CVE-2012-4681.AY trojan deleted - quarantined
C:\Users\xxxxxx\AppData\Local\Temp\ICReinstall\cnet_wrar401_exe.exe a variant of Win32/InstallCore.D application cleaned by deleting - quarantined

Can you guys please help me to check if there is anything else lurking on my machine? I really don't want to lose all my settings, etc. by having my machine wiped and re-installed unless this is absolutely necessary.

Some information about my machine (in case this is useful):
- This is my work laptop. It is running Windows 7 Enterprise. 32-bit Operating System. 4GB RAM. 2.53 GHz processor.
- It is running McAfee Agent (v4.5.0.1499) / McAfee VirusScan Enterprise Workstation (v8.7.0.570) / McAfee AntiSpyware Enterprise Module (v8.7.0.129)
- NB: One slight snag, because of the encryption software that is installed on the machine, I can't start it up in "safe mode" (I hope that doesn't mean that you guys won't be able to help).

Edited by Albany_, 04 October 2012 - 11:04 AM.



#2 narenxp


Posted 04 October 2012 - 10:49 AM

Download

TDSSkiller

Launch it. Click on Change parameters and select TDLFS file system.

Click on "Scan". Please post the LOG report (the log file should be in your C drive).

Do not change the default options on scan results

Download

aswMBR

Launch it, allow it to download the latest Avast! virus definitions.
Click the "Scan" button to start the scan. After the scan finishes, click on Save log.

Post the log results here. If you get crashes in normal mode, run it in safe mode with networking.

Download

ESET online scanner

Install it

Click on START, it should download the virus definitions.
When the scan gets completed, click on LIST of found threats.

Export the list to desktop and copy the contents of the text file into your reply.

#3 Albany_


Posted 04 October 2012 - 11:53 AM

Hi narenxp

Many thanks for the swift reply and your help. Here are the logs that you requested:

16:55:32.0160 8176 TDSS rootkit removing tool 2.8.10.0 Sep 17 2012 19:23:24
16:55:32.0269 8176 ============================================================
16:55:32.0269 8176 Current date / time: 2012/10/04 16:55:32.0269
16:55:32.0269 8176 SystemInfo:
16:55:32.0269 8176
16:55:32.0269 8176 OS Version: 6.1.7600 ServicePack: 0.0
16:55:32.0269 8176 Product type: Workstation
16:55:32.0269 8176 ComputerName: xxxxxx
16:55:32.0269 8176 UserName: xxxxxx
16:55:32.0269 8176 Windows directory: C:\Windows
16:55:32.0269 8176 System windows directory: C:\Windows
16:55:32.0269 8176 Processor architecture: Intel x86
16:55:32.0269 8176 Number of processors: 4
16:55:32.0269 8176 Page size: 0x1000
16:55:32.0269 8176 Boot type: Normal boot
16:55:32.0269 8176 ============================================================
16:55:33.0049 8176 Drive \Device\Harddisk0\DR0 - Size: 0x3A38B2E000 (232.89 Gb), SectorSize: 0x200, Cylinders: 0x76C1, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000050
16:55:33.0064 8176 ============================================================
16:55:33.0064 8176 \Device\Harddisk0\DR0:
16:55:33.0064 8176 MBR partitions:
16:55:33.0064 8176 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x800, BlocksNum 0x1D12E800
16:55:33.0064 8176 \Device\Harddisk0\DR0\Partition2: MBR, Type 0x7, StartLBA 0x1D12F000, BlocksNum 0x96000
16:55:33.0064 8176 ============================================================
16:55:33.0080 8176 C: <-> \Device\Harddisk0\DR0\Partition1
16:55:33.0096 8176 ============================================================
16:55:33.0111 8176 Initialize success
16:55:33.0111 8176 ============================================================
16:55:54.0577 7168 ============================================================
16:55:54.0577 7168 Scan started
16:55:54.0577 7168 Mode: Manual; TDLFS;
16:55:54.0577 7168 ============================================================
16:55:55.0779 7168 ================ Scan system memory ========================
16:55:55.0779 7168 System memory - ok
16:55:58.0337 7168 ================ Scan global ===============================
16:55:58.0337 7168 [Global] - ok
16:55:58.0337 7168 ================ Scan MBR ==================================
16:55:58.0353 7168 [ A36C5E4F47E84449FF07ED3517B43A31 ] \Device\Harddisk0\DR0
16:55:58.0743 7168 \Device\Harddisk0\DR0 - ok
16:55:58.0743 7168 ================ Scan VBR ==================================
16:55:58.0774 7168 [ 9943F20D3A9A8E46F891A501AF3B844E ] \Device\Harddisk0\DR0\Partition1
16:55:58.0774 7168 \Device\Harddisk0\DR0\Partition1 - ok
16:55:58.0774 7168 [ ABA4CAB8CE85EDF27870E744F4A16790 ] \Device\Harddisk0\DR0\Partition2
16:55:58.0774 7168 \Device\Harddisk0\DR0\Partition2 - ok
16:55:58.0774 7168 ============================================================
16:55:58.0774 7168 Scan finished
16:55:58.0774 7168 ============================================================
16:55:58.0789 8048 Detected object count: 0
16:55:58.0789 8048 Actual detected object count: 0
16:57:04.0216 6816 Deinitialize success


aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-10-04 16:17:08
-----------------------------
16:17:08.456 OS Version: Windows 6.1.7600
16:17:08.456 Number of processors: 4 586 0x2505
16:17:08.456 ComputerName: xxxxxx UserName: xxxxxx
16:17:21.485 Initialize success
16:19:00.970 AVAST engine defs: 12100302
16:19:22.942 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
16:19:22.952 Disk 0 Vendor: WDC_WD25 01.0 Size: 238475MB BusType: 8
16:19:22.972 Disk 0 MBR read successfully
16:19:22.972 Disk 0 MBR scan
16:19:22.982 Disk 0 Windows 7 default MBR code
16:19:22.992 Disk 0 Partition 1 00 07 HPFS/NTFS 238173 MB offset 2048
16:19:23.032 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 300 MB offset 487780352
16:19:23.042 Disk 0 scanning sectors +488394752
16:19:23.082 Disk 0 scanning C:\Windows\system32\drivers
16:19:23.092 Service scanning
16:19:43.687 Modules scanning
16:19:44.374 Disk 0 trace - called modules:
16:19:44.389 ntkrnlpa.exe CLASSPNP.SYS disk.sys iaStor.sys halmacpi.dll
16:19:44.405 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x88186940]
16:19:44.405 3 CLASSPNP.SYS[8c80459e] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0x861fe028]
16:19:45.747 AVAST engine scan C:\Windows
16:19:45.825 AVAST engine scan C:\Windows\system32
16:19:45.840 AVAST engine scan C:\Windows\system32\drivers
16:19:45.856 AVAST engine scan C:\Users\xxxxxx
16:19:45.871 AVAST engine scan C:\ProgramData
16:19:45.871 Scan finished successfully
16:20:07.172 Disk 0 MBR has been saved successfully to "C:\Users\xxxxxx\Documents\__PERSONAL\MBR.dat"
16:20:07.219 The log file has been saved successfully to "C:\Users\xxxxxx\Documents\__PERSONAL\aswMBR.txt"


aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-10-04 16:57:59
-----------------------------
16:57:59.757 OS Version: Windows 6.1.7600
16:57:59.757 Number of processors: 4 586 0x2505
16:57:59.757 ComputerName: xxxxxx UserName: xxxxxx
16:58:01.941 Initialize success
16:58:11.988 AVAST engine defs: 12100302
16:58:16.668 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
16:58:16.683 Disk 0 Vendor: WDC_WD25 01.0 Size: 238475MB BusType: 8
16:58:16.715 Disk 0 MBR read successfully
16:58:16.715 Disk 0 MBR scan
16:58:16.715 Disk 0 Windows 7 default MBR code
16:58:16.730 Disk 0 Partition 1 00 07 HPFS/NTFS 238173 MB offset 2048
16:58:16.761 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 300 MB offset 487780352
16:58:16.777 Disk 0 scanning sectors +488394752
16:58:16.824 Disk 0 scanning C:\Windows\system32\drivers
16:58:16.839 Service scanning
16:58:39.553 Modules scanning
16:58:40.209 Disk 0 trace - called modules:
16:58:40.224 ntkrnlpa.exe CLASSPNP.SYS disk.sys iaStor.sys halmacpi.dll
16:58:40.240 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x88186940]
16:58:40.240 3 CLASSPNP.SYS[8c80459e] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0x861fe028]
16:58:41.379 AVAST engine scan C:\Windows
16:58:41.426 AVAST engine scan C:\Windows\system32
16:58:41.441 AVAST engine scan C:\Windows\system32\drivers
16:58:41.457 AVAST engine scan C:\Users\xxxxxx
16:58:41.457 AVAST engine scan C:\ProgramData
16:58:41.472 Scan finished successfully
16:58:59.475 Disk 0 MBR has been saved successfully to "C:\Users\xxxxxx\Documents\__PERSONAL\AV\MBR.dat"
16:58:59.475 The log file has been saved successfully to "C:\Users\xxxxxx\Documents\__PERSONAL\AV\aswMBR.txt"


The ESET Online Scanner didn't find any threats (I got a message saying "No threats found"). It took 41 minutes 39 seconds to scan my machine and scanned 129,158 files. Although please see my original post for the four infected files that it found when I scanned using ESET earlier today. Also note that I haven't restarted my machine since the first ESET scan. Does this mean my machine is clean, or do you think I should restart my machine and run ESET again?

One other thing: when I closed the ESET scan window, I got a "Program Compatibility Assistant" window pop up and say that "This program might not have installed correctly" and "If this program didn't install correctly, try reinstalling using settings that are compatible with this version of Windows." It then listed the Program: ESET Smart Installer; the Publisher: ESET and the Location on my C drive where it installed it. It gave me two options. Either: "Reinstall using recommended settings" or "This program installed correctly" or a "Cancel" button. The Scanner seemed to work normally. I don't know whether this "Program Compatibility Assistant" came up because I had already run the ESET scan earlier today, or whether this indicates that the scan might not have worked properly.

Many thanks

Edited by Albany_, 04 October 2012 - 11:54 AM.


#4 narenxp


Posted 04 October 2012 - 01:30 PM

Download

Malwarebytes

Install, update and run a full scan.

Click on Show results. Right click on the list, select all and remove them.

Post the generated log here.

Download

mini toolbox

Checkmark following boxes:

Flush DNS
Report IE Proxy Settings
Reset IE Proxy Settings
Report FF Proxy Settings
Reset FF Proxy Settings
List content of Hosts
List IP configuration
List Winsock Entries
List last 10 Event Viewer log
List Installed Programs
List Users, Partitions and Memory size
List restore points

Click Go and post the result.

Download

FSS

Checkmark all the boxes

Click on "Scan".
Please copy and paste the log to your reply.

Download

adware cleaner

Launch it and click on Delete.

A log should be generated after the scan; post it here.

Download

Junkware removal tool

Right click on the tool and select Run as administrator. After the scan gets completed, post the generated log here.

Edited by narenxp, 04 October 2012 - 05:38 PM.


#5 Albany_


Posted 04 October 2012 - 05:38 PM

Hi narenxp

Thanks for following up.

I had actually tried installing Malwarebytes previously (before posting my initial post here), but I get an error message when trying to install it. A window pops up that says:

C:\ProgramFiles\Malwarebytes' Anti-Malware\Chameleon\svchost.exe

An error occurred while trying to rename a file in the destination directory:
MoveFile failed; code 5.
Access is denied.

Click Retry to try again, Ignore to skip this file (not recommended), or Abort to cancel installation.


There are then three buttons you can select: "Abort", "Retry" or "Ignore".

Any idea what I should do?

Many thanks

#6 narenxp


Posted 04 October 2012 - 05:52 PM

Boot into safemode with networking

Download UNHIDE

http://www.bleepingcomputer.com/download/unhide/

Run this tool. Now you should be able to install Malwarebytes.

#7 Albany_


Posted 04 October 2012 - 06:01 PM

Hi

As mentioned in my initial post, unfortunately, because of the BitLocker Drive Encryption software that is installed on my machine (it's a work laptop), I can't start it up in "safe mode" (because I don't have access to the "BitLocker recovery key" that you need to put the machine into safe mode).

Is there another way of getting Malwarebytes to install?

#8 narenxp


Posted 04 October 2012 - 06:04 PM

Run the UNHIDE tool in normal mode

#9 Albany_


Posted 04 October 2012 - 06:20 PM

I ran the UNHIDE tool in normal mode, but it still won't let me install Malwarebytes. I also tried restarting my machine, but I'm still getting the same error message as above.

#10 narenxp


Posted 04 October 2012 - 06:35 PM

Download

Windows repair tool

Extract and launch the Repair_Windows.exe file.

Click on the Start repairs tab, then click on Start.

Checkmark the following options alone:

Reset registry permissions
Reset file permissions

Checkmark the Restart System When Finished option and click the Start button.

The system should restart after the repair.

Try to install now.

#11 Albany_


Posted 05 October 2012 - 03:43 AM

Hi

I carried out your instructions and ran the Windows repair tool for the two options you highlighted. However I am still getting the same error message when trying to install Malwarebytes.

Is it essential to use Malwarebytes (i.e. can't I use all of the other software you've suggested)? Or does the fact that I can't install Malwarebytes suggest that there is something wrong on my machine?

Many thanks for your continued help.

#12 narenxp


Posted 05 October 2012 - 05:08 AM

Download

http://www.bleepingcomputer.com/download/rkill/

Run it and after the scan finishes, post the contents of the RKILL log located on the desktop here.

Can you change the install location of Malwarebytes? Install it in the C drive and see if it gets installed.

#13 Albany_


Posted 05 October 2012 - 05:27 AM

I moved the mbam-setup file to the main C drive folder, but unfortunately I'm still getting the same error message when trying to install it.


Here's the RKill log:

Rkill 2.4.3 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2012 BleepingComputer.com
More Information about Rkill can be found at this link:
http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 10/05/2012 11:24:00 AM in x86 mode.
Windows Version: Windows 7 Enterprise

Checking for Windows services to stop:

* No malware services found to stop.

Checking for processes to terminate:

* No malware processes found to kill.

Checking Registry for malware related settings:

* No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

* System Restore Disabled

[HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]
"DisableSR" = dword:00000001

Checking Windows Service Integrity:

* No issues found.

Searching for Missing Digital Signatures:

* No issues found.

Checking HOSTS File:

* HOSTS file entries found:

10.2.1.80 xxxxxxxxxx

Program finished at: 10/05/2012 11:24:18 AM
Execution time: 0 hours(s), 0 minute(s), and 17 seconds(s)

Edited by Albany_, 05 October 2012 - 06:41 AM.
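An added, read-only triage script (not from the thread or from any of the tools named in it) that re-checks on the affected laptop the items RKill and MiniToolBox report: the System Restore policy value RKill flagged, non-default HOSTS entries, the IE proxy settings, executables dropped directly in C:\ProgramData (where ESET found ubmohibp.exe), and whether the quarantined paths are still present. It assumes the masked username in the ESET log corresponds to the current user's profile, and it changes nothing on the machine.

```powershell
# Added triage script; run from an elevated PowerShell prompt. It only reads.
$findings = @()

# 1. System Restore policy. RKill showed DisableSR = dword:00000001 under this
#    key. On a domain laptop that may be a deliberate GPO setting, so report it
#    rather than reset it.
$srKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore'
$sr = Get-ItemProperty -Path $srKey -Name DisableSR -ErrorAction SilentlyContinue
if ($sr -and $sr.DisableSR -eq 1) {
    $findings += "System Restore disabled by policy ($srKey\DisableSR = 1); confirm with IT that this is intended"
}

# 2. HOSTS file: anything that is not a comment or a loopback entry is worth a look
#    (RKill listed one entry pointing at an internal 10.x address).
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
foreach ($raw in (Get-Content -Path $hostsPath -ErrorAction SilentlyContinue)) {
    $line = $raw.Trim()
    if ($line -and -not $line.StartsWith('#') -and $line -notmatch '^(127\.0\.0\.1|::1)\s') {
        $findings += "HOSTS entry: $line"
    }
}

# 3. IE proxy settings, the same values MiniToolBox's "Report IE Proxy Settings" shows.
$ieKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$ie = Get-ItemProperty -Path $ieKey -ErrorAction SilentlyContinue
if ($ie -and $ie.ProxyEnable -eq 1) { $findings += "IE proxy enabled: $($ie.ProxyServer)" }
if ($ie -and $ie.AutoConfigURL)      { $findings += "IE auto-config URL set: $($ie.AutoConfigURL)" }

# 4. Weelsof dropped a randomly named .exe straight into C:\ProgramData. Executables
#    sitting in that folder's root (not in a vendor subfolder) are unusual on a
#    managed workstation, so list every one of them.
Get-ChildItem -Path 'C:\ProgramData' -Filter '*.exe' -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer } |
    ForEach-Object { $findings += "Executable in ProgramData root: $($_.FullName) ($($_.LastWriteTime))" }

# 5. Paths ESET reported as cleaned. The profile name is masked in the thread, so
#    the current user's Temp folder is substituted here (an assumption).
$quarantined = @(
    'C:\ProgramData\ubmohibp.exe',
    (Join-Path $env:LOCALAPPDATA 'Temp\GL4RHyq.exe'),
    (Join-Path $env:LOCALAPPDATA 'Temp\ICReinstall\cnet_wrar401_exe.exe')
)
foreach ($p in $quarantined) {
    if (Test-Path -LiteralPath $p) { $findings += "Still present: $p" }
}

if ($findings.Count -eq 0) { 'No findings.' } else { $findings }
```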


#14 Albany_


Posted 05 October 2012 - 05:29 AM

Apologies, I see what you mean now about the install location for Malwarebytes. I just tried installing it again and during the installation process selected the C drive as the location, but still getting the same error message.

#15 narenxp


Posted 05 October 2012 - 05:52 AM

I guess your security software or the encryption software is blocking the installation. Have you faced this error before for any other software?

Download

mini toolbox

Checkmark following boxes:

Flush DNS
Report IE Proxy Settings
Reset IE Proxy Settings
Report FF Proxy Settings
Reset FF Proxy Settings
List content of Hosts
List IP configuration
List Winsock Entries
List last 10 Event Viewer log
List Installed Programs
List Users, Partitions and Memory size
List restore points

Click Go and post the result.

Download

FSS

Checkmark all the boxes

Click on "Scan".
Please copy and paste the log to your reply.

Download

adware cleaner

Launch it and click on Delete.

A log should be generated after the scan; post it here.

Download

Junkware removal tool

Right click on the tool and select Run as administrator.

After the scan gets completed, post the generated log here.



