I'm lost for words to be honest, 6th time fighting off infection


33 replies to this topic

#1 NematodeSWAG

  • Members
  • 38 posts
  • Gender:Male

Posted 24 October 2012 - 02:59 AM

So I've had an ongoing problem of infections for quite a while. To be honest, I think it's more than the 6th time my computer has been infected after it was "repaired." I've been having Geek Squad do the repairs because I have the tech support service with them. They can't seem to do the job at all, because I literally had it "repaired" at the beginning of last week and now I'm already starting to see signs of infection. I may possibly just be paranoid from having so many infections. I don't know though, I just need help.

I've had plenty of time looking through my computer's registry and reading keys; do note I've done no modification to them at all. And from what I can see, with the little education I have, my registry is still looking infected. I have a few programs that were old and had been uninstalled in the past but are still listed on my computer. Lots of use of svchost.exe and rundll32; services depend on RPC.

If you have any other questions, just ask me. I'm willing to cooperate and get this all sorted out.

Thank you, Jay


#2 noknojon

  • Banned
  • 10,871 posts
  • Gender:Not Telling

Posted 24 October 2012 - 05:25 AM

Quote: "I'm already starting to see signs of infection."

Hello and Welcome -
Can you please be a bit more specific with your statement - for example: redirects, advertising popups, not able to access sites, etc. -

A few basic scans first to see if there are any infections showing as present -

Download, Install and Update Malwarebytes Anti-Malware Free. If you have the program already, just Update and run a Quick scan -
Post the scan log back here -
Download, Install and Update SUPERAntiSpyware Free. If you have the program already, just Update and run a Quick scan -
Post the scan log back here -

Click on the following link to open ESET OnlineScan
You may be prompted to disable any antivirus programs for this to run - Download ESET online Scanner this will take quite a while to load the base program and then the updated definitions -
Post any results back here -

Download Security Check by Screen317 from HERE or HERE, and save it to your Desktop.
* Double-click SecurityCheck.exe
* Follow the onscreen instructions inside of the black box.
* A Notepad document should open automatically called checkup.txt; please post the contents of that document.
Note: If a security program requests permission to access the Internet, allow it to do so.

Download AdwCleaner (Vista and Win7: right-click and Run it as Admin) - Click the Delete button, allow it to run, and post the log it creates.
AdwCleaner

Thank You -

#3 NematodeSWAG (Topic Starter)

  • Members
  • 38 posts
  • Gender:Male

Posted 24 October 2012 - 07:20 AM

Best way to specify is that I can see a lot of programs running from svchost.exe as replaced services. I don't have any redirects that I've noticed. And as for pop ups, I have none.


Malwarebytes Anti-Malware 1.65.1.1000
www.malwarebytes.org

Database version: v2012.10.24.04

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Jay :: JAY-HP [administrator]

10/24/2012 7:06:03 AM
mbam-log-2012-10-24 (07-10-24).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P
Scan options disabled:
Objects scanned: 246152
Time elapsed: 3 minute(s), 43 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 2
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowSearch (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> No action taken.
HKCU\SOFTWARE\Policies\Microsoft\Internet Explorer\control panel|Homepage (PUM.Hijack.HomePageControl) -> Bad: (1) Good: (0) -> No action taken.

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 10/24/2012 at 07:17 AM

Application Version : 5.6.1012

Core Rules Database Version : 9462
Trace Rules Database Version: 7274

Scan type : Quick Scan
Total Scan Time : 00:04:38

Operating System Information
Windows 7 Home Premium 64-bit, Service Pack 1 (Build 6.01.7601)
UAC On - Limited User

Memory items scanned : 728
Memory threats detected : 0
Registry items scanned : 61486
Registry threats detected : 2
File items scanned : 10878
File threats detected : 2

Security.HiJack[ImageFileExecutionOptions]
(x86) HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NOTEPAD.EXE
(x86) HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NOTEPAD.EXE#Debugger

Adware.Tracking Cookie
C:\Users\Jay\AppData\Roaming\Microsoft\Windows\Cookies\21DKK0RF.txt [ /atdmt.combing.com ]
C:\Users\Jay\AppData\Roaming\Microsoft\Windows\Cookies\7WYU0BJC.txt [ /atdmt.com ]

#4 NematodeSWAG (Topic Starter)

  • Members
  • 38 posts
  • Gender:Male

Posted 24 October 2012 - 07:31 AM

Doing the ESET and other tasks right now, I'll upload them in a bit.

#5 NematodeSWAG (Topic Starter)

  • Members
  • 38 posts
  • Gender:Male

Posted 24 October 2012 - 10:00 AM

So the ESET online scanner has been "scanning" for almost over 2 hours; it jumped from 10% to 99% and has been at 99% for well over the majority of the 2 hours. Should I abort and try to scan it again?

#6 NematodeSWAG (Topic Starter)

  • Members
  • 38 posts
  • Gender:Male

Posted 24 October 2012 - 10:12 AM

Results of screen317's Security Check version 0.99.53
Windows 7 Service Pack 1 x64 (UAC is enabled)
Internet Explorer 9
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Enabled!
Webroot SecureAnywhere
Antivirus up to date!
`````````Anti-malware/Other Utilities Check:`````````
MVPS Hosts File
SpywareBlaster 4.6
Spybot - Search & Destroy
Secunia PSI (3.0.0.4001)
Malwarebytes Anti-Malware version 1.65.1.1000
Java 7 Update 9
Adobe Flash Player 11.4.402.287
Mozilla Firefox (16.0.1)
````````Process Check: objlist.exe by Laurent````````
ESET ESET Online Scanner OnlineScannerApp.exe
ESET ESET Online Scanner OnlineCmdLineScanner.exe
IObit IObit Malware Fighter IMFsrv.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C: 0%
````````````````````End of Log``````````````````````

#7 NematodeSWAG (Topic Starter)

  • Members
  • 38 posts
  • Gender:Male

Posted 24 October 2012 - 10:33 AM

# AdwCleaner v2.005 - Logfile created 10/24/2012 at 10:25:11
# Updated 14/10/2012 by Xplode
# Operating system : Windows 7 Home Premium Service Pack 1 (64 bits)
# User : Jay - JAY-HP
# Boot Mode : Normal
# Running from : C:\Users\Jay\S&D Download Scanner\adwcleaner.exe
# Option [Delete]


***** [Services] *****


***** [Files / Folders] *****


***** [Registry] *****

Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\incredibar.com
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\incredibar.com
Key Deleted : HKCU\Software\Softonic
Key Deleted : HKCU\Software\StartSearch
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{2FA28606-DE77-4029-AF96-B231E3B8F827}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\incredibar.com
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\incredibar.com
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{79FB5FC8-44B9-4AF5-BADD-CCE547F953E5}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{2FA28606-DE77-4029-AF96-B231E3B8F827}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{2FA28606-DE77-4029-AF96-B231E3B8F827}
Value Deleted : HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel [Homepage]

***** [Internet Browsers] *****

-\\ Internet Explorer v9.0.8112.16421

[OK] Registry is clean.

-\\ Mozilla Firefox v16.0.1 (en-US)

Profile name : default-1349443467415 [Profil par défaut]
File : C:\Users\Jay\AppData\Roaming\Mozilla\Firefox\Profiles\xne9xznh.default-1349443467415\prefs.js

C:\Users\Jay\AppData\Roaming\Mozilla\Firefox\Profiles\xne9xznh.default-1349443467415\user.js ... Deleted !

[OK] File is clean.

*************************

AdwCleaner[S2].txt - [2262 octets] - [24/10/2012 10:25:11]

########## EOF - C:\AdwCleaner[S2].txt - [2322 octets] ##########

#8 noknojon

  • Banned
  • 10,871 posts
  • Gender:Not Telling

Posted 24 October 2012 - 01:58 PM

Hi -
You can re-run and remove all the items listed in the Malwarebytes scan and the SUPERAntiSpyware scan -
Keep both these programs on your desktop and Update and run a Quick scan with them every second or third day -

The small items like incredibar.com removed by AdwCleaner are not major infections, but they are advertising add-ons and not required -

Your Webroot Antivirus is a good program, so keep it updated and running -

The ESET online scanner can take about 2+ hours for a first run, but cancel out after 3 hours if it is not finished -
How to view the ESET Online Scanner log file - ESET online FAQ is located HERE
The ESET Online Scanner saves a log file after running, which can be examined or sent in to ESET for further analysis.
The path to the log file is "C:\Program Files\EsetOnlineScanner\log.txt". You can view this file by navigating to the directory and double-clicking it in Windows Explorer, or by copying and pasting the path specification above (including the quotation marks) into the Start → Run dialog box from the Start Menu on the desktop.

After it finishes, Download TFC (Temp File Cleaner) by OldTimer from http://oldtimer.geekstogo.com/TFC.exe to your desktop.
Double-click TFC.exe to run it.
Note: If you are running on Vista, or Win 7, right-click on the file and choose Run As Administrator
TFC will close all programs when run, so make sure you have saved all your work before you begin.
* Click the Start button to begin the cleaning process.
* Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two.
* Please let TFC run uninterrupted until it is finished.
Once TFC is finished it should restart your computer. If it does not, please manually restart the computer yourself to ensure a complete cleaning.
Run this once or twice a week just to Deep Clean all Temp Files

All other programs seem to be up to date and working OK at this time -

So far there are only a few smaller infections and they have all been picked up and can be or have been removed -

Post back if you still have problems or think there is still an issue -

Thank You -

#9 NematodeSWAG (Topic Starter)

  • Members
  • 38 posts
  • Gender:Male

Posted 24 October 2012 - 02:27 PM

After the last ESET scan that I performed, the log file didn't update; I was only able to copy the directories of the files it detected. Should I post that?

And as for my Webroot, how exactly is the install directory supposed to look for it? All I have is this "C:\Program Files\Webroot\WRSA.exe" I know that it's a cloud service but I just wanted to make sure.

I feel like we might have missed something though, to be honest. Like, I've seen .dll, .sys, and .db files with created-by and modified-on dates that were clearly not true, and some of these have different signatures. I don't know, please be honest and tell me if I'm just being paranoid. I just want this whole situation put to rest. I'll run the tasks you listed and get back to you if things aren't looking up. Thank you very much so far though.

#10 noknojon

  • Banned
  • 10,871 posts
  • Gender:Not Telling

Posted 24 October 2012 - 02:40 PM

Hi -
If there are infections listed in the ESET log, please list them, however if the log is clean do not worry -

We are only looking to see if there are infections, if none are listed then do not bother -
Just post whether the log was clean, or post the infections found and removed -

Thank You -

#11 noknojon

  • Banned
  • 10,871 posts
  • Gender:Not Telling

Posted 24 October 2012 - 02:52 PM

Hello - A few extra minor details for you -
Log section - Webroot Community Please read some information on the Webroot logs here -
Please join the Community Forums - Webroot Community as they provide full help with your Antivirus program, and can answer all your detailed / specific questions on your program -
I always prefer you to go to the forum for your specific program when it is better -

Thanks -
EDIT -
Installation Folder and File Locations - Webroot Community
These details are available via Webroot Community site, as are many other details -


Edited by noknojon, 24 October 2012 - 02:57 PM.


#12 NematodeSWAG (Topic Starter)

  • Members
  • 38 posts
  • Gender:Male

Posted 24 October 2012 - 04:14 PM

ESET Log

C:\$RECYCLE.BIN\S-1-5-21-4208437862-220825810-744496597-1000\$R4Q0MZW.exe Win32/OpenCandy application
C:\Program Files (x86)\Vuze\bunndle.zip a variant of Win32/Bunndle application
C:\Users\Jay\Documents\Vuze Downloads\DAEMON Tools Pro Advanced 5.0.0316.0317 (2012) [MULTi][WwW.ZoNaTorrent.CoM]\DAEMON Tools Pro Advanced 5.0.0316.0317 (2012) [MULTi][WwW.ZoNaTorrent.CoM]\DAEMONToolsPro500316-0317.exe Win32/OpenCandy application
C:\Users\Jay\Documents\Vuze Downloads\Daemon.Tools.Pro.Advanced.v5.1.0.333.Multilingual.Cracked.6000th.Release-BRD\Setup\DAEMONToolsPro510-0333.exe Win32/OpenCandy application
C:\Users\Jay\Documents\Vuze Downloads\Image-Line.FL.Studio.Edition.v10.0.0 @vAin4us\flstudio_10.0.exe Win32/OpenCandy application
C:\Users\Jay\Documents\Vuze Downloads\Stardock ObjectDock Plus v2.0\keygen.exe a variant of Win32/HackTool.Patcher.J application
C:\Users\Jay\Documents\Vuze Downloads\Stardock ObjectDock Plus v2.0\keygen.rar a variant of Win32/HackTool.Patcher.J application
C:\Users\Jay\S&D Download Scanner\driver_fusion_1.2.0.exe Win32/OpenCandy application


I know for a fact that flstudio_10.0.exe is safe, yes I downloaded it via torrent. I've had that specific torrent for a very, very long time though. Since well before I started having serious infection issues.

#13 noknojon

  • Banned
  • 10,871 posts
  • Gender:Not Telling

Posted 24 October 2012 - 04:47 PM

Hi -
OpenCandy application is only one step above incredibar as Advertising infection, they both now seem to be removed -

My concern is with HackTool.Patcher.J application as being a more serious infection, and I am glad these entries were removed.
I do think this was the main problem that you had, and can you see any improvement now that it is gone !!

If the system is not any better I can leave instructions for a full Malware Forum removal procedure, as we can not generate some logs in this area -
Please run normally for 1 hour, browse, surf the internet and play a game then tell me if things are any better now - They should be -

If any problem appears, please post it back as soon as you notice it - Please stay off Torrent sites if you can, as this is where it comes from -

Thank You -
EDIT - My Antivirus / Antimalware gave a warning for flstudio_10.0.exe as I was checking it on one site, but it was only a warning -
Personally I would not have it, or it may have been the program version from the particular Torrent site I was viewing ???

Edited by noknojon, 24 October 2012 - 05:01 PM.


#14 NematodeSWAG (Topic Starter)

  • Members
  • 38 posts
  • Gender:Male

Posted 24 October 2012 - 05:01 PM

Thank you soooo much so far noknojon

I'll do just what you said, including the bit about the torrent sites....it's seriously not worth it man. I understand you are the expert out of the two of us, but the issues that I myself have seen aren't fixed. For instance, the plethora of .dll files that run through "svchost.exe -k netsvcs" and many others. And I had found a registry key that was stating that after each reboot, the registry rolls back to its previous state and continuously backs itself up. I'm going to try and find it again, and without altering anything, maybe something like that can shed some light. Idk, please don't take this the wrong way, I'm very grateful for what you've done so far. I'm just EXTREMELY paranoid and downright fed up with being someone else's bleep via my computer and network.
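Two things in this thread can be checked read-only rather than by eyeballing the registry: the Image File Execution Options "Debugger" value that SUPERAntiSpyware flagged under NOTEPAD.EXE in post #3 (a Debugger value makes Windows launch the named program in place of that image every time it starts), and the DLLs behind "svchost.exe -k netsvcs" mentioned just above. The PowerShell script below is an added example and is not code from this thread or from any of the tools named in it; it assumes Windows 7 or later with PowerShell 3.0 or later, changes nothing, and the function names Get-IfeoDebuggers and Get-NetsvcsServiceDlls are my own.

```powershell
# Added example, not from the thread or from any tool mentioned in it.
# Read-only audit of two locations that came up in this discussion:
#   1. Image File Execution Options "Debugger" values (the SUPERAntiSpyware
#      log flagged NOTEPAD.EXE#Debugger). Windows starts whatever program the
#      value names instead of the image itself.
#   2. Services in the "netsvcs" svchost group and the ServiceDll each loads,
#      with the Authenticode status of that DLL.
# Assumes PowerShell 3.0+ ([PSCustomObject]). Nothing is modified.

function Get-IfeoDebuggers {
    $roots = @(
        'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
    )
    foreach ($root in $roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        foreach ($key in Get-ChildItem -LiteralPath $root) {
            # Most IFEO subkeys hold harmless settings; only a Debugger value redirects execution.
            $dbg = (Get-ItemProperty -LiteralPath $key.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
            if ($dbg) {
                [PSCustomObject]@{
                    Image    = $key.PSChildName
                    Debugger = $dbg
                    Key      = $key.Name
                }
            }
        }
    }
}

function Get-NetsvcsServiceDlls {
    $groupKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'
    # netsvcs is a REG_MULTI_SZ list of service names; it can list services that are not installed.
    $names = (Get-ItemProperty -LiteralPath $groupKey -Name netsvcs -ErrorAction SilentlyContinue).netsvcs
    foreach ($name in $names) {
        $svcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$name"
        if (-not (Test-Path -LiteralPath $svcKey)) { continue }
        $params = Get-ItemProperty -LiteralPath "$svcKey\Parameters" -ErrorAction SilentlyContinue
        if (-not $params -or -not $params.ServiceDll) { continue }
        # ServiceDll is REG_EXPAND_SZ; expand in case the provider returned it raw.
        $dll    = [Environment]::ExpandEnvironmentVariables($params.ServiceDll)
        $status = 'file missing'
        $signer = ''
        if (Test-Path -LiteralPath $dll) {
            $sig    = Get-AuthenticodeSignature -FilePath $dll
            $status = $sig.Status
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        }
        [PSCustomObject]@{
            Service    = $name
            ServiceDll = $dll
            Signature  = $status
            Signer     = $signer
        }
    }
}

'=== IFEO subkeys carrying a Debugger value ==='
Get-IfeoDebuggers | Format-Table -AutoSize
'=== netsvcs group: ServiceDll per installed service ==='
Get-NetsvcsServiceDlls | Sort-Object Signature | Format-Table -AutoSize
```

Read the output as a list to review, not a verdict: a Debugger value is legitimate when a developer or accessibility tool put it there, so compare the named path with what is actually installed before anyone removes it, and a ServiceDll whose signature is not Valid or whose path lies outside the Windows directory is the sort of entry a forum helper would want to see. On older PowerShell builds, Windows DLLs that are signed only through a catalog can report NotSigned, so a NotSigned entry under %SystemRoot%\system32 is a prompt to verify with another tool rather than proof of tampering.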

#15 noknojon

  • Banned
  • 10,871 posts
  • Gender:Not Telling

Posted 24 October 2012 - 05:34 PM

No problem - :)
Post back in 1 hour or so if you can - We will just have a quick look then -

Regards -

Extra - I hope the USB situation is sorted out also -