Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Infected with Sirefef, tried to remove but still have issues


  • This topic is locked This topic is locked
31 replies to this topic

#1 ToxicTexan

ToxicTexan

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:08:21 AM

Posted 08 December 2012 - 07:12 PM

I was infected with some variant of Sirefef. It disabled my windows update, windows firewall and Microsoft security updates. I attempted to clean up my pc using trend micro housecall and Malwarebytes Anti-Malware. I also installed a Comodo firewall. After running the AntiMalware and setting up the firewall I stopped getting re-infected (i think) and my browser stopped getting hijacked/redirected, but something is still screwed up because I am unable to turn on Windows firewall and access Windows & Security Essentials updates from Microsoft.

Any help is appreciated.

DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 9.0.8112.16447 BrowserJavaVersion: 10.9.2
Run by Deanne at 17:49:26 on 2012-12-08
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.3839.1865 [GMT -6:00]
.
AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Microsoft Security Essentials *Disabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Program Files (x86)\Common Files\Comodo\launcher_service.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\Windows\system32\svchost.exe -k NetworkService
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\atieclxx.exe
C:\Windows\SYSTEM32\WISPTIS.EXE
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files\Realtek\Audio\HDA\AERTSr64.EXE
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
c:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe
C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Calendar\Service\GCalService.exe
C:\Program Files (x86)\CinemaNow\CinemaNow Media Manager\CinemanowSvc.exe
C:\Program Files\CrashPlan\CrashPlanService.exe
C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Common Files\Portrait Displays\Shared\DTSRVC.exe
C:\Program Files (x86)\Common Files\Comodo\GeekBuddyRSP.exe
C:\Windows\SysWOW64\svchost.exe -k hpdevmgmt
c:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe
C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe
C:\Program Files (x86)\PDF Complete\pdfsvc.exe
C:\Program Files (x86)\Common Files\Portrait Displays\Drivers\pdisrvc.exe
c:\Program Files (x86)\Common Files\Protexis\License Service\PsiService_2.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\svchost.exe -k HPService
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\SYSTEM32\WISPTIS.EXE
C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe
C:\Program Files (x86)\Common Files\Microsoft Shared\Ink\TabTip32.exe
C:\Windows\Explorer.EXE
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Program Files (x86)\Hewlett-Packard\HP Odometer\hpsysdrv.exe
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files (x86)\Hewlett-Packard\HP Advisor\Dock\HPAdvisorDock.exe
C:\Users\Deanne\AppData\Local\FreeScreenSharing\FreeScreenSharing.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\CrashPlan\CrashPlanTray.exe
C:\Program Files (x86)\Hp\Digital Imaging\bin\hpqtra08.exe
C:\Program Files (x86)\PictureMover\Bin\PictureMover.exe
C:\Users\Deanne\AppData\Roaming\Dropbox\bin\Dropbox.exe
C:\Program Files (x86)\Hp\HP Software Update\hpwuschd2.exe
C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe
C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin
C:\Program Files (x86)\Hewlett-Packard\HP Remote Solution\HP_Remote_Solution.exe
C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Calendar\Service\HPTouchSmartSyncCalReminderApp.exe
C:\Program Files (x86)\Hewlett-Packard\HP My Display TouchSmart Edition\OSDManager.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
c:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\SysWOW64\RunDll32.exe
C:\Program Files\iPod\bin\iPodService.exe
c:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe
C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\taskeng.exe
C:\Program Files (x86)\Hewlett-Packard\Media\Webcam\YCMMirage.exe
c:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe
C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\ehome\ehRecvr.exe
C:\Program Files (x86)\Microsoft\BingBar\7.1.361.0\SeaPort.exe
C:\Windows\system32\atieclxx.exe
C:\Windows\SYSTEM32\WISPTIS.EXE
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\SYSTEM32\WISPTIS.EXE
C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe
C:\Windows\Explorer.EXE
C:\Program Files (x86)\Common Files\Microsoft Shared\Ink\TabTip32.exe
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Program Files (x86)\Hewlett-Packard\HP Odometer\hpsysdrv.exe
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\CrashPlan\CrashPlanTray.exe
C:\Program Files (x86)\Hp\Digital Imaging\bin\hpqtra08.exe
C:\Program Files (x86)\PictureMover\Bin\PictureMover.exe
C:\Program Files (x86)\Comodo\GeekBuddy\unit_manager.exe
C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe
C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin
C:\Windows\SysWOW64\RunDll32.exe
c:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe
C:\Program Files (x86)\Hp\HP Software Update\hpwuschd2.exe
C:\Program Files (x86)\Hewlett-Packard\HP Remote Solution\HP_Remote_Solution.exe
C:\Program Files (x86)\Hewlett-Packard\HP My Display TouchSmart Edition\OSDManager.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files (x86)\Comodo\GeekBuddy\unit.exe
c:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe
C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Calendar\Service\HPTouchSmartSyncCalReminderApp.exe
c:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_110.exe
C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_110.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uWindow Title = Internet Explorer, optimized for Bing and MSN
mWinlogon: Userinit = userinit.exe,
BHO: HP Print Enhancer: {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files (x86)\Hp\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - <orphaned>
BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL
BHO: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files (x86)\Microsoft\BingBar\7.1.361.0\BingExt.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
BHO: HP Network Check Helper: {E76FD755-C1BA-4DCB-9F13-99BD91223ADE} - C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPNetworkCheck\HPNetworkCheckPlugin.dll
BHO: HP Smart BHO Class: {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files (x86)\Hp\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
TB: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} -
EB: HP Smart Web Printing: {555D4D79-4BD2-4094-A395-CFC534424A05} - C:\Program Files (x86)\Hp\Digital Imaging\Smart Web Printing\hpswp_bho.dll
EB: HP Smart Web Printing: {555D4D79-4BD2-4094-A395-CFC534424A05} - C:\Program Files (x86)\Hp\Digital Imaging\Smart Web Printing\hpswp_bho.dll
uRun: [HPAdvisorDock] C:\Program Files (x86)\Hewlett-Packard\HP Advisor\Dock\HPAdvisorDock.exe
uRun: [FreeScreenSharing] "C:\Users\Deanne\AppData\Local\FreeScreenSharing\FreeScreenSharing.exe"
uRun: [MobileDocuments] C:\Program Files (x86)\Common Files\Apple\Internet Services\ubd.exe
uRunOnce: [FlashPlayerUpdate] C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_11_4_402_265_Plugin.exe -update plugin
mRun: [PDF Complete] C:\Program Files (x86)\PDF Complete\pdfsty.exe
mRun: [StartCCC] "c:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun: [HP Software Update] c:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe
mRun: [HP Remote Solution] C:\Program Files (x86)\Hewlett-Packard\HP Remote Solution\HP_Remote_Solution.exe
mRun: [Norton Online Backup] C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuClient.exe
mRun: [DT HPO] C:\Program Files (x86)\Common Files\Portrait Displays\Shared\DT_startup.exe -HPO
mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [hpqSRMon] C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSRMon.exe
mRun: [BCSSync] "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" /DelayServices
mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun: [tvncontrol] "C:\Program Files (x86)\Common Files\Comodo\tvnserver.exe" -controlservice -slave
StartupFolder: C:\Users\Deanne\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Dropbox.lnk - C:\Users\Deanne\AppData\Roaming\Dropbox\bin\Dropbox.exe
StartupFolder: C:\Users\Deanne\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\OPENOF~1.LNK - C:\Program Files (x86)\OpenOffice.org 3\program\quickstart.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\BLUETO~1.LNK - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\CRASHP~1.LNK - C:\Program Files\CrashPlan\CrashPlanTray.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\HPDIGI~1.LNK - C:\Program Files (x86)\Hp\Digital Imaging\bin\hpqtra08.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\SNAPFI~1.LNK - C:\Program Files (x86)\PictureMover\Bin\PictureMover.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\STARTG~1.LNK - C:\Program Files (x86)\Comodo\GeekBuddy\launcher.exe
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-Explorer: NoActiveDesktopChanges = dword:1
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - C:\PROGRA~2\MICROS~1\Office14\ONBttnIE.dll/105
IE: Send image to &Bluetooth Device... - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {25510184-5A38-4A99-B273-DCA8EEF6CD08} - C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPNetworkCheck\NCLauncherFromIE.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files (x86)\Hp\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_32-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0032-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_32-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_32-windows-i586.cab
TCP: NameServer = 192.168.1.254
TCP: Interfaces\{AC042F7A-E9A8-44C4-9462-27ACA4114008} : NameServer = 8.26.56.26,156.154.70.22
TCP: Interfaces\{AC042F7A-E9A8-44C4-9462-27ACA4114008} : DHCPNameServer = 192.168.1.254
TCP: Interfaces\{E37C8F73-7085-44AF-97DA-15E2DB28BC7A} : NameServer = 8.26.56.26,156.154.70.22
TCP: Interfaces\{E37C8F73-7085-44AF-97DA-15E2DB28BC7A} : DHCPNameServer = 192.168.1.254
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
AppInit_DLLs= C:\Windows\SysWOW64\guard32.dll
SSODL: WebCheck - <orphaned>
SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL
x64-BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL
x64-BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
x64-BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL
x64-Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s
x64-Run: [hpsysdrv] c:\program files (x86)\hewlett-packard\HP odometer\hpsysdrv.exe
x64-Run: [COMODO Internet Security] "C:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h
x64-Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
x64-IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
x64-IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
x64-IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
x64-Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
x64-SSODL: WebCheck - <orphaned>
x64-SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Deanne\AppData\Roaming\Mozilla\Firefox\Profiles\fuav0843.default\
FF - plugin: C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL
FF - plugin: C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL
FF - plugin: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\4.1.10329.0\npctrlui.dll
FF - plugin: c:\Program Files (x86)\Virtual Earth 3D\npVE3D.dll
FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: C:\Users\Default\AppData\Local\HuluDesktop\instances\0.9.13.1\nphdplg.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_4_402_265.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_5_502_110.dll
FF - plugin: C:\Windows\SysWOW64\npdeployJava1.dll
FF - plugin: C:\Windows\SysWOW64\npmproxy.dll
FF - ExtSQL: !HIDDEN! 2011-08-18 23:30; smartwebprinting@hp.com; C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3
.
============= SERVICES / DRIVERS ===============
.
R0 MpFilter;Microsoft Malware Protection Driver;C:\Windows\System32\drivers\MpFilter.sys [2012-3-20 203888]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;C:\Windows\System32\drivers\cmdGuard.sys [2011-12-19 584056]
R1 cmdHlp;COMODO Internet Security Helper Driver;C:\Windows\System32\drivers\cmdhlp.sys [2011-12-19 38144]
R2 AERTFilters;Andrea RT Filters Service;C:\Program Files\Realtek\Audio\HDA\AERTSr64.exe [2010-9-24 98208]
R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\System32\atiesrxx.exe [2010-9-24 203264]
R2 CalendarSynchService;CalendarSynchService;C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Calendar\Service\GCalService.exe [2010-7-14 22072]
R2 CinemaNow Service;CinemaNow Service;C:\Program Files (x86)\CinemaNow\CinemaNow Media Manager\CinemaNowSvc.exe [2010-6-12 400368]
R2 CLPSLauncher;COMODO LPS Launcher;C:\Program Files (x86)\Common Files\Comodo\launcher_service.exe [2012-11-1 70352]
R2 CrashPlanService;CrashPlan Backup Service;C:\Program Files\CrashPlan\CrashPlanService.exe [2012-8-16 222720]
R2 GeekBuddyRSP;GeekBuddy Remote Screen Protocol;C:\Program Files (x86)\Common Files\Comodo\GeekBuddyRSP.exe [2012-10-31 1467088]
R2 HP Support Assistant Service;HP Support Assistant Service;C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\HPSA_Service.exe [2012-9-27 86528]
R2 MSSQL$JFASDATA;SQL Server (JFASDATA);C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2010-12-10 29293408]
R2 NOBU;Norton Online Backup;C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe [2010-6-1 2804568]
R2 pdfcDispatcher;PDF Document Manager;C:\Program Files (x86)\PDF Complete\pdfsvc.exe [2010-9-24 635416]
R2 PdiService;Portrait Displays SDK Service;C:\Program Files (x86)\Common Files\Portrait Displays\Drivers\pdisrvc.exe [2010-9-24 109168]
R3 AVerAVF2;AVerAVF2;C:\Windows\System32\drivers\AVerAVF2.sys [2010-11-11 1212416]
R3 BBUpdate;BBUpdate;C:\Program Files (x86)\Microsoft\BingBar\7.1.361.0\SeaPort.EXE [2012-2-10 240408]
R3 btwampfl;Bluetooth AMP USB Filter;C:\Windows\System32\drivers\btwampfl.sys [2010-9-24 340520]
R3 btwl2cap;Bluetooth L2CAP Service;C:\Windows\System32\drivers\btwl2cap.sys [2010-9-24 39464]
R3 clwvd;HP Webcam Splitter;C:\Windows\System32\drivers\clwvd.sys [2010-6-18 32880]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\System32\drivers\Rt64win7.sys [2010-9-24 331880]
R3 usbfilter;AMD USB Filter Driver;C:\Windows\System32\drivers\usbfilter.sys [2010-9-24 38456]
S2 BBSvc;BingBar Service;C:\Program Files (x86)\Microsoft\BingBar\7.1.361.0\BBSvc.EXE [2012-2-10 193816]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S3 NisDrv;Microsoft Network Inspection System;C:\Windows\System32\drivers\NisDrvWFP.sys [2012-3-20 98688]
S3 NisSrv;Microsoft Network Inspection;C:\Program Files\Microsoft Security Client\NisSrv.exe [2012-3-26 291696]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2011-6-16 59392]
S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\System32\drivers\usbaapl64.sys [2012-7-9 52736]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2011-6-14 1255736]
.
=============== Created Last 30 ================
.
2012-12-07 03:33:05 9125352 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{AEE50EAF-8212-4B76-9DC3-C1D8F6AF0A79}\mpengine.dll
2012-12-04 08:41:28 37976 ----a-w- C:\Windows\SysWow64\drivers\CFRMD.sys
2012-12-01 08:19:34 972264 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{7E8815D1-9B47-4140-B7FB-852A747445A2}\gapaengine.dll
2012-12-01 08:19:34 927800 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\NISBackup\gapaengine.dll
2012-12-01 08:19:14 9125352 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-11-25 19:17:48 -------- d-----w- C:\ProgramData\{9BF4D58B-C6D6-467B-BC5A-FD0C1278F4AF}
2012-11-14 02:01:32 -------- d-----w- C:\Program Files (x86)\Common Files\Comodo
.
==================== Find3M ====================
.
2012-12-08 22:56:05 73656 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2012-12-08 22:56:05 697272 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2012-12-04 08:41:28 37976 ----a-w- C:\Windows\inf\CFRMD\cfrmd.sys
2012-11-07 23:38:00 38144 ----a-w- C:\Windows\System32\drivers\cmdhlp.sys
2012-11-07 23:37:59 584056 ----a-w- C:\Windows\System32\drivers\cmdGuard.sys
2012-11-07 23:37:57 22736 ----a-w- C:\Windows\System32\drivers\cmderd.sys
2012-11-07 23:37:36 41240 ----a-w- C:\Windows\System32\cmdcsr.dll
2012-11-07 23:37:34 301264 ----a-w- C:\Windows\SysWow64\guard32.dll
2012-11-07 23:37:31 390392 ----a-w- C:\Windows\System32\guard64.dll
2012-10-31 06:14:50 95208 ----a-w- C:\Windows\SysWow64\WindowsAccessBridge-32.dll
2012-10-31 06:14:47 821736 ----a-w- C:\Windows\SysWow64\npdeployJava1.dll
2012-10-31 06:14:47 746984 ----a-w- C:\Windows\SysWow64\deployJava1.dll
2012-10-03 17:50:18 25480 ----a-w- C:\Windows\System32\dopdfmn7.dll
2012-10-03 17:50:16 20872 ----a-w- C:\Windows\System32\dopdfmi7.dll
2012-09-30 00:54:26 25928 ----a-w- C:\Windows\System32\drivers\mbam.sys
2012-09-18 01:30:26 47616 ----a-w- C:\Windows\SysWow64\pdf995mon64.dll
.
============= FINISH: 17:52:03.01 ===============

Attached Files


Edited by ToxicTexan, 09 December 2012 - 03:02 AM.


BC AdBot (Login to Remove)

 


#2 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Bulgaria
  • Local time:04:21 PM

Posted 08 December 2012 - 08:03 PM

Hello ToxicTexan ! Welcome to BleepingComputer Forums! :welcome:

My name is Georgi and and I will be helping you with your computer problems.

Before we begin, please note the following:
  • I will working be on your Malware issues, this may or may not, solve other issues you have with your machine.
  • The logs can take some time to research, so please be patient with me.
  • Stay with the topic until I tell you that your system is clean. Missing symptoms does not mean that everything is okay.
  • Instructions that I give are for your system only!
  • Please do not run any tools until requested ! The reason for this is so I know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.
  • Please perform all steps in the order received. If you can't understand something don't hesitate to ask.
  • Again I would like to remind you to make no further changes to your computer unless I direct you to do so. I will not help you if you do not follow my instructions.



STEP 1



Please download the latest version of TDSSKiller from here and save it to your Desktop.
  • Doubleclick on TDSSKiller.exe to run the application, then click on Change parameters.
    Posted Image
  • Put a checkmark beside loaded modules.
    Posted Image
  • A reboot will be needed to apply the changes. Do it.
  • TDSSKiller will launch automatically after the reboot. Also your computer may seem very slow and unusable. This is normal. Give it enough time to load your background programs.
  • Then click on Change parameters in TDSSKiller.
  • Check all boxes then click OK.
    Posted Image
  • Click the Start Scan button.
    Posted Image
  • The scan should take no longer than 2 minutes.
  • If a suspicious object is detected, the default action will be Skip, click on Continue.
    Posted Image
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
    Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
    Posted Image
    Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.
  • A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.


STEP 2


  • Please download RogueKiller and save to the desktop.
  • Close all windows and browsers
  • Right-click the program and select 'Run as Administrator'
  • Press the scan button.
  • A report opens on the desktop named - RKreport.txt
  • Please post it in your next reply.



Regards,
Georgi

cXfZ4wS.png


#3 ToxicTexan

ToxicTexan
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:08:21 AM

Posted 08 December 2012 - 08:51 PM

Hello Georgi, thank you for your help.

My TDSSKiller report was too long to copy/paste in my post so I have included it as an attachment.

Here is my RK report:

RogueKiller V8.3.2 [Dec 7 2012] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
Website : http://tigzy.geekstogo.com/roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Deanne [Admin rights]
Mode : Scan -- Date : 12/08/2012 19:41:25

¤¤¤ Bad processes : 1 ¤¤¤
[SUSP PATH] FreeScreenSharing.exe -- C:\Users\Deanne\AppData\Local\FreeScreenSharing\FreeScreenSharing.exe -> KILLED [TermProc]

¤¤¤ Registry Entries : 8 ¤¤¤
[RUN][SUSP PATH] HKCU\[...]\Run : FreeScreenSharing ("C:\Users\Deanne\AppData\Local\FreeScreenSharing\FreeScreenSharing.exe") -> FOUND
[RUN][SUSP PATH] HKUS\S-1-5-21-1580667454-1155120739-2748471355-1001[...]\Run : FreeScreenSharing ("C:\Users\Deanne\AppData\Local\FreeScreenSharing\FreeScreenSharing.exe") -> FOUND
[DNS] HKLM\[...]\ControlSet001\Services\Interfaces\{AC042F7A-E9A8-44C4-9462-27ACA4114008} : NameServer (8.26.56.26,156.154.70.22) -> FOUND
[DNS] HKLM\[...]\ControlSet001\Services\Interfaces\{E37C8F73-7085-44AF-97DA-15E2DB28BC7A} : NameServer (8.26.56.26,156.154.70.22) -> FOUND
[DNS] HKLM\[...]\ControlSet002\Services\Interfaces\{AC042F7A-E9A8-44C4-9462-27ACA4114008} : NameServer (8.26.56.26,156.154.70.22) -> FOUND
[DNS] HKLM\[...]\ControlSet002\Services\Interfaces\{E37C8F73-7085-44AF-97DA-15E2DB28BC7A} : NameServer (8.26.56.26,156.154.70.22) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤
[ZeroAccess][FOLDER] U : C:\Windows\Installer\{8ab922df-6a75-fa7b-8ace-d21af1b25ed3}\U --> FOUND
[ZeroAccess][FOLDER] U : C:\Windows\syswow64\config\systemprofile\AppData\Local\{8ab922df-6a75-fa7b-8ace-d21af1b25ed3}\U --> FOUND
[ZeroAccess][FOLDER] L : C:\Windows\Installer\{8ab922df-6a75-fa7b-8ace-d21af1b25ed3}\L --> FOUND
[ZeroAccess][FOLDER] L : C:\Windows\syswow64\config\systemprofile\AppData\Local\{8ab922df-6a75-fa7b-8ace-d21af1b25ed3}\L --> FOUND

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ Infection : ZeroAccess ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\Windows\system32\drivers\etc\hosts



¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: Hitachi HDS721010CLA332 SATA Disk Device +++++
--- User ---
[MBR] 9c35a5a8e59b09e7f460228971f715f2
[BSP] 6fa4784484404144d1f9a2fba4b350d1 : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 938376 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 1922000896 | Size: 15391 Mo
User = LL1 ... OK!
User != LL2 ... KO!
--- LL2 ---
[MBR] 84acb730612db91b2a01941247021b54
[BSP] 67865a069bd96bd3acb2f71b3c784b95 : Windows 7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 264071168 | Size: 300 Mo

Finished : << RKreport[1]_S_12082012_02d1941.txt >>
RKreport[1]_S_12082012_02d1941.txt

Attached Files


Edited by ToxicTexan, 09 December 2012 - 03:01 AM.


#4 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Bulgaria
  • Local time:04:21 PM

Posted 09 December 2012 - 05:15 AM

Hi ToxicTexan,



STEP 1



Please re-run RogueKiller.
Wait until Prescan has finished.
Click on Scan.
Now click on the Files tab

Place a checkmark each of these items:

[ZeroAccess][FOLDER] U : C:\Windows\Installer\{8ab922df-6a75-fa7b-8ace-d21af1b25ed3}\U --> FOUND
[ZeroAccess][FOLDER] U : C:\Windows\syswow64\config\systemprofile\AppData\Local\{8ab922df-6a75-fa7b-8ace-d21af1b25ed3}\U --> FOUND
[ZeroAccess][FOLDER] L : C:\Windows\Installer\{8ab922df-6a75-fa7b-8ace-d21af1b25ed3}\L --> FOUND
[ZeroAccess][FOLDER] L : C:\Windows\syswow64\config\systemprofile\AppData\Local\{8ab922df-6a75-fa7b-8ace-d21af1b25ed3}\L --> FOUND


Now press the Delete button.
If asked to restart the computer, please do so immediately.
When it is finished, there will be a log on your desktop called: RKreport[2].txt
Post the log in your next reply.



STEP 2



Please re-run TDSSKiller and delete the following object:

\Device\Harddisk0\DR0 ( TDSS File System ) - skipped by user



  • Doubleclick on TDSSKiller.exe to run the application, then click on Change parameters.
  • Put a checkmark beside Detect TDLFS file system .
  • Click the Start Scan button.
  • The scan should take no longer than 2 minutes.
  • From the drop-down menu choose delete ONLY for TDSS File System (if present):
    Posted Image
  • Post the log at pastebin and post the link to the log in your next reply.


Regards,
Georgi

cXfZ4wS.png


#5 ToxicTexan

ToxicTexan
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:08:21 AM

Posted 09 December 2012 - 05:22 PM

Georgi, Below is the RKreport[2]. I also wanted to mention that RougeKiller generated another report called, RKreport[3]_D_12092012_02d1601.txt. Please let me know if you need this posted as well.

My TDSSKiller report (Step2) has been posted to pastebin and can be found here: http://pastebin.com/duRvxWik
I am a new pastebin user, please let me know if I did not set it up correctly.


RougeKiller Step1 RKreport[2].txt :

RogueKiller V8.3.2 [Dec 7 2012] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
Website : http://tigzy.geekstogo.com/roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Deanne [Admin rights]
Mode : Scan -- Date : 12/09/2012 15:58:39

Bad processes : 0

Registry Entries : 8
[RUN][SUSP PATH] HKCU\[...]\Run : FreeScreenSharing ("C:\Users\Deanne\AppData\Local\FreeScreenSharing\FreeScreenSharing.exe") -> FOUND
[RUN][SUSP PATH] HKUS\S-1-5-21-1580667454-1155120739-2748471355-1001[...]\Run : FreeScreenSharing ("C:\Users\Deanne\AppData\Local\FreeScreenSharing\FreeScreenSharing.exe") -> FOUND
[DNS] HKLM\[...]\ControlSet001\Services\Interfaces\{AC042F7A-E9A8-44C4-9462-27ACA4114008} : NameServer (8.26.56.26,156.154.70.22) -> FOUND
[DNS] HKLM\[...]\ControlSet001\Services\Interfaces\{E37C8F73-7085-44AF-97DA-15E2DB28BC7A} : NameServer (8.26.56.26,156.154.70.22) -> FOUND
[DNS] HKLM\[...]\ControlSet002\Services\Interfaces\{AC042F7A-E9A8-44C4-9462-27ACA4114008} : NameServer (8.26.56.26,156.154.70.22) -> FOUND
[DNS] HKLM\[...]\ControlSet002\Services\Interfaces\{E37C8F73-7085-44AF-97DA-15E2DB28BC7A} : NameServer (8.26.56.26,156.154.70.22) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

Particular Files / Folders:
[ZeroAccess][FOLDER] U : C:\Windows\Installer\{8ab922df-6a75-fa7b-8ace-d21af1b25ed3}\U --> FOUND
[ZeroAccess][FOLDER] U : C:\Windows\syswow64\config\systemprofile\AppData\Local\{8ab922df-6a75-fa7b-8ace-d21af1b25ed3}\U --> FOUND
[ZeroAccess][FOLDER] L : C:\Windows\Installer\{8ab922df-6a75-fa7b-8ace-d21af1b25ed3}\L --> FOUND
[ZeroAccess][FOLDER] L : C:\Windows\syswow64\config\systemprofile\AppData\Local\{8ab922df-6a75-fa7b-8ace-d21af1b25ed3}\L --> FOUND

Driver : [NOT LOADED]

Infection : ZeroAccess

HOSTS File:
--> C:\Windows\system32\drivers\etc\hosts



MBR Check:

+++++ PhysicalDrive0: Hitachi HDS721010CLA332 SATA Disk Device +++++
--- User ---
[MBR] 9c35a5a8e59b09e7f460228971f715f2
[BSP] 6fa4784484404144d1f9a2fba4b350d1 : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 938376 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 1922000896 | Size: 15391 Mo
User = LL1 ... OK!
User != LL2 ... KO!
--- LL2 ---
[MBR] 84acb730612db91b2a01941247021b54
[BSP] 67865a069bd96bd3acb2f71b3c784b95 : Windows 7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 264071168 | Size: 300 Mo

Finished : << RKreport[2]_S_12092012_02d1558.txt >>
RKreport[1]_S_12082012_02d1941.txt ; RKreport[2]_S_12092012_02d1558.txt

#6 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Bulgaria
  • Local time:04:21 PM

Posted 09 December 2012 - 05:29 PM

Georgi, Below is the RKreport[2]. I also wanted to mention that RougeKiller generated another report called, RKreport[3]_D_12092012_02d1601.txt. Please let me know if you need this posted as well.



Can I see it please? :)


My TDSSKiller report (Step2) has been posted to pastebin and can be found here: http://pastebin.com/duRvxWik
I am a new pastebin user, please let me know if I did not set it up correctly.


You did it nice. Don't worry about that. :)
TDSSKiller log look a lot better.


Regards,
Georgi

cXfZ4wS.png


#7 ToxicTexan

ToxicTexan
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:08:21 AM

Posted 09 December 2012 - 05:31 PM

Yes here is RKreport[3]_D_12092012_02d1601.txt.


RogueKiller V8.3.2 [Dec 7 2012] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
Website : http://tigzy.geekstogo.com/roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Deanne [Admin rights]
Mode : Remove -- Date : 12/09/2012 16:01:17

Bad processes : 0

Registry Entries : 7
[RUN][SUSP PATH] HKCU\[...]\Run : FreeScreenSharing ("C:\Users\Deanne\AppData\Local\FreeScreenSharing\FreeScreenSharing.exe") -> DELETED
[DNS] HKLM\[...]\ControlSet001\Services\Interfaces\{AC042F7A-E9A8-44C4-9462-27ACA4114008} : NameServer (8.26.56.26,156.154.70.22) -> NOT REMOVED, USE DNSFIX
[DNS] HKLM\[...]\ControlSet001\Services\Interfaces\{E37C8F73-7085-44AF-97DA-15E2DB28BC7A} : NameServer (8.26.56.26,156.154.70.22) -> NOT REMOVED, USE DNSFIX
[DNS] HKLM\[...]\ControlSet002\Services\Interfaces\{AC042F7A-E9A8-44C4-9462-27ACA4114008} : NameServer (8.26.56.26,156.154.70.22) -> NOT REMOVED, USE DNSFIX
[DNS] HKLM\[...]\ControlSet002\Services\Interfaces\{E37C8F73-7085-44AF-97DA-15E2DB28BC7A} : NameServer (8.26.56.26,156.154.70.22) -> NOT REMOVED, USE DNSFIX
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

Particular Files / Folders:
[ZeroAccess][FOLDER] ROOT : C:\Windows\Installer\{8ab922df-6a75-fa7b-8ace-d21af1b25ed3}\U --> REMOVED
[ZeroAccess][FOLDER] ROOT : C:\Windows\syswow64\config\systemprofile\AppData\Local\{8ab922df-6a75-fa7b-8ace-d21af1b25ed3}\U --> REMOVED
[Del.Parent][FILE] 00000004.@ : C:\Windows\Installer\{8ab922df-6a75-fa7b-8ace-d21af1b25ed3}\L\00000004.@ --> REMOVED
[Del.Parent][FILE] 201d3dde : C:\Windows\Installer\{8ab922df-6a75-fa7b-8ace-d21af1b25ed3}\L\201d3dde --> REMOVED
[ZeroAccess][FOLDER] ROOT : C:\Windows\Installer\{8ab922df-6a75-fa7b-8ace-d21af1b25ed3}\L --> REMOVED
[ZeroAccess][FOLDER] ROOT : C:\Windows\syswow64\config\systemprofile\AppData\Local\{8ab922df-6a75-fa7b-8ace-d21af1b25ed3}\L --> REMOVED

Driver : [NOT LOADED]

Infection : ZeroAccess

HOSTS File:
--> C:\Windows\system32\drivers\etc\hosts



MBR Check:

+++++ PhysicalDrive0: Hitachi HDS721010CLA332 SATA Disk Device +++++
--- User ---
[MBR] 9c35a5a8e59b09e7f460228971f715f2
[BSP] 6fa4784484404144d1f9a2fba4b350d1 : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 938376 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 1922000896 | Size: 15391 Mo
User = LL1 ... OK!
User != LL2 ... KO!
--- LL2 ---
[MBR] 84acb730612db91b2a01941247021b54
[BSP] 67865a069bd96bd3acb2f71b3c784b95 : Windows 7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 264071168 | Size: 300 Mo

Finished : << RKreport[3]_D_12092012_02d1601.txt >>
RKreport[1]_S_12082012_02d1941.txt ; RKreport[2]_S_12092012_02d1558.txt ; RKreport[3]_D_12092012_02d1601.txt

#8 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Bulgaria
  • Local time:04:21 PM

Posted 09 December 2012 - 05:48 PM

Hi,


RogueKiller also removed this program from startup:

[RUN][SUSP PATH] HKCU\[...]\Run : FreeScreenSharing ("C:\Users\Deanne\AppData\Local\FreeScreenSharing\FreeScreenSharing.exe") -> DELETED

If you need it again please do the following:


Backup Your Registry




We Need to Run a Registry Script


  • Press the Windows Logo in the lower left corner of your screen.
  • In the Posted Image box, enter notepad and press Enter.
  • Highlight the contents of the following codebox, and copy and paste that text into notepad.
    Windows Registry Editor Version 5.00
    
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "FreeScreenSharing"="C:\\Users\\Deanne\\AppData\\Local\\FreeScreenSharing\\FreeScreenSharing.exe"
    
  • Select File -> Save.
  • Press the Desktop button on the left side of the save dialog.
  • In the Posted Image box, type in Fix.reg.
  • Press Posted Image.
  • Close Notepad.
  • Double click Posted Image on your desktop.
  • Press Yes if prompted by User Account Control.
  • Press Yes, and then Ok, when prompted.
  • Right click on Posted Image and choose Delete.
  • Press Yes.


Next please follow the instructions below:


  • Please download OTL from the link below:
  • Save it to your desktop/
  • Double click on the Posted Image icon on your desktop.
  • OTL should now start. Change the following settings:
    - Click on Scan All Users checkbox given at the top.Posted Image
    - Under File Scans, change File age to 90
    - Change Standard Registry to All
    - Check the boxes beside LOP Check and Purity Check
  • Copy and Paste the following code into the Posted Image textbox.
  • Don't copy the word "quoted"

    netsvcs
    msconfig
    safebootminimal
    safebootnetwork
    activex
    drivers32
    %SYSTEMDRIVE%\*.*
    %USERPROFILE%\*.*
    %USERPROFILE%\temp\*.exe
    %USERPROFILE%\AppData\Local\*.*
    %USERPROFILE%\AppData\Local\*.
    %USERPROFILE%\AppData\Local\temp\*.exe
    %USERPROFILE%\AppData\Roaming\*.*
    %USERPROFILE%\AppData\Roaming\*.
    %Public%\Documents\Fonts\*.exe
    %Public%\Documents\Config\*.exe
    %Public%\Documents\*.*
    %ProgramData%\*.*
    %ProgramData%\*.
    %CommonProgramFiles%\*.*
    %CommonProgramFiles%\ComObjects*.exe
    %commonprogramfiles(x86)%\*.*
    %ProgramFiles%\*.*
    %ProgramFiles%\*.
    %ProgramFiles(x86)%\*.*
    %ProgramFiles(x86)%\*.
    %programdata%\Microsoft\Windows\DRM\*.tmp
    %programdata%\Microsoft\Windows\DRM\*.tmp
    %AllUsersProfile%\Microsoft\Windows\DRM\*.tmp
    %AllUsersProfile%\Microsoft\Windows\DRM\*.tmp
    %systemroot%\system32\config\systemprofile\AppData\Local\*.*
    %systemroot%\system32\config\systemprofile\AppData\Roaming\*.*
    %windir%\SysWOW64\config\systemprofile\AppData\Local\*.*
    %windir%\SysWOW64\config\systemprofile\AppData\Roaming\*.*
    %windir%\ServiceProfiles\LocalService\AppData\Local\Temp\*.tlb
    %windir%\ServiceProfiles\NetworkService\AppData\Local\Temp\*.tlb
    %windir%\temp\*.exe
    %windir%\*.
    %windir%\installer\*.
    %windir%\system32\*.
    %windir%\sysnative\*.
    %Temp%\smtmp\1\*.*
    %Temp%\smtmp\2\*.*
    %Temp%\smtmp\3\*.*
    %Temp%\smtmp\4\*.*
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\syswow64\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\system32\drivers\*.sys /90
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\syswow64\drivers\*.sys /90
    %systemroot%\syswow64\drivers\*.sys /lockedfiles
    %systemroot%\system32\Spool\prtprocs\w32x86\*.dll
    %systemroot%\*. /rp /s
    %systemroot%\assembly\tmp\*.* /S /MD5
    %systemroot%\assembly\temp\*.* /S /MD5
    %systemroot%\assembly\GAC\*.ini
    %systemroot%\assembly\GAC_32\*.ini
    %systemroot%\assembly\GAC_64\*.ini
    %SystemRoot%\assembly\GAC_MSIL\*.ini
    wsSystemRoot|l,n,u,@;True;False;True;$,{ /fn
    %systemdrive%\$Recycle.Bin|@;true;true;true /fp
    HKEY_CLASSES_ROOT\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24} /s
    HKEY_CLASSES_ROOT\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1} /s
    HKEY_CURRENT_USER\Software\Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1} /s
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1} /s
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1} /s
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8} /s
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24} /s
    HKEY_CLASSES_ROOT\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F} /s
    HKEY_CLASSES_ROOT\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9} /s
    HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9} /s
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F} /s
    HKEY_CURRENT_USER\Software\Classes\clsid\{12d0253a-7c96-815c-11e0-3034bbd97cc0}] /s
    HKEY_CURRENT_USER\Software\MSOLoad /s
    bcdedit /enum all /v >C:\boot.txt /c
    >C:\commands.txt echo list vol /raw /hide /c
    /wait
    >C:\DiskReport.txt diskpart /s C:\commands.txt /raw /hide /c
    /wait
    type c:\diskreport.txt /c
    /wait
    erase c:\commands.txt /hide /c
    /wait
    erase c:\diskreport.txt /hide /c
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    consrv.dll
    services.exe
    explorer.exe
    lsass.exe
    svchost.exe
    wininit.exe
    winlogon.exe
    userinit.exe
    atapi.sys
    iaStor.sys
    serial.sys
    volsnap.sys
    disk.sys
    redbook.sys
    i8042prt.sys
    afd.sys
    netbt.sys
    csc.sys
    tcpip.sys
    dfsc.sys
    hlp.dat
    str.sys
    crexv.ocx
    /md5stop

  • Push the Posted Image button.
  • One report will open, copy and paste it in a reply here:
    • OTL.txt <-- Will be opened


Since we have different timezone between here and US we will continue tomorrow as I need some sleep now. :)



Regards,
Georgi

cXfZ4wS.png


#9 ToxicTexan

ToxicTexan
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:08:21 AM

Posted 10 December 2012 - 02:02 AM

Thank you.
I do not think FreeScreenSharing is needed so I have skipped that step.

My OTL report can be found here: http://pastebin.com/NAfg6RM0

#10 ToxicTexan

ToxicTexan
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:08:21 AM

Posted 10 December 2012 - 02:05 AM

Georgi,
The OTL scan created a second report called Extras.
I have placed a copy of this report here: http://pastebin.com/mhtqcb5J

#11 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Bulgaria
  • Local time:04:21 PM

Posted 10 December 2012 - 01:42 PM

Hi ToxicTexan,



Please temporarily disable Comodo Defense+ and Comodo Sandbox as shown below:

Posted ImagePosted Image



We need to run an OTL Fix





Regards,
Georgi

cXfZ4wS.png


#12 ToxicTexan

ToxicTexan
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:08:21 AM

Posted 10 December 2012 - 01:48 PM

Georgi,
I am away from the PC right now, but thank you and I will follow the next set of instructions later today.

#13 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Bulgaria
  • Local time:04:21 PM

Posted 10 December 2012 - 02:31 PM

Hi ToxicTexan,


Not a problem and thank you for the heads up. :)



Regards,
Georgi

cXfZ4wS.png


#14 ToxicTexan

ToxicTexan
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:08:21 AM

Posted 10 December 2012 - 11:33 PM

Here is my OTL fix report:

All processes killed
========== OTL ==========
64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{B75B229E-5675-4670-B9BE-2394AE993282}\ deleted successfully.
64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B75B229E-5675-4670-B9BE-2394AE993282}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{B75B229E-5675-4670-B9BE-2394AE993282}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B75B229E-5675-4670-B9BE-2394AE993282}\ not found.
Registry key HKEY_USERS\S-1-5-21-1580667454-1155120739-2748471355-1001\Software\Microsoft\Internet Explorer\SearchScopes\{B75B229E-5675-4670-B9BE-2394AE993282}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B75B229E-5675-4670-B9BE-2394AE993282}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5C255C8A-E604-49b4-9D64-90988571CECB}\ not found.
Registry value HKEY_USERS\S-1-5-21-1580667454-1155120739-2748471355-1001\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}\ not found.
Starting removal of ActiveX control {8AD9C840-044E-11D1-B3E9-00805F499D93}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ deleted successfully.
Registry key HKEY_USERS\.DEFAULT\SOFTWARE\Classes\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ not found.
Starting removal of ActiveX control {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_USERS\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}\ not found.
Starting removal of ActiveX control {CAFEEFAC-0016-0000-0032-ABCDEFFEDCBA}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0032-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0032-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0032-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_USERS\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0032-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0016-0000-0032-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0032-ABCDEFFEDCBA}\ not found.
Starting removal of ActiveX control {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_USERS\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ not found.
64bit-Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SafeBootMin 66842018.sys\ not found.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\66842018.sys\ deleted successfully.
64bit-Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\SafeBootNet 66842018.sys\ not found.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\66842018.sys\ deleted successfully.
C:\Windows\installer\{8ab922df-6a75-fa7b-8ace-d21af1b25ed3} folder moved successfully.
C:\Windows\SysWow64\%APPDATA%\Microsoft\Windows\IETldCache folder moved successfully.
C:\Windows\SysWow64\%APPDATA%\Microsoft\Windows folder moved successfully.
C:\Windows\SysWow64\%APPDATA%\Microsoft folder moved successfully.
C:\Windows\SysWow64\%APPDATA% folder moved successfully.
========== FILES ==========
< netsh winsock reset catalog /c >
Sucessfully reset the Winsock Catalog.
You must restart the computer in order to complete the reset.
C:\Users\Deanne\Desktop\cmd.bat deleted successfully.
C:\Users\Deanne\Desktop\cmd.txt deleted successfully.
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Users\Deanne\Desktop\cmd.bat deleted successfully.
C:\Users\Deanne\Desktop\cmd.txt deleted successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator

User: All Users

User: Deanne
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 292512297 bytes
->Java cache emptied: 3042766 bytes
->FireFox cache emptied: 355887855 bytes
->Flash cache emptied: 79046 bytes

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 56478 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: DH
->Temp folder emptied: 107771910 bytes
->Temporary Internet Files folder emptied: 69190974 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 882880132 bytes
->Flash cache emptied: 62242 bytes

User: Guest
->Temp folder emptied: 195244 bytes
->Temporary Internet Files folder emptied: 8261175 bytes
->FireFox cache emptied: 132936694 bytes
->Flash cache emptied: 42432 bytes

User: Public

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 341897376 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 282268 bytes
RecycleBin emptied: 1666643921 bytes

Total Files Cleaned = 3,683.00 mb


OTL by OldTimer - Version 3.2.69.0 log created on 12102012_190857

#15 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Bulgaria
  • Local time:04:21 PM

Posted 11 December 2012 - 01:30 PM

Hi ToxicTexan,



Let's check for leftovers.
The most of them should take no more than 5 minutes each.
Eset could take up to an hour or two depending on the size of your hard drive and the speed of your computer.
You can run these scans at night when you are not there and the computer is idle.



STEP 1


  • Please download the newest version of Malwarebytes' Anti-Malware and install it.
  • Please start the application by double-click on it's icon.
  • Once the program has loaded go to the UPDATE tab and check for updates.
  • When the update is complete, select the Scanner tab
  • Select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad.
  • Please save it to a convenient location and post the results in your next reply.



STEP 2



I'd like us to scan your machine with ESET OnlineScan


  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Run ESET Online Scanner button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image


STEP 3



Please download Farbar Service Scanner and run it on the computer with the issue.
  • Make sure that all options are checked.
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.


STEP 4


Please download MiniToolBox.exe by Farbar save it to your desktop and run it.
Checkmark all checkboxes.
Click Go and post the result (Result.txt). A copy of Result.txt will be saved in the same directory the tool is run.

Note: When using "Reset FF Proxy Settings" option Firefox should be closed !



STEP 5



Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.



Regards,
Georgi

cXfZ4wS.png





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users