HijackThis Log: Please help Diagnose


  • This topic is locked
17 replies to this topic

#1 Bumbaclot

  • Members
  • 9 posts

Posted 13 December 2012 - 07:37 AM

Hello,

I've been having a load of computer problems for the past year. I'm convinced I have some form of infection that allows a hijacker to repeatedly backdoor/alter/redirect or otherwise mess around with everything I do on my system. I recently reformatted my drives twice with fresh Windows 7 installs and that seems to do nothing. I am still a little paranoid about my computer being infected as Spybot continually finds the same infections on my system, and some of my Windows folders seem to be organized in a strange fashion and/or out of their normal place. Plus I see folders and data/log files I have never even encountered before in my 10+ years using computers. Also, I regularly suffer random operating system and software hangs that sometimes crash applications and cause other mischief.

I am puzzled as to the type of infection I have. I actually think it's a hijacker/hacker of some sort, or maybe a BIOS infection? However, when scanning with Trend Micro's HijackThis, the scan was interrupted halfway through with the message:

For some reason your system denied write access to the Hosts file. If any hijacked domains are in this file, HijackThis may NOT be able to fix this.

If that happens, you need to edit the file yourself. To do this, click Start, Run, then type:

notepad C:\Windows\System32\drivers\etc\hosts

and press Enter. Find the line(s) HijackThis reports and delete them. Save the file as 'hosts.' (with quotes), and reboot.


I am not sure what else I can say that could help you diagnose and fix my issue(s), but if you need any information just ask. This is a last resort for me as numerous antivirus applications I have tried do next to nothing. I am scared to use RogueKiller again as last time I did it broke my copy of Windows and I needed to reformat. TDSSKiller does not find infections and I am uncertain as to how to use ComboFix. I will respond as soon as I read your reply with whatever information necessary.

Thank you in advance.

EDIT: Forgot to click "Attach This File" button, haha.

Attached Files


Edited by Bumbaclot, 13 December 2012 - 07:42 AM.




#2 thisisu

  • Malware Response Team
  • 2,525 posts
  • Gender:Male
  • Location:USA

Posted 15 December 2012 - 08:17 PM

Hello Bumbaclot :)

This log is clean but do note that HiJackThis is an outdated tool. We no longer use it as there are better alternatives now.
The error message you received in HiJackThis typically points to a hijacked hosts file.

Please read: Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help which explains how to run DDS.

Regards

Edited by thisisu, 15 December 2012 - 08:18 PM.


#3 Bumbaclot
  • Topic Starter

  • Members
  • 9 posts

Posted 18 December 2012 - 04:13 PM

Sorry, replying here to avoid cluttering the forum. If you want me to create a new thread just say so.

As instructed:

DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 9.0.8112.16457 BrowserJavaVersion: 10.9.2
Run by Greg at 16:03:46 on 2012-12-18
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.4087.2118 [GMT -5:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {B140BF4E-23BB-4198-90AB-A51A4C60A69C}
SP: Microsoft Security Essentials *Enabled/Updated* {0A215EAA-0581-4E16-AA1B-9E6837E7EC21}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Spybot - Search and Destroy *Enabled/Updated* {9BC38DF1-3CCA-732D-A930-C1CA5F20A4B0}
FW: ZoneAlarm Pro Firewall *Enabled* {E6380B7E-D4B2-19F1-083E-56486607704B}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
C:\Windows\system32\svchost.exe -k RPCSS
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
C:\Windows\system32\nvvsvc.exe
C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe
C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe
c:\Program Files\Microsoft Security Client\NisSrv.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
C:\Windows\system32\taskeng.exe
C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdate.exe
C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
C:\Program Files\CheckPoint\ZAForceField\ForceField.exe
C:\Program Files (x86)\CheckPoint\ZoneAlarm\zatray.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\CheckPoint\ZoneAlarm\vsmon.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\explorer.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
mWinlogon: Userinit = userinit.exe
BHO: Zonealarm Helper Object: {2A841F7A-A014-4DA5-B6D9-8B913DFB7A8C} - C:\Program Files (x86)\Check Point Software Technologies LTD\zonealarm\1.6.7.4\bh\zonealarm.dll
BHO: Spybot-S&D IE Protection: {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files (x86)\Spybot - Search & Destroy 2\SDHelper.dll
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
BHO: ZoneAlarm Security Engine Registrar: {8A4A36C2-0535-4D2C-BD3D-496CB7EED6E3} - C:\Program Files\CheckPoint\ZAForceField\WOW64\TrustChecker\bin\TrustCheckerIEPlugin.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
TB: ZoneAlarm Security Toolbar: {438FAE3E-BDEF-44D3-AB8B-0C7C8350DF59} - C:\Program Files (x86)\Check Point Software Technologies LTD\zonealarm\1.6.7.4\zonealarmTlbr.dll
TB: ZoneAlarm Security Engine: {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - C:\Program Files\CheckPoint\ZAForceField\WOW64\TrustChecker\bin\TrustCheckerIEPlugin.dll
uRun: [Spybot-S&D Cleaning] "C:\Program Files (x86)\Spybot - Search & Destroy 2\SDCleaner.exe" /autoclean
uRun: [Steam] "C:\Program Files (x86)\Steam\steam.exe" -silent
mRun: [SDTray] "C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe"
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun: [ZoneAlarm] "C:\Program Files (x86)\CheckPoint\ZoneAlarm\zatray.exe"
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-Explorer: NoActiveDesktopChanges = dword:1
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
mPolicies-System: PromptOnSecureDesktop = dword:0
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files (x86)\Spybot - Search & Destroy 2\SDHelper.dll
.
INFO: HKCU has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
.
INFO: HKLM has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
TCP: NameServer = 209.18.47.61 209.18.47.62
TCP: Interfaces\{10CFF9B6-C45C-4213-A46A-A60B3F4A980F} : DHCPNameServer = 209.18.47.61 209.18.47.62
Notify: SDWinLogon - SDWinLogon.dll
SSODL: WebCheck - <orphaned>
x64-BHO: ZoneAlarm Security Engine Registrar: {8A4A36C2-0535-4D2C-BD3D-496CB7EED6E3} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll
x64-TB: ZoneAlarm Security Engine: {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll
x64-Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
x64-Run: [ISW] "C:\Program Files\CheckPoint\ZAForceField\ForceField.exe" /icon="hidden"
.
INFO: x64-HKLM has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
x64-SSODL: WebCheck - <orphaned>
Hosts: 127.0.0.1 www.spywareinfo.com
.
============= SERVICES / DRIVERS ===============
.
R0 MpFilter;Microsoft Malware Protection Driver;C:\Windows\System32\drivers\MpFilter.sys [2012-8-30 228768]
R2 ISWKL;ZoneAlarm LTD Toolbar ISWKL;C:\Program Files\CheckPoint\ZAForceField\ISWKL.sys [2012-11-2 33712]
R2 IswSvc;ZoneAlarm LTD Toolbar IswSvc;C:\Program Files\CheckPoint\ZAForceField\ISWSVC.exe [2012-11-2 827560]
R2 NisDrv;Microsoft Network Inspection System;C:\Windows\System32\drivers\NisDrvWFP.sys [2012-8-30 128456]
R2 SDScannerService;Spybot-S&D 2 Scanner Service;C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe [2012-12-10 1103392]
R2 SDUpdateService;Spybot-S&D 2 Updating Service;C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe [2012-12-10 1369624]
R2 SDWSCService;Spybot-S&D 2 Security Center Service;C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe [2012-12-10 168384]
R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2012-11-30 382824]
R3 NisSrv;Microsoft Network Inspection;C:\Program Files\Microsoft Security Client\NisSrv.exe [2012-9-12 368896]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\System32\drivers\Rt64win7.sys [2011-6-10 539240]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\Windows\System32\drivers\rdpvideominiport.sys [2012-12-13 19456]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2012-12-13 57856]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2012-12-10 1255736]
.
=============== Created Last 30 ================
.
2012-12-18 20:52:39 -------- d-----w- C:\Users\Greg\AppData\Roaming\CheckPoint
2012-12-18 20:52:32 -------- d-----w- C:\Program Files\CheckPoint
2012-12-18 20:51:55 -------- d-----w- C:\Program Files (x86)\Check Point Software Technologies LTD
2012-12-18 20:51:32 -------- d-----w- C:\Program Files (x86)\CheckPoint
2012-12-18 20:51:31 -------- d-----w- C:\ProgramData\CheckPoint
2012-12-18 17:39:59 9125352 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{2DE13C77-B1B5-43C7-809D-9F5CD3783B59}\mpengine.dll
2012-12-18 00:02:10 -------- d-----w- C:\Users\Greg\AppData\Roaming\.minecraft
2012-12-17 17:34:31 9125352 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-12-13 14:40:32 -------- d-----w- C:\Users\Greg\AppData\Local\Diagnostics
2012-12-13 12:01:57 388096 ----a-r- C:\Users\Greg\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2012-12-13 12:01:56 -------- d-----w- C:\Program Files (x86)\Trend Micro
2012-12-13 11:02:48 821736 ----a-w- C:\Windows\SysWow64\npDeployJava1.dll
2012-12-13 11:02:48 746984 ----a-w- C:\Windows\SysWow64\deployJava1.dll
2012-12-13 11:02:42 95208 ----a-w- C:\Windows\SysWow64\WindowsAccessBridge-32.dll
2012-12-13 10:33:57 -------- d-----w- C:\Program Files (x86)\VideoLAN
2012-12-12 20:41:01 972264 ------w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{B28D90BB-76E5-4FA8-B23D-11F5E8BD39BF}\gapaengine.dll
2012-12-12 20:39:57 -------- d-----w- C:\Program Files (x86)\Microsoft Security Client
2012-12-12 20:39:56 -------- d-----w- C:\Program Files\Microsoft Security Client
2012-12-12 07:23:52 2048 ----a-w- C:\Windows\SysWow64\tzres.dll
2012-12-12 07:22:28 9125352 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll
2012-12-12 07:22:25 9125352 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{7BF59BAA-4CD4-448C-8754-5B27449114DA}\mpengine.dll
2012-12-11 06:14:06 -------- d-----w- C:\Program Files (x86)\Steam
2012-12-11 06:14:06 -------- d-----w- C:\Program Files (x86)\Common Files\Steam
2012-12-11 06:10:02 -------- d-----w- C:\Users\Greg\AppData\Roaming\Mumble
2012-12-11 06:09:49 -------- d-----w- C:\Program Files (x86)\Mumble
2012-12-11 01:32:26 -------- d-----w- C:\Users\Greg\AppData\Roaming\NVIDIA
2012-12-11 00:42:10 -------- d-----w- C:\Program Files\CCleaner
2012-12-11 00:40:28 -------- d-----w- C:\Program Files (x86)\uTorrent
2012-12-11 00:39:33 -------- d-----w- C:\Users\Greg\AppData\Roaming\uTorrent
2012-12-11 00:23:08 -------- d-----w- C:\Program Files (x86)\Guild Wars 2
2012-12-11 00:13:20 -------- d-----w- C:\Users\Greg\AppData\Roaming\LolClient
2012-12-10 23:57:30 68616 ----a-w- C:\Windows\SysWow64\XAPOFX1_1.dll
2012-12-10 23:57:30 509448 ----a-w- C:\Windows\SysWow64\XAudio2_2.dll
2012-12-10 23:57:30 467984 ----a-w- C:\Windows\SysWow64\d3dx10_39.dll
2012-12-10 23:57:30 3851784 ----a-w- C:\Windows\SysWow64\D3DX9_39.dll
2012-12-10 23:57:30 1493528 ----a-w- C:\Windows\SysWow64\D3DCompiler_39.dll
2012-12-10 23:54:20 -------- d-----w- C:\Riot Games
2012-12-10 23:31:42 -------- d-----w- C:\Users\Greg\.swt
2012-12-10 23:24:02 -------- d-----w- C:\Users\Greg\AppData\Local\Google
2012-12-10 23:23:45 -------- d-----w- C:\Users\Greg\AppData\Local\Deployment
2012-12-10 23:23:45 -------- d-----w- C:\Users\Greg\AppData\Local\Apps
2012-12-10 23:21:58 -------- d-----w- C:\Program Files\Ventrilo
2012-12-10 23:21:37 -------- d-----w- C:\Program Files (x86)\Common Files\Wise Installation Wizard
2012-12-10 22:48:48 -------- d-----w- C:\ProgramData\Spybot - Search & Destroy
2012-12-10 22:48:42 17272 ----a-w- C:\Windows\System32\sdnclean64.exe
2012-12-10 22:48:39 -------- d-----w- C:\Program Files (x86)\Spybot - Search & Destroy 2
2012-12-10 22:47:38 -------- d-----w- C:\Windows\Panther
2012-12-10 22:47:19 -------- d-----w- C:\Users\Greg\AppData\Local\Programs
2012-12-10 22:40:59 458712 ----a-w- C:\Windows\System32\drivers\cng.sys
2012-12-10 22:40:59 340992 ----a-w- C:\Windows\System32\schannel.dll
2012-12-10 22:40:59 247808 ----a-w- C:\Windows\SysWow64\schannel.dll
2012-12-10 22:40:58 96768 ----a-w- C:\Windows\SysWow64\sspicli.dll
2012-12-10 22:40:58 307200 ----a-w- C:\Windows\System32\ncrypt.dll
2012-12-10 22:40:58 220160 ----a-w- C:\Windows\SysWow64\ncrypt.dll
2012-12-10 22:40:58 22016 ----a-w- C:\Windows\SysWow64\secur32.dll
2012-12-10 22:40:58 154480 ----a-w- C:\Windows\System32\drivers\ksecpkg.sys
2012-12-10 22:40:58 1448448 ----a-w- C:\Windows\System32\lsasrv.dll
2012-12-10 22:40:57 514560 ----a-w- C:\Windows\SysWow64\qdvd.dll
2012-12-10 22:40:57 366592 ----a-w- C:\Windows\System32\qdvd.dll
2012-12-10 21:56:48 -------- d-----w- C:\Windows\System32\SPReview
2012-12-10 21:56:43 -------- d-----w- C:\Windows\System32\EventProviders
2012-12-10 21:48:59 932352 ----a-w- C:\Windows\SysWow64\printui.dll
2012-12-10 21:47:50 529408 ----a-w- C:\Windows\System32\wbemcomn.dll
2012-12-10 21:47:50 244736 ----a-w- C:\Program Files\Windows Portable Devices\sqmapi.dll
2012-12-10 21:47:48 244736 ----a-w- C:\Windows\System32\sqmapi.dll
2012-12-10 21:46:30 902656 ----a-w- C:\Windows\System32\d2d1.dll
2012-12-10 21:46:30 739840 ----a-w- C:\Windows\SysWow64\d2d1.dll
2012-12-10 21:46:30 1139200 ----a-w- C:\Windows\System32\FntCache.dll
2012-12-10 21:37:40 -------- d-sh--w- C:\Windows\Installer
2012-12-10 21:35:55 -------- d-----w- C:\Windows\SysWow64\Wat
2012-12-10 21:35:55 -------- d-----w- C:\Windows\System32\Wat
2012-12-10 21:03:02 9728 ----a-w- C:\Windows\System32\Wdfres.dll
2012-12-10 21:03:02 785512 ----a-w- C:\Windows\System32\drivers\Wdf01000.sys
2012-12-10 21:03:02 54376 ----a-w- C:\Windows\System32\drivers\WdfLdr.sys
2012-12-10 21:03:02 2560 ----a-w- C:\Windows\System32\drivers\en-US\wdf01000.sys.mui
2012-12-10 20:54:18 279656 ------w- C:\Windows\System32\MpSigStub.exe
2012-12-10 20:50:44 -------- d-----w- C:\Program Files (x86)\NVIDIA Corporation
2012-12-10 20:50:32 890216 ----a-w- C:\Windows\System32\nvvsvc.exe
2012-12-10 20:50:32 63336 ----a-w- C:\Windows\System32\nvshext.dll
2012-12-10 20:50:32 6223208 ----a-w- C:\Windows\System32\nvcpl.dll
2012-12-10 20:50:32 3311464 ----a-w- C:\Windows\System32\nvsvc64.dll
2012-12-10 20:50:32 2557800 ----a-w- C:\Windows\System32\nvsvcr.dll
2012-12-10 20:50:32 118120 ----a-w- C:\Windows\System32\nvmctray.dll
2012-12-10 20:50:24 60776 ----a-w- C:\Windows\System32\OpenCL.dll
2012-12-10 20:50:24 52584 ----a-w- C:\Windows\SysWow64\OpenCL.dll
2012-12-10 20:50:11 -------- d-----w- C:\ProgramData\NVIDIA Corporation
2012-12-10 20:50:08 -------- d-----w- C:\Program Files\NVIDIA Corporation
2012-12-10 20:45:16 87040 ----a-w- C:\Windows\System32\drivers\WUDFPf.sys
2012-12-10 20:45:16 198656 ----a-w- C:\Windows\System32\drivers\WUDFRd.sys
2012-12-10 20:45:15 84992 ----a-w- C:\Windows\System32\WUDFSvc.dll
2012-12-10 20:45:15 744448 ----a-w- C:\Windows\System32\WUDFx.dll
2012-12-10 20:45:15 45056 ----a-w- C:\Windows\System32\WUDFCoinstaller.dll
2012-12-10 20:45:15 229888 ----a-w- C:\Windows\System32\WUDFHost.exe
2012-12-10 20:45:15 194048 ----a-w- C:\Windows\System32\WUDFPlatform.dll
2012-12-10 20:43:14 81408 ----a-w- C:\Windows\System32\imagehlp.dll
2012-12-10 20:43:14 5120 ----a-w- C:\Windows\SysWow64\wmi.dll
2012-12-10 20:43:14 5120 ----a-w- C:\Windows\System32\wmi.dll
2012-12-10 20:43:14 23408 ----a-w- C:\Windows\System32\drivers\fs_rec.sys
2012-12-10 20:43:14 159232 ----a-w- C:\Windows\SysWow64\imagehlp.dll
2012-12-10 20:40:52 95600 ----a-w- C:\Windows\System32\drivers\ksecdd.sys
2012-12-10 20:39:58 75776 ----a-w- C:\Windows\SysWow64\psisrndr.ax
2012-12-10 20:33:04 77312 ----a-w- C:\Windows\System32\packager.dll
2012-12-10 20:33:04 67072 ----a-w- C:\Windows\SysWow64\packager.dll
2012-12-10 20:29:58 2622464 ----a-w- C:\Windows\System32\wucltux.dll
2012-12-10 20:29:54 99840 ----a-w- C:\Windows\System32\wudriver.dll
2012-12-10 20:29:52 36864 ----a-w- C:\Windows\System32\wuapp.exe
2012-12-10 20:29:52 186752 ----a-w- C:\Windows\System32\wuwebv.dll
2012-12-01 03:43:52 438632 ----a-w- C:\Windows\SysWow64\nvStreaming.exe
.
==================== Find3M ====================
.
2012-12-10 22:14:26 175616 ----a-w- C:\Windows\System32\msclmd.dll
2012-12-10 22:14:26 152576 ----a-w- C:\Windows\SysWow64\msclmd.dll
2012-12-03 15:47:14 9271352 ----a-w- C:\Windows\System32\nvcuda.dll
2012-11-22 03:26:40 3149824 ----a-w- C:\Windows\System32\win32k.sys
2012-11-14 06:11:44 2312704 ----a-w- C:\Windows\System32\jscript9.dll
2012-11-14 06:04:11 1392128 ----a-w- C:\Windows\System32\wininet.dll
2012-11-14 06:02:49 1494528 ----a-w- C:\Windows\System32\inetcpl.cpl
2012-11-14 05:57:46 599040 ----a-w- C:\Windows\System32\vbscript.dll
2012-11-14 05:57:35 173056 ----a-w- C:\Windows\System32\ieUnatt.exe
2012-11-14 05:52:40 2382848 ----a-w- C:\Windows\System32\mshtml.tlb
2012-11-14 02:09:22 1800704 ----a-w- C:\Windows\SysWow64\jscript9.dll
2012-11-14 01:58:15 1427968 ----a-w- C:\Windows\SysWow64\inetcpl.cpl
2012-11-14 01:57:37 1129472 ----a-w- C:\Windows\SysWow64\wininet.dll
2012-11-14 01:49:25 142848 ----a-w- C:\Windows\SysWow64\ieUnatt.exe
2012-11-14 01:48:27 420864 ----a-w- C:\Windows\SysWow64\vbscript.dll
2012-11-14 01:44:42 2382848 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2012-11-09 05:45:09 2048 ----a-w- C:\Windows\System32\tzres.dll
2012-11-05 21:35:16 46080 ----a-w- C:\Windows\System32\atmlib.dll
2012-11-05 20:41:32 367616 ----a-w- C:\Windows\System32\atmfd.dll
2012-11-05 20:32:16 295424 ----a-w- C:\Windows\SysWow64\atmfd.dll
2012-11-05 20:32:09 34304 ----a-w- C:\Windows\SysWow64\atmlib.dll
2012-11-02 05:59:11 478208 ----a-w- C:\Windows\System32\dpnet.dll
2012-11-02 05:11:31 376832 ----a-w- C:\Windows\SysWow64\dpnet.dll
2012-11-01 20:31:48 450136 ----a-w- C:\Windows\System32\drivers\vsdatant.sys
2012-10-16 08:38:37 135168 ----a-w- C:\Windows\apppatch\AppPatch64\AcXtrnal.dll
2012-10-16 08:38:34 350208 ----a-w- C:\Windows\apppatch\AppPatch64\AcLayers.dll
2012-10-16 07:39:52 561664 ----a-w- C:\Windows\apppatch\AcLayers.dll
2012-10-09 18:17:13 55296 ----a-w- C:\Windows\System32\dhcpcsvc6.dll
2012-10-09 18:17:13 226816 ----a-w- C:\Windows\System32\dhcpcore6.dll
2012-10-09 17:40:31 44032 ----a-w- C:\Windows\SysWow64\dhcpcsvc6.dll
2012-10-09 17:40:31 193536 ----a-w- C:\Windows\SysWow64\dhcpcore6.dll
2012-10-04 17:46:16 362496 ----a-w- C:\Windows\System32\wow64win.dll
2012-10-04 17:46:15 243200 ----a-w- C:\Windows\System32\wow64.dll
2012-10-04 17:46:15 13312 ----a-w- C:\Windows\System32\wow64cpu.dll
2012-10-04 17:45:55 215040 ----a-w- C:\Windows\System32\winsrv.dll
2012-10-04 17:43:28 16384 ----a-w- C:\Windows\System32\ntvdm64.dll
2012-10-04 17:41:16 424960 ----a-w- C:\Windows\System32\KernelBase.dll
2012-10-04 16:47:41 5120 ----a-w- C:\Windows\SysWow64\wow32.dll
2012-10-04 16:47:41 274944 ----a-w- C:\Windows\SysWow64\KernelBase.dll
2012-10-04 15:21:55 338432 ----a-w- C:\Windows\System32\conhost.exe
2012-10-04 14:46:46 7680 ----a-w- C:\Windows\SysWow64\instnm.exe
2012-10-04 14:46:46 25600 ----a-w- C:\Windows\SysWow64\setup16.exe
2012-10-04 14:46:44 14336 ----a-w- C:\Windows\SysWow64\ntvdm64.dll
2012-10-04 14:46:43 2048 ----a-w- C:\Windows\SysWow64\user.exe
2012-10-04 14:41:50 6144 ---ha-w- C:\Windows\SysWow64\api-ms-win-security-base-l1-1-0.dll
2012-10-04 14:41:50 4608 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-threadpool-l1-1-0.dll
2012-10-04 14:41:50 3584 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-xstate-l1-1-0.dll
2012-10-04 14:41:50 3072 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-util-l1-1-0.dll
2012-10-03 17:56:54 1914248 ----a-w- C:\Windows\System32\drivers\tcpip.sys
2012-10-03 17:44:21 70656 ----a-w- C:\Windows\System32\nlaapi.dll
2012-10-03 17:44:21 303104 ----a-w- C:\Windows\System32\nlasvc.dll
2012-10-03 17:44:17 246272 ----a-w- C:\Windows\System32\netcorehc.dll
2012-10-03 17:44:17 18944 ----a-w- C:\Windows\System32\netevent.dll
2012-10-03 17:44:16 216576 ----a-w- C:\Windows\System32\ncsi.dll
2012-10-03 17:42:16 569344 ----a-w- C:\Windows\System32\iphlpsvc.dll
2012-10-03 16:42:24 18944 ----a-w- C:\Windows\SysWow64\netevent.dll
2012-10-03 16:42:24 175104 ----a-w- C:\Windows\SysWow64\netcorehc.dll
2012-10-03 16:42:23 156672 ----a-w- C:\Windows\SysWow64\ncsi.dll
2012-10-03 16:07:26 45568 ----a-w- C:\Windows\System32\drivers\tcpipreg.sys
2012-09-25 22:47:43 78336 ----a-w- C:\Windows\SysWow64\synceng.dll
2012-09-25 22:46:17 95744 ----a-w- C:\Windows\System32\synceng.dll
.
============= FINISH: 16:04:05.98 ===============

Help is greatly appreciated.

Attached Files
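
As an added triage example (not part of this thread and not a DDS or BleepingComputer tool), here is a small Python parser for the Hosts and mPolicies-System lines of the DDS "Pseudo HJT Report" above: it separates sinkhole-style hosts entries from entries that really redirect a name (the hijacked-hosts case thisisu refers to) and flags UAC values that differ from the Windows 7 defaults, which in this log means PromptOnSecureDesktop = 0. The default table and the second Hosts line in the sample are my own assumptions and constructed data, not anything from the log.

```python
"""Triage helper for the 'Pseudo HJT Report' section of a DDS log.

Added example (not a DDS or BleepingComputer tool). It reads the
'Hosts:' and 'mPolicies-System:' lines DDS prints and flags the two
things a log reviewer checks first: hosts-file entries that send a
domain somewhere other than a sinkhole address (the 'hijacked hosts
file' case behind HijackThis's write-access warning) and UAC policy
values that differ from the Windows 7 defaults.
"""
import ipaddress
import re
from dataclasses import dataclass, field

# Assumed Windows 7 defaults for the UAC values DDS lists under mPolicies-System.
UAC_DEFAULTS = {
    "ConsentPromptBehaviorAdmin": 5,  # prompt for consent for non-Windows binaries
    "ConsentPromptBehaviorUser": 3,   # prompt for credentials on the secure desktop
    "EnableUIADesktopToggle": 0,
    "PromptOnSecureDesktop": 1,       # UAC prompt drawn on the secure desktop
}

# Values that make the UAC prompt easier to bypass or spoof, so they get a note.
UAC_WEAKENING = {
    ("PromptOnSecureDesktop", 0),       # prompt shares the desktop with other windows
    ("ConsentPromptBehaviorAdmin", 0),  # elevate without prompting
}

HOSTS_RE = re.compile(r"^Hosts:\s+(\S+)\s+(\S+)")
POLICY_RE = re.compile(r"^mPolicies-System:\s+(\w+)\s*=\s*dword:(\d+)")


@dataclass
class Findings:
    hosts_blocks: list = field(default_factory=list)     # (ip, host) sinkholed names
    hosts_redirects: list = field(default_factory=list)  # (ip, host) real redirects
    uac_nondefault: dict = field(default_factory=dict)   # name -> (value, default)
    uac_weakening: list = field(default_factory=list)    # names found in UAC_WEAKENING


def is_sinkhole(ip_text):
    """Loopback (127.x, ::1) and unspecified (0.0.0.0) entries only block a
    name; any other address actually redirects traffic for that name."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified


def triage(report_text):
    """Scan DDS report text line by line and collect hosts/UAC findings."""
    f = Findings()
    for raw in report_text.splitlines():
        line = raw.strip()
        m = HOSTS_RE.match(line)
        if m:
            ip, host = m.groups()
            target = f.hosts_blocks if is_sinkhole(ip) else f.hosts_redirects
            target.append((ip, host))
            continue
        m = POLICY_RE.match(line)
        if m:
            name, value = m.group(1), int(m.group(2))
            default = UAC_DEFAULTS.get(name)
            if default is not None and value != default:
                f.uac_nondefault[name] = (value, default)
            if (name, value) in UAC_WEAKENING:
                f.uac_weakening.append(name)
    return f


def report(f):
    """Human-readable summary lines for a reply in the thread."""
    lines = [f"hosts entries that only block a name: {len(f.hosts_blocks)}"]
    for ip, host in f.hosts_redirects:
        lines.append(f"REDIRECT: {host} -> {ip} (not a sinkhole address, investigate)")
    for name, (value, default) in f.uac_nondefault.items():
        flag = " (weakens UAC)" if name in f.uac_weakening else ""
        lines.append(f"UAC: {name} = {value}, default {default}{flag}")
    return lines


# Constructed excerpt: the four mPolicies-System lines and the first Hosts line
# are copied from the DDS log in this thread; the second Hosts line is made up
# (TEST-NET-2 address, reserved .example domain) to show what a redirect looks like.
SAMPLE_REPORT = """\
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
mPolicies-System: PromptOnSecureDesktop = dword:0
Hosts: 127.0.0.1 www.spywareinfo.com
Hosts: 198.51.100.7 update.antivirus.example
"""

if __name__ == "__main__":
    for line in report(triage(SAMPLE_REPORT)):
        print(line)
```

Run against a full DDS log, only the Hosts and mPolicies-System lines are consulted; everything else in the report is ignored.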



#4 thisisu

  • Malware Response Team
  • 2,525 posts
  • Gender:Male
  • Location:USA

Posted 18 December 2012 - 08:35 PM

Sorry, replying here to avoid cluttering the forum.

Thanks :)

From Programs and Features (via Control Panel), please uninstall the below:
  • Java 7 Update 9 <== Outdated

__

Please download RogueKiller to your desktop.
  • Now rename RogueKiller.exe to winlogon.exe
  • Double-click winlogon.exe to run.
  • When it opens, press the Scan button
  • When the scan is finished, press the Delete button.
  • When deleting is finished, press the Fix Host button.
  • Please attach all the logs from RogueKiller located on your desktop. Ignore the RK_Quarantine folder. We will delete it later.

__

  • Please download and install CCleaner Slim
  • Open CCleaner and click the Options button
  • Now choose Advanced
  • Uncheck everything here except for Skip User Account Control warning
  • Now click the Cleaner button and press the Run Cleaner button at the bottom right of the program.
  • If this is your first time running this program, a prompt may appear asking for confirmation to delete temporary files. Go ahead and proceed.


#5 Bumbaclot
  • Topic Starter

  • Members
  • 9 posts

Posted 22 December 2012 - 03:54 PM

All right, RogueKiller found a bunch of junk and CCleaner seems to not be able to delete an IE5 temporary internet file named clients[1].txt?

Anyway, as instructed I have removed Java 7 Update 9 and the logs are attached. Thanks for the help so far.

Attached Files



#6 thisisu

  • Malware Response Team
  • 2,525 posts
  • Gender:Male
  • Location:USA

Posted 22 December 2012 - 04:04 PM

All right, RogueKiller found a bunch of junk and CCleaner seems to not be able to delete an IE5 temporary internet file named clients[1].txt?


Double-check that your browsers are closed before cleaning with CCleaner and try again. Let me know if the result is the same.

__

Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Important!! When you save the mbam-setup file, rename it to something random (such as 123abc.exe) before beginning the download.
Malwarebytes may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.

  • Make sure you are connected to the Internet and double-click on the renamed file to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • Malwarebytes will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button and continue.
  • If you cannot update Malwarebytes or use the Internet to download any files to the infected computer, manually update the database by following the instructions in FAQ Section A: 4. Issues.
  • Under the Scanner tab, make sure the "Perform Quick Scan" option is selected.
  • Click on the Scan button.
  • When the scan is complete, click OK, then click the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked and then click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows the database version and your operating system.
  • Exit Malwarebytes when done.
Note: If Malwarebytes encounters a file that is difficult to remove, you will be asked to reboot your computer so it can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally will prevent Malwarebytes from removing all the malware.

-- Some types of malware will target Malwarebytes and other security tools to keep them from running properly. If that's the case, use Malwarebytes Chameleon and follow the onscreen instructions. The Chameleon folder can be accessed by opening the program folder for Malwarebytes Anti-Malware (normally C:\Program Files\Malwarebytes' Anti-Malware or C:\Program Files (x86)\Malwarebytes' Anti-Malware).

__

Please download OTL.

  • Save it to your desktop.
  • Right mouse click on the OTL icon on your desktop and select Run as Administrator
  • Check the "Scan All Users" checkbox.
  • Check the "Standard Output".
  • Change the setting of "Drivers" and "Services" to "All"
  • Copy the text in the code box below and paste it into the Custom Scans/Fixes text-field.

    baseservices
    netsvcs
    
  • Now click the Run Scan button.
  • Two reports will be created:
    • OTL.txt <-- Will be opened
    • Extras.txt <-- Will be minimized
  • Paste the contents of OTL.txt here for me to review but attach Extras.txt

Edited by thisisu, 22 December 2012 - 04:05 PM.


#7 Bumbaclot
  • Topic Starter

  • Members
  • 9 posts

Posted 23 December 2012 - 10:39 AM

Okay, this is gettin' scary, but thanks for all your help so far thisisu.

As instructed, here is the Malwarebytes log. I used Internet Explorer to 'Save As...' the file because apparently my Google Chrome installation will no longer allow me to do that? It just automatically starts downloading to my Downloads folder.

Malwarebytes Anti-Malware (Trial) 1.65.1.1000
www.malwarebytes.org

Database version: v2012.12.23.04

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Greg :: CELESTIAN [administrator]

Protection: Enabled

12/23/2012 10:19:58 AM
mbam-log-2012-12-23 (10-19-58).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 221952
Time elapsed: 1 minute(s), 17 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 2
HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{11111111-1111-1111-1111-110011341191} (PUP.GamePlayLab) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{11111111-1111-1111-1111-110011341191} (PUP.GamePlayLab) -> Quarantined and deleted successfully.

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)


And here is the OTL.txt report:

Attached Files


Edited by thisisu, 23 December 2012 - 03:42 PM.
Attached the OTL report due to length


#8 Bumbaclot
  • Topic Starter

  • Members
  • 9 posts

Posted 23 December 2012 - 10:43 AM

Sorry this is sloppy but the OTL.txt report is massive. Here it is continued, I made sure not to skip lines:

I followed all instructions as you said when running OTL and I have not clicked 'CleanUp'; however, it might be worth mentioning that the program became unresponsive (Not Responding) briefly when "Looking at C:\Program Files\WinRAR...," but I let it sit and it eventually picked back up. If that invalidates the log files or results in any way I will be happy to rescan... re-download/rename or whatever.

Again thank you for all the help thus far!

Edited by thisisu, 23 December 2012 - 03:42 PM.
Moved OTL portion from this post to above


#9 Bumbaclot

Bumbaclot
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:10:54 PM

Posted 23 December 2012 - 10:49 AM

I would've edited my previous post to say this, but it told me the content was too long because the OTL.txt is huge. I forgot to mention that CCleaner cannot seem to delete clients[1].txt, unless it is continually recreating itself, which I assume is the case. I have made sure all browsers are closed before scanning and running CCleaner as you instructed.

Another edit: I ran OTL again, just because I was curious as to whether or not the program hanging like that was normal. The same thing happened; I also noticed that when the program became responsive again, netsvcs was gone from the Custom Scans/Fixes box. That might be normal behavior but let me know.

Edited by Bumbaclot, 23 December 2012 - 11:05 AM.


#10 thisisu

thisisu

  • Malware Response Team
  • 2,525 posts
  • OFFLINE
  • Gender:Male
  • Location:USA
  • Local time:10:54 PM

Posted 23 December 2012 - 04:04 PM

There's not really anything malicious in your logs, but I do see some event log errors of services/drivers hanging. Let's run a few more checks and see if any more information is revealed.

Please download Junkware Removal Tool to your desktop.
  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.

__

Please download AdwCleaner by Xplode onto your desktop.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Delete.
  • Confirm each time with Ok.
  • You will be prompted to restart your computer. A text file will open after the restart.
  • Please post the contents of that logfile with your next reply.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.

__

Please download Puran Defrag Free Edition to your desktop.
  • Open Puran Defrag by double-clicking the icon on your desktop.
  • Select your C: drive and choose Boot Time Defrag => Restart>Defrag>Restart
  • Follow the prompts. This process can take an hour or two. Please be patient.

__

Once Puran Defrag is finished:

Download VEW by Vino Rosso http://images.malwareremoval.com/vino/VEW.exe and save it to your desktop.
  • Double click it to start it. Note: If running Windows Vista or Windows 7 you will need to right click the file and select Run as administrator and click Continue or Allow at the User Account Control prompt.
  • Click the check boxes next to Application and System located under Select log to query on the upper left.
  • Under Select type to list on the right, click the boxes next to Error and Warning. Note: If running Windows Vista or Windows 7 also click the box next to Critical (not XP).
  • Under Number or date of events select Number of events and type 20 in the box next to 1 to 20 and click Run.
  • Once it finishes it will display a log file in Notepad.
  • Please copy and paste its entire contents into your next reply.

Edited by thisisu, 23 December 2012 - 04:06 PM.


#11 Bumbaclot

Bumbaclot
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:10:54 PM

Posted 23 December 2012 - 06:49 PM

Here is JRT.txt:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 4.2.4 (12.21.2012:3)
OS: Windows 7 Ultimate x64
Ran by Greg on Sun 12/23/2012 at 18:02:21.31
Blog: http://thisisudax.blogspot.com
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




~~~ Services



~~~ Registry Values



~~~ Registry Keys

Successfully deleted: [Registry Key] hkey_current_user\software\appdatalow\software\crossrider



~~~ Files



~~~ Folders



~~~ Event Viewer Logs were cleared





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Sun 12/23/2012 at 18:06:54.49
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


AdwCleaner:

# AdwCleaner v2.102 - Logfile created 12/23/2012 at 18:10:17
# Updated 23/12/2012 by Xplode
# Operating system : Windows 7 Ultimate Service Pack 1 (64 bits)
# User : Greg - CELESTIAN
# Boot Mode : Normal
# Running from : C:\Users\Greg\Desktop\AdwCleaner.exe
# Option [Delete]


***** [Services] *****


***** [Files / Folders] *****


***** [Registry] *****


***** [Internet Browsers] *****

-\\ Internet Explorer v9.0.8112.16457

[OK] Registry is clean.

-\\ Google Chrome v23.0.1271.97

File : C:\Users\Greg\AppData\Local\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

*************************

AdwCleaner[S1].txt - [650 octets] - [23/12/2012 18:10:17]

########## EOF - C:\AdwCleaner[S1].txt - [709 octets] ##########


And VEW:

Vino's Event Viewer v01c run on Windows 2008 in English
Report run at 23/12/2012 6:46:34 PM

Note: All dates below are in the format dd/mm/yyyy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'Application' Log - Critical Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'Application' Log - Error Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'Application' Date/Time: 23/12/2012 11:12:11 PM
Type: Error Category: 3
Event: 7010 Source: Microsoft-Windows-Search
The index cannot be initialized.

Details:
The content index catalog is corrupt. (HRESULT : 0xc0041801) (0xc0041801)


Log: 'Application' Date/Time: 23/12/2012 11:12:11 PM
Type: Error Category: 3
Event: 3058 Source: Microsoft-Windows-Search
The application cannot be initialized.

Context: Windows Application

Details:
The content index catalog is corrupt. (HRESULT : 0xc0041801) (0xc0041801)


Log: 'Application' Date/Time: 23/12/2012 11:12:11 PM
Type: Error Category: 3
Event: 3028 Source: Microsoft-Windows-Search
The gatherer object cannot be initialized.

Context: Windows Application, SystemIndex Catalog

Details:
The content index catalog is corrupt. (HRESULT : 0xc0041801) (0xc0041801)


Log: 'Application' Date/Time: 23/12/2012 11:12:11 PM
Type: Error Category: 3
Event: 3029 Source: Microsoft-Windows-Search
The plug-in in <Search.TripoliIndexer> cannot be initialized.

Context: Windows Application, SystemIndex Catalog

Details:
Element not found. (HRESULT : 0x80070490) (0x80070490)


Log: 'Application' Date/Time: 23/12/2012 11:12:11 PM
Type: Error Category: 3
Event: 3029 Source: Microsoft-Windows-Search
The plug-in in <Search.JetPropStore> cannot be initialized.

Context: Windows Application, SystemIndex Catalog

Details:
The content index catalog is corrupt. (HRESULT : 0xc0041801) (0xc0041801)


Log: 'Application' Date/Time: 23/12/2012 11:12:11 PM
Type: Error Category: 1
Event: 9002 Source: Microsoft-Windows-Search
The Windows Search Service cannot load the property store information.

Context: Windows Application, SystemIndex Catalog

Details:
The content index database is corrupt. (HRESULT : 0xc0041800) (0xc0041800)


Log: 'Application' Date/Time: 23/12/2012 11:12:11 PM
Type: Error Category: 3
Event: 7042 Source: Microsoft-Windows-Search
The Windows Search Service is being stopped because there is a problem with the indexer: The catalog is corrupt.

Details:
The content index catalog is corrupt. (HRESULT : 0xc0041801) (0xc0041801)


Log: 'Application' Date/Time: 23/12/2012 11:12:11 PM
Type: Error Category: 3
Event: 7040 Source: Microsoft-Windows-Search
The search service has detected corrupted data files in the index {id=4700}. The service will attempt to automatically correct this problem by rebuilding the index.

Details:
The content index catalog is corrupt. (HRESULT : 0xc0041801) (0xc0041801)


Log: 'Application' Date/Time: 23/12/2012 11:12:11 PM
Type: Error Category: 3
Event: 9000 Source: Microsoft-Windows-Search
The event description cannot be found.

Log: 'Application' Date/Time: 23/12/2012 11:12:11 PM
Type: Error Category: 3
Event: 455 Source: ESENT
Windows (2436) Windows: Error -1811 occurred while opening logfile C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS0000D.log.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'Application' Log - Warning Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'Application' Date/Time: 23/12/2012 11:12:41 PM
Type: Warning Category: 1
Event: 1008 Source: Microsoft-Windows-Search
The Windows Search Service is starting up and attempting to remove the old search index {Reason: Index Corruption}.


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - Critical Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - Error Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'System' Date/Time: 23/12/2012 11:38:17 PM
Type: Error Category: 0
Event: 7026 Source: Service Control Manager
The following boot-start or system-start driver(s) failed to load: cdrom

Log: 'System' Date/Time: 23/12/2012 11:37:39 PM
Type: Error Category: 0
Event: 46 Source: volmgr
Crash dump initialization failed!

Log: 'System' Date/Time: 23/12/2012 11:16:42 PM
Type: Error Category: 0
Event: 25 Source: volsnap
The shadow copies of volume C: were deleted because the shadow copy storage could not grow in time. Consider reducing the IO load on the system or choose a shadow copy storage volume that is not being shadow copied.

Log: 'System' Date/Time: 23/12/2012 11:12:38 PM
Type: Error Category: 0
Event: 7000 Source: Service Control Manager
The Windows Search service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.

Log: 'System' Date/Time: 23/12/2012 11:12:38 PM
Type: Error Category: 0
Event: 7009 Source: Service Control Manager
A timeout was reached (30000 milliseconds) while waiting for the Windows Search service to connect.

Log: 'System' Date/Time: 23/12/2012 11:12:24 PM
Type: Error Category: 0
Event: 7000 Source: Service Control Manager
The Windows Search service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.

Log: 'System' Date/Time: 23/12/2012 11:12:24 PM
Type: Error Category: 0
Event: 7009 Source: Service Control Manager
A timeout was reached (30000 milliseconds) while waiting for the Windows Search service to connect.

Log: 'System' Date/Time: 23/12/2012 11:12:24 PM
Type: Error Category: 0
Event: 7000 Source: Service Control Manager
The Windows Search service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.

Log: 'System' Date/Time: 23/12/2012 11:12:24 PM
Type: Error Category: 0
Event: 7009 Source: Service Control Manager
A timeout was reached (30000 milliseconds) while waiting for the Windows Search service to connect.

Log: 'System' Date/Time: 23/12/2012 11:12:23 PM
Type: Error Category: 0
Event: 7000 Source: Service Control Manager
The Windows Search service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.

Log: 'System' Date/Time: 23/12/2012 11:12:23 PM
Type: Error Category: 0
Event: 7009 Source: Service Control Manager
A timeout was reached (30000 milliseconds) while waiting for the Windows Search service to connect.

Log: 'System' Date/Time: 23/12/2012 11:12:23 PM
Type: Error Category: 0
Event: 7000 Source: Service Control Manager
The Windows Search service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.

Log: 'System' Date/Time: 23/12/2012 11:12:23 PM
Type: Error Category: 0
Event: 7009 Source: Service Control Manager
A timeout was reached (30000 milliseconds) while waiting for the Windows Search service to connect.

Log: 'System' Date/Time: 23/12/2012 11:12:19 PM
Type: Error Category: 0
Event: 7000 Source: Service Control Manager
The Windows Search service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.

Log: 'System' Date/Time: 23/12/2012 11:12:19 PM
Type: Error Category: 0
Event: 7009 Source: Service Control Manager
A timeout was reached (30000 milliseconds) while waiting for the Windows Search service to connect.

Log: 'System' Date/Time: 23/12/2012 11:12:18 PM
Type: Error Category: 0
Event: 7000 Source: Service Control Manager
The Windows Search service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.

Log: 'System' Date/Time: 23/12/2012 11:12:18 PM
Type: Error Category: 0
Event: 7009 Source: Service Control Manager
A timeout was reached (30000 milliseconds) while waiting for the Windows Search service to connect.

Log: 'System' Date/Time: 23/12/2012 11:12:18 PM
Type: Error Category: 0
Event: 7000 Source: Service Control Manager
The Windows Search service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.

Log: 'System' Date/Time: 23/12/2012 11:12:18 PM
Type: Error Category: 0
Event: 7009 Source: Service Control Manager
A timeout was reached (30000 milliseconds) while waiting for the Windows Search service to connect.

Log: 'System' Date/Time: 23/12/2012 11:12:18 PM
Type: Error Category: 0
Event: 7000 Source: Service Control Manager
The Windows Search service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - Warning Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'System' Date/Time: 23/12/2012 11:37:44 PM
Type: Warning Category: 212
Event: 219 Source: Microsoft-Windows-Kernel-PnP
The driver \Driver\WUDFRd failed to load for the device USB\VID_054C&PID_059B\0E4A2324151368.

Log: 'System' Date/Time: 23/12/2012 11:15:50 PM
Type: Warning Category: 212
Event: 219 Source: Microsoft-Windows-Kernel-PnP
The driver \Driver\WUDFRd failed to load for the device USB\VID_054C&PID_059B\0E4A2324151368.

Log: 'System' Date/Time: 23/12/2012 11:11:35 PM
Type: Warning Category: 212
Event: 219 Source: Microsoft-Windows-Kernel-PnP
The driver \Driver\WUDFRd failed to load for the device USB\VID_054C&PID_059B\0E4A2324151368.


RogueKiller did not fix my hosts file, if that is worth mentioning.
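As an added example (not part of the thread, and not code from VEW's author), the following parses the report layout VEW prints, as quoted above, into structured events and flags event IDs that keep repeating, which is how the Service Control Manager 7000/7009 retry loop against the Windows Search service stands out. The sample report is constructed to mirror the entries above; the field names and the repeat threshold are this example's own choices.

```python
import re
from collections import Counter

# Constructed sample in the layout VEW (Vino's Event Viewer) prints, modelled on
# the report quoted in the thread; it is not the poster's actual log.
SAMPLE_VEW = r"""~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - Error Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'System' Date/Time: 23/12/2012 11:12:38 PM
Type: Error Category: 0
Event: 7000 Source: Service Control Manager
The Windows Search service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.

Log: 'System' Date/Time: 23/12/2012 11:12:24 PM
Type: Error Category: 0
Event: 7000 Source: Service Control Manager
The Windows Search service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.

Log: 'System' Date/Time: 23/12/2012 11:12:18 PM
Type: Error Category: 0
Event: 7000 Source: Service Control Manager
The Windows Search service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.

Log: 'System' Date/Time: 23/12/2012 11:37:44 PM
Type: Warning Category: 212
Event: 219 Source: Microsoft-Windows-Kernel-PnP
The driver \Driver\WUDFRd failed to load for the device USB\VID_054C&PID_059B\0E4A2324151368.
"""

HEADER_RE = re.compile(r"^Log: '(?P<log>[^']+)' Date/Time: (?P<when>.+)$")
TYPE_RE = re.compile(r"^Type: (?P<type>\w+) Category: (?P<cat>\d+)$")
EVENT_RE = re.compile(r"^Event: (?P<id>\d+) Source: (?P<source>.+)$")


def parse_vew(text):
    """Turn a VEW report into a list of event dicts (log, when, type, category, event, source, message)."""
    events, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("~~~"):      # section banner: no entry is open here
            current = None
            continue
        m = HEADER_RE.match(line)
        if m:                            # "Log: ..." opens a new entry
            current = {"log": m["log"], "when": m["when"], "message": ""}
            events.append(current)
            continue
        if current is None or not line:  # banner titles and blank separators
            continue
        if (m := TYPE_RE.match(line)):
            current["type"], current["category"] = m["type"], int(m["cat"])
        elif (m := EVENT_RE.match(line)):
            current["event"], current["source"] = int(m["id"]), m["source"]
        else:                            # free-text description lines
            current["message"] = (current["message"] + " " + line).strip()
    return events


def summarize(events, repeat_threshold=3):
    """Count events per (log, source, event id) and flag those at or above the threshold."""
    counts = Counter((e["log"], e["source"], e["event"]) for e in events)
    repeated = {key: n for key, n in counts.items() if n >= repeat_threshold}
    return counts, repeated
```

Run it over a real VEW.txt by reading the file into `parse_vew`; a (source, event id) pair that trips the threshold is the first thing to chase, since a service that is repeatedly restarted but never connects matches the hangs described in the thread.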

#12 thisisu

thisisu

  • Malware Response Team
  • 2,525 posts
  • OFFLINE
  • Gender:Male
  • Location:USA
  • Local time:10:54 PM

Posted 24 December 2012 - 03:16 AM

RogueKiller did not fix my hosts file, if that is worth mentioning.

The hosts file got changed back due to Spybot Search & Destroy's Immunization feature. You can uninstall this application if you want to but it's not necessary.

Please describe what problems remain, if any.

#13 Bumbaclot

Bumbaclot
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:10:54 PM

Posted 24 December 2012 - 03:15 PM

If I go into my C:\Users\Greg folder, I will see all My Documents, My Pictures, etc., but I will also see three files named NTUSER, ntuser.dat.log1, and ntuser.dat.log2. I cannot delete these files as they are "currently in use" according to my operating system. If these files are normal, and simply usually just hidden from view, please do let me know. They've been sketching me out for a while.

Also, Spybot keeps detecting these entries:

Search results from Spybot - Search & Destroy

12/24/2012 3:07:25 PM
Scan took 00:13:54.
7 items found.

MS Direct3D: [SBI $7FB7B83F] Most recent application (Registry Change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Direct3D\MostRecentApplication\Name

MS Direct3D: [SBI $C2A44980] Most recent application (Registry Change, nothing done)
HKEY_USERS\S-1-5-21-2140233807-2098949918-1880898183-1000\Software\Microsoft\Direct3D\MostRecentApplication\Name

MS DirectDraw: [SBI $EB49D5AF] Most recent application (Registry Change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication\Name

MS DirectInput: [SBI $9A063C91] Most recent application (Registry Change, nothing done)
HKEY_USERS\S-1-5-21-2140233807-2098949918-1880898183-1000\Software\Microsoft\DirectInput\MostRecentApplication\Name

MS DirectInput: [SBI $7B184199] Most recent application ID (Registry Change, nothing done)
HKEY_USERS\S-1-5-21-2140233807-2098949918-1880898183-1000\Software\Microsoft\DirectInput\MostRecentApplication\Id

Cache: [SBI $49804B54] Browser: Cache (2) (Browser: Cache, nothing done)


History: [SBI $49804B54] Browser: History (5) (Browser: History, nothing done)



--- Spybot - Search & Destroy version: 2.0.12.131 DLL (build: 20121113) ---



I understand the bottom dated list of files are immunizations and not actual infections, but the system scanner keeps detecting the above values. If I should be adding any of these detections to my white list let me know.

So far I haven't experienced any more random application hangs, but I also have not been using my computer much since your last set of cleaning instructions. I will let you know if scans come up with any more infections.

#14 thisisu

thisisu

  • Malware Response Team
  • 2,525 posts
  • OFFLINE
  • Gender:Male
  • Location:USA
  • Local time:10:54 PM

Posted 26 December 2012 - 12:28 AM

If these files are normal, and simply usually just hidden from view, please do let me know.

They are normal and should not be deleted. I believe they hold the control information about the registry for your user profile.

Also, the items in Spybot's log are not malicious and probably change depending on a video game you may play that makes use of Direct3D acceleration (video card related, I think).
It's just listing the last application that made use of it.

#15 thisisu

thisisu

  • Malware Response Team
  • 2,525 posts
  • OFFLINE
  • Gender:Male
  • Location:USA
  • Local time:10:54 PM

Posted 28 December 2012 - 02:29 PM

Any other questions or concerns? How has the PC been running for the past few days?
