Infected with Rootkit.Boot.Pihar.c - BSOD Windows 7


14 replies to this topic

#1 DigitalFool (Members, 39 posts)

Posted 15 December 2012 - 10:41 PM

A week ago, I ran into an issue with Rootkit.Boot.Pihar.c. I thought I had it solved, but not only is it back, it seems much worse.
It's very difficult to stay booted into Windows normally, as it results in a BSOD within minutes. Safe mode is OK.

Back when I had the issue, I saw mention of TDSSKiller and it did find and repair Rootkit.Boot.Pihar.c.

Here was the log:

18:45:40.0988 2720  ================ Scan MBR ==================================
18:45:40.0998 2720  [ A36C5E4F47E84449FF07ED3517B43A31 ] \Device\Harddisk0\DR0
18:45:40.0998 2720  Suspicious mbr (Forged): \Device\Harddisk0\DR0
18:45:41.0068 2720  \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.c ) - infected
18:45:41.0068 2720  \Device\Harddisk0\DR0 - detected Rootkit.Boot.Pihar.c (0)
18:45:41.0068 2720  ================ Scan VBR ==================================
18:45:41.0068 2720  [ 5A661E3054F1C7E1CB746AF26839902B ] \Device\Harddisk0\DR0\Partition1
18:45:41.0078 2720  \Device\Harddisk0\DR0\Partition1 - ok
18:45:41.0088 2720  [ 75CA67867575A41AB9A1A56F5D12DB6B ] \Device\Harddisk0\DR0\Partition2
18:45:41.0088 2720  \Device\Harddisk0\DR0\Partition2 - ok
18:45:41.0088 2720  ============================================================
18:45:41.0088 2720  Scan finished
18:45:41.0088 2720  ============================================================
18:45:41.0108 4016  Detected object count: 1
18:45:41.0108 4016  Actual detected object count: 1
18:45:53.0030 4016  \Device\Harddisk0\DR0\# - copied to quarantine
18:45:53.0100 4016  \Device\Harddisk0\DR0 - copied to quarantine
18:45:56.0142 4016  \Device\Harddisk0\DR0\TDLFS\cmd.dll - copied to quarantine
18:45:56.0262 4016  \Device\Harddisk0\DR0\TDLFS\cmd64.dll - copied to quarantine
18:45:56.0292 4016  \Device\Harddisk0\DR0\TDLFS\drv32 - copied to quarantine
18:45:56.0352 4016  \Device\Harddisk0\DR0\TDLFS\drv64 - copied to quarantine
18:45:56.0392 4016  \Device\Harddisk0\DR0\TDLFS\servers.dat - copied to quarantine
18:45:56.0402 4016  \Device\Harddisk0\DR0\TDLFS\config.ini - copied to quarantine
18:45:56.0402 4016  \Device\Harddisk0\DR0\TDLFS\ldr16 - copied to quarantine
18:45:56.0608 4016  \Device\Harddisk0\DR0\TDLFS\ldr32 - copied to quarantine
18:45:56.0633 4016  \Device\Harddisk0\DR0\TDLFS\ldr64 - copied to quarantine
18:45:56.0652 4016  \Device\Harddisk0\DR0\TDLFS\s - copied to quarantine
18:45:56.0658 4016  \Device\Harddisk0\DR0\TDLFS\ldrm - copied to quarantine
18:45:56.0662 4016  \Device\Harddisk0\DR0\TDLFS\u - copied to quarantine
18:45:56.0734 4016  \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.c ) - will be cured on reboot
18:45:56.0734 4016  \Device\Harddisk0\DR0 - ok
18:45:56.0734 4016  \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.c ) - User select action: Cure 
18:46:00.0659 4796  Deinitialize success

Starting today, I received the BSOD repeatedly. So I ran TDSSKiller again; it finds Rootkit.Boot.Pihar.c, but when I try to cure it I get a BSOD. Is there another way to cure it?

Windows 7 Home x64
Running Security Essentials
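As an added example (not part of DigitalFool's post, and not Kaspersky's code), a small parser for the TDSSKiller log format quoted above. It pulls out the MBR hash, the forged-MBR flag, the infected object, the files recovered from the rootkit's hidden TDLFS store, and whether a cure was actually scheduled; a second constructed input, with the quarantine and cure lines stripped, shows how a run that detects the rootkit but never reaches the cure step (the situation described after the log) shows up as an outstanding infection. The sample lines are constructed from the log in the post; the "Scan finished" line is added for completeness.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample in the TDSSKiller log format quoted in the post above.
SAMPLE_LOG = r"""
18:45:40.0988 2720  ================ Scan MBR ==================================
18:45:40.0998 2720  [ A36C5E4F47E84449FF07ED3517B43A31 ] \Device\Harddisk0\DR0
18:45:40.0998 2720  Suspicious mbr (Forged): \Device\Harddisk0\DR0
18:45:41.0068 2720  \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.c ) - infected
18:45:41.0068 2720  \Device\Harddisk0\DR0 - detected Rootkit.Boot.Pihar.c (0)
18:45:41.0068 2720  ================ Scan VBR ==================================
18:45:41.0068 2720  [ 5A661E3054F1C7E1CB746AF26839902B ] \Device\Harddisk0\DR0\Partition1
18:45:41.0078 2720  \Device\Harddisk0\DR0\Partition1 - ok
18:45:41.0088 2720  Scan finished
18:45:41.0108 4016  Detected object count: 1
18:45:53.0100 4016  \Device\Harddisk0\DR0 - copied to quarantine
18:45:56.0142 4016  \Device\Harddisk0\DR0\TDLFS\cmd.dll - copied to quarantine
18:45:56.0292 4016  \Device\Harddisk0\DR0\TDLFS\drv32 - copied to quarantine
18:45:56.0734 4016  \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.c ) - will be cured on reboot
18:45:56.0734 4016  \Device\Harddisk0\DR0 - ok
18:45:56.0734 4016  \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.c ) - User select action: Cure
18:46:00.0659 4796  Deinitialize success
"""

# Constructed variant of the same run that stops after detection: no quarantine copies and
# no "will be cured on reboot" line, which is what a crash during the cure step leaves behind.
SAMPLE_LOG_NO_CURE = "\n".join(
    line for line in SAMPLE_LOG.splitlines()
    if "quarantine" not in line and "cure" not in line.lower()
)

LINE_RE = re.compile(r"^(?P<time>\d{2}:\d{2}:\d{2}\.\d{4})\s+(?P<tid>\d+)\s+(?P<msg>.*)$")
HASH_RE = re.compile(r"^\[ (?P<md5>[0-9A-Fa-f]{32}) \] (?P<obj>\S+)$")
FORGED_RE = re.compile(r"^Suspicious mbr \((?P<kind>[^)]+)\): (?P<obj>\S+)$")
VERDICT_RE = re.compile(r"^(?P<obj>\S+?)(?: \( (?P<threat>[^)]+?) \))? - (?P<verdict>.+)$")
# Message prefixes that carry no per-object information.
NOISE_PREFIXES = ("====", "Scan finished", "Detected object count",
                  "Actual detected object count", "Deinitialize")


@dataclass
class ScanSummary:
    md5: Dict[str, str] = field(default_factory=dict)       # object -> MD5 as logged by the scanner
    forged: List[str] = field(default_factory=list)         # objects flagged "Suspicious mbr (Forged)"
    infected: Dict[str, str] = field(default_factory=dict)  # object -> threat name
    clean: List[str] = field(default_factory=list)          # objects reported "- ok"
    quarantined: List[str] = field(default_factory=list)    # objects copied to quarantine
    pending_cure: List[str] = field(default_factory=list)   # objects whose cure waits for a reboot
    unparsed: List[str] = field(default_factory=list)       # lines none of the patterns recognised


def parse_tdsskiller_log(text: str) -> ScanSummary:
    s = ScanSummary()
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            s.unparsed.append(line)
            continue
        msg = m.group("msg")
        if msg.startswith(NOISE_PREFIXES):
            continue
        if (h := HASH_RE.match(msg)):
            s.md5[h.group("obj")] = h.group("md5").upper()
        elif (f := FORGED_RE.match(msg)):
            s.forged.append(f.group("obj"))
        elif (v := VERDICT_RE.match(msg)):
            obj, threat, verdict = v.group("obj", "threat", "verdict")
            if verdict == "infected":
                s.infected[obj] = threat or "unknown"
            elif verdict == "ok":
                s.clean.append(obj)
            elif verdict == "copied to quarantine":
                s.quarantined.append(obj)
            elif verdict == "will be cured on reboot":
                s.pending_cure.append(obj)
            elif verdict.startswith(("detected ", "User select action")):
                pass  # restates the "infected" / cure lines already recorded
            else:
                s.unparsed.append(line)
        else:
            s.unparsed.append(line)
    return s


def tdlfs_files(s: ScanSummary) -> List[str]:
    """Files the scanner pulled out of the rootkit's hidden TDLFS file system."""
    return [obj for obj in s.quarantined if "\\TDLFS\\" in obj]


def outstanding(s: ScanSummary) -> List[str]:
    """Infected objects with no cure scheduled. A later "- ok" alone is not enough: in the
    log above it follows "will be cured on reboot", i.e. the disk is not clean yet."""
    return [obj for obj in s.infected if obj not in s.pending_cure]


def report(s: ScanSummary) -> str:
    lines = []
    for obj, threat in s.infected.items():
        status = "cure scheduled for reboot" if obj in s.pending_cure else "NOT cured"
        lines.append(f"{obj}: {threat} ({status}); MBR MD5 {s.md5.get(obj, 'n/a')}; "
                     f"forged={obj in s.forged}")
    lines.append(f"{len(tdlfs_files(s))} file(s) recovered from TDLFS, "
                 f"{len(s.unparsed)} unparsed line(s)")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(parse_tdsskiller_log(SAMPLE_LOG)))
    print(report(parse_tdsskiller_log(SAMPLE_LOG_NO_CURE)))
```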


#2 CatByte (Malware Response Team, 14,664 posts)

Posted 15 December 2012 - 10:44 PM

Please do the following:

Download the appropriate version for your system of the Farbar Recovery Scan Tool and save it to a flash drive.


Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
On the System Recovery Options menu you will get the following options:
Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt
  • Select Command Prompt.
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter.
Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to the disclaimer.
  • Place a check next to List Drivers MD5 as well as the default check marks that are already there.
  • Press Scan button.
  • Type exit and reboot the computer normally.
  • FRST will make a log (FRST.txt) on the flash drive, please copy and paste the log in your reply.


NEXT



  • Download ListParts64 to a USB flash drive.
  • Plug the USB drive into the infected machine.

Boot your computer into Recovery Environment

  • Restart the computer and press F8 repeatedly until the Advanced Options Menu appears.
  • Select Repair your computer.
  • Select Language and click Next
  • Enter password (if necessary) and click OK, you should now see the screen below ...

[Image: System Recovery Options menu]

  • Select the Command Prompt option.
  • A command window will open.
  • Type notepad then hit Enter.
  • Notepad will open.
  • Click File > Open then select Computer.
  • Note down the drive letter for your USB Drive.
  • Close Notepad.
  • Back in the command window ....
  • Type e:\listparts64.exe and hit Enter (where e: is replaced by the drive letter for your USB drive)
  • ListParts will start to run.
  • Press the Scan button.
  • When finished scanning it will make a log Result.txt on the flash drive.
  • Close the command window.
  • Boot back into normal mode and post me the Result.txt log please.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#3 DigitalFool (Topic Starter, Members, 39 posts)

Posted 15 December 2012 - 11:24 PM


Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 11-12-2012
Ran by SYSTEM at 15-12-2012 22:10:02
Running from G:\
Windows 7 Home Premium   (X64) OS Language: English(US)
The current controlset is ControlSet001

==================== Registry (Whitelisted) ===================

HKLM\...\Run: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe [1808680 2009-06-25] (Synaptics Incorporated)
HKLM\...\Run: [SysTrayApp] C:\Program Files\IDT\WDM\sttray64.exe [444416 2009-06-29] (IDT, Inc.)
HKLM\...\Run: [QuickSet] C:\Program Files\Dell\QuickSet\QuickSet.exe [3180624 2009-07-02] (Dell Inc.)
HKLM\...\Run: [IAAnotif] C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\iaanotif.exe [186904 2009-06-04] (Intel Corporation)
HKLM\...\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [1289704 2012-09-12] (Microsoft Corporation)
HKLM-x32\...\Run: [PDVDDXSrv] "C:\Program Files (x86)\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [140520 2009-06-24] (CyberLink Corp.)
HKLM-x32\...\Run: [Dell Webcam Central] "C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe" /mode2 [409744 2009-06-24] (Creative Technology Ltd)
HKLM-x32\...\Run: [Desktop Disc Tool] "c:\Program Files (x86)\Roxio\Roxio Burn\RoxioBurnLauncher.exe" [498160 2009-10-15] ()
HKLM-x32\...\Run: [DellSupportCenter] "C:\Program Files (x86)\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter [206064 2009-05-21] (SupportSoft, Inc.)
HKLM-x32\...\Run: [VirtualCloneDrive] "C:\Program Files (x86)\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s [85160 2009-06-17] (Elaborate Bytes AG)
HKLM-x32\...\Run: [AppleSyncNotifier] C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe [59240 2011-09-27] (Apple Inc.)
HKLM-x32\...\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [254696 2011-04-08] (Sun Microsystems, Inc.)
HKLM-x32\...\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59280 2012-08-27] (Apple Inc.)
HKLM-x32\...\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime [421888 2011-10-24] (Apple Inc.)
HKLM-x32\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [38872 2012-07-31] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [919008 2012-07-11] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe" [421776 2012-09-09] (Apple Inc.)
HKU\User\...\Run: [Google Update] "C:\Users\User\AppData\Local\Google\Update\GoogleUpdate.exe" /c [136176 2010-07-30] (Google Inc.)
HKU\User\...\Run: [Spotify Web Helper] "C:\Users\User\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe" [1199576 2012-11-20] (Spotify Ltd)
Winlogon\Notify\GoToAssist: C:\Program Files (x86)\Citrix\GoToAssist\514\G2AWinLogon_x64.dll [X]
Tcpip\Parameters: [DhcpNameServer] 192.168.0.1
Startup: C:\Users\Default\Start Menu\Programs\Startup\Dell Dock First Run.lnk
ShortcutTarget: Dell Dock First Run.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)
Startup: C:\Users\Default User\Start Menu\Programs\Startup\Dell Dock First Run.lnk
ShortcutTarget: Dell Dock First Run.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)
Startup: C:\Users\User\Start Menu\Programs\Startup\Dell Dock.lnk
ShortcutTarget: Dell Dock.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)

==================== Services (Whitelisted) ===================

2 DisplayLinkService; "C:\Program Files\DisplayLink Core Software\DisplayLinkManager.exe" [9663848 2011-04-10] (DisplayLink Corp.)
2 MsMpSvc; "C:\Program Files\Microsoft Security Client\MsMpEng.exe" [22072 2012-09-12] (Microsoft Corporation)
3 NisSrv; "C:\Program Files\Microsoft Security Client\NisSrv.exe" [368896 2012-09-12] (Microsoft Corporation)
2 STacSV; C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_afc3018f8cfedd20\STacSV64.exe [240128 2009-06-29] (IDT, Inc.)
2 vseamps; "C:\Program Files\Common Files\Authentium\AntiVirus5\vseamps.exe" [149544 2010-04-08] (Authentium, Inc)
2 vsedsps; "C:\Program Files\Common Files\Authentium\AntiVirus5\vsedsps.exe" [148008 2010-04-08] (Authentium, Inc)
2 vseqrts; "C:\Program Files\Common Files\Authentium\AntiVirus5\vseqrts.exe" [205352 2010-04-08] (Authentium, Inc)

==================== Drivers (Whitelisted) =====================

3 DisplayLinkUsbPort; C:\Windows\System32\DRIVERS\DisplayLinkUsbPort_5.6.31854.0.sys [17408 2011-04-10] (http://libusb-win32.sourceforge.net)
0 MpFilter; C:\Windows\System32\Drivers\MpFilter.sys [228768 2012-08-30] (Microsoft Corporation)
2 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [128456 2012-08-30] (Microsoft Corporation)

==================== NetSvcs (Whitelisted) ====================

==================== One Month Created Files and Folders ========

2012-12-15 19:21 - 2012-12-15 19:21 - 00285368 ____A C:\Windows\Minidump\121512-21777-01.dmp
2012-12-15 19:15 - 2012-12-15 19:15 - 00281264 ____A C:\Windows\Minidump\121512-32448-01.dmp
2012-12-15 19:03 - 2012-12-15 19:03 - 00270992 ____A C:\Windows\Minidump\121512-43820-01.dmp
2012-12-15 16:31 - 2012-12-15 16:31 - 00277136 ____A C:\Windows\Minidump\121512-35022-01.dmp
2012-12-15 16:28 - 2009-07-13 17:14 - 00020480 ____A (Microsoft Corporation) C:\Windows\svchost.exe
2012-12-15 14:48 - 2012-12-15 14:48 - 00277136 ____A C:\Windows\Minidump\121512-34133-01.dmp
2012-12-14 19:58 - 2012-12-14 19:58 - 00277136 ____A C:\Windows\Minidump\121412-24024-01.dmp
2012-12-14 16:53 - 2012-12-14 16:53 - 00277136 ____A C:\Windows\Minidump\121412-23899-01.dmp
2012-12-08 16:45 - 2012-12-15 19:13 - 00000000 ____D C:\TDSSKiller_Quarantine
2012-12-08 16:44 - 2012-12-08 16:44 - 02213976 ____A (Kaspersky Lab ZAO) C:\Users\User\Desktop\123.com.exe
2012-12-08 16:36 - 2012-12-08 16:36 - 00268696 ____A C:\Windows\Minidump\120812-43571-01.dmp
2012-12-08 06:23 - 2012-12-08 06:24 - 00277136 ____A C:\Windows\Minidump\120812-40232-01.dmp
2012-12-07 22:11 - 2012-12-08 13:23 - 00000000 ____D C:\Windows\Microsoft Antimalware
2012-11-16 06:57 - 2012-11-16 06:57 - 00001024 ____A C:\Users\User\Downloads\Activity.CSV
2012-11-16 01:11 - 2012-06-02 06:35 - 00000003 ____A C:\Windows\System32\Drivers\MsftWdf_Kernel_01011_Inbox_Critical.Wdf
2012-11-16 01:10 - 2012-07-25 20:55 - 00785512 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\Wdf01000.sys
2012-11-16 01:10 - 2012-07-25 20:55 - 00054376 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\WdfLdr.sys
2012-11-16 01:10 - 2012-07-25 18:36 - 00009728 ____A (Microsoft Corporation) C:\Windows\System32\Wdfres.dll
2012-11-16 01:04 - 2012-10-08 04:19 - 17811968 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-11-16 01:04 - 2012-10-08 03:42 - 10925568 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-11-16 01:04 - 2012-10-08 03:31 - 02312704 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-11-16 01:04 - 2012-10-08 03:24 - 01346048 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-11-16 01:04 - 2012-10-08 03:23 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-11-16 01:04 - 2012-10-08 03:22 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-11-16 01:04 - 2012-10-08 03:22 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-11-16 01:04 - 2012-10-08 03:20 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-11-16 01:04 - 2012-10-08 03:18 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2012-11-16 01:04 - 2012-10-08 03:17 - 00816640 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-11-16 01:04 - 2012-10-08 03:17 - 00599040 ____A (Microsoft Corporation) C:\Windows\System32\vbscript.dll
2012-11-16 01:04 - 2012-10-08 03:15 - 02144768 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-11-16 01:04 - 2012-10-08 03:15 - 00729088 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2012-11-16 01:04 - 2012-10-08 03:13 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-11-16 01:04 - 2012-10-08 03:13 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-11-16 01:04 - 2012-10-08 03:09 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-11-16 01:04 - 2012-10-08 00:28 - 12320768 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2012-11-16 01:04 - 2012-10-08 00:02 - 09738240 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2012-11-16 01:04 - 2012-10-07 23:56 - 01800704 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2012-11-16 01:04 - 2012-10-07 23:48 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2012-11-16 01:04 - 2012-10-07 23:48 - 01103872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2012-11-16 01:04 - 2012-10-07 23:47 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2012-11-16 01:04 - 2012-10-07 23:46 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
2012-11-16 01:04 - 2012-10-07 23:45 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2012-11-16 01:04 - 2012-10-07 23:44 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2012-11-16 01:04 - 2012-10-07 23:43 - 00717824 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2012-11-16 01:04 - 2012-10-07 23:43 - 00420864 ____A (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll
2012-11-16 01:04 - 2012-10-07 23:42 - 00607744 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2012-11-16 01:04 - 2012-10-07 23:41 - 01793024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2012-11-16 01:04 - 2012-10-07 23:41 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2012-11-16 01:04 - 2012-10-07 23:40 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2012-11-16 01:04 - 2012-10-07 23:37 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2012-11-16 01:01 - 2012-07-25 19:08 - 00744448 ____A (Microsoft Corporation) C:\Windows\System32\WUDFx.dll
2012-11-16 01:01 - 2012-07-25 19:08 - 00229888 ____A (Microsoft Corporation) C:\Windows\System32\WUDFHost.exe
2012-11-16 01:01 - 2012-07-25 19:08 - 00194048 ____A (Microsoft Corporation) C:\Windows\System32\WUDFPlatform.dll
2012-11-16 01:01 - 2012-07-25 19:08 - 00084992 ____A (Microsoft Corporation) C:\Windows\System32\WUDFSvc.dll
2012-11-16 01:01 - 2012-07-25 19:08 - 00045056 ____A (Microsoft Corporation) C:\Windows\System32\WUDFCoinstaller.dll
2012-11-16 01:01 - 2012-07-25 18:26 - 00198656 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\WUDFRd.sys
2012-11-16 01:01 - 2012-07-25 18:26 - 00087040 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\WUDFPf.sys
2012-11-16 01:01 - 2012-06-02 06:57 - 00000003 ____A C:\Windows\System32\Drivers\MsftWdf_User_01_11_00_Inbox_Critical.Wdf
2012-11-15 23:54 - 2012-10-18 10:25 - 03149824 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-11-15 23:54 - 2012-10-09 10:17 - 00226816 ____A (Microsoft Corporation) C:\Windows\System32\dhcpcore6.dll
2012-11-15 23:54 - 2012-10-09 10:17 - 00055296 ____A (Microsoft Corporation) C:\Windows\System32\dhcpcsvc6.dll
2012-11-15 23:54 - 2012-10-09 09:40 - 00193536 ____A (Microsoft Corporation) C:\Windows\SysWOW64\dhcpcore6.dll
2012-11-15 23:54 - 2012-10-09 09:40 - 00044032 ____A (Microsoft Corporation) C:\Windows\SysWOW64\dhcpcsvc6.dll
2012-11-15 23:54 - 2012-10-03 09:56 - 01914248 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\tcpip.sys
2012-11-15 23:54 - 2012-10-03 09:44 - 00303104 ____A (Microsoft Corporation) C:\Windows\System32\nlasvc.dll
2012-11-15 23:54 - 2012-10-03 09:44 - 00246272 ____A (Microsoft Corporation) C:\Windows\System32\netcorehc.dll
2012-11-15 23:54 - 2012-10-03 09:44 - 00216576 ____A (Microsoft Corporation) C:\Windows\System32\ncsi.dll
2012-11-15 23:54 - 2012-10-03 09:44 - 00070656 ____A (Microsoft Corporation) C:\Windows\System32\nlaapi.dll
2012-11-15 23:54 - 2012-10-03 09:44 - 00018944 ____A (Microsoft Corporation) C:\Windows\System32\netevent.dll
2012-11-15 23:54 - 2012-10-03 09:42 - 00569344 ____A (Microsoft Corporation) C:\Windows\System32\iphlpsvc.dll
2012-11-15 23:54 - 2012-10-03 08:42 - 00175104 ____A (Microsoft Corporation) C:\Windows\SysWOW64\netcorehc.dll
2012-11-15 23:54 - 2012-10-03 08:42 - 00156672 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ncsi.dll
2012-11-15 23:54 - 2012-10-03 08:42 - 00018944 ____A (Microsoft Corporation) C:\Windows\SysWOW64\netevent.dll
2012-11-15 23:54 - 2012-10-03 08:07 - 00045568 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\tcpipreg.sys
2012-11-15 23:54 - 2012-09-25 14:47 - 00078336 ____A (Microsoft Corporation) C:\Windows\SysWOW64\synceng.dll
2012-11-15 23:54 - 2012-09-25 14:46 - 00095744 ____A (Microsoft Corporation) C:\Windows\System32\synceng.dll
2012-11-15 23:54 - 2012-01-12 23:12 - 00052224 ____A (Microsoft Corporation) C:\Windows\SysWOW64\nlaapi.dll

==================== One Month Modified Files and Folders =======

2012-12-15 22:09 - 2012-12-15 22:09 - 00000000 ____D C:\FRST
2012-12-15 19:31 - 2009-07-13 21:10 - 01851417 ____A C:\Windows\WindowsUpdate.log
2012-12-15 19:21 - 2012-12-15 19:21 - 00285368 ____A C:\Windows\Minidump\121512-21777-01.dmp
2012-12-15 19:21 - 2010-05-20 16:08 - 00000000 ____D C:\Windows\Minidump
2012-12-15 19:20 - 2010-05-20 16:08 - 308087775 ____A C:\Windows\MEMORY.DMP
2012-12-15 19:18 - 2010-01-29 21:36 - 00000894 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2012-12-15 19:18 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-12-15 19:18 - 2009-07-13 20:51 - 00078776 ____A C:\Windows\setupact.log
2012-12-15 19:15 - 2012-12-15 19:15 - 00281264 ____A C:\Windows\Minidump\121512-32448-01.dmp
2012-12-15 19:13 - 2012-12-08 16:45 - 00000000 ____D C:\TDSSKiller_Quarantine
2012-12-15 19:09 - 2010-01-29 21:36 - 00000898 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2012-12-15 19:09 - 2009-07-13 20:45 - 00014240 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2012-12-15 19:09 - 2009-07-13 20:45 - 00014240 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2012-12-15 19:03 - 2012-12-15 19:03 - 00270992 ____A C:\Windows\Minidump\121512-43820-01.dmp
2012-12-15 16:31 - 2012-12-15 16:31 - 00277136 ____A C:\Windows\Minidump\121512-35022-01.dmp
2012-12-15 16:26 - 2010-01-05 19:54 - 00039058 ____A C:\Windows\PFRO.log
2012-12-15 14:48 - 2012-12-15 14:48 - 00277136 ____A C:\Windows\Minidump\121512-34133-01.dmp
2012-12-14 19:58 - 2012-12-14 19:58 - 00277136 ____A C:\Windows\Minidump\121412-24024-01.dmp
2012-12-14 18:33 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\rescache
2012-12-14 18:33 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\AppCompat
2012-12-14 18:32 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\registration
2012-12-14 16:53 - 2012-12-14 16:53 - 00277136 ____A C:\Windows\Minidump\121412-23899-01.dmp
2012-12-14 16:53 - 2010-01-11 19:01 - 00000000 ____D C:\users\User
2012-12-13 01:00 - 2012-06-08 17:46 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2012-12-13 01:00 - 2010-07-30 07:44 - 00000904 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3099096433-2408369735-2771841108-1000UA.job
2012-12-12 16:15 - 2011-08-07 19:39 - 00000852 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3099096433-2408369735-2771841108-1000Core1cc557cc46fa2d3.job
2012-12-11 18:02 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\sysprep
2012-12-11 17:56 - 2012-06-08 17:46 - 00697272 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2012-12-11 17:56 - 2012-06-08 17:46 - 00073656 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2012-12-08 16:44 - 2012-12-08 16:44 - 02213976 ____A (Kaspersky Lab ZAO) C:\Users\User\Desktop\123.com.exe
2012-12-08 16:36 - 2012-12-08 16:36 - 00268696 ____A C:\Windows\Minidump\120812-43571-01.dmp
2012-12-08 13:23 - 2012-12-07 22:11 - 00000000 ____D C:\Windows\Microsoft Antimalware
2012-12-08 06:24 - 2012-12-08 06:23 - 00277136 ____A C:\Windows\Minidump\120812-40232-01.dmp
2012-12-07 20:00 - 2009-07-13 21:13 - 00005152 ____A C:\Windows\System32\PerfStringBackup.INI
2012-12-07 05:15 - 2010-05-20 19:33 - 00000000 ____D C:\Users\User\Desktop\ISO
2012-12-07 02:16 - 2010-07-30 07:45 - 00002485 ____A C:\Users\User\Desktop\Google Chrome.lnk
2012-12-06 18:15 - 2010-05-31 11:46 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2012-12-06 18:06 - 2010-05-31 11:46 - 00000000 ____D C:\Users\All Users\Malwarebytes
2012-11-20 17:01 - 2011-11-08 18:55 - 00000000 ____D C:\Users\User\AppData\Roaming\Spotify
2012-11-20 16:34 - 2011-11-08 18:55 - 00000000 ____D C:\Users\User\AppData\Local\Spotify
2012-11-16 06:57 - 2012-11-16 06:57 - 00001024 ____A C:\Users\User\Downloads\Activity.CSV
2012-11-16 01:34 - 2010-01-11 19:01 - 00127312 ____A C:\Users\User\AppData\Local\GDIPFONTCACHEV1.DAT
2012-11-16 01:33 - 2009-07-13 20:45 - 00451752 ____A C:\Windows\System32\FNTCACHE.DAT
2012-11-16 01:15 - 2010-03-14 16:14 - 00000000 ____D C:\Users\All Users\Microsoft Help
2012-11-16 01:01 - 2010-02-27 17:43 - 66395536 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2012-11-16 01:00 - 2009-07-13 18:34 - 00000545 ____A C:\Windows\win.ini

ATTENTION: ========> Check for possible partition/boot infection:
C:\Windows\svchost.exe

==================== Known DLLs (Whitelisted) =================

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

TDL4: custom:26000022 <===== ATTENTION!

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points  =========================

Restore point made on: 2012-12-02 14:53:19
Restore point made on: 2012-12-03 01:00:32
Restore point made on: 2012-12-05 17:23:35
Restore point made on: 2012-12-06 01:00:33
Restore point made on: 2012-12-06 18:24:42
Restore point made on: 2012-12-07 01:00:31
Restore point made on: 2012-12-10 18:00:15
Restore point made on: 2012-12-13 01:00:43

==================== Memory info ===========================

Percentage of memory in use: 15%
Total physical RAM: 4056.36 MB
Available physical RAM: 3434.08 MB
Total Pagefile: 4054.51 MB
Available Pagefile: 3421.86 MB
Total Virtual: 8192 MB
Available Virtual: 8191.9 MB

==================== Partitions =============================

1 Drive c: (OS) (Fixed) (Total:224.4 GB) (Free:81.32 GB) NTFS
4 Drive g: (WDO_Media64) (Removable) (Total:1.86 GB) (Free:1.83 GB) NTFS
5 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
6 Drive y: (RECOVERY) (Fixed) (Total:8.42 GB) (Free:4.4 GB) NTFS ==>[System with boot components (obtained from reading drive)]
ATTENTION: Malware custom entry on BCD on drive y: detected. Check for MBR/Partition infection.

  Disk ###  Status         Size     Free     Dyn  Gpt
  --------  -------------  -------  -------  ---  ---
  Disk 0    Online          232 GB      0 B
  Disk 1    No Media           0 B      0 B
  Disk 2    Online         1909 MB      0 B

Partitions of Disk 0:
===============

  Partition ###  Type              Size     Offset
  -------------  ----------------  -------  -------
  Partition 1    OEM                 70 MB    31 KB
  Partition 2    Primary              8 GB    71 MB
  Partition 3    Primary            224 GB     8 GB

==================================================================================

Disk: 0
Partition 1
Type  : DE
Hidden: Yes
Active: No

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 5                      FAT    Partition     70 MB  Healthy    Hidden

=========================================================

Disk: 0
Partition 2
Type  : 07
Hidden: No
Active: Yes

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 1     Y   RECOVERY     NTFS   Partition      8 GB  Healthy

=========================================================

Disk: 0
Partition 3
Type  : 07
Hidden: No
Active: No

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 2     C   OS           NTFS   Partition    224 GB  Healthy

=========================================================

Partitions of Disk 2:
===============

  Partition ###  Type              Size     Offset
  -------------  ----------------  -------  -------
  Partition 1    Primary           1909 MB    64 KB

==================================================================================

Disk: 2
Partition 1
Type  : 07
Hidden: No
Active: Yes

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 4     G   WDO_Media64  NTFS   Removable   1909 MB  Healthy

=========================================================

Last Boot: 2012-12-06 03:27

==================== End Of Log =============================
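As an added example (not part of the post, and not Farbar's FRST code), a triage pass over FRST log lines like the ones above. It collects every ATTENTION line together with the path FRST prints under it, flags a file entry whose name is one of the core binaries FRST's Bamital check covers but whose directory is not where that binary lives (here svchost.exe sitting in C:\Windows rather than System32 or SysWOW64), and reports any Bamital check entry whose verdict is not "MD5 is legit". The sample is a constructed excerpt of the log above; the expected-directory table is an assumption from the default Windows 7 layout.

```python
import ntpath
import re
from typing import Dict, List

# Constructed excerpt in the FRST log format shown in the post above, trimmed to the
# sections the triage rules look at.
SAMPLE_FRST = r"""
==================== One Month Created Files and Folders ========
2012-12-15 16:28 - 2009-07-13 17:14 - 00020480 ____A (Microsoft Corporation) C:\Windows\svchost.exe
2012-12-08 16:45 - 2012-12-15 19:13 - 00000000 ____D C:\TDSSKiller_Quarantine
2012-12-08 16:44 - 2012-12-08 16:44 - 02213976 ____A (Kaspersky Lab ZAO) C:\Users\User\Desktop\123.com.exe
2012-11-15 23:54 - 2012-10-18 10:25 - 03149824 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
ATTENTION: ========> Check for possible partition/boot infection:
C:\Windows\svchost.exe
==================== Bamital & volsnap Check =================
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
TDL4: custom:26000022 <===== ATTENTION!
==================== Partitions =============================
1 Drive c: (OS) (Fixed) (Total:224.4 GB) (Free:81.32 GB) NTFS
6 Drive y: (RECOVERY) (Fixed) (Total:8.42 GB) (Free:4.4 GB) NTFS ==>[System with boot components (obtained from reading drive)]
ATTENTION: Malware custom entry on BCD on drive y: detected. Check for MBR/Partition infection.
"""

# "created - modified - size attrs (company) path" as FRST prints file entries.
FILE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - (?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d+) (?P<attrs>[_A-Z]{5}) (?:\((?P<company>[^)]*)\) )?(?P<path>[A-Za-z]:\\.*)$"
)
# "path => verdict" as printed in the Bamital & volsnap Check section.
MD5_RE = re.compile(r"^(?P<path>[A-Za-z]:\\\S+) => (?P<verdict>.+)$")

# Assumption: default Windows 7 locations of the binaries FRST's Bamital check covers.
# explorer.exe is the one that lives in C:\Windows itself.
CORE_BINARY_DIRS: Dict[str, tuple] = {
    "svchost.exe":  (r"c:\windows\system32", r"c:\windows\syswow64"),
    "winlogon.exe": (r"c:\windows\system32",),
    "wininit.exe":  (r"c:\windows\system32", r"c:\windows\syswow64"),
    "services.exe": (r"c:\windows\system32",),
    "userinit.exe": (r"c:\windows\system32", r"c:\windows\syswow64"),
    "explorer.exe": (r"c:\windows", r"c:\windows\syswow64"),
}


def triage_frst(text: str) -> List[dict]:
    """Return one finding dict per suspicious line, in log order."""
    findings: List[dict] = []
    lines = [l.rstrip() for l in text.splitlines()]
    for i, line in enumerate(lines):
        if not line:
            continue
        if "ATTENTION" in line:
            # Some FRST warnings are a header ending in ":" with the offending path on the next line.
            evidence = lines[i + 1] if line.endswith(":") and i + 1 < len(lines) else ""
            findings.append({"kind": "attention", "line": line, "evidence": evidence})
            continue
        if (m := FILE_RE.match(line)):
            path = m.group("path")
            name = ntpath.basename(path).lower()
            parent = ntpath.dirname(path).lower()
            expected = CORE_BINARY_DIRS.get(name)
            if expected and parent not in expected:
                findings.append({"kind": "misplaced-core-binary", "path": path,
                                 "created": m.group("created"), "modified": m.group("modified"),
                                 "company": m.group("company") or ""})
            continue
        if (m := MD5_RE.match(line)) and m.group("verdict") != "MD5 is legit":
            findings.append({"kind": "md5-mismatch", "path": m.group("path"),
                             "verdict": m.group("verdict")})
    return findings


def summarize(findings: List[dict]) -> Dict[str, int]:
    """Count findings per kind, for a one-line overview of the log."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f["kind"]] = counts.get(f["kind"], 0) + 1
    return counts


if __name__ == "__main__":
    results = triage_frst(SAMPLE_FRST)
    for f in results:
        print(f)
    print(summarize(results))
```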



#4 CatByte (Malware Response Team, 14,664 posts)

Posted 16 December 2012 - 08:15 AM

Were you able to run the ListParts64 tool as well? I'd like to see both logs before giving the fix.

thanks



#5 DigitalFool (Topic Starter, Members, 39 posts)

Posted 16 December 2012 - 11:11 AM

Missed that part, sorry -

ListParts by Farbar Version: 30-10-2012
Ran by SYSTEM (administrator) on 16-12-2012 at 09:55:04
Windows 7 (X64)
Running From: G:\
Language: 0409
************************************************************

========================= Memory info ====================== 

Percentage of memory in use: 11%
Total physical RAM: 4056.36 MB
Available physical RAM: 3594.66 MB
Total Pagefile: 4054.51 MB
Available Pagefile: 3574.37 MB
Total Virtual: 8192 MB
Available Virtual: 8191.91 MB

======================= Partitions =========================

1 Drive c: (RECOVERY) (Fixed) (Total:8.42 GB) (Free:4.4 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
2 Drive d: (OS) (Fixed) (Total:224.4 GB) (Free:82.18 GB) NTFS
5 Drive g: (WDO_Media64) (Removable) (Total:1.86 GB) (Free:1.83 GB) NTFS
6 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

  Disk ###  Status         Size     Free     Dyn  Gpt
  --------  -------------  -------  -------  ---  ---
  Disk 0    Online          232 GB      0 B         
  Disk 1    No Media           0 B      0 B         
  Disk 2    Online         1909 MB      0 B         

Partitions of Disk 0:
===============

  Partition ###  Type              Size     Offset
  -------------  ----------------  -------  -------
  Partition 1    OEM                 70 MB    31 KB
  Partition 2    Primary              8 GB    71 MB
  Partition 3    Primary            224 GB     8 GB

======================================================================================================

Disk: 0
Partition 1
Type  : DE
Hidden: Yes
Active: No

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 5                      FAT    Partition     70 MB  Healthy    Hidden  

======================================================================================================

Disk: 0
Partition 2
Type  : 07
Hidden: No
Active: Yes

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 1     C   RECOVERY     NTFS   Partition      8 GB  Healthy            

======================================================================================================

Disk: 0
Partition 3
Type  : 07
Hidden: No
Active: No

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 2     D   OS           NTFS   Partition    224 GB  Healthy            

======================================================================================================

Partitions of Disk 2:
===============

  Partition ###  Type              Size     Offset
  -------------  ----------------  -------  -------
  Partition 1    Primary           1909 MB    64 KB

======================================================================================================

Disk: 2
Partition 1
Type  : 07
Hidden: No
Active: Yes

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 4     G   WDO_Media64  NTFS   Removable   1909 MB  Healthy            

======================================================================================================
==========================================================
TDL4: custom:26000022


****** End Of Log ****** 
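Reading the two logs side by side is easier with the raw sector in hand: TDSSKiller reports the MBR as "Forged" and prints an MD5 of the sector in brackets, while ListParts prints the decoded partition table (type byte 0xDE for the hidden OEM partition, 0x07 for the two NTFS partitions, and which entry carries the active flag). The script below is an added example, not code from the thread or from either tool. It decodes a 512-byte MBR, hashes it, and flags the things a responder looks for in a bootkit case: an invalid status byte, more than one active entry, overlapping entries, and unallocated space after the last partition, which is where the TDL4/Pihar family stores its hidden file system (the "tdlfs" in the ESET detections later in this thread). The sample sectors are constructed to mirror the layout in the ListParts log; the type-name table and the 2048-sector tail threshold are assumptions.

```python
"""Added example (not from the thread, TDSSKiller or ListParts): decode a raw MBR,
hash it, and flag partition-table anomalies. Sample sectors are constructed."""
import hashlib
import struct

SECTOR_SIZE = 512
TABLE_OFFSET = 446           # four 16-byte entries follow the 446-byte boot code
ENTRY_FMT = "<B3sB3sII"      # status, CHS start, type, CHS end, LBA start, sector count
BOOT_SIGNATURE = b"\x55\xaa"

# Assumed names for the type bytes seen in the ListParts output (0x07, 0xDE) plus a
# few common ones; anything else is reported as "unknown".
TYPE_NAMES = {0x00: "empty", 0x05: "extended", 0x07: "NTFS/exFAT", 0x0b: "FAT32",
              0x0c: "FAT32 LBA", 0x0f: "extended LBA", 0xde: "Dell utility (OEM)",
              0xee: "GPT protective"}


def has_boot_signature(sector):
    return len(sector) == SECTOR_SIZE and sector[510:512] == BOOT_SIGNATURE


def parse_entry(raw):
    status, _, ptype, _, lba_start, sectors = struct.unpack(ENTRY_FMT, raw)
    return {"status": status, "active": status == 0x80, "type": ptype,
            "type_name": TYPE_NAMES.get(ptype, "unknown"),
            "lba_start": lba_start, "sectors": sectors,
            "size_mb": sectors * SECTOR_SIZE // (1024 * 1024)}


def parse_mbr(sector):
    if not has_boot_signature(sector):
        raise ValueError("not a 512-byte sector ending in 55 AA")
    entries = [parse_entry(sector[TABLE_OFFSET + 16 * i: TABLE_OFFSET + 16 * (i + 1)])
               for i in range(4)]
    # TDSSKiller prints the MD5 of the whole sector in brackets; same idea here.
    return {"md5": hashlib.md5(sector).hexdigest().upper(), "partitions": entries}


def triage(mbr, disk_sectors=None, tail_threshold=2048):
    """Return human-readable findings; an empty list means nothing looked off."""
    findings = []
    for i, p in enumerate(mbr["partitions"], start=1):
        if p["status"] not in (0x00, 0x80):          # only 00 and 80 are legal
            findings.append(f"partition {i}: invalid status byte 0x{p['status']:02X}")
    used = [p for p in mbr["partitions"] if p["type"] != 0x00]
    active = [p for p in used if p["active"]]
    if len(active) != 1:
        findings.append(f"expected exactly one active partition, found {len(active)}")
    ordered = sorted(used, key=lambda p: p["lba_start"])
    for a, b in zip(ordered, ordered[1:]):
        if a["lba_start"] + a["sectors"] > b["lba_start"]:
            findings.append(f"partitions overlap at LBA {b['lba_start']}")
    if disk_sectors is not None and ordered:
        last = ordered[-1]
        tail = disk_sectors - (last["lba_start"] + last["sectors"])
        if tail > tail_threshold:                    # threshold is an assumption
            findings.append(f"{tail} sectors unallocated after the last partition "
                            "(TDL4/Pihar keeps its hidden file system in such tail space)")
    return findings


# --- constructed sample sectors (not the user's real MBR) -----------------------
def build_entry(active, ptype, lba_start, sectors):
    chs = b"\xfe\xff\xff" if ptype else b"\x00\x00\x00"   # CHS fields unused (LBA-only)
    return struct.pack(ENTRY_FMT, 0x80 if active else 0x00, chs, ptype, chs,
                       lba_start, sectors)


def build_mbr(entries):
    table = b"".join(entries) + build_entry(False, 0, 0, 0) * (4 - len(entries))
    return b"\x00" * TABLE_OFFSET + table + BOOT_SIGNATURE   # boot code left as zeros


SECTORS_8G = 8 * 1024 * 1024 * 1024 // SECTOR_SIZE
SECTORS_224G = 224 * 1024 * 1024 * 1024 // SECTOR_SIZE
CLEAN_MBR = build_mbr([
    build_entry(False, 0xDE, 63, 143360),                        # 70 MB hidden OEM
    build_entry(True, 0x07, 143423, SECTORS_8G),                 # RECOVERY, active
    build_entry(False, 0x07, 143423 + SECTORS_8G, SECTORS_224G)])  # OS
CLEAN_DISK_SECTORS = 143423 + SECTORS_8G + SECTORS_224G + 1024
# Tampered twin: a second active flag and 512 MiB carved off the end of the disk.
TAMPERED_MBR = build_mbr([
    build_entry(True, 0xDE, 63, 143360),
    build_entry(True, 0x07, 143423, SECTORS_8G),
    build_entry(False, 0x07, 143423 + SECTORS_8G, SECTORS_224G - 1048576)])

if __name__ == "__main__":
    for label, sector in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        mbr = parse_mbr(sector)
        print(f"[{label}] MD5 {mbr['md5']}")
        for i, p in enumerate(mbr["partitions"], start=1):
            if p["type"]:
                print(f"  {i}: {'*' if p['active'] else ' '} type {p['type']:02X} "
                      f"{p['type_name']:<18} LBA {p['lba_start']:>10} {p['size_mb']:>7} MB")
        for finding in triage(mbr, CLEAN_DISK_SECTORS):
            print("  !", finding)
```

On a live system the sector comes from the physical drive (for example `\\.\PhysicalDrive0` opened read-only with administrator rights), and the MD5 is only useful when compared against a hash taken from a known-clean boot sector of the same machine or OEM image; a rootkit that hooks the disk stack can also hand back a clean sector to user-mode readers, which is why TDSSKiller and ListParts are run from outside the infected OS.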


#6 CatByte (Malware Response Team)

Posted 16 December 2012 - 11:49 AM

We are going to remove the main infections, boot the system and clean any leftovers from normal mode.

Please make sure you do all the steps in the order they are written.

  • Download the attached fix.txt
    Save it to your flash drive.
  • Please download the attached FixList.txt
    Save it to your flash drive.
  • Boot to System Recovery Options and select "Command Prompt".

    Run FRST64 and press the Fix button just once and wait.

    The tool will make a log on the flash drive (Fixlog.txt); please post it later in your reply. You may close the FRST tool.
  • While still in the recovery environment run ListParts by typing g:\listparts64 in the command prompt and pressing Enter.
    Click Fix
    Close the pop up after the fix is done
  • Please restart, let it boot normally and tell me how it went.



#7 DigitalFool (Topic Starter)

Posted 16 December 2012 - 12:02 PM

I'm in normal mode now, everything seems good so far.

PLfixlog

Script used: "Disk=0 partition=2 inactive"
Script used: "Disk=0 partition=2 active"
Script used: "Disk=0 partition=2 inactive"
Script used: "Disk=0 partition=2 active"
Script used: "custom"

An error occurred while attempting to delete the specified data element.
Element not found.

Fixlog

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 11-12-2012
Ran by SYSTEM at 2012-12-16 10:55:58 Run:1
Running from G:\

==============================================

C:\Windows\svchost.exe moved successfully.

The operation completed successfully.
The operation completed successfully.

==== End of Fixlog ====
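The Fixlog line "C:\Windows\svchost.exe moved successfully." is the kind of detail worth understanding rather than just reading past: the thread does not say why FRST was told to move that file, but a genuine svchost.exe is installed under System32 (and SysWOW64 on x64), so a copy sitting directly in C:\Windows is a classic name-collision masquerade. The snippet below is an added example, not code from the thread or from FRST, that encodes that check for a handful of frequently impersonated Windows binaries. The expected-directory table, the WinSxS exclusion and the sample path list are all assumptions constructed for the example.

```python
"""Added example (not from the thread or FRST): flag Windows system-binary names
found outside the directory they are installed in. Expected locations and the
sample paths are constructed for this example."""
import ntpath

WINDIR = r"c:\windows"

# Lower-case parent directories (relative to the Windows directory) where each
# binary legitimately lives. Assumed list; extend for your own environment.
EXPECTED_DIRS = {
    "svchost.exe": {"system32", "syswow64"},
    "csrss.exe": {"system32"},
    "lsass.exe": {"system32"},
    "winlogon.exe": {"system32"},
    "explorer.exe": {""},            # directly under the Windows directory
}


def check_path(path):
    """Return None if the binary is where it belongs, otherwise a finding string."""
    norm = ntpath.normpath(path).lower()
    name = ntpath.basename(norm)
    if name not in EXPECTED_DIRS:
        return None                                  # not a name we track
    if not norm.startswith(WINDIR + "\\"):
        return f"{path}: {name} outside {WINDIR}"
    rel_dir = ntpath.dirname(norm[len(WINDIR) + 1:])
    if rel_dir.split("\\")[0] == "winsxs":
        return None                                  # component store keeps legitimate copies (assumed exclusion)
    if rel_dir in EXPECTED_DIRS[name]:
        return None
    expected = ", ".join(d or "<Windows dir>" for d in sorted(EXPECTED_DIRS[name]))
    return f"{path}: {name} expected under {expected}"


def scan(paths):
    """Run check_path over an iterable of paths and keep only the findings."""
    return [f for f in (check_path(p) for p in paths) if f is not None]


# Constructed sample: the path from the Fixlog plus a few legitimate and bogus ones.
SAMPLE_PATHS = [
    r"C:\Windows\svchost.exe",                       # the file FRST moved in the thread
    r"C:\Windows\System32\svchost.exe",
    r"C:\Windows\SysWOW64\svchost.exe",
    r"C:\Users\User\AppData\Roaming\svchost.exe",    # constructed, not from the thread
    r"C:\Windows\explorer.exe",
    r"C:\Windows\winsxs\amd64_example\svchost.exe",  # constructed component-store copy
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_PATHS):
        print("!", finding)
```

Path checks like this are a cheap first pass, not proof of anything: a file in the right directory can still be trojanised, so the usual follow-up is to verify the Authenticode signature and compare the hash against a known-good copy.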


#8 CatByte (Malware Response Team)

Posted 16 December 2012 - 12:41 PM

That looks good. Please run the following:

Refer to the ComboFix User's Guide

  • Download ComboFix from the following location:

    Link

    * IMPORTANT !!! Place ComboFix.exe on your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
    You can get help on disabling your protection programs here
  • Double click on ComboFix.exe & follow the prompts.
  • Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  • When finished, it shall produce a log for you. Post that log in your next reply.

    Note:
    Do not mouse-click ComboFix's window while it's running. That may cause it to stall.


    ---------------------------------------------------------------------------------------------
  • Ensure your AntiVirus and AntiSpyware applications are re-enabled.

    ---------------------------------------------------------------------------------------------

NOTE: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.



#9 DigitalFool (Topic Starter)

Posted 16 December 2012 - 06:59 PM


ComboFix 12-12-14.01 - User 12/16/2012  16:52:55.1.2 - x64
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.4056.2459 [GMT -6:00]
Running from: c:\users\User\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {B140BF4E-23BB-4198-90AB-A51A4C60A69C}
SP: Microsoft Security Essentials *Disabled/Updated* {0A215EAA-0581-4E16-AA1B-9E6837E7EC21}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\id.txt
c:\windows\COUPon~1.ocx
c:\windows\SysWow64\URTTemp
c:\windows\SysWow64\URTTemp\regtlib.exe
.
.
(((((((((((((((((((((((((   Files Created from 2012-11-16 to 2012-12-16  )))))))))))))))))))))))))))))))
.
.
2012-12-16 23:33 . 2012-12-16 23:33	--------	d-----w-	c:\users\Default\AppData\Local\temp
2012-12-16 17:25 . 2012-12-16 17:25	76232	----a-w-	c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{B517BF6B-F34F-4A2B-B6F1-AAACA89A5B0F}\offreg.dll
2012-12-16 16:13 . 2012-11-08 17:24	9125352	----a-w-	c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{B517BF6B-F34F-4A2B-B6F1-AAACA89A5B0F}\mpengine.dll
2012-12-16 15:36 . 2012-11-08 17:24	9125352	----a-w-	c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-12-16 06:09 . 2012-12-16 06:09	--------	d-----w-	C:\FRST
2012-12-16 04:23 . 2012-11-02 05:59	478208	----a-w-	c:\windows\system32\dpnet.dll
2012-12-16 04:23 . 2012-11-02 05:11	376832	----a-w-	c:\windows\SysWow64\dpnet.dll
2012-12-09 00:45 . 2012-12-09 00:45	--------	d-----w-	C:\TDSSKiller_Quarantine
2012-12-08 06:11 . 2012-12-08 21:23	--------	d-----w-	c:\windows\Microsoft Antimalware
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-12-16 15:47 . 2010-02-28 01:43	67413224	----a-w-	c:\windows\system32\MRT.exe
2012-12-12 01:56 . 2012-06-09 01:46	73656	----a-w-	c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-12-12 01:56 . 2012-06-09 01:46	697272	----a-w-	c:\windows\SysWow64\FlashPlayerApp.exe
2012-10-16 08:38 . 2012-12-07 02:20	135168	----a-w-	c:\windows\apppatch\AppPatch64\AcXtrnal.dll
2012-10-16 08:38 . 2012-12-07 02:20	350208	----a-w-	c:\windows\apppatch\AppPatch64\AcLayers.dll
2012-10-16 07:39 . 2012-12-07 02:20	561664	----a-w-	c:\windows\apppatch\AcLayers.dll
2012-10-09 18:17 . 2012-11-16 07:54	55296	----a-w-	c:\windows\system32\dhcpcsvc6.dll
2012-10-09 18:17 . 2012-11-16 07:54	226816	----a-w-	c:\windows\system32\dhcpcore6.dll
2012-10-09 17:40 . 2012-11-16 07:54	44032	----a-w-	c:\windows\SysWow64\dhcpcsvc6.dll
2012-10-09 17:40 . 2012-11-16 07:54	193536	----a-w-	c:\windows\SysWow64\dhcpcore6.dll
2012-10-08 11:13 . 2012-11-16 09:04	96768	----a-w-	c:\windows\system32\mshtmled(35).dll
2012-10-04 16:40 . 2012-12-16 04:24	44032	----a-w-	c:\windows\apppatch\acwow64.dll
2012-10-03 17:56 . 2012-11-16 07:54	1914248	----a-w-	c:\windows\system32\drivers\tcpip.sys
2012-10-03 17:44 . 2012-11-16 07:54	70656	----a-w-	c:\windows\system32\nlaapi.dll
2012-10-03 17:44 . 2012-11-16 07:54	303104	----a-w-	c:\windows\system32\nlasvc.dll
2012-10-03 17:44 . 2012-11-16 07:54	246272	----a-w-	c:\windows\system32\netcorehc.dll
2012-10-03 17:44 . 2012-11-16 07:54	18944	----a-w-	c:\windows\system32\netevent.dll
2012-10-03 17:44 . 2012-11-16 07:54	216576	----a-w-	c:\windows\system32\ncsi.dll
2012-10-03 17:42 . 2012-11-16 07:54	569344	----a-w-	c:\windows\system32\iphlpsvc.dll
2012-10-03 16:42 . 2012-11-16 07:54	175104	----a-w-	c:\windows\SysWow64\netcorehc.dll
2012-10-03 16:42 . 2012-11-16 07:54	18944	----a-w-	c:\windows\SysWow64\netevent.dll
2012-10-03 16:42 . 2012-11-16 07:54	156672	----a-w-	c:\windows\SysWow64\ncsi.dll
2012-10-03 16:07 . 2012-11-16 07:54	45568	----a-w-	c:\windows\system32\drivers\tcpipreg.sys
2012-10-02 23:52 . 2012-02-11 03:05	972192	------w-	c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\NISBackup\gapaengine.dll
2012-09-30 01:54 . 2010-05-31 19:46	25928	----a-w-	c:\windows\system32\drivers\mbam.sys
2012-09-25 22:47 . 2012-11-16 07:54	78336	----a-w-	c:\windows\SysWow64\synceng.dll
2012-09-25 22:46 . 2012-11-16 07:54	95744	----a-w-	c:\windows\system32\synceng.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Spotify Web Helper"="c:\users\User\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe" [2012-11-21 1199576]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"PDVDDXSrv"="c:\program files (x86)\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2009-06-25 140520]
"Dell Webcam Central"="c:\program files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe" [2009-06-24 409744]
"Desktop Disc Tool"="c:\program files (x86)\Roxio\Roxio Burn\RoxioBurnLauncher.exe" [2009-10-15 498160]
"DellSupportCenter"="c:\program files (x86)\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"VirtualCloneDrive"="c:\program files (x86)\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" [2009-06-17 85160]
"AppleSyncNotifier"="c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-09-27 59240]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-08-28 59280]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2011-10-24 421888]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-07-31 38872]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-11 919008]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2012-09-10 421776]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce]
"Malwarebytes Anti-Malware (cleanup)"="c:\programdata\Malwarebytes\Malwarebytes' Anti-Malware\cleanup.dll" [2012-09-30 1089608]
.
c:\users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock.lnk - c:\program files\Dell\DellDock\DellDock.exe [2009-9-21 1316192]
.
c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock First Run.lnk - c:\program files\Dell\DellDock\DellDock.exe [2009-9-21 1316192]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"mixer"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R3 BBSvc;Bing Bar Update Service;c:\program files (x86)\Microsoft\BingBar\BBSvc.EXE [2011-02-28 183560]
R3 DisplayLinkUsbPort;DisplayLink USB Device;c:\windows\system32\DRIVERS\DisplayLinkUsbPort_5.6.31854.0.sys [2011-04-11 17408]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2012-08-31 128456]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe [2012-09-13 368896]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 59392]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [2012-07-09 52736]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-04-21 1255736]
S0 dlkmdldr;dlkmdldr;c:\windows\system32\drivers\dlkmdldr.sys [2011-04-10 13936]
S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [2009-07-09 55280]
S2 DisplayLinkService;DisplayLinkManager;c:\program files\DisplayLink Core Software\DisplayLinkManager.exe [2011-04-10 9663848]
S2 DockLoginService;Dock Login Service;c:\program files\Dell\DellDock\DockLogin.exe [2009-06-09 155648]
S2 vseamps;vseamps;c:\program files\Common Files\Authentium\AntiVirus5\vseamps.exe [2010-04-08 149544]
S2 vsedsps;vsedsps;c:\program files\Common Files\Authentium\AntiVirus5\vsedsps.exe [2010-04-08 148008]
S2 vseqrts;vseqrts;c:\program files\Common Files\Authentium\AntiVirus5\vseqrts.exe [2010-04-08 205352]
S3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\system32\DRIVERS\CtClsFlt.sys [2009-06-15 172704]
S3 dlkmd;dlkmd;c:\windows\system32\drivers\dlkmd.sys [2011-04-10 206960]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [2009-05-09 215552]
S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x64.sys [2009-05-20 393728]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - 58747570
*Deregistered* - 58747570
.
Contents of the 'Scheduled Tasks' folder
.
2012-12-16 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-06-09 01:56]
.
2012-12-16 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-01-30 05:36]
.
2012-12-16 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-01-30 05:36]
.
2012-12-13 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3099096433-2408369735-2771841108-1000Core1cc557cc46fa2d3.job
- c:\users\User\AppData\Local\Google\Update\GoogleUpdate.exe [2010-07-30 00:25]
.
2012-12-16 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3099096433-2408369735-2771841108-1000UA.job
- c:\users\User\AppData\Local\Google\Update\GoogleUpdate.exe [2010-07-30 00:25]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SysTrayApp"="c:\program files\IDT\WDM\sttray64.exe" [2009-06-29 444416]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-06-30 165912]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-06-30 385560]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-06-30 365080]
"IAAnotif"="c:\program files (x86)\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2009-06-05 186904]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-09-13 1289704]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.yahoo.com/
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: kodakgallery.com\www
TCP: DhcpNameServer = 192.168.0.1
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
SafeBoot-87737651.sys
Toolbar-Locked - (no file)
HKLM-Run-SynTPEnh - c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_5_502_135_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_5_502_135_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_5_502_135_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_5_502_135_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_135.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_135.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_135.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_135.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2012-12-16  17:49:55
ComboFix-quarantined-files.txt  2012-12-16 23:49
.
Pre-Run: 101,165,068,288 bytes free
Post-Run: 102,422,458,368 bytes free
.
- - End Of File - - FB5B67655EB7AC8BDE37DE2D73434194


Edited by DigitalFool, 16 December 2012 - 07:03 PM.


#10 CatByte (Malware Response Team)

Posted 16 December 2012 - 07:25 PM

Please run the following:

Please download Junkware Removal Tool to your desktop.
  • Shut down your antivirus to avoid any conflicts.
  • Right-mouse click JRT.exe and select Run as administrator
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message


NEXT


Download AdwCleaner from here and save it to your desktop.
  • Run AdwCleaner and select Delete
  • Once done it will ask to reboot, allow the reboot
  • On reboot a log will be produced, please attach the content of the log to your next reply


NEXT

  • Please open your MalwareBytes AntiMalware Program
  • Click the Update Tab and search for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.



NEXT


Go here to run an online scanner from ESET.
  • Turn off the real-time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activeX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan completes, press the LIST OF THREATS FOUND button
  • Press EXPORT TO TEXT FILE , name the file ESETSCAN and save it to your desktop
  • Include the contents of this report in your next reply.
  • Press the BACK button.
  • Press Finish



#11 DigitalFool (Topic Starter)

Posted 16 December 2012 - 11:12 PM

JRT

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 4.1.6 (12.15.2012:2)
OS: Windows 7 Home Premium x64
Ran by User on Sun 12/16/2012 at 18:33:19.47
Blog: http://thisisudax.blogspot.com
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




~~~ Services



~~~ Registry Values



~~~ Registry Keys

Successfully deleted: [Registry Key] hkey_local_machine\software\classes\appid\iehelperv2.5.0.dll
Successfully deleted: [Registry Key] hkey_local_machine\software\classes\iehelperv250.wecarereminder
Successfully deleted: [Registry Key] hkey_local_machine\software\classes\iehelperv250.wecarereminder.1
Successfully deleted: [Registry Key] hkey_classes_root\clsid\{d824f0de-3d60-4f57-9eb1-66033ecd8abb}
Successfully deleted: [Registry Key] hkey_local_machine\software\microsoft\windows\currentversion\explorer\browser helper objects\{d824f0de-3d60-4f57-9eb1-66033ecd8abb}



~~~ Files



~~~ Folders

Successfully deleted: [Folder] "C:\ProgramData\wecarereminder"
Successfully deleted: [Folder] "C:\Program Files (x86)\coupons"



~~~ Event Viewer Logs were cleared





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Sun 12/16/2012 at 18:41:33.08
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

ADWCleaner

# AdwCleaner v2.101 - Logfile created 12/16/2012 at 19:07:28
# Updated 16/12/2012 by Xplode
# Operating system : Windows 7 Home Premium Service Pack 1 (64 bits)
# User : User - LAPTOP-PC
# Boot Mode : Normal
# Running from : C:\Users\User\Desktop\adwcleaner.exe
# Option [Delete]


***** [Services] *****


***** [Files / Folders] *****


***** [Registry] *****

Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{D824F0DE-3D60-4F57-9EB1-66033ECD8ABB}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D824F0DE-3D60-4F57-9EB1-66033ECD8ABB}
Key Deleted : HKCU\Software\wecarereminder
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{4FBBF769-ECEB-420A-B536-133B1D505C36}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{B12920CF-BE13-4C09-890D-1B6EFFFE2FBE}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{F773BB94-6C19-4643-A570-0E429103D1C3}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{F773BB94-6C19-4643-A570-0E429103D1C3}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{AC5B6CDA-8F90-4740-9A8C-28AC5D3C73FE}

***** [Internet Browsers] *****

-\\ Internet Explorer v9.0.8112.16457

[OK] Registry is clean.

-\\ Google Chrome v23.0.1271.97

File : C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

*************************

AdwCleaner[S1].txt - [1414 octets] - [16/12/2012 19:07:28]

########## EOF - C:\AdwCleaner[S1].txt - [1474 octets] ##########

MalwareBytes

Malwarebytes Anti-Malware 1.65.1.1000
www.malwarebytes.org

Database version: v2012.12.16.08

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
User :: LAPTOP-PC [administrator]

12/16/2012 7:17:13 PM
mbam-log-2012-12-16 (19-17-13).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 213132
Time elapsed: 4 minute(s), 32 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

ESET

C:\TDSSKiller_Quarantine\08.12.2012_18.45.14\mbr0000\tdlfs0000\tsk0001.dta	a variant of Win64/Olmarik.AM trojan
C:\TDSSKiller_Quarantine\15.12.2012_21.11.50\mbr0000\tdlfs0000\tsk0001.dta	a variant of Win64/Olmarik.AM trojan


#12 CatByte (Malware Response Team)

Posted 16 December 2012 - 11:16 PM

Please run the following:

Visit ADOBE and download the latest version of Acrobat Reader (version XI)
Having the latest updates ensures there are no security vulnerabilities in your system.

NEXT

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.
  • Download the latest version of Java Runtime Environment (JRE) 7 and Save it to your Desktop.
  • Scroll down to where it says Java SE 7u9
  • Click the Download button under JRE to the right.
  • Read the License Agreement then select Accept License Agreement
  • Click on the link to download Windows x86 Offline and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add or Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java™ 6) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-7u9-windows-i586.exe to install the newest version.
  • After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
  • On the General tab, under Temporary Internet Files, click the Settings button.
  • Next, click on the Delete Files button
  • There are three options in the window to clear the cache. Leave these two checked:

    Trace and Log Files
    Cached Applications and Applets
  • Click OK on Delete Temporary Files Window
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Temporary Files Window
  • Click OK to leave the Java Control Panel.


NEXT



Please advise how the computer is running now and if there are any outstanding issues



#13 DigitalFool (Topic Starter)

Posted 17 December 2012 - 12:03 AM

Done - Thanks for the help!

#14 CatByte (Malware Response Team)

Posted 17 December 2012 - 12:12 AM

We just have some housekeeping to do now,

Please do the following:


You can delete the TDSSKiller, JRT and the Farbar logs and programs from your desktop.


NEXT


Follow these steps to uninstall Combofix

  • Make sure your security programs are totally disabled.
  • Press the WinKey +R to open a run box
  • Now copy/paste Combofix /uninstall into the runbox and click OK. Note the space between the ..X and the /U, it needs to be there.



NEXT

  • Double click on adwcleaner.exe to run the tool.
  • Click on Uninstall.
  • Confirm with yes.


If there are any logs/tools remaining on your desktop > right click and delete them.


NEXT


Below I have included a number of recommendations for how to protect your computer against malware infections.

  • It is good security practice to change your passwords to all your online accounts on a fairly regular basis; this is especially true after an infection. Refer to this Microsoft article
    Strong passwords: How to create and use them
    Then consider a password keeper, to keep all your passwords safe. KeePass is a small utility that allows you to manage all your passwords.

  • Keep Windows updated by regularly checking their website at :
    http://windowsupdate.microsoft.com/
    This will ensure your computer always has the latest security updates installed.

  • Make Internet Explorer more secure
    • Click Start > Run
    • Type Inetcpl.cpl & click OK
    • Click on the Security tab
    • Click Reset all zones to default level
    • Make sure the Internet Zone is selected & Click Custom level
    • In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls") to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
    • Next Click OK, then Apply button and then OK to exit the Internet Properties page.

  • Download TFC to your desktop
    • Close any open windows.
    • Double click the TFC icon to run the program
    • TFC will close all open programs itself in order to run.
    • Click the Start button to begin the process.
    • Allow TFC to run uninterrupted.
    • The program should not take long to finish its job.
    • Once it's finished it should automatically reboot your machine.
    • If it doesn't, manually reboot to ensure a complete clean.
    It's normal after running TFC cleaner that the PC will be slower to boot the first time.

  • WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
    • Green to go
    • Yellow for caution
    • Red to stop
    WOT has an addon available for both Firefox and IE

  • Keep a backup of your important files - Now, more than ever, it's especially important to protect your digital files and memories. This article is full of good information on alternatives for home backup solutions.

  • ERUNT (Emergency Recovery Utility NT) allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.

  • In light of your recent issue, I'm sure you'd like to avoid any future infections. Please take a look at these well written articles:
    PC Safety and Security--What Do I Need?
    Simple and easy ways to keep your computer safe and secure on the Internet

Thank you for your patience, and performing all of the procedures requested.

Please respond one last time so we can consider the thread resolved and close it, thank you.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015
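The "Make Internet Explorer more secure" steps above change three Internet zone Custom level options by hand. As an added check (example code, not from the thread or its participants), this PowerShell script reads those three settings from the per-user zone key and reports any that are still weaker than the values given; the registry action ids and value meanings are the ones Microsoft documents for these options, and the `$apply` switch is an assumption of this example.

```powershell
# Added example, not part of the thread: audit the three Internet zone ActiveX
# settings the Custom level steps above set by hand.
# Zone 3 = Internet zone. The value names are the registry action ids Microsoft
# documents for these Custom level options; stored values mean
# 0 = Enable, 1 = Prompt, 3 = Disable.
$zonePath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$apply    = $false   # set to $true to write the recommended value where weaker

$recommended = @(
    @{ Id = '1001'; Name = 'Download signed ActiveX controls';                         Want = 1 },
    @{ Id = '1004'; Name = 'Download unsigned ActiveX controls';                       Want = 1 },
    @{ Id = '1201'; Name = 'Initialize and script ActiveX controls not marked as safe'; Want = 3 }
)
$meaning = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

$zone = Get-ItemProperty -Path $zonePath
foreach ($s in $recommended) {
    $current = $zone.($s.Id)
    if ($current -eq $null) {
        # No per-user value: the zone is using the built-in default, or a
        # machine-wide policy (HKLM, Security_HKLM_only) is in control.
        Write-Host ('{0,-6} {1}: no per-user value set (default or machine policy)' -f 'CHECK', $s.Name)
        continue
    }
    # Higher value = more restrictive, so anything at or above Want is acceptable
    # (the Internet zone default for unsigned controls is already Disable).
    $ok     = $current -ge $s.Want
    $status = if ($ok) { 'OK' } else { 'WEAK' }
    $cur    = if ($meaning.ContainsKey([int]$current)) { $meaning[[int]$current] } else { $current }
    Write-Host ('{0,-6} {1}: current={2}, recommended at least={3}' -f $status, $s.Name, $cur, $meaning[$s.Want])
    if (-not $ok -and $apply) {
        Set-ItemProperty -Path $zonePath -Name $s.Id -Value $s.Want -Type DWord
    }
}
```

Restart Internet Explorer after applying a change; the zone values are read when the browser starts.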


#15 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 26 December 2012 - 07:07 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015
