Computer settings keep changing, I am advised to contact my administrator.


This topic is locked. 61 replies to this topic.

#1 thorosport

  • Members
  • 35 posts
  • Gender:Female
  • Location:South Carolina, USA

Posted 12 March 2013 - 05:42 PM

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 8.0.7600.16385
Run by Harris at 18:28:47 on 2013-03-12
#Option MBR scan  is disabled.
Microsoft Windows 7 Home Premium   6.1.7600.0.1252.1.1033.18.2998.2056 [GMT -4:00]
.
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\sppsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Google\Google Toolbar\GoogleToolbarUser_32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\Macromed\Flash\FlashUtil32_11_6_602_180_ActiveX.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - c:\program files\google\googletoolbarnotifier\5.7.8313.1002\swg.dll
TB: Google Toolbar: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
TCP: NameServer = 192.168.2.1
TCP: Interfaces\{4BE3EA69-35AC-41A0-9C43-949C532B6FA4} : DHCPNameServer = 192.168.2.1
SSODL: WebCheck - <orphaned>
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "c:\program files\google\chrome\application\25.0.1364.172\installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
.
============= SERVICES / DRIVERS ===============
.
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2009-6-10 139776]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
.
=============== Created Last 30 ================
.
2013-03-12 21:21:59 -------- dc----w- c:\users\harris\appdata\local\MigWiz
2013-03-12 18:07:05 18944 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\mdippr.dll
2013-03-12 18:07:05 17920 ----a-w- c:\windows\system32\mdimon.dll
2013-03-12 18:06:50 -------- d-----w- c:\program files\Microsoft ActiveSync
2013-03-12 18:05:29 -------- d-----w- c:\windows\PCHEALTH
2013-03-12 17:59:43 60872 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{9e28bcd2-2f92-4b1f-b251-4bec612e9568}\offreg.dll
2013-03-12 17:52:26 -------- d-----w- c:\windows\Panther
2013-03-12 17:49:30 6954968 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{9e28bcd2-2f92-4b1f-b251-4bec612e9568}\mpengine.dll
2013-03-12 17:49:24 232336 ------w- c:\windows\system32\MpSigStub.exe
2013-03-12 17:49:10 -------- d-sh--w- c:\windows\Installer
2013-03-12 17:48:56 -------- d-----w- c:\users\harris\appdata\local\Google
2013-03-12 17:48:51 73432 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-03-12 17:48:51 693976 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-03-12 17:36:29 -------- d-----w- c:\windows\system32\wbem\Performance
2013-03-12 17:35:42 2422272 ----a-w- c:\windows\system32\wucltux.dll
2013-03-12 17:35:25 33792 ----a-w- c:\windows\system32\wuapp.exe
2013-03-12 17:35:25 171904 ----a-w- c:\windows\system32\wuwebv.dll
2013-03-12 17:25:45 -------- d-----w- c:\program files\Sony
2013-03-12 17:25:32 -------- d-----w- c:\program files\XP Codec Pack
2013-03-12 17:25:04 -------- d-----w- c:\program files\The FTW Transcriber
2013-03-12 16:10:48 -------- d-----w- c:\users\harris\appdata\roaming\Uniblue
2013-03-12 16:10:48 -------- d-----w- c:\program files\Uniblue
2013-03-12 16:00:00 -------- d-----w- c:\users\harris\appdata\local\Apps
2013-03-12 14:42:43 -------- d-----w- c:\users\harris\appdata\roaming\Malwarebytes
2013-03-12 14:42:38 -------- d-----w- c:\programdata\Malwarebytes
2013-03-12 14:42:38 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2013-03-12 14:42:26 -------- d-----w- c:\users\harris\appdata\local\Programs
2013-03-12 14:09:37 -------- d-----w- c:\users\harris\appdata\local\ElevatedDiagnostics
2013-03-12 14:05:17 -------- d-----w- C:\Intel
.
==================== Find3M  ====================
.
.
============= FINISH: 18:28:57.77 ===============
 


As clarification to my original post, I am a freelancer, have no one else administering my computer, and have a real need for a secure work computer due to the confidential nature of my work.  I did the clean install thinking that would cure whatever it was that had crept in, but I find three different shares under computer management, ADMIN$, C$ and IPC$, and much to my dismay, after my clean install, on checking my C drive, it now shows that it too is shared.  This is totally unacceptable and I need to get my computer clean and back to baseline in order to continue working.  Thanking you in advance, I know all you guys and gals are great at what you do, so I wanted to make sure I was clear on my problems.  Will wait to hear from you.  As an aside, my computer now tells me I have no internet connection, ONLY when I refresh this website; other tabs that I have open at the same time refresh and show data as normal.  Thanks again!


Edited by hamluis, 12 March 2013 - 08:37 PM.
Merged posts, moved topic from Am I Infected to Malware Removal Logs - Hamluis.
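A caveat a practitioner would want on the three shares named in post #1: ADMIN$ (the Windows directory), C$ (the root of the system volume) and IPC$ (the named-pipe share used for RPC and the server service) are the administrative shares the Server service creates on every Windows installation. They come back after a clean install because they are built in, and Explorer shows C: as "shared" because C$ is a share of its root. They are usable only by members of the local Administrators group, and on Windows 7 a network logon with a local account other than the built-in Administrator receives a UAC-filtered token unless LocalAccountTokenFilterPolicy is set to 1, so an ordinary local admin account cannot reach C$ over the network by default. The PowerShell below is an added example written for this page, not a tool from the thread. It uses the WMI Win32_Share class so it runs on the PowerShell 2.0 that ships with Windows 7, lists every share, marks which ones match the built-in pattern by name, type and path (not name alone), and reads the two registry values that govern the behaviour. The share names and type codes are Microsoft's; nothing else is assumed.

```powershell
# Added example for this page, not from the thread: review the SMB shares on a Windows 7
# machine and separate the built-in administrative shares from anything user-created.
# Uses WMI (Win32_Share) so it works on PowerShell 2.0 as shipped with Windows 7.

# Win32_Share.Type values as documented by Microsoft; string keys so the UInt32 lookup works.
$shareTypeNames = @{
    '0'          = 'Disk'
    '1'          = 'Print queue'
    '2'          = 'Device'
    '3'          = 'IPC'
    '2147483648' = 'Disk (administrative)'
    '2147483649' = 'Print queue (administrative)'
    '2147483650' = 'Device (administrative)'
    '2147483651' = 'IPC (administrative)'
}

function Test-DefaultAdminShare {
    # True only for the shares Windows creates itself, checked by name, type AND path,
    # so a user-created share that merely reuses the name "C$" on another folder is not waved through.
    param($Share)
    $adminDisk = 2147483648
    $adminIpc  = 2147483651
    if ($Share.Name -eq 'IPC$')   { return ($Share.Type -eq $adminIpc) }
    if ($Share.Name -eq 'ADMIN$') { return ($Share.Type -eq $adminDisk -and $Share.Path -eq $env:SystemRoot) }
    if ($Share.Name -match '^[A-Z]\$$') {
        # Drive-root share such as C$: the path must be exactly that drive's root.
        $expectedRoot = $Share.Name.Substring(0, 1) + ':\'
        return ($Share.Type -eq $adminDisk -and $Share.Path -eq $expectedRoot)
    }
    return $false
}

function Get-ShareReview {
    foreach ($share in Get-WmiObject -Class Win32_Share) {
        $verdict = if (Test-DefaultAdminShare $share) { 'built-in administrative share' } else { 'REVIEW: not a default share' }
        New-Object PSObject -Property @{
            Name    = $share.Name
            Path    = $share.Path
            Type    = $shareTypeNames[[string]$share.Type]
            Verdict = $verdict
        }
    }
}

Get-ShareReview | Format-Table Name, Path, Type, Verdict -AutoSize

# Policy that decides whether the administrative shares are created on a workstation.
# Absent or 1 = created at every Server-service start (the default); 0 = suppressed.
$lanman    = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$autoShare = (Get-ItemProperty -Path $lanman -Name AutoShareWks -ErrorAction SilentlyContinue).AutoShareWks
if ($autoShare -eq $null) { 'AutoShareWks not set: administrative shares are created (default)' }
else                      { "AutoShareWks = $autoShare" }

# Remote use of the admin shares by a local (non-domain) account other than the built-in
# Administrator gets a UAC-filtered token unless this value is 1.
$policySystem = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$tokenFilter  = (Get-ItemProperty -Path $policySystem -Name LocalAccountTokenFilterPolicy -ErrorAction SilentlyContinue).LocalAccountTokenFilterPolicy
if ($tokenFilter -eq 1) { 'LocalAccountTokenFilterPolicy = 1: remote admin token filtering DISABLED (review)' }
else                    { 'LocalAccountTokenFilterPolicy absent or 0: remote local-admin logons get filtered tokens (default)' }
```

Anything flagged REVIEW (a HomeGroup "Users" share, print$, or a share created with `net share`) is worth a look; the three default shares themselves are not evidence of compromise. Setting AutoShareWks to 0 removes them until the next reboot of the Server service only if nothing recreates them, and doing so breaks remote administration tools that rely on ADMIN$, so it is a trade-off rather than a fix.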



#2 Oh My!

    Adware and Spyware and Malware.....

  • Malware Response Instructor
  • 37,972 posts
  • Gender:Male
  • Location:California

Posted 15 March 2013 - 09:03 AM

Greetings thorosport and :welcome: to BleepingComputer's Virus/Trojan/Spyware/Malware Removal forum.

My name is Oh My! and I am here to help you! Now that we are "friends" please call me Gary.

If you would allow me to call you by your first name I would prefer to do that. :thumbup2:

===================================================

Ground Rules:
  • First, I would like to inform you that most of us here at Bleeping Computer offer our expert assistance out of the goodness of our hearts. Please try to match our commitment to you with your patience toward us. If this was easy we would never have met. :)
  • Please do not run any tools or take any steps other than those I will provide for you while we work on your computer together. I need to be certain about the state of your computer in order to provide appropriate and effective steps for you to take. Most often "well intentioned" (and usually panic driven!) independent efforts can make things much worse for both of us. If at any point you would prefer to take your own steps please let me know, I will not be offended. I would be happy to focus on the many others who are waiting in line for assistance.
  • Please perform all steps in the order they are listed in each set of instructions. Some steps may be a bit complicated. If things are not clear, be sure to stop and let me know. We need to work on this together with confidence.
  • Please copy and paste all logs into your post unless directed otherwise. Please do not re-run any programs I suggest. If you encounter problems simply stop and tell me about it.
  • When you post your reply, do not use the Start New Topic button but use the Add Reply button instead.
  • In the upper right hand corner of the topic you will see the Watch Topic button. Click on this then choose Immediate E-Mail notification and then Proceed and you will be sent an email once I have posted a response.
  • If you do not reply to your topic after 5 days we assume it has been abandoned and I will close it.
  • When your computer is clean I will alert you of such. I will also provide for you detailed information about how you can combat future infections.
  • I would like to remind you to make no further changes to your computer unless I direct you to do so.
  • Now let's get started :thumbup2:
===================================================

Now that I am assisting you, you can expect that I will be very responsive to your situation. If you are able, I would request you check this thread at least once per day so that we can try to resolve your issues effectively and efficiently. If you are going to be delayed please be considerate and post that information so that I know you are still with me. Unfortunately, there are many people waiting to be assisted and not enough of us at BleepingComputer to go around. I appreciate your understanding and diligence.

Thank you for your patience thus far. Here is where I would like to start.

===================================================

Run Combofix in Vista/7

--------------------

Combofix is a very powerful tool and special attention must be taken to allow it to work properly. Please pay careful attention to the following instructions.

sUBs, the author of Combofix, recommends you to uninstall AVG or CA Internet Security before running the program. If you have either of these programs on your computer please uninstall them using AppRemover which can be downloaded here. We will be sure to reinstall the Antivirus program once we are finished using Combofix.
  • Please download ComboFix from one of these locations:

BleepingComputer
ForoSpyware

  • Save Combofix.exe to your Desktop <-- Important!!!
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts. It is important you do not mouseclick while the program is running or it may stall.
Note #1: Often times it may appear as if ComboFix has stopped working. To verify it is still running please do one of the following below. If, based on the below, you have concluded ComboFix has stopped running please stop and advise me.
  • Check your computer clock. If it is still running then so is ComboFix
  • Open Task Manager and select the Applications Tab. If the status of AutoScan is Running, then ComboFix is running
  • Open Task Manager and select the Processes Tab. Under Image Name look for files ending in .3xe. If there are fluctuating numbers under CPU and Mem Usage then ComboFix is running
Note #2: If you receive the following error "Illegal operation attempted on a registry key that has been marked for deletion" please just restart your computer to resolve this issue

If Combofix fails to run properly using the above instructions please attempt the following:
  • Right click on the Combofix icon on your desktop and select Delete
  • Download a new copy but rename it to freshcopy.exe first, then save it to your desktop
  • Now download RKill.exe (or RKill renamed as iExplore.exe if the first one doesn't work properly) and save it to your desktop
  • Restart your computer in Safe Mode
  • Right click on RKill (or iExplore) and select Run as Administrator. If you are using Windows XP simply double click the icon
  • A black DOS screen should flash and disappear. If not, try to launch the program with the second file. If neither works please stop and let me know
  • When RKill is finished running you will be presented with a text file and a copy will be saved on your desktop. Copy and paste the contents of this report in your reply
  • Do not reboot your computer
  • Double click the freshcopy.exe icon (renamed Combofix file)
  • When finished, it will produce a log. Please copy and paste the C:\Combofix.txt log information in your next reply
  • If you disabled your antivirus please enable it again. If you uninstalled it please wait for instructions to reinstall it
===================================================

aswMBR

--------------------
  • Download aswMBR and save it to your desktop.
  • Please disable your real time protection of any Antivirus, Antispyware or Antimalware programs temporarily. They will interfere and may cause unexpected results.
  • If you need help to disable your protection programs see here and here.
  • Double click the aswMBR.exe file to run it. Please allow when you are asked to download AVAST antivirus engine defs.
  • Wait until the AV update is done, then click on the Scan button to start. The program will launch a scan.


  • When done, you will see Scan finished successfully. Please click on Save log and save the file to your desktop.


  • Please post the contents of the log in your next reply.
NOTE: aswMBR will create MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.

===================================================

AdwCleaner by Xplode - Delete Adware

-------------------
  • Please download AdwCleaner by Xplode onto your desktop.
  • Close all open programs and internet browser
  • Double click on AdwCleaner.exe, select OK, then Run
  • Click on Delete
  • Confirm each time with OK
  • Your computer will be rebooted automatically. A text file will open after the restart
  • Copy and paste the contents in your reply
  • You can find the logfile at C:\AdwCleaner[S1].txt
===================================================

Junkware Removal Tool by thisisu

-------------------
  • Please download Junkware Removal Tool and save it to your desktop.
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Right-mouse click JRT.exe and select Run as administrator (Windows XP double click the icon)
  • Please allow the program time to run
  • Once completed a Notepad document will open on your desktop
  • Copy and paste the contents in your reply
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it. :thumbsup2:
  • Combofix log
  • aswMBR log
  • AdwCleaner log
  • Junkware log

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#3 thorosport (Topic Starter)

Posted 15 March 2013 - 02:11 PM

Hi Gary!

Am I ever glad to be your friend.  Please call me Maureen.  Now onto the more pertinent news.  Tried downloading combofix from both sites, one at a time, and got the same error each time I tried, which is Location is not available, C:\ is not accessible.  Access is denied.  That box popped up after it appeared, and some time had lapsed, that the program was downloading. 

 

Thanks so much for your time and effort in this.  I know it is invaluable.  I will be patient, knowing I am in great hands, and wait for your next reply.  Maureen

 



#4 Oh My!

Posted 15 March 2013 - 02:41 PM

Nice to meet you Maureen.

When you downloaded DDS, did you do it the same way you are trying to download Combofix, meaning saving it directly to your desktop?
Gary
 

#5 thorosport (Topic Starter)

Posted 15 March 2013 - 02:48 PM

I did.   And I am sooo sorry I should have made mention of what has transpired since then.  I do work on line for a variety of companies and because my settings kept changing I had become unable to send work over the internet.  My computer (again, as today) would appear to be loading the files, and in a few minutes would return to the submit files page.  In other words, appears to be working normally and then pops up with the error code.  Last night, just in an effort to get my work through, I did another install of Windows 7 and it went through okay.

 

However, listening to my friend as I lamented about my problems, he attempted to walk me through changing the permissions through the MMC thingagig, so there may be another problem complicating things.  As your initial email said, impatience, frustration, all reigns supreme when our computers are out of whack!!



#6 Oh My!

Posted 15 March 2013 - 03:05 PM

Hi Maureen,

Thanks for the update. From this point forward, if it is necessary to download programs to a USB device and then transfer it to the desktop of the sick computer please do so.

Let's try this. There is a possibility some of the steps won't complete. If so, please just move on. What I am really interested in most is completion of the final step.

===================================================

Windows Repair (All in One)

--------------------
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Download Windows Repair (All in One) and save it to your desktop
  • Double click the icon and select Run
  • Continually click Next, then Finish
  • Go to Step 2 and allow it to run CheckDisk by clicking on Do It button:


  • Once that is done then go to Step 3 and allow it to run System File Check by clicking on Do It button:


  • Go to Step 4 and under "System Restore" click on Create button:


  • Go to Start Repairs tab and click Start button.


  • Please ensure that ONLY the following items are checked (they're all checked by default):

Reset Registry Permissions
Reset File Permissions
Register System Files
Repair WMI
Repair Windows Firewall
Repair Internet Explorer
Repair Hosts File
Remove Policies Set By Infections
Repair Winsock & DNS Cache
Remove Temp Files
Repair Proxy Settings
Unhide Non System Files
Repair Windows Updates
Repair Volume Shadow Copy Service
Set Windows Services To Default Startup
Repair MSI (Windows Installer)

  • Click on box next to the Restart System when Finished. Then click on Start
  • Your computer will reboot upon completion
  • Copy and paste the contents of the following log in your reply:

C:\Tweaking.com_Windows_Repair_Logs\_Windows_Repair_Log.txt

===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it. :thumbsup2:
  • Windows Repair log
  • Any difference?

Gary
 

#7 thorosport (Topic Starter)

Posted 15 March 2013 - 03:16 PM

Hi Gary,

Again, as the file is downloading, looks perfect, gets to 99% completion and the same error box comes up that C:\ is not accessible, even though I have been very careful to save to the appropriate disk drive label, i.e., E:\ (removable media).  Used two different disks, neither one completed.  My computer will allow me to open the removable media and read what is on the stick prior to attempting the download, but fails every time at the download.

Thanks again!



#8 Oh My!

Posted 15 March 2013 - 03:23 PM

Do you have another computer you can use to download the file?
Gary
 

#9 thorosport (Topic Starter)

Posted 15 March 2013 - 03:43 PM

Got my son to copy the file onto the disk, still wouldn't work.  Computer still coming up with the "Windows cannot access the specified device, path, or file.  You may not have the appropriate permissions to access the item."  However, when I clicked on the changelog text file, it opened up just fine.  The error comes up only when I click on the Windows Repair\Repair_Windows.exe file. 

 

I was just reviewing some of the instructions when I realized that I have not been able to turn off the Windows Firewall.  When I go to the control panel, firewall, and click on the Turn Windows Firewall on or off area in the blue margin, left hand side, the cursor acts like it is processing for a second or two, stops, but nothing happens.  So still have the Windows Firewall up, working on a public named network connection.
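Posts #3, #7 and #9 all report the same symptom: "C:\ is not accessible. Access is denied" and "Windows cannot access the specified device, path, or file", even when the file is being saved to a USB stick. Internet Explorer stages a download in the Temporary Internet Files cache on the system drive before moving it to the chosen location, so a damaged ACL on C:\ or on the profile folders surfaces even for a save to E:\; and the second message on an .exe that sits beside a .txt that opens fine points at execute permission on that one path rather than at the stick. Before a blanket "Reset File Permissions", a practitioner would want to see which directory in the chain actually denies the token. The PowerShell below is an added example written for this page, not a tool from the thread; it walks from a path up to the volume root and, for each directory, lists the explicit ACEs that apply to the current user's own SIDs, flagging a Deny or a directory where no ACE grants the token anything. It targets Windows 7's PowerShell 2.0; the sample path is hypothetical and only illustrates the call.

```powershell
# Added example for this page, not from the thread: for a path the user cannot open, walk
# from that path up to the volume root and report, directory by directory, the explicit
# ACEs that apply to the current user's token. An explicit Deny, or a directory with no
# Allow for any SID in the token, is where "Access is denied" comes from.

function Get-AccessChain {
    param([Parameter(Mandatory=$true)][string]$Path)

    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    # Every SID the token carries: the user plus each group (Users, Administrators, Everyone, ...).
    $tokenSids = @($identity.User.Value) + @($identity.Groups | ForEach-Object { $_.Value })

    $current = [System.IO.Path]::GetFullPath($Path)
    while ($current) {
        $acl = $null
        try { $acl = Get-Acl -Path $current -ErrorAction Stop } catch { }

        if ($acl -eq $null) {
            # READ_CONTROL itself is refused: the ACL cannot even be inspected from this token.
            New-Object PSObject -Property @{ Path = $current; Note = 'ACL not readable (READ_CONTROL denied)'; Deny = ''; Allow = '' }
        } else {
            $deny  = @()
            $allow = @()
            foreach ($ace in $acl.Access) {
                try   { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
                catch { continue }   # orphaned SID from a deleted account: not part of this token anyway
                if ($tokenSids -notcontains $sid) { continue }
                $entry = '{0}:{1}' -f $ace.IdentityReference, $ace.FileSystemRights
                if ($ace.AccessControlType -eq 'Deny') { $deny += $entry } else { $allow += $entry }
            }
            $note = if ($deny.Count -gt 0)     { 'explicit DENY for this token' }
                    elseif ($allow.Count -eq 0) { 'no ACE grants this token access here' }
                    else                        { 'ok' }
            New-Object PSObject -Property @{ Path = $current; Note = $note; Deny = ($deny -join '; '); Allow = ($allow -join '; ') }
        }

        $parent = Split-Path -Path $current -Parent
        if ($parent -eq $current) { break }
        $current = $parent      # Split-Path on a drive root returns '' and ends the loop
    }
}

# Usage (hypothetical path): run once from a normal prompt and once elevated, and compare.
# A directory that reads 'ok' only in the elevated run is one where the Users group lost
# its default ReadAndExecute entry.
Get-AccessChain -Path 'C:\Users\home\Desktop\Repair_Windows.exe' | Format-Table Path, Note, Deny, Allow -AutoSize
```

`whoami /groups` shows the same SIDs with their names and marks a group as "used for deny only" when UAC has filtered the token, which explains why an Administrators-only ACE does not help a non-elevated process. Deny entries win over Allow entries regardless of order, so any row reporting an explicit DENY identifies the directory to fix first.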



#10 Oh My!

Posted 15 March 2013 - 05:00 PM

Greetings Maureen,

Let's try another route. Please do this.

===================================================

Farbar's Recovery Scan Tool

--------------------

For this step you will need a USB flash drive and start on a clean computer.
  • Please download Farbar Recovery Scan Tool and save it to a flash drive. You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.
  • Plug the flashdrive into the infected PC and follow the 2 step process below to enter the System Recovery Options using one of the three options listed, then running Farbar's Recover Scan Tool
----------

Entering into the System Recovery Options

Option #1

To enter System Recovery Options in Windows 8:

Option #2

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select English as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
Option #3

To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select English as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next
----------

Running Farbar's Recovery Scan Tool in System Recovery
  • Once you are in the System Recovery Options menu you will get the following options:

Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt

  • Select Command Prompt
  • In the command window type in Notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select Computer and find your flash drive letter and close the notepad.
  • In the command window type e:\frst (for x64 bit version type e:\frst64) and press Enter
    • Note: Replace letter e with the drive letter of your flash drive.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste the information rather than send an attachment. :thumbsup2:
  • FRST log

Gary
 

#11 thorosport (Topic Starter)

Posted 15 March 2013 - 05:33 PM

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 13-03-2013
Ran by SYSTEM at 15-03-2013 18:21:31
Running from H:\
Windows 7 Home Premium   (X86) OS Language: English(US)
The current controlset is ControlSet001

==================== Registry (Whitelisted) ===================

Tcpip\Parameters: [DhcpNameServer] 192.168.2.1

==================== Services (Whitelisted) ===================


==================== Drivers (Whitelisted) ====================


==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2013-03-15 14:02 - 2013-03-15 14:02 - 00000706 ____A C:\Users\home\Desktop\Tweaking.com - Windows Repair - Shortcut.lnk
2013-03-15 13:51 - 2013-03-15 09:56 - 00000000 ____D C:\Windows\Panther
2013-03-15 12:53 - 2013-03-15 12:53 - 00000000 ___AH C:\Windows\System32\Drivers\Msft_User_WpdFs_01_09_00.Wdf
2013-03-15 12:52 - 2013-03-15 12:54 - 00001313 ____A C:\Windows\TSSysprep.log
2013-03-15 12:32 - 2013-03-15 12:32 - 00001002 ____A C:\Users\home\Desktop\Repair_Windows - Shortcut.lnk
2013-03-15 11:21 - 2013-03-15 11:21 - 00000712 ____A C:\Users\home\Desktop\essetup - Shortcut.lnk
2013-03-15 10:28 - 2013-03-15 10:28 - 00000000 ____D C:\Program Files\Intel
2013-03-15 10:25 - 2013-01-16 21:28 - 00232336 ____N (Microsoft Corporation) C:\Windows\System32\MpSigStub.exe
2013-03-15 10:21 - 2012-02-14 21:44 - 00826368 ____A (Microsoft Corporation) C:\Windows\System32\rdpcore.dll
2013-03-15 10:21 - 2012-02-14 20:22 - 00177152 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\rdpwd.sys
2013-03-15 10:21 - 2012-02-14 20:22 - 00024064 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\tdtcp.sys
2013-03-15 10:21 - 2010-01-08 22:52 - 00132608 ____A (Microsoft Corporation) C:\Windows\System32\cabview.dll
2013-03-15 10:18 - 2012-06-02 14:19 - 01933848 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
2013-03-15 10:18 - 2012-06-02 14:19 - 00577048 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll
2013-03-15 10:18 - 2012-06-02 14:19 - 00053784 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
2013-03-15 10:18 - 2012-06-02 14:19 - 00045080 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
2013-03-15 10:18 - 2012-06-02 14:19 - 00035864 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll
2013-03-15 10:18 - 2012-06-02 14:12 - 02422272 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll
2013-03-15 10:18 - 2012-06-02 14:12 - 00088576 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll
2013-03-15 10:18 - 2012-06-02 11:19 - 00171904 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
2013-03-15 10:18 - 2012-06-02 11:12 - 00033792 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe
2013-03-15 10:00 - 2013-03-15 12:32 - 00713888 ____A C:\Windows\System32\PerfStringBackup.INI
2013-03-15 09:56 - 2013-03-15 14:18 - 00401249 ____A C:\Windows\WindowsUpdate.log
2013-03-15 09:56 - 2013-03-15 09:57 - 00000000 ____D C:\users\home
2013-03-15 09:56 - 2013-03-15 09:56 - 00000020 ___SH C:\Users\home\ntuser.ini
2013-03-15 09:56 - 2013-03-15 09:56 - 00000000 ____D C:\Users\home\AppData\Local\VirtualStore

==================== One Month Modified Files and Folders ========

2013-03-15 18:19 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\LogFiles
2013-03-15 14:18 - 2013-03-15 09:56 - 00401249 ____A C:\Windows\WindowsUpdate.log
2013-03-15 14:18 - 2009-07-13 20:34 - 00009584 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-03-15 14:18 - 2009-07-13 20:34 - 00009584 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-03-15 14:02 - 2013-03-15 14:02 - 00000706 ____A C:\Users\home\Desktop\Tweaking.com - Windows Repair - Shortcut.lnk
2013-03-15 13:51 - 2009-07-13 20:57 - 00025600 __ASH C:\Windows\System32\config\BCD-Template.LOG
2013-03-15 13:51 - 2009-07-13 20:52 - 00028672 ____A C:\Windows\System32\config\BCD-Template
2013-03-15 13:03 - 2009-07-13 18:37 - 00000000 __RHD C:\Users\Public\Libraries
2013-03-15 12:56 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\rescache
2013-03-15 12:55 - 2009-07-13 20:33 - 00266808 ____A C:\Windows\System32\FNTCACHE.DAT
2013-03-15 12:54 - 2013-03-15 12:52 - 00001313 ____A C:\Windows\TSSysprep.log
2013-03-15 12:53 - 2013-03-15 12:53 - 00000000 ___AH C:\Windows\System32\Drivers\Msft_User_WpdFs_01_09_00.Wdf
2013-03-15 12:52 - 2009-07-13 20:34 - 00001774 ____A C:\Windows\DtcInstall.log
2013-03-15 12:32 - 2013-03-15 12:32 - 00001002 ____A C:\Users\home\Desktop\Repair_Windows - Shortcut.lnk
2013-03-15 12:32 - 2013-03-15 10:00 - 00713888 ____A C:\Windows\System32\PerfStringBackup.INI
2013-03-15 12:12 - 2009-07-13 20:39 - 00017869 ____A C:\Windows\setupact.log
2013-03-15 11:24 - 2009-07-13 20:53 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2013-03-15 11:21 - 2013-03-15 11:21 - 00000712 ____A C:\Users\home\Desktop\essetup - Shortcut.lnk
2013-03-15 10:28 - 2013-03-15 10:28 - 00000000 ____D C:\Program Files\Intel
2013-03-15 10:28 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\DriverStore
2013-03-15 10:17 - 2009-07-13 20:52 - 00000000 ____D C:\Windows\System32\restore
2013-03-15 09:58 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\Microsoft.NET
2013-03-15 09:57 - 2013-03-15 09:56 - 00000000 ____D C:\users\home
2013-03-15 09:56 - 2013-03-15 13:51 - 00000000 ____D C:\Windows\Panther
2013-03-15 09:56 - 2013-03-15 09:56 - 00000020 ___SH C:\Users\home\ntuser.ini
2013-03-15 09:56 - 2013-03-15 09:56 - 00000000 ____D C:\Users\home\AppData\Local\VirtualStore
2013-03-15 09:56 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\Recovery


==================== Known DLLs (Whitelisted) =================


==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points  =========================


==================== Memory info ===========================

Percentage of memory in use: 11%
Total physical RAM: 3893.86 MB
Available physical RAM: 3435.02 MB
Total Pagefile: 3892.14 MB
Available Pagefile: 3435.69 MB
Total Virtual: 2047.88 MB
Available Virtual: 1954.3 MB

==================== Partitions =============================

1 Drive c: () (Fixed) (Total:125.01 GB) (Free:117.4 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
2 Drive d: () (Fixed) (Total:340.75 GB) (Free:337.72 GB) NTFS
5 Drive g: (U3 System) (CDROM) (Total:0.01 GB) (Free:0 GB) CDFS
6 Drive h: () (Removable) (Total:1.9 GB) (Free:1.89 GB) FAT
7 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

  Disk ###  Status         Size     Free     Dyn  Gpt
  --------  -------------  -------  -------  ---  ---
  Disk 0    Online          465 GB      0 B        
  Disk 1    No Media           0 B      0 B        
  Disk 2    Online         1952 MB      0 B        

Partitions of Disk 0:
===============

Disk ID: 0003EEFE

  Partition ###  Type              Size     Offset
  -------------  ----------------  -------  -------
  Partition 1    Primary            125 GB  1024 KB
  Partition 2    Primary            340 GB   125 GB

=========================================================

Disk: 0
Partition 1
Type  : 07
Hidden: No
Active: Yes

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 2     C                       Partition    125 GB  Healthy           

=========================================================

Disk: 0
Partition 2
Type  : 07
Hidden: No
Active: No

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 3     D                NTFS   Partition    340 GB  Healthy           

=========================================================

Partitions of Disk 2:
===============

Disk ID: 00000000

  Partition ###  Type              Size     Offset
  -------------  ----------------  -------  -------
  Partition 1    Primary           1950 MB   122 KB

=========================================================

Disk: 2
Partition 1
Type  : 06
Hidden: No
Active: No

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 5     H                FAT    Removable   1950 MB  Healthy           

=========================================================
============================== MBR Partition Table ==================

==============================
Partitions of Disk 0:
===============
Disk ID: 0003EEFE

Partition 1:
=========
Hex: 8020210007FEFFFF00080000AF6FA00F
Active: YES
Type: 07 (NTFS)
Size: 125 GB

Partition 2:
=========
Hex: 00FEFFFF07FEFFFF0078A00F00E0972A
Active: NO
Type: 07 (NTFS)
Size: 341 GB

==============================
Partitions of Disk 2:
===============
Disk ID: 00000000

Partition 1:
=========
Hex: 00033900063FFFDEF50000004BF73C00
Active: NO
Type: 06
Size: 2 GB


Last Boot: 2013-03-15 12:51

==================== End Of Log ============================

 

Thank goodness you guys never give up. Here it is for what it's worth!!!



#12 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 37,972 posts
  • OFFLINE
  • Gender:Male
  • Location:California
  • Local time:02:13 AM

Posted 15 March 2013 - 07:11 PM

Hi Maureen,

We are still locked out so let's do this.

===================================================

Taking Ownership of C:\ Drive

--------------------
  • Boot into Safe Mode from an Administrator account
  • Right click on Start then select Open Windows Explorer
  • Right click on Local Disk (C:) and select Properties
  • Click the Security tab then click Advanced
  • Click the Owner tab then select Change Permissions...
  • Left click on Administrators then select Edit
  • Under Full control check Allow then click OK
  • Click OK again then Yes to the warning screen
  • You will see a Setting Security information on: window
  • Click Continue on any error screens that pop up
  • Once completed, reboot your computer into Normal Mode and attempt to run Combofix again
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it. :thumbsup2:
  • Were the permissions reset?
  • Combofix log (if available)

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."
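The ownership steps above are done through the Explorer GUI, and the reply asks "Were the permissions reset?". The following is an added example, not code from the thread or from Gary's instructions, that answers that question read-only from an elevated PowerShell prompt: it reports the owner of the drive root, whether BUILTIN\Administrators (matched by its well-known SID S-1-5-32-544 so the check does not depend on the display name) holds an Allow FullControl entry, and whether any Deny entries are present, since a Deny on the root is one way a machine ends up unable to open its own C:\ drive. `$Path` is an assumption; change it if a different drive was taken over.

```powershell
# Added example (not from the thread): read-only check of the C:\ root ACL
# after the "Taking Ownership of C:\ Drive" steps. Run from an elevated
# PowerShell prompt; uses only cmdlets present on Windows 7 (PowerShell 2.0).

$Path = 'C:\'   # assumption: the drive whose ownership was taken

$acl = Get-Acl -Path $Path

# 1. Who owns the root directory now?
"Owner of $Path : $($acl.Owner)"

# 2. Does BUILTIN\Administrators (SID S-1-5-32-544) hold an Allow FullControl entry?
$full = [System.Security.AccessControl.FileSystemRights]::FullControl
$adminFull = @($acl.Access | Where-Object {
    $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq 'S-1-5-32-544' -and
    $_.AccessControlType -eq 'Allow' -and
    (($_.FileSystemRights -band $full) -eq $full)
})

if ($adminFull.Count -gt 0) {
    "Administrators: Allow FullControl present (inherited: $($adminFull[0].IsInherited))"
} else {
    "Administrators do NOT have an Allow FullControl entry on $Path"
}

# 3. Deny entries on the root deserve a second look: a Deny for Everyone or
#    Users is a common reason a drive becomes inaccessible to its own owner.
$denies = @($acl.Access | Where-Object { $_.AccessControlType -eq 'Deny' })
if ($denies.Count -gt 0) {
    "Deny entries found on ${Path}:"
    $denies | Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize
} else {
    "No Deny entries on $Path"
}

# 4. Full listing, suitable for copy-and-paste into a reply.
$acl.Access | Format-Table IdentityReference, AccessControlType, FileSystemRights, IsInherited -AutoSize
```

The `-band` against FullControl matters: an entry such as Modify shares most bits with FullControl but is not it, so a plain equality test would pass on rights that are really complete while a bitmask test only passes when every FullControl bit is set.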

#13 thorosport

thorosport
  • Topic Starter

  • Members
  • 35 posts
  • OFFLINE
  • Gender:Female
  • Location:South Carolina, USA
  • Local time:06:13 AM

Posted 15 March 2013 - 08:18 PM

All right, first question, yes.  Now on to the log:

ComboFix 13-03-15.01 - home 03/15/2013  21:08:02.1.4 - x86
Microsoft Windows 7 Home Premium   6.1.7600.0.1252.1.1033.18.2998.2328 [GMT -4:00]
Running from: c:\users\home\Desktop\ComboFix.exe
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 * Created a new restore point
.
.
(((((((((((((((((((((((((   Files Created from 2013-02-16 to 2013-03-16  )))))))))))))))))))))))))))))))
.
.
2013-03-16 02:21 . 2013-03-16 02:21 -------- d-----w- C:\FRST
2013-03-16 01:10 . 2013-03-16 01:10 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-03-15 18:28 . 2013-03-15 18:28 -------- d-----w- c:\program files\Intel
2013-03-15 18:25 . 2013-02-19 07:58 6954968 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{D4701AE1-B222-47C9-8E2A-F20380E4738F}\mpengine.dll
2013-03-15 18:25 . 2013-01-17 05:28 232336 ------w- c:\windows\system32\MpSigStub.exe
2013-03-15 18:21 . 2012-02-15 05:44 826368 ----a-w- c:\windows\system32\rdpcore.dll
2013-03-15 18:21 . 2012-02-15 04:22 177152 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2013-03-15 18:21 . 2012-02-15 04:22 24064 ----a-w- c:\windows\system32\drivers\tdtcp.sys
2013-03-15 18:21 . 2010-01-09 06:52 132608 ----a-w- c:\windows\system32\cabview.dll
2013-03-15 18:18 . 2012-06-02 22:19 53784 ----a-w- c:\windows\system32\wuauclt.exe
2013-03-15 18:18 . 2012-06-02 22:19 45080 ----a-w- c:\windows\system32\wups2.dll
2013-03-15 18:18 . 2012-06-02 22:19 1933848 ----a-w- c:\windows\system32\wuaueng.dll
2013-03-15 18:18 . 2012-06-02 22:12 2422272 ----a-w- c:\windows\system32\wucltux.dll
2013-03-15 18:18 . 2012-06-02 22:19 35864 ----a-w- c:\windows\system32\wups.dll
2013-03-15 18:18 . 2012-06-02 22:19 577048 ----a-w- c:\windows\system32\wuapi.dll
2013-03-15 18:18 . 2012-06-02 22:12 88576 ----a-w- c:\windows\system32\wudriver.dll
2013-03-15 18:18 . 2012-06-02 19:19 171904 ----a-w- c:\windows\system32\wuwebv.dll
2013-03-15 18:18 . 2012-06-02 19:12 33792 ----a-w- c:\windows\system32\wuapp.exe
2013-03-15 18:00 . 2013-03-16 01:08 -------- d-----w- c:\windows\system32\wbem\Performance
2013-03-15 17:56 . 2013-03-15 17:57 -------- d-----w- c:\users\home
2013-03-15 17:56 . 2013-03-15 17:56 -------- d-----w- C:\Recovery
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2012-01-11 142616]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2012-01-11 177432]
"Persistence"="c:\windows\system32\igfxpers.exe" [2012-01-11 177944]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv
.
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [x]
.
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.hotmail.com/
TCP: DhcpNameServer = 192.168.2.1
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2013-03-15  21:12:10
ComboFix-quarantined-files.txt  2013-03-16 01:12
.
Pre-Run: 122,500,300,800 bytes free
Post-Run: 122,424,655,872 bytes free
.
- - End Of File - - 3249AD9975F44551F68288FCCD5E19CD
 

Let me know where we go next.  Have I said thanks yet?  Thanks, your help is so appreciated!



#14 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 37,972 posts
  • OFFLINE
  • Gender:Male
  • Location:California
  • Local time:02:13 AM

Posted 15 March 2013 - 08:48 PM

Have I said thanks yet?

:)

Now that we have access to the C:\ drive can you tell me if you are experiencing any abnormalities?

The first thing we need to do is get an antivirus program on your computer. Please do this.

===================================================

No Antivirus Program Installed

-------------------
  • Please download and install an antivirus program, and make sure that you keep it updated.
  • New viruses come out every minute, so it is essential that you have the latest signatures for your antivirus program to provide you with the best possible protection from malicious software. Two good antivirus programs free for non-commercial home use are avast! Free Antivirus and Avira AntiVir Personal - Free Antivirus.
  • You should only have one antivirus installed at a time. Having more than one antivirus program installed at once is likely to cause conflicts and may well decrease your overall protection as well as impairing the performance of your PC.
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it. :thumbsup2:
  • Were you able to successfully install an antivirus program?
  • How is your computer behaving?

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#15 thorosport

thorosport
  • Topic Starter

  • Members
  • 35 posts
  • OFFLINE
  • Gender:Female
  • Location:South Carolina, USA
  • Local time:06:13 AM

Posted 15 March 2013 - 09:16 PM

Okay, I got the Avast 20-day trial period, and it shows, after restart, that a new network is detected: HTC CABLE MODEL POOL. Network name: HTC CABLE MODEL POOL (Atheros AR9285 802.11b/g US). And all of that is okay, I guess, except that my router is password protected, and Avast is asking me for the appropriate firewall method, so should I name it "public", since it didn't ask for a security password?

 

Other than that, it seems to be working fine again. My biggest concern is that as I work for each individual company, they don't leave some type of backdoor open that could be accessed by either them or someone else for my next work assignment might be compromised. After my last assignment, I had 3 different shares on my C drive: ADMIN$, IPC$ and C$.
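ADMIN$, IPC$ and C$ are the administrative shares Windows creates automatically on every installation (one disk share per fixed drive letter plus the IPC$ named-pipe share), so their presence alone does not indicate that anything was left behind. What a defender wants to know is whether any share exists beyond those defaults. The block below is an added example, not code from the thread, that lists the machine's shares through WMI (chosen because Get-SmbShare does not exist on Windows 7) and separates the built-in administrative shares from user-created ones using the Win32_Share Type field, whose high bit marks shares Windows created itself. It also reads the AutoShareWks value under LanmanServer\Parameters, which controls whether a workstation recreates those default shares at boot; the registry path and the Type encoding are documented Windows behaviour, and the script changes nothing.

```powershell
# Added example (not from the thread): inventory SMB shares and flag anything
# that is not one of Windows' own administrative shares. Read-only; runs on
# Windows 7 PowerShell 2.0 via WMI.

$shares = Get-WmiObject -Class Win32_Share

# Win32_Share.Type: 0 = disk, 1 = print queue, 2 = device, 3 = IPC.
# Adding 2147483648 (0x80000000) to any of those marks a share Windows created
# automatically, e.g. C$ and ADMIN$ are 2147483648 and IPC$ is 2147483651.
$AdminFlag = [uint32]2147483648

$report = foreach ($s in $shares) {
    $isBuiltIn = ([uint32]$s.Type -ge $AdminFlag)
    New-Object PSObject -Property @{
        Name     = $s.Name
        Path     = $s.Path
        Type     = ('0x{0:X8}' -f [uint32]$s.Type)
        Category = $(if ($isBuiltIn) { 'Windows default administrative share' }
                     else             { 'Non-default share: review' })
    }
}

# Non-default shares sort first so they are the first thing in the output.
$report | Sort-Object Category, Name | Format-Table Name, Path, Type, Category -AutoSize

# AutoShareWks = 0 tells a workstation not to recreate the default admin shares
# at boot. The value is absent on a default install, which means "enabled".
$key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$auto = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).AutoShareWks
if ($auto -eq $null) {
    'AutoShareWks not set: default admin shares are recreated at boot (Windows default)'
} else {
    "AutoShareWks = $auto"
}
```

Anything reported under "Non-default share: review" is a share somebody or some program added deliberately; the Path column shows what it exposes, and `net share <name> /delete` removes one that is no longer wanted. The default administrative shares are only reachable by accounts that already hold local Administrators membership, so the stronger control is keeping that group small rather than deleting the shares, which Windows recreates unless AutoShareWks is set to 0.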





