
Infected with zeroaccess rootkit - logs


  • This topic is locked
41 replies to this topic

#1 annaw2

Posted 03 April 2013 - 06:25 AM

Recently logged a problem in this forum because we suspected we had a virus. The problem logged is entitled: Get "This program is blocked by group policy" when try to run MS Security Essentials.

 

The message also appears when we try to run Malwarebytes Anti-Malware. We have followed the instructions kindly posted to us in the above logged problem, have been directed to the Prep Guide, and I am providing logs to this topic as requested, starting with DDS.

 

Should perhaps also mention that we think the CMOS battery needs replacing but we haven't yet done this.




#2 annaw2

Posted 03 April 2013 - 06:58 AM

DDS log

 

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 9.0.8112.16470
Run by Administrator at 1:14:26 on 2013-04-03
Microsoft® Windows Vista™ Home Premium   6.0.6002.2.1252.44.1033.18.2047.849 [GMT 1:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {3F839487-C7A2-C958-E30C-E2825BA31FB5}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Spyware Doctor *Disabled/Updated* {94076BB2-F3DA-227F-9A1E-F060FF73600F}
SP: Microsoft Security Essentials *Enabled/Updated* {84E27563-E198-C6D6-D9BC-D9F020245508}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\nvvsvc.exe
C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Virgin Media\Service Manager\ServicepointService.exe
C:\Windows\system32\SearchIndexer.exe
c:\Program Files\Microsoft Security Client\NisSrv.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\conime.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\Program Files\Virgin Media\Service Manager\ServiceManager.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\System32\spool\drivers\w32x86\3\E_FATICAE.EXE
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\MyTomTom 3\MyTomTomSA.exe
C:\Program Files\HP\HP Photosmart 7510 series\Bin\ScanToPCActivationApp.exe
C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Windows\system32\RunDll32.exe
C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
c:\program files\logitech\quickcam\lu\lulnchr.exe
C:\program files\logitech\quickcam\lu\LogitechUpdate.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft\BingBar\7.1.391.0\SeaPort.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\vssvc.exe
C:\Windows\system32\ntvdm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\System32\svchost.exe -k swprv
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.virginmedia.com/
BHO: Adobe PDF Reader Link Helper: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Skype add-on (mastermind): {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: PC Tools Browser Guard BHO: {2A0F3D1B-0909-4FF4-B272-609CCE6054E7} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - <orphaned>
BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - c:\program files\google\googletoolbarnotifier\5.6.5612.1312\swg.dll
BHO: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\microsoft\bingbar\7.1.391.0\BingExt.dll
TB: Google Toolbar: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: <No Name>:  - LocalServer32 - <no file>
TB: PC Tools Browser Guard: {472734EA-242A-422B-ADF8-83D1E48CC825} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
TB: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} -
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [EPSON Stylus DX4400 Series] c:\windows\system32\spool\drivers\w32x86\3\e_faticae.exe /fu "c:\windows\temp\E_SDE3A.tmp" /EF "HKCU"
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [MyTomTomSA.exe] "c:\program files\mytomtom 3\MyTomTomSA.exe"
uRun: [HP Photosmart 7510 series (NET)] "c:\program files\hp\hp photosmart 7510 series\bin\ScanToPCActivationApp.exe" -deviceID "CN24A3408W05PX:NW" -scfn "HP Photosmart 7510 series (NET)" -AutoStart 1
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [hpqSRMon] c:\program files\hp\digital imaging\bin\hpqSRMon.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\quickcam\Quickcam.exe" /hide
mRun: [ServiceManager.exe] "c:\program files\virgin media\service manager\ServiceManager.exe" /AUTORUN
mRun: [MSC] "c:\program files\microsoft security client\mssecex.exe" -hide -runkey
StartupFolder: c:\users\admini~1\appdata\roaming\micros~1\windows\startm~1\programs\startup\monito~1.lnk - c:\windows\system32\RunDll32.exe
StartupFolder: c:\users\admini~1\appdata\roaming\micros~1\windows\startm~1\programs\startup\pictur~1.lnk - c:\program files\sony\sony picture utility\volumewatcher\SPUVolumeWatcher.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-Explorer: BindDirectlyToPropertySetStorage = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
IE: {5067A26B-1337-4436-8AFE-EE169C2DA79F} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
LSP: c:\program files\common files\pc tools\lsp\PCTLsp.dll
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - hxxp://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://178.78.117.91/dana-cached/sc/JuniperSetupClient.cab
TCP: NameServer = 194.168.4.100 194.168.8.100
TCP: Interfaces\{08D2973E-C1F5-4FD3-BC0F-4B4B902CCF56} : DHCPNameServer = 194.168.4.100 194.168.8.100
TCP: Interfaces\{7BB901B2-077E-4BF4-A825-212A903AE3AB} : DHCPNameServer = 194.168.4.100 194.168.8.100
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\common files\skype\Skype4COM.dll
LSA: Security Packages =  kerberos msv1_0 schannel wdigest tspkg
mASetup: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "c:\progra~1\windows mail\WinMail.exe" OCInstallUserConfigOE
.
============= SERVICES / DRIVERS ===============
.
R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2013-1-20 195296]
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2010-11-11 218592]
R0 RapportKELL;RapportKELL;c:\windows\system32\drivers\RapportKELL.sys [2013-3-17 102008]
R1 MpKsl6d4b296a;MpKsl6d4b296a;c:\programdata\microsoft\microsoft antimalware\definition updates\{e30d68fc-4c30-42f7-a98b-18b122139de9}\MpKsl6d4b296a.sys [2013-4-3 29904]
R1 RapportBuka;RapportBuka;c:\windows\system32\drivers\RapportBuka.sys [2010-2-26 390528]
R1 RapportCerberus_51755;RapportCerberus_51755;c:\programdata\trusteer\rapport\store\exts\rapportcerberus\baseline\RapportCerberus32_51755.sys [2013-3-29 317112]
R1 RapportEI;RapportEI;c:\program files\trusteer\rapport\bin\RapportEI.sys [2013-3-17 102680]
R1 RapportPG;RapportPG;c:\program files\trusteer\rapport\bin\RapportPG.sys [2013-3-17 173880]
R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\spyware doctor\bdt\BDTUpdateService.exe [2010-11-11 112592]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-7-1 21504]
R2 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2011-4-27 100328]
R2 RapportMgmtService;Rapport Management Service;c:\program files\trusteer\rapport\bin\RapportMgmtService.exe [2013-3-17 1124184]
R2 ServicepointService;ServicepointService;c:\program files\virgin media\service manager\ServicepointService.exe [2011-12-28 689464]
R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\nvidia corporation\3d vision\nvSCPAPISvr.exe [2012-10-2 382824]
R3 BBUpdate;BBUpdate;c:\program files\microsoft\bingbar\7.1.391.0\SeaPort.EXE [2012-6-11 240208]
R3 netr73;Belkin Wireless G Plus MIMO USB Network Adapter Driver for Vista;c:\windows\system32\drivers\netr73.sys [2008-3-8 255488]
R3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\NisSrv.exe [2013-1-27 295232]
R3 RapportIaso;RapportIaso;c:\programdata\trusteer\rapport\store\exts\rapportms\baseline\RapportIaso.sys [2012-3-11 55448]
S2 BBSvc;BingBar Service;c:\program files\microsoft\bingbar\7.1.391.0\BBSvc.EXE [2012-6-11 193616]
S2 SkypeUpdate;Skype Updater;c:\program files\skype\updater\Updater.exe [2012-7-13 160944]
S3 rt70x86;Belkin Wireless G USB Network Adapter Driver for Vista;c:\windows\system32\drivers\netr70.sys [2007-10-9 291840]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2010-11-11 366840]
S3 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2010-11-11 1142224]
.
=============== File Associations ===============
.
FileExt: .inf: Applications\OpenOffice.org 2.3="c:\program files\openoffice.org 2.3\program\soffice.exe" -writer -o "%1" [UserChoice] [default=edit - 'Open' doesn't exist]
.
=============== Created Last 30 ================
.
2013-04-02 23:35:13 29904 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{e30d68fc-4c30-42f7-a98b-18b122139de9}\MpKsl6d4b296a.sys
2013-04-02 23:14:18 7108640 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{e30d68fc-4c30-42f7-a98b-18b122139de9}\mpengine.dll
2013-04-01 00:12:00 7108640 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2013-03-21 19:40:28 740840 ------w- c:\programdata\microsoft\microsoft antimalware\definition updates\{1a696003-d13f-47e2-9d74-87154aa30544}\gapaengine.dll
2013-03-17 14:46:34 102008 ----a-w- c:\windows\system32\drivers\RapportKELL.sys
2013-03-13 22:17:00 2382848 ----a-w- c:\windows\system32\mshtml.tlb
.
==================== Find3M  ====================
.
2013-04-02 10:33:22 237088 ------w- c:\windows\system32\MpSigStub.exe
2013-03-13 18:07:39 73432 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-03-13 18:07:39 693976 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-02-27 21:50:02 861088 ----a-w- c:\windows\system32\npDeployJava1.dll
2013-02-27 21:50:01 782240 ----a-w- c:\windows\system32\deployJava1.dll
2013-02-12 01:57:27 15872 ----a-w- c:\windows\system32\drivers\usb8023x.sys
2013-02-12 01:57:27 15872 ----a-w- c:\windows\system32\drivers\usb8023.sys
2013-02-02 03:38:35 1800704 ----a-w- c:\windows\system32\jscript9.dll
2013-02-02 03:30:32 1427968 ----a-w- c:\windows\system32\inetcpl.cpl
2013-02-02 03:30:21 1129472 ----a-w- c:\windows\system32\wininet.dll
2013-02-02 03:26:47 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2013-02-02 03:26:21 420864 ----a-w- c:\windows\system32\vbscript.dll
2013-01-20 15:59:04 195296 ----a-w- c:\windows\system32\drivers\MpFilter.sys
2013-01-20 15:59:04 100328 ----a-w- c:\windows\system32\drivers\NisDrvWFP.sys
2013-01-05 05:26:01 3602808 ----a-w- c:\windows\system32\ntkrnlpa.exe
2013-01-05 05:26:01 3550072 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-01-04 11:28:19 914792 ----a-w- c:\windows\system32\drivers\tcpip.sys
2013-01-04 01:55:18 31232 ----a-w- c:\windows\system32\drivers\tcpipreg.sys
2013-01-04 01:38:50 2048512 ----a-w- c:\windows\system32\win32k.sys
.
============= FINISH:  1:14:41.09 ===============
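A small triage pass over the DDS listing above, as an added example (it is not part of the thread and not DDS's own code). It only understands the two line shapes visible in the log, the "R0/R1/... name;display;image [date size]" service lines and the "BHO:"/"TB:" browser lines, and it flags two things a responder looks at first when a rootkit is suspected: running kernel drivers (.sys) loaded from anywhere other than system32\drivers, and browser entries whose file is gone. The sample input is a subset of the lines posted above; the hits it produces are leads for a human, not verdicts (for instance Microsoft Security Essentials legitimately loads its MpKsl engine driver from ProgramData).

```python
"""Triage heuristics for a DDS 'Pseudo HJT' / 'SERVICES / DRIVERS' listing.

Added example, not part of the forum thread or the DDS tool. It only knows the
line shapes visible in the log above and is a lead generator for a reviewer,
not a verdict on what is malicious.
"""
import re

# Lines copied from the DDS log posted above (a constructed subset for the example).
DDS_SAMPLE = r"""
BHO: Adobe PDF Reader Link Helper: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - <orphaned>
TB: <No Name>:  - LocalServer32 - <no file>
R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2013-1-20 195296]
R1 MpKsl6d4b296a;MpKsl6d4b296a;c:\programdata\microsoft\microsoft antimalware\definition updates\{e30d68fc-4c30-42f7-a98b-18b122139de9}\MpKsl6d4b296a.sys [2013-4-3 29904]
R1 RapportCerberus_51755;RapportCerberus_51755;c:\programdata\trusteer\rapport\store\exts\rapportcerberus\baseline\RapportCerberus32_51755.sys [2013-3-29 317112]
R1 RapportEI;RapportEI;c:\program files\trusteer\rapport\bin\RapportEI.sys [2013-3-17 102680]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-7-1 21504]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2010-11-11 366840]
"""

# DDS service/driver line: "<R|S><start type> <name>;<display name>;<image path> [<date> <size>]"
SERVICE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d) (?P<name>[^;]+);(?P<display>[^;]*);(?P<image>.+?) "
    r"\[(?P<date>\d{4}-\d{1,2}-\d{1,2}) (?P<size>\d+)\]$"
)
# Browser helper object / toolbar line: "<kind>: <description> - <path or marker>"
BROWSER_RE = re.compile(r"^(?P<kind>BHO|TB): (?P<body>.+)$")

# Where a kernel driver normally lives; anything else is worth a second look.
DRIVER_DIR = r"c:\windows\system32\drivers" + "\\"


def parse_services(text):
    """Return one dict per R*/S* service or driver line in the DDS output."""
    rows = []
    for line in text.splitlines():
        m = SERVICE_RE.match(line.strip())
        if m:
            row = m.groupdict()
            row["size"] = int(row["size"])
            rows.append(row)
    return rows


def find_suspicious(text):
    """Return (kind, name, reason) tuples for entries that merit manual review."""
    findings = []
    for row in parse_services(text):
        image = row["image"].lower()
        # Only running (R) kernel drivers (.sys) matter for the rootkit question;
        # stopped (S) entries and user-mode .exe services are left alone here.
        if row["state"] == "R" and image.endswith(".sys") and not image.startswith(DRIVER_DIR):
            findings.append(("driver", row["name"],
                             "kernel driver loaded from outside system32\\drivers: " + row["image"]))
    for line in text.splitlines():
        m = BROWSER_RE.match(line.strip())
        if not m:
            continue
        body = m.group("body")
        # DDS prints <orphaned> / <no file> when the registry entry points at a file that is gone.
        if body.endswith("<orphaned>") or body.endswith("<no file>"):
            findings.append((m.group("kind"), body.split(" - ")[0].strip(),
                             "registry entry points to a missing file"))
    return findings


if __name__ == "__main__":
    for kind, name, reason in find_suspicious(DDS_SAMPLE):
        print(f"[{kind}] {name}: {reason}")
```

Run against the sample it reports the three Rapport/MpKsl drivers outside system32\drivers, the orphaned BHO and the toolbar with no file; the MpFilter driver and the user-mode services are not reported.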
 



#3 annaw2

Posted 03 April 2013 - 07:04 AM

Attached File: attach.txt (10.8KB)



#4 jeffce (Malware Response Team)

Posted 04 April 2013 - 07:02 AM

Hi and Welcome!!
 
My name is Jeff. I would be more than happy to take a look at your malware results logs and help you with solving any malware problems you might have. Logs can take a while to research, so please be patient and know that I am working hard to get you a clean and functional system back in your hands. I'd be grateful if you would note the following:
  • The fixes are specific to your problem and should only be used for the issues on this machine.
  • It's often worth reading through these instructions and printing them for ease of reference.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  • Please reply to this thread. Do not start a new topic.
  • If you happen to have a flash drive/thumb drive please have that ready in the event that we need to use it.
  • Please be sure to subscribe to this topic so that you can see when there are new responses.
IMPORTANT NOTE : Please do not delete, download or install anything unless instructed to do so.

DO NOT use any TOOLS such as Combofix or HijackThis fixes without supervision. Doing so could make your system inoperable and could require a full reinstall of your operating system and losing all your programs and data.
 
Having said that.... Let's get going!!
----------

Please download aswMBR to your desktop.
  • Double click the aswMBR icon to run it.
  • Click the Scan button to start scan.
  • If you are asked to update the Avast Virus database please allow it to do so.
  • When it finishes, press the save log button, save the logfile to your desktop and attach its contents in your next reply.


#5 annaw2

Posted 04 April 2013 - 07:59 AM

Hi Jeff,

 

Thank you for your reply. We haven't backed up the machine in a while. Should I do that before continuing?

 

Many thanks

 

Anna



#6 annaw2

Posted 04 April 2013 - 08:00 AM

Attached File: aswMBR.txt (2KB)




#8 jeffce (Malware Response Team)

Posted 04 April 2013 - 09:48 AM

Hi,

 

It never hurts to back up your personal files, music, photos and videos in case something "goes South".  If you would like to do so, feel free and then do the following:

 

 

ComboFix
 
Download Combofix from either of the links below, and save it to your desktop.  
 
**Note:  It is important that it is saved directly to your desktop**
If you get a message saying "Illegal operation attempted on a registry key that has been marked for deletion", please restart your computer.
 
 
--------------------------------------------------------------------
 
IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
 
--------------------------------------------------------------------
 
Right-Click and Run as Administrator on ComboFix.exe & follow the prompts.
  • When finished, it will produce a report for you.  


  • Please post the C:\ComboFix.txt for further review.




#9 annaw2

Posted 04 April 2013 - 02:54 PM

Hi,

 

Couldn't back up to an external hard drive I have, as our USB 2 doesn't seem to be working either.

 

I have saved ComboFix to the desktop, but when I try to disable MS Security Essentials and Malwarebytes Anti-Malware I get "This program is blocked by group policy".

 

Anna



#10 jeffce (Malware Response Team)

Posted 04 April 2013 - 04:40 PM

Don't worry about those....go ahead and run ComboFix past the warnings that might pop up.  Post the log when you get it.




#11 annaw2

Posted 05 April 2013 - 07:13 AM

Hi,

 

I have run ComboFix and it started ok, "Scanning for infected files..." but has now stalled for at least half an hour after:

"Completed stage_1
Completed stage_2
Completed stage_3
Completed stage_4"



#12 annaw2

Posted 05 April 2013 - 07:35 AM

It is still running,

 

"Completed stage_7..."



#13 annaw2

Posted 05 April 2013 - 08:41 AM

Attached File: Combofix log.txt (20.25KB)

Combofix log attached



#14 jeffce (Malware Response Team)

Posted 05 April 2013 - 10:48 AM

Hi,

 

Looks pretty good in regards to malware....let's look for anything hiding.

 

 

Malwarebytes (mbam-3.jpg)
 
Please open Malwarebytes, update it and then run a Quick Scan.  Save the log that is created for your next reply.
----------
 

ESET Online Scanner
 
Go here to run an online scanner from ESET. Windows Vista/Windows 7 users will need to right click on their Internet Explorer shortcut, and select Run as Administrator
  • Note: For browsers other than Internet Explorer, you will be prompted to download and install esetsmartinstaller_enu.exe. Click on the link and save the file to a convenient location. Double click on it to install and a new window will open. Follow the prompts.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan is done, if it shows a screen that says "Threats found!", then click "List of found threats", and then click "Export to text file..."
  • Save that text file on your desktop. Copy and paste the contents of that log as a reply to this topic.
  • Close the ESET online scan, and let me know how things are now.
----------

 




#15 annaw2

Posted 06 April 2013 - 01:01 PM

Hi,

 

When I double click on the Malwarebytes logo you sent me, it doesn't open but instead opens up a small box with the logo at the top and mbam-3.jpg at the bottom. It also has a save option, but when I click on this I am unable to save it anywhere; it instead opens up a new tab in my browser called photobucket.com.

 

Anna





