
System Care Antivirus partially removed after running malwarebytes


4 replies to this topic

#1 vbsi

  • Members
  • 1 posts

Posted 16 May 2013 - 05:58 PM

Hello -

 

I followed the manual for downloading and running Malwarebytes to remove System Care Antivirus. The affected computer is now mostly clean and mostly operational. However, a System Care Antivirus shortcut remains on the desktop, and a folder entitled System Care Antivirus appears in the list of all programs in Windows Explorer but does not appear anywhere in Program Files. The search function in Windows Explorer has been disabled (the search bar window will not accept keystrokes), and Windows Defender cannot be invoked.

 

I'm enclosing two logs: the DDS log (although this was run after cleanup) and the Malwarebytes log. I am also attaching the attach.txt file. Also, I am posting from another laptop, not the infected computer.

 

DDS Log:

 

DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 9.0.8112.16483  BrowserJavaVersion: 10.17.2
Run by Joan Dell at 15:36:54 on 2013-05-16
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.16366.11315 [GMT -7:00]
.
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

 

Malwarebytes log:

 

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2013.05.16.09

Windows 7 Service Pack 1 x64 NTFS (Safe Mode/Networking)
Internet Explorer 9.0.8112.16421
Joan Dell :: JOANDELL-PC [administrator]

5/16/2013 1:31:24 PM
mbam-log-2013-05-16 (13-31-24).txt

Scan type: Full scan (C:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 597941
Time elapsed: 1 hour(s), 4 minute(s), 36 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 1
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce|22618D9C1F77FAE8000022616B420236 (Malware.Packer.HGX1) -> Data: C:\ProgramData\22618D9C1F77FAE8000022616B420236\22618D9C1F77FAE8000022616B420236.exe -> Quarantined and deleted successfully.

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 9
C:\ProgramData\22618D9C1F77FAE8000022616B420236\22618D9C1F77FAE8000022616B420236.exe (Malware.Packer.HGX1) -> Quarantined and deleted successfully.
C:\$Recycle.Bin\S-1-5-21-968529367-534708958-3583412618-1000\$687421d1783097968480ae01cd4f259a\n (Trojan.0Access) -> Delete on reboot.
C:\$Recycle.Bin\S-1-5-21-968529367-534708958-3583412618-1000\$687421d1783097968480ae01cd4f259a\U\00000001.@ (Trojan.0Access) -> Quarantined and deleted successfully.
C:\$Recycle.Bin\S-1-5-21-968529367-534708958-3583412618-1000\$687421d1783097968480ae01cd4f259a\U\80000000.@ (Trojan.0Access) -> Quarantined and deleted successfully.
C:\$Recycle.Bin\S-1-5-21-968529367-534708958-3583412618-1000\$687421d1783097968480ae01cd4f259a\U\800000cb.@ (Trojan.0Access) -> Quarantined and deleted successfully.
C:\Users\Joan Dell\AppData\Local\Temp\793.tmp (Trojan.Agent.RRE) -> Quarantined and deleted successfully.
C:\Users\Joan Dell\AppData\Local\Temp\F26D.tmp (Malware.Packer.HGX1) -> Quarantined and deleted successfully.
C:\Users\Joan Dell\AppData\Local\Temp\msimg32.dll (Trojan.Agent.RRE) -> Quarantined and deleted successfully.
C:\Users\Joan Dell\AppData\Local\Temp\BlekkoIC\BlekkoIC.exe (Adware.Downware) -> Quarantined and deleted successfully.

(end)

 

Attached File: attach.txt (14KB)

#2 oneof4

  • Malware Response Team
  • 3,779 posts
  • Gender:Male
  • Location:The Collective

Posted 20 May 2013 - 09:01 PM

Hello vbsi, my name is oneof4 and I am here to help you. :)

 

Please allow me some time to look over and research your logs, and I will return with your first set of instructions.


Best Regards,
oneof4.


#3 oneof4

  • Malware Response Team
  • 3,779 posts
  • Gender:Male
  • Location:The Collective

Posted 21 May 2013 - 09:21 PM

Hello vbsi, :)

 

One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Because of this trojan's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. If you choose the attempted cleaning, please follow the next set of instructions.

 

==========

 

We need to run a scan with ComboFix:

  • Click the Download Now button (image: download.png) and save the file to your desktop.
  • Disable any anti-virus and/or firewall software you have installed (instructions can be found here if needed).
  • Close all open windows, including your web browser. As mentioned in the first post, you may want to print out all instructions before starting.
  • Double-click on the ComboFix icon on your desktop (image: cf-icon.jpg).
  • Read the Disclaimer and click I Agree if you want to run the software; you should then see a window like this one (screenshot: cf-preparing.jpg).
  • DO NOT use your computer while ComboFix is running. There are a lot of things going on behind the scenes, and a single mouse click can cause the program to stall.
    However, if you see the prompt shown here (screenshot: recovery-console-prompt.jpg), please click Yes to download the Microsoft Windows Recovery Console.
    If an Internet connection is not available or you choose not to install the Recovery Console, ComboFix will run in Reduced Functionality mode.
  • Allow ComboFix to reboot the computer if necessary; it will run again after you log back in.
  • When complete, a log file will be displayed (screenshot: cf-log.jpg); please copy and paste the contents of this file into your next post.

More information about downloading and using ComboFix can be found here if needed.

 


Best Regards,
oneof4.
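To make the reasoning behind this reply checkable, here is an added example (not from the original post, and not Malwarebytes' own code) that parses the Malwarebytes 1.x log format posted above, cross-checks each section's declared count against the lines actually present, and pulls out what a responder needs: the Trojan.0Access (ZeroAccess) hits that make this a backdoor case, the RunOnce persistence entry, and the item still marked "Delete on reboot". SAMPLE_LOG is a constructed excerpt of the posted log, and the set of families treated as backdoors is an assumption for illustration.

```python
"""Parse a Malwarebytes Anti-Malware 1.x log and triage its detections.

Added example for this thread, not code from the original post or from
Malwarebytes. SAMPLE_LOG is a constructed excerpt of the log posted above.
"""
import re
from collections import Counter

SAMPLE_LOG = r"""
Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Memory Processes Detected: 0
(No malicious items detected)

Registry Values Detected: 1
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce|22618D9C1F77FAE8000022616B420236 (Malware.Packer.HGX1) -> Data: C:\ProgramData\22618D9C1F77FAE8000022616B420236\22618D9C1F77FAE8000022616B420236.exe -> Quarantined and deleted successfully.

Files Detected: 3
C:\$Recycle.Bin\S-1-5-21-968529367-534708958-3583412618-1000\$687421d1783097968480ae01cd4f259a\n (Trojan.0Access) -> Delete on reboot.
C:\$Recycle.Bin\S-1-5-21-968529367-534708958-3583412618-1000\$687421d1783097968480ae01cd4f259a\U\00000001.@ (Trojan.0Access) -> Quarantined and deleted successfully.
C:\Users\Joan Dell\AppData\Local\Temp\BlekkoIC\BlekkoIC.exe (Adware.Downware) -> Quarantined and deleted successfully.

(end)
"""

# "<Kind> Detected: <n>" opens each section of a 1.x log.
SECTION_RE = re.compile(r"^(?P<kind>[A-Za-z ]+) Detected: (?P<count>\d+)$")
# "<item> (<family>) -> [Data: <value> -> ]<action>."
DETECTION_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?P<rest>.+)$")

# Assumption for this example: families treated as backdoors. Trojan.0Access is
# Malwarebytes' name for ZeroAccess, the detection the helper is reacting to.
BACKDOOR_FAMILIES = {"Trojan.0Access"}


def parse_mbam_log(text):
    """Return (declared_counts, detections) for a Malwarebytes 1.x log."""
    counts, detections, kind = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            kind = m.group("kind")
            counts[kind] = int(m.group("count"))
            continue
        # Skip the header before the first section, blank lines, and the
        # "(No malicious items detected)" / "(end)" markers.
        if kind is None or not line or line.startswith("("):
            continue
        d = DETECTION_RE.match(line)
        if not d:
            continue
        rest, data = d.group("rest"), None
        if " -> " in rest:  # registry entries carry the value data before the action
            data, rest = rest.rsplit(" -> ", 1)
            if data.startswith("Data: "):
                data = data[len("Data: "):]
        detections.append({
            "kind": kind,
            "item": d.group("item"),
            "family": d.group("family"),
            "data": data,
            "action": rest.rstrip("."),
        })
    return counts, detections


def check_counts(counts, detections):
    """Map each section to (declared, parsed); a mismatch means the pasted log
    was truncated or edited and should not be trusted as complete."""
    parsed = Counter(d["kind"] for d in detections)
    return {kind: (declared, parsed.get(kind, 0)) for kind, declared in counts.items()}


def triage(detections):
    """Summarise what a responder needs: families seen, items not yet removed,
    Run/RunOnce persistence entries, and whether a backdoor family is present."""
    families = Counter(d["family"] for d in detections)
    backdoors = sorted(f for f in families if f in BACKDOOR_FAMILIES)
    return {
        "families": dict(families),
        "pending_reboot": [d["item"] for d in detections if d["action"] == "Delete on reboot"],
        "run_key_persistence": [d for d in detections
                                if d["kind"] == "Registry Values" and "\\Run" in d["item"]],
        "backdoor_families": backdoors,
        # The helper's point: a backdoor means passwords changed from a clean
        # machine and a reinstall considered, not just a clean follow-up scan.
        "credential_reset_advised": bool(backdoors),
    }


if __name__ == "__main__":
    counts, found = parse_mbam_log(SAMPLE_LOG)
    for kind, (declared, parsed) in check_counts(counts, found).items():
        print(f"{kind}: declared {declared}, parsed {parsed}")
    summary = triage(found)
    print("backdoor families:", summary["backdoor_families"])
    print("still pending reboot:", summary["pending_reboot"])
```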


#4 oneof4

  • Malware Response Team
  • 3,779 posts
  • Gender:Male
  • Location:The Collective

Posted 25 May 2013 - 09:18 PM

Do you still need help?


Best Regards,
oneof4.


#5 Elise

    Bleepin' Blonde

  • Malware Study Hall Admin
  • 61,309 posts
  • Gender:Female
  • Location:Romania

Posted 28 May 2013 - 02:00 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.

regards, Elise
