Virus infection on my Friend's Computer


  • This topic is locked
7 replies to this topic

#1 vulcansage
  • Members
  • 5 posts

Posted 17 May 2013 - 11:12 PM

My friend has had computer problems. I went to his home, did a restore point and got his computer running. It worked while we were there; a McAfee scan revealed some "threats", we removed them, updated, and all seemed well. I installed Malwarebytes, he registered it to run all the time, and I went home. A week later he was down again. I got his computer and it would not start normally; it gave a BSOD and rebooted. I ran diagnostics of the system and all passed; I also did boot-time disk checks, and all was fine. I got it to run in safe mode, but no mouse would work. I tabbed my way to McAfee and did a full scan; it found cookies and 36 trojans that it would not describe to me in the "report". After these scans I was able to start normally and the mouse now worked. I started to do a full McAfee scan again; it is at 69% and so far clean. A Malwarebytes full scan underway is also so far clean after 53 minutes of scanning. I believe there is still something lurking on this computer. Please help me clean it.

Thank you

Vulcansage :)

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 9.0.8112.16464  BrowserJavaVersion: 10.15.2
Run by User at 0:53:18 on 2013-05-18
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\atiesrxx.exe
C:\Windows\system32\atieclxx.exe
C:\Windows\System32\WUDFHost.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
C:\Windows\system32\mfevtps.exe
C:\Windows\system32\rundll32.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Windows\system32\STacSV.exe
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\Program Files\Sigmatel\C-Major Audio\WDM\sttray.exe
C:\Program Files\Dell DataSafe Online\DataSafeOnline.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\XPSMiniViewGadget\XPSMiniViewGadget.exe
C:\Windows\system32\taskhost.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\McAfee\VirusScan\mcods.exe
C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Windows\system32\rundll32.exe
C:\PROGRA~1\McAfee\MSC\McInfo.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
c:\PROGRA~1\mcafee\mqs\qcshm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uWindow Title = Internet Explorer provided by Dell
uSearch Bar = hxxp://www.google.com/ie
uSearch Page = hxxp://www.google.com
uDefault_Page_URL = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=6081003
mStart Page = hxxp://broadband.zoomtown.com
mDefault_Page_URL = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=6081003
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
BHO: McAfee SiteAdvisor BHO: {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\program files\mcafee\siteadvisor\McIEPlg.dll
BHO: CBrowserHelperObject Object: {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\program files\dell\bae\BAE.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
TB: McAfee SiteAdvisor Toolbar: {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\program files\mcafee\siteadvisor\McIEPlg.dll
uRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
mRun: [SigmatelSysTrayApp] c:\program files\sigmatel\c-major audio\wdm\sttray.exe
mRun: [Dell DataSafe Online] "c:\program files\dell datasafe online\DataSafeOnline.exe" /m
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [IAAnotif] "c:\program files\intel\intel matrix storage manager\Iaanotif.exe"
mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [Nikon Message Center 2] c:\program files\nikon\nikon message center 2\NkMC2.exe -s
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mPolicies-Explorer: BindDirectlyToPropertySetStorage = dword:0
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
TCP: NameServer = 192.168.2.1
TCP: Interfaces\{EC151672-1A21-4C13-AB45-025B121F6F12} : DHCPNameServer = 192.168.2.1
Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\program files\mcafee\msc\McSnIePl.dll
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\program files\mcafee\siteadvisor\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\program files\mcafee\siteadvisor\McIEPlg.dll
Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll
AppInit_DLLs= c:\progra~1\google\google~1\GO36F4~1.DLL
SSODL: WebCheck - <orphaned>
.
============= SERVICES / DRIVERS ===============
.
R? b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0
R? clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86
R? GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335
R? HipShieldK;McAfee Inc. HipShieldK
R? mfebopk;McAfee Inc. mfebopk
R? MpKsl02bf58af;MpKsl02bf58af
R? MpKsl1dc263ff;MpKsl1dc263ff
R? MpKsl23ea3432;MpKsl23ea3432
R? MpKsl2b956e9a;MpKsl2b956e9a
R? MpKsl2f72a23e;MpKsl2f72a23e
R? MpKsl3e0b18ea;MpKsl3e0b18ea
R? MpKsl3ece3080;MpKsl3ece3080
R? MpKsl4bc62244;MpKsl4bc62244
R? MpKsl533552ed;MpKsl533552ed
R? MpKsl57ad407c;MpKsl57ad407c
R? MpKsl63599a5a;MpKsl63599a5a
R? MpKsl909b5ead;MpKsl909b5ead
R? MpKsl96ad0d77;MpKsl96ad0d77
R? MpKsla30bb531;MpKsla30bb531
R? MpKslc46293d2;MpKslc46293d2
R? MpKslc93e6707;MpKslc93e6707
R? MpKslcdc43c6b;MpKslcdc43c6b
R? MpKslcfa20fe3;MpKslcfa20fe3
R? MpKsld98d437a;MpKsld98d437a
R? MpKslea6c6685;MpKslea6c6685
R? MpKslec0b3dc6;MpKslec0b3dc6
R? MpKslef502c7c;MpKslef502c7c
R? MpKslfbba1907;MpKslfbba1907
R? PCDSRVC{E9D79540-57D5953E-06020200}_0;PCDSRVC{E9D79540-57D5953E-06020200}_0 - PCDR Kernel Mode Service Helper Driver
R? RoxLiveShare10;LiveShare P2P Server 10
R? RoxMediaDB10;RoxMediaDB10
R? RoxWatch10;Roxio Hard Drive Watcher 10
R? TsUsbFlt;TsUsbFlt
R? TsUsbGD;Remote Desktop Generic USB Device
R? WatAdminSvc;Windows Activation Technologies Service
S? AMD External Events Utility;AMD External Events Utility
S? cfwids;McAfee Inc. cfwids
S? FETND62;D-Link PCI Fast Ethernet Adapter Driver
S? MBAMProtector;MBAMProtector
S? MBAMScheduler;MBAMScheduler
S? MBAMService;MBAMService
S? MBAMSwissArmy;MBAMSwissArmy
S? McAfee SiteAdvisor Service;McAfee SiteAdvisor Service
S? McMPFSvc;McAfee Personal Firewall Service
S? McNaiAnn;McAfee VirusScan Announcer
S? McProxy;McAfee Proxy Service
S? McShield;McAfee McShield
S? mfeavfk;McAfee Inc. mfeavfk
S? mfefire;McAfee Firewall Core Service
S? mfefirek;McAfee Inc. mfefirek
S? mfehidk;McAfee Inc. mfehidk
S? mferkdet;McAfee Inc. mferkdet
S? mfevtp;McAfee Validation Trust Protection Service
S? mfewfpk;McAfee Inc. mfewfpk
.
=============== Created Last 30 ================
.
2013-05-18 04:14:39    40776    ----a-w-    c:\windows\system32\drivers\mbamswissarmy.sys
2013-05-18 02:03:21    --------    d-sh--w-    C:\found.006
.
==================== Find3M  ====================
.
2013-02-23 02:22:49    94112    ----a-w-    c:\windows\system32\WindowsAccessBridge.dll
2013-02-23 02:22:48    861088    ----a-w-    c:\windows\system32\npDeployJava1.dll
2013-02-23 02:22:48    782240    ----a-w-    c:\windows\system32\deployJava1.dll
2013-02-23 01:37:57    71024    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2013-02-23 01:37:57    691568    ----a-w-    c:\windows\system32\FlashPlayerApp.exe
.
============= FINISH:  0:56:24.79 ===============
Edited by vulcansage, 17 May 2013 - 11:18 PM.
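
The DDS "Pseudo HJT Report" in the log above is what a helper reads first: every line is an autostart hook or browser extension, and the things to look at are orphaned references (SSODL: WebCheck), a populated AppInit_DLLs value (loaded into every process that maps user32.dll, here pointing via an 8.3 short name into the Google Desktop directory), and images launching from somewhere other than the normal program directories. The following Python is an added example, not part of the original post and not DDS or BleepingComputer tooling: it parses a handful of the entries quoted from the log, pulls the image path out of each, and applies those three rules. The TRUSTED_ROOTS allowlist, the rule set, and the last uRun line in SAMPLE_LOG (constructed so the path rule has something to fire on) are assumptions for the demo.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Entries excerpted from the DDS "Pseudo HJT Report" above. The final uRun line
# is constructed for this demo and is NOT in the posted log.
SAMPLE_LOG = r"""
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll
AppInit_DLLs= c:\progra~1\google\google~1\GO36F4~1.DLL
SSODL: WebCheck - <orphaned>
uRun: [Example] "c:\users\user\appdata\local\temp\example.exe" /s
"""

# Assumed allowlist: roots an autostart image is expected to live under.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")

# One regex per DDS line shape we care about.
PATTERNS = [
    re.compile(r"^(?P<kind>[um]Run): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$"),
    re.compile(r"^(?P<kind>BHO|TB): (?P<name>.+?): \{[0-9A-Fa-f-]+\} - (?P<cmd>.+)$"),
    re.compile(r"^(?P<kind>Notify|SSODL): (?P<name>\S+) - (?P<cmd>.+)$"),
    re.compile(r"^(?P<kind>AppInit_DLLs)=\s*(?P<cmd>.*)$"),
]
# First .exe/.dll/.scr/.cpl token of a command line, quoted or not.
IMAGE_RE = re.compile(r'\s*"?(?P<p>[^"]+?\.(?:exe|dll|scr|cpl))', re.I)


@dataclass
class Entry:
    kind: str   # uRun, mRun, BHO, TB, Notify, SSODL, AppInit_DLLs
    name: str
    path: str   # lower-cased image path, "<orphaned>", or "" when empty


def image_path(cmd: str) -> str:
    """Extract the executable/DLL path from a Run-key style command line."""
    if cmd.startswith("<"):          # DDS placeholders such as <orphaned>
        return cmd.lower()
    m = IMAGE_RE.match(cmd)
    return m.group("p").lower() if m else cmd.strip().lower()


def parse_hjt(text: str) -> list[Entry]:
    entries = []
    for line in text.splitlines():
        line = line.strip()
        for rx in PATTERNS:
            m = rx.match(line)
            if m:
                name = m.groupdict().get("name") or m.group("kind")
                entries.append(Entry(m.group("kind"), name, image_path(m.group("cmd"))))
                break
    return entries


def triage(entries: list[Entry]) -> list[tuple[str, str, str]]:
    """Return (kind, name, reason) for every entry a reviewer should look at."""
    findings = []
    for e in entries:
        if e.path == "<orphaned>":
            findings.append((e.kind, e.name,
                             "orphaned registry reference; the file is gone, clean the key"))
        elif e.kind == "AppInit_DLLs" and e.path:
            findings.append((e.kind, e.name,
                             "AppInit_DLLs loads into every process using user32.dll; "
                             f"expand the 8.3 name and verify the publisher: {e.path}"))
        elif e.path and not e.path.startswith(TRUSTED_ROOTS):
            findings.append((e.kind, e.name,
                             f"autostart image outside standard program directories: {e.path}"))
    return findings


if __name__ == "__main__":
    for kind, name, reason in triage(parse_hjt(SAMPLE_LOG)):
        print(f"{kind:13} {name:20} {reason}")
```

On a live DDS log the same pass runs over every uRun/mRun/BHO/Notify/SSODL/AppInit_DLLs line; the entries it does not flag still have to be checked for a valid Authenticode signature on the actual file, which this offline parser cannot do.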



#2 vulcansage (Topic Starter)
  • Members
  • 5 posts

Posted 17 May 2013 - 11:29 PM

Hi,

Your Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help said to

"Attach the Attach.txt file to the post"

But attach.txt itself said:

    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

So I didn't attach it.



#3 vulcansage (Topic Starter)
  • Members
  • 5 posts

Posted 18 May 2013 - 10:13 AM

I updated virus definitions and McAfee found 4 trojans, but it says nothing about them.



#4 vulcansage (Topic Starter)
  • Members
  • 5 posts

Posted 18 May 2013 - 01:46 PM

McAfee scans have been clean, as well as Malwarebytes.

I witnessed a Malwarebytes auto-protect event just now:

2013/05/18 14:36:27 -0400 USER-PC User DETECTION C:\Users\User\AppData\Local\7za.exe Trojan.ExeShell.Gen QUARANTINE
2013/05/18 14:36:30 -0400 USER-PC User ERROR Quarantine failed:  SDKQuarantine failed with error code 2
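
Those two Malwarebytes lines are the most concrete evidence in the thread: a real-time detection followed three seconds later by a quarantine failure, which means the detected file was still in place afterwards even though the scanner reported it. The Python below is an added example, not from the post and not Malwarebytes code: it parses that protection-log line shape, pairs each DETECTION with any "Quarantine failed" ERROR that follows it within a short window, and lists the detections that were never actually resolved. The line format is inferred from the two quoted lines; the third sample line is constructed for contrast, and the 10-second pairing window is an assumption.

```python
from __future__ import annotations
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# First two lines: the Malwarebytes protection-log lines quoted above.
# Third line: constructed for contrast (a detection with no follow-up error).
SAMPLE_LOG = r"""
2013/05/18 14:36:27 -0400 USER-PC User DETECTION C:\Users\User\AppData\Local\7za.exe Trojan.ExeShell.Gen QUARANTINE
2013/05/18 14:36:30 -0400 USER-PC User ERROR Quarantine failed:  SDKQuarantine failed with error code 2
2013/05/18 15:02:11 -0400 USER-PC User DETECTION C:\Users\User\Downloads\sample file.exe Example.Constructed QUARANTINE
"""

# timestamp  tz  host  user  LEVEL  free-text message
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2} [+-]\d{4}) "
    r"(?P<host>\S+) (?P<user>\S+) (?P<level>[A-Z]+) (?P<msg>.*)$")

PAIR_WINDOW = timedelta(seconds=10)   # assumption: error belongs to the detection just before it


@dataclass
class Event:
    when: datetime
    host: str
    level: str
    msg: str


def parse_log(text: str) -> list[Event]:
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            when = datetime.strptime(m.group("ts"), "%Y/%m/%d %H:%M:%S %z")
            events.append(Event(when, m.group("host"), m.group("level"), m.group("msg")))
    return events


def detections(events: list[Event], window: timedelta = PAIR_WINDOW) -> list[dict]:
    """One record per DETECTION, marked failed if a quarantine error follows it."""
    out = []
    for i, ev in enumerate(events):
        if ev.level != "DETECTION":
            continue
        # Message is "<path with spaces> <threat name> <action>"; split from the right
        # so spaces inside the path survive.
        path, threat, action = ev.msg.rsplit(" ", 2)
        rec = {"when": ev.when, "host": ev.host, "path": path, "threat": threat,
               "action": action, "status": "resolved", "error": None}
        for later in events[i + 1:]:
            if later.when - ev.when > window or later.level == "DETECTION":
                break
            if later.host == ev.host and later.level == "ERROR" \
                    and later.msg.startswith("Quarantine failed"):
                rec["status"] = "failed"
                rec["error"] = later.msg
                break
        out.append(rec)
    return out


def still_on_disk(events: list[Event]) -> list[str]:
    """Paths whose quarantine failed: these files were not removed by the scanner."""
    return [r["path"] for r in detections(events) if r["status"] == "failed"]


if __name__ == "__main__":
    for r in detections(parse_log(SAMPLE_LOG)):
        print(r["status"].upper(), r["threat"], r["path"], r["error"] or "")
```

A path reported by still_on_disk is the one to hash (certutil -hashfile on Windows) and check with the vendor before deciding anything; the detection name alone does not say whether the file is hostile, and a failed quarantine says only that it is still there.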



#5 nasdaq
  • Malware Response Team
  • 38,950 posts
  • Gender: Male
  • Location: Montreal, QC, Canada

Posted 22 May 2013 - 10:10 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.
===

Read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application. [screenshot: tdss1.png]
  • Click Change parameters. [screenshot: settings20121003115955.png]
  • Check the boxes next to Verify Driver Digital Signature and Detect TDLFS file system, then click OK. [screenshot: tdss3.png]
  • Click on the Start Scan button to begin the scan and wait for it to finish.
    NOTE: Do not use the computer during the scan!
  • During the scan it will look similar to the image below. [screenshot: tdss4.jpg]
  • When it finishes, you will either see a report that no threats were found, like below: [screenshot: tdss5.jpg]
    If no threats are found at this point, just click the Report selection on the top right of the form to generate a log. A log file report will pop up, which you can just close since the report file is already saved.
  • If any infection or suspected items are found, you will see a window similar to below: [screenshot: tdss7.jpg]
    • If you have files that are shown to fail the signature check, do not take any action on these. Make sure you select Skip. I will tell you what to do with these later. They may not be issues at all.
    • If Suspicious objects are detected, the default action will be Skip. Leave the default set to Skip.
    • If Malicious objects are detected, they will show in the Scan results. TDSSKiller automatically selects an action (Cure or Delete) for malicious objects.
    • Make sure that Cure is selected. Important! If Cure is not available, please choose Skip instead. Do not choose Delete unless instructed to do so.
  • Click Continue to apply selected actions.
  • A reboot may be required to complete disinfection. A window like the below will appear: [screenshot: tdss6.jpg]
    Reboot immediately if TDSSKiller states that one is needed.
  • Whether an infection is found or not, a log file should have already been created on your C: drive (or whatever drive you boot from) in the root folder, named something like TDSSKiller.2.1.1_27.12.2009_14.17.04_log.txt, which is based on the program version number and the date and time run.
  • Paste the log into your next reply. DO NOT ATTACH IT.
===

Download http://public.avast.com/~gmerek/aswMBR.exe (aswMBR.exe) to your desktop. Double click the aswMBR.exe to run it.
  • Click the "Scan" button to start scan.
  • Upon completion of the scan, click Save log, and save it to your desktop. (Note - do not select any Fix at this time) <- IMPORTANT
  • Please paste the contents of that log in your next reply.
There shall also be a file on your desktop named MBR.dat. Right click that file and select Send To>Compressed (zipped) folder. Please attach that zipped file in your next reply.
===
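
Both tools nasdaq prescribes look below the file system: TDSSKiller verifies driver signatures and looks for the TDLFS hidden file system, and aswMBR dumps the boot sector to MBR.dat. The Python below is an added example, not from the thread and not part of either tool: it checks a 512-byte MBR image of the kind aswMBR writes, validating the 0x55AA signature, parsing the partition table for inconsistencies, and comparing a SHA-256 of the 440-byte bootstrap area with a known-good baseline. The sample sector, its bootstrap stub, the partition layout and the baseline hash are all constructed here; on a real case the baseline would be the hash recorded from a clean machine with the same OS build. One caveat a practitioner should keep in mind: a bootkit that filters disk I/O can hand a clean copy of the sector to an ordinary read, which is why a dedicated tool is used to obtain the dump in the first place.

```python
from __future__ import annotations
import hashlib
import struct
from dataclasses import dataclass

SECTOR = 512
BOOTCODE_LEN = 440       # 0x000-0x1B7: bootstrap code the BIOS jumps into
DISK_SIG_OFF = 0x1B8     # 4-byte NT disk signature
PTABLE_OFF = 0x1BE       # four 16-byte partition entries
BOOT_SIG_OFF = 0x1FE     # must hold 0x55 0xAA
ENTRY_FMT = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sector count


@dataclass
class Partition:
    index: int
    bootable: bool
    type_id: int
    lba_start: int
    sectors: int


def parse_partitions(mbr: bytes) -> list[Partition]:
    parts = []
    for i in range(4):
        status, _chs_s, ptype, _chs_e, lba, count = struct.unpack_from(
            ENTRY_FMT, mbr, PTABLE_OFF + 16 * i)
        parts.append(Partition(i, status == 0x80, ptype, lba, count))
    return parts


def bootcode_hash(mbr: bytes) -> str:
    return hashlib.sha256(mbr[:BOOTCODE_LEN]).hexdigest()


def check_mbr(mbr: bytes, baseline_hash: str) -> list[str]:
    """Return human-readable findings; an empty list means nothing looked wrong."""
    if len(mbr) != SECTOR:
        return [f"image is {len(mbr)} bytes, expected {SECTOR}"]
    findings = []
    if mbr[BOOT_SIG_OFF:] != b"\x55\xAA":
        findings.append("missing 0x55AA boot signature")
    if bootcode_hash(mbr) != baseline_hash:
        findings.append("bootstrap code differs from known-good baseline")
    parts = parse_partitions(mbr)
    active = [p for p in parts if p.bootable]
    if len(active) != 1:
        findings.append(f"{len(active)} active partitions (expected exactly 1)")
    for p in parts:
        if p.type_id == 0 and (p.lba_start or p.sectors):
            findings.append(f"entry {p.index}: type 0 but non-zero geometry")
        if p.type_id and p.lba_start == 0:
            findings.append(f"entry {p.index}: starts at LBA 0 and overlaps the MBR itself")
    spans = sorted((p.lba_start, p.lba_start + p.sectors, p.index) for p in parts if p.type_id)
    for (s1, e1, i1), (s2, e2, i2) in zip(spans, spans[1:]):
        if s2 < e1:
            findings.append(f"entries {i1} and {i2} overlap")
    return findings


def build_sample_mbr(bootcode: bytes, disk_sig: int, entries) -> bytes:
    """Assemble a constructed 512-byte sector for the demo (not a dump of a real disk)."""
    buf = bytearray(SECTOR)
    buf[:len(bootcode)] = bootcode
    struct.pack_into("<I", buf, DISK_SIG_OFF, disk_sig)
    for i, (bootable, ptype, lba, count) in enumerate(entries):
        struct.pack_into(ENTRY_FMT, buf, PTABLE_OFF + 16 * i,
                         0x80 if bootable else 0x00, b"\0\0\0", ptype, b"\0\0\0", lba, count)
    buf[BOOT_SIG_OFF:] = b"\x55\xAA"
    return bytes(buf)


# Constructed stub (xor ax,ax / mov ss,ax / mov sp,7C00h padded with NOPs). It is a
# placeholder, not real Windows boot code; its hash serves as the demo baseline.
CLEAN_BOOTCODE = b"\x33\xC0\x8E\xD0\xBC\x00\x7C" + b"\x90" * 32
CLEAN_MBR = build_sample_mbr(CLEAN_BOOTCODE, 0x1234ABCD, [
    (True,  0x07, 2048,   204800),    # constructed 100 MB system partition
    (False, 0x07, 206848, 1000000),   # constructed data partition
    (False, 0x00, 0, 0),
    (False, 0x00, 0, 0),
])
BASELINE = bootcode_hash(CLEAN_MBR)


def tampered_copy(mbr: bytes) -> bytes:
    """Flip one byte in the bootstrap area, the way a bootkit patching the MBR would."""
    buf = bytearray(mbr)
    buf[0x10] ^= 0xFF
    return bytes(buf)


if __name__ == "__main__":
    print("clean:   ", check_mbr(CLEAN_MBR, BASELINE))
    print("tampered:", check_mbr(tampered_copy(CLEAN_MBR), BASELINE))
```

Against a real MBR.dat you would read the file, pass it to check_mbr with the baseline recorded from a clean install, and treat a bootstrap mismatch as a reason to let the dedicated tools (not this script) do the repair; the partition-table rules catch the cruder corruption and the hidden-extent tricks, but a clean table with patched boot code is exactly the case the hash comparison exists for.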

#6 vulcansage (Topic Starter)
  • Members
  • 5 posts

Posted 22 May 2013 - 11:07 PM

Thank you. I will do this soon and reply.



#7 nasdaq
  • Malware Response Team
  • 38,950 posts
  • Gender: Male
  • Location: Montreal, QC, Canada

Posted 25 May 2013 - 08:22 AM

Are you still with me?

#8 nasdaq
  • Malware Response Team
  • 38,950 posts
  • Gender: Male
  • Location: Montreal, QC, Canada

Posted 31 May 2013 - 09:25 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.
