
Google "connection interrupted" and in-browser popups. Unknown Malware/Virus.


  • This topic is locked
8 replies to this topic

#1 Moonlitday

Moonlitday

  • Members
  • 4 posts
  • OFFLINE
  • Local time:05:59 PM

Posted 20 June 2013 - 03:07 PM

Hello all,

 

I've been having this issue on the store computer for quite a while now. I do not know where my boss has been browsing but somewhere along the way he picked up this bug that I cannot nail down. It also appears that my hosts file is hidden, although I can bring it up via web browser and it shows no unusual entries. As this is a work PC I am unsure of whether or not the hosts file was hidden to begin with.

 

Here is what it does:

 

- In Firefox it will allow me to get to Google but will error when making a search (connection interrupted error). [Attached file: google error.jpg] However Bing works fine. I can use Google in Internet Explorer, however it will on occasion redirect links that I click on.

- In both browsers it creates in-browser popup ads in either the lower right or lower left corners. I use Adblock Plus in Firefox and it does not allow me to manually block the popups. The ad content will vary. The left box usually looks like an Adobe popup wanting Flash installed, the right popup usually shows "find more information on <current website topic> here". [Attached file: popup.jpg]

 

Here is what I have done so far:

- Ran system restore - it did not remove the item.

- Ensured windows firewall is enabled.

- Ran Microsoft Security Essentials - it detected nothing

- Ran Malwarebytes - it detected nothing

- Ran Spybot Search and Destroy - It found a few tracking cookies in IE

 

Now when I first found this lovely, I ran Norton on the pc (I know, I know, but I was desperate as NOTHING worked), and what it removed also killed my SQL functionality which rendered my point-of-sale system useless. System restore reverted the changes and the bug seemingly disappeared until a blue screen crash this week which, I'm guessing, caused it to reinstall.

 

Any and all help greatly appreciated.

 

DDS Log:

 

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 9.0.8112.16476  BrowserJavaVersion: 10.17.2
Run by POS at 15:59:47 on 2013-06-20
#Option MBR scan  is disabled.
Microsoft Windows 7 Professional   6.1.7601.1.1252.2.1033.18.3062.1125 [GMT -3:00]
.
AV: Symantec Endpoint Protection *Enabled/Updated* {88C95A36-8C3B-2F2C-1B8B-30FCCFDC4855}
AV: Microsoft Security Essentials *Enabled/Updated* {3F839487-C7A2-C958-E30C-E2825BA31FB5}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Symantec Endpoint Protection *Enabled/Updated* {33A8BBD2-AA01-20A2-213B-0B8EB45B02E8}
SP: Microsoft Security Essentials *Enabled/Updated* {84E27563-E198-C6D6-D9BC-D9F020245508}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files\Symantec\Backup Exec System Recovery\Agent\VProSvc.exe
C:\Program Files\EPSON\EPuras\EPurasLog.exe
C:\Windows\system32\LMabcoms.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\Program Files\Microsoft SQL Server\MSSQL10_50.MSSQLSERVER\MSSQL\Binn\sqlservr.exe
C:\MagicInfo-i\postgres\bin\pg_ctl.exe
C:\Program Files\ThinkPad\Utilities\PWMDBSVC.EXE
c:\Program Files\Microsoft SQL Server\MSRS10_50.MSSQLSERVER\Reporting Services\ReportServer\bin\ReportingServicesService.exe
C:\MagicInfo-i\postgres\bin\postgres.exe
C:\Windows\system32\conhost.exe
C:\MagicInfo-i\postgres\bin\postgres.exe
C:\MagicInfo-i\postgres\bin\postgres.exe
C:\MagicInfo-i\postgres\bin\postgres.exe
C:\MagicInfo-i\postgres\bin\postgres.exe
C:\MagicInfo-i\postgres\bin\postgres.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\Program Files\VNCTunneling\svcreg.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\EPSON\EPuras\EPuras.exe
C:\MagicInfo-i\tomcat\bin\tomcat6.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\conhost.exe
C:\Program Files\VNCTunneling\VNCTunneling.exe
c:\Program Files\Microsoft SQL Server\MSSQL10_50.MSSQLSERVER\MSSQL\Binn\fdlauncher.exe
c:\Program Files\Microsoft SQL Server\MSSQL10_50.MSSQLSERVER\MSSQL\Binn\fdhost.exe
C:\Windows\system32\conhost.exe
C:\Program Files\Symantec\Backup Exec System Recovery\Shared\Drivers\SymSnapService.exe
c:\Program Files\Microsoft Security Client\NisSrv.exe
C:\MagicInfo-i\postgres\bin\postgres.exe
C:\MagicInfo-i\postgres\bin\postgres.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\Program Files\Lenovo\System Update\SUService.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskhost.exe
C:\Windows\Explorer.EXE
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Symantec\Backup Exec System Recovery\Agent\VProTray.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Lexmark\ErrorApp\LMab1err.EXE
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\ThinkPad\Utilities\SCHTASK.EXE
C:\Program Files\McAfee Security Scan\3.0.318\SSScheduler.exe
C:\Apps\A2R\QWatcher.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Apps\A2R\Cashier.exe
C:\Program Files\Microsoft Office\Office12\EXCEL.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Google\Google Toolbar\GoogleToolbarUser_32.exe
C:\Windows\system32\Macromed\Flash\FlashUtil32_11_7_700_224_ActiveX.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k imgsvc
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.ca/
uDefault_Page_URL = hxxp://lenovo.msn.com
BHO: MSS+ Identifier: {0E8A89AD-95D7-40EB-8D9D-083EF7066A01} - c:\program files\mcafee security scan\3.0.318\McAfeeMSS_IE.dll
BHO: Search Helper: {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
TB: Google Toolbar: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [LMab1err] c:\program files\lexmark\errorapp\LMab1err.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [Ugxuleirgu] c:\users\pos\appdata\roaming\leigzi\yppia.exe
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
mRun: [PWMTRV] rundll32 c:\progra~1\thinkpad\utilit~1\PWMTR32V.DLL,PwrMgrBkGndMonitor
mRun: [PWRAGD] c:\progra~1\thinkpad\utilit~1\DPMHost.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [EpsonAPD4SV] c:\program files\epson\epson advanced printer driver 4\tools\eapsv\EAPSV.EXE
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [Symantec Backup Exec System Recovery 2010] "c:\program files\symantec\backup exec system recovery\agent\VProTray.exe"
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\3.0.318\SSScheduler.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\queuew~1.lnk - c:\apps\a2r\QWatcher.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\tm-t20~1.lnk - c:\program files\epson\tm-t20 software\tm20utl\TMRESTOREAPP.EXE
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\tm-t88~1.lnk - c:\program files\epson\tm-t88v software\tm88vutl\TMRESTOREAPP.exe
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/_layouts/ClientBin/ieawsdc32.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: Interfaces\{EC354FD0-CAA4-44E9-A6B8-5B62B0261BE6} : NameServer = 192.168.1.1
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\common files\skype\Skype4COM.dll
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll
Notify: igfxcui - igfxdev.dll
SSODL: WebCheck - <orphaned>
SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "c:\program files\google\chrome\application\27.0.1453.116\installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\pos\appdata\roaming\mozilla\firefox\profiles\do8to023.default\
FF - plugin: c:\program files\adobe\reader 11.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\google\update\1.3.21.145\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre7\bin\plugin2\npjp2.dll
FF - plugin: c:\program files\mcafee security scan\3.0.318\npMcAfeeMSS.dll
FF - plugin: c:\program files\microsoft silverlight\5.1.20125.0\npctrlui.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_7_700_224.dll
FF - plugin: c:\windows\system32\npDeployJava1.dll
FF - plugin: c:\windows\system32\npmproxy.dll
.
---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
============= SERVICES / DRIVERS ===============
.
R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2013-1-20 195296]
R2 Backup Exec System Recovery;Backup Exec System Recovery;c:\program files\symantec\backup exec system recovery\agent\VProSvc.exe [2010-3-3 4591456]
R2 EPSON TM Parallel Port Driver;EPSON TM Parallel Port Driver;c:\windows\system32\drivers\tmlpt.sys [2010-3-26 18696]
R2 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2013-1-20 100328]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2012-8-14 106656]
R3 GenericMount;Generic Mount Driver;c:\windows\system32\drivers\GenericMount.sys [2010-2-12 57840]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-4-14 21104]
R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\drivers\yk62x86.sys [2009-8-6 313856]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 fssfltr;fssfltr;c:\windows\system32\drivers\fssfltr.sys [2012-4-18 39272]
S3 netw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\drivers\netw5v32.sys [2009-6-10 4231168]
S3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\drivers\VSTAZL3.SYS [2009-7-13 207360]
S3 SrvHsfV92;SrvHsfV92;c:\windows\system32\drivers\VSTDPV3.SYS [2009-7-13 980992]
S3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\drivers\VSTCNXT3.SYS [2009-7-13 661504]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2011-6-23 52224]
S4 RsFx0150;RsFx0150 Driver;c:\windows\system32\drivers\RsFx0150.sys [2010-4-3 240608]
.
=============== Created Last 30 ================
.
2013-06-20 18:54:47 -------- d-----w- c:\program files\Cobian Backup 10
2013-06-20 08:59:19 -------- d-----w- c:\users\pos\appdata\local\{3FF5C311-907B-4ACD-982D-DFE58923C7CF}
2013-06-20 04:17:34 7068072 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{3f723c41-0d49-4648-83f0-d73ca236a909}\mpengine.dll
2013-06-19 09:11:52 -------- d-----w- c:\users\pos\appdata\local\{F6108DB9-7DC3-4015-926E-BBDCCB8788EA}
2013-06-18 09:17:20 -------- d-----w- c:\users\pos\appdata\local\{68F5D99F-94CB-4F1C-8A01-339FF2408765}
2013-06-18 04:21:51 7068072 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2013-06-17 10:10:17 -------- d-----w- c:\users\pos\appdata\local\{44C96F69-8DA8-45D6-B3D2-81DCF525B2E1}
2013-06-17 09:05:46 -------- d-----w- c:\users\pos\appdata\local\{CB460BCF-D8B5-4AB9-A81F-7099E424CF7B}
2013-06-15 17:13:17 -------- d-----w- c:\users\pos\appdata\local\{D3721DEE-BABB-444F-8BC6-3A5D839A3EC2}
2013-06-15 12:55:44 724464 ------w- c:\programdata\microsoft\microsoft antimalware\definition updates\{ec1e5b7f-2b0d-41e9-8b1d-c22d108d24e0}\gapaengine.dll
2013-06-14 22:56:51 -------- d-----w- c:\users\pos\appdata\local\{9263403F-554F-496F-87A9-8D3A452C68F5}
2013-06-14 10:11:31 -------- d-----w- c:\users\pos\appdata\local\{57067B81-BECB-4C82-AA55-E4A9E32F6C84}
2013-06-13 09:26:17 -------- d-----w- c:\users\pos\appdata\local\{EACCF35C-B6F8-48C1-9DB8-B1DEB872FE6B}
2013-06-12 09:29:11 -------- d-----w- c:\users\pos\appdata\local\{34EFD4D2-5280-456F-9748-4906E0596F04}
2013-06-11 19:57:03 9089416 ----a-w- c:\windows\system32\FlashPlayerInstaller.exe
2013-06-11 09:23:01 -------- d-----w- c:\users\pos\appdata\local\{C50904E9-F558-4AE4-A87D-E69EC24C42C2}
2013-06-10 09:35:09 -------- d-----w- c:\users\pos\appdata\local\{CFE38BA7-E234-428D-8451-70BD28FB14E7}
2013-06-08 13:27:30 -------- d-----w- c:\users\pos\appdata\local\{FC97125C-8178-41DF-980E-9AE718344CD6}
2013-06-07 11:19:37 -------- d-----w- c:\users\pos\appdata\local\{E29C1051-DCE2-41ED-9549-BFDEBCF7DD35}
2013-06-06 12:20:26 -------- d-----w- c:\users\pos\appdata\local\{6883FD22-6F15-4064-A2E5-641B829656E9}
2013-06-06 10:08:43 -------- d-----w- c:\users\pos\appdata\local\{E326831A-CBFC-443C-9F98-9F695953AAAC}
2013-06-05 09:34:17 -------- d-----w- c:\users\pos\appdata\local\{F5DB5CFC-63EF-4FDD-961D-09B5F63ADB8E}
2013-06-04 09:25:33 -------- d-----w- c:\users\pos\appdata\local\{BE89832B-5A75-40AF-ADF7-249AC91FD748}
2013-06-03 10:13:57 -------- d-----w- c:\users\pos\appdata\local\{969A9262-CA3C-427B-8320-EAB198A49BDE}
2013-05-31 10:11:27 -------- d-----w- c:\users\pos\appdata\local\{6F9D201D-777E-4B82-8F14-2A6A25E25AF6}
2013-05-30 10:35:27 -------- d-----w- c:\users\pos\appdata\local\{C929FB0C-9916-4267-94A2-E1B59BD2EDC5}
2013-05-29 09:30:28 -------- d-----w- c:\users\pos\appdata\local\{2962B43C-9B2F-44B6-9A67-45A2A721FC48}
2013-05-28 09:35:21 -------- d-----w- c:\users\pos\appdata\local\{4849CFDE-FFA3-4E41-B688-999E3F175D8B}
2013-05-27 09:55:38 -------- d-----w- c:\users\pos\appdata\local\{6010FA60-83C3-4A3B-A197-3B82E649AE66}
2013-05-25 13:50:25 -------- d-----w- c:\users\pos\appdata\local\{CAFBC8BC-9DD8-42A1-878A-2A0AF36F3923}
2013-05-24 22:24:14 -------- d-----w- c:\users\pos\appdata\local\{449FBA34-8BB5-4CD6-BF72-74071C5A8E9F}
2013-05-24 21:57:41 -------- d-----w- c:\users\pos\appdata\local\{A6D6266C-AEE8-455D-9970-7A633D374A9B}
2013-05-24 09:09:41 -------- d-----w- c:\users\pos\appdata\local\{42FC834E-F4D7-4716-BF7F-74CD83ECB086}
2013-05-23 09:28:15 -------- d-----w- c:\users\pos\appdata\local\{0D65358A-D3DA-454B-900D-93538CFB3EEC}
2013-05-22 09:48:06 -------- d-----w- c:\users\pos\appdata\local\{17AD0372-841A-4240-81E2-886A1869D021}
.
==================== Find3M  ====================
.
2013-06-11 19:57:05 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-06-11 19:57:05 692104 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-05-02 15:28:50 238872 ------w- c:\windows\system32\MpSigStub.exe
2013-03-26 12:11:05 94112 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2013-03-26 12:11:01 861088 ----a-w- c:\windows\system32\npDeployJava1.dll
2013-03-26 12:11:01 782240 ----a-w- c:\windows\system32\deployJava1.dll
.
============= FINISH: 16:02:56.02 ===============
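As an added example (not part of the original post, and not DDS's own logic), a small Python triage of the uRun/mRun lines from the DDS log above: it extracts the executable each Run value launches, flags targets that live in user-writable directories, and checks each target against an excerpt of the Running Processes list. The path heuristic and both samples are assumptions constructed from this log.

```python
import re
from typing import Dict, List

# Constructed sample: the uRun/mRun lines of the DDS "Pseudo HJT Report" above.
# DDS prefixes per-user (HKCU) Run values with "u" and machine-wide (HKLM)
# ones with "m".
SAMPLE_LINES = r"""
uRun: [LMab1err] c:\program files\lexmark\errorapp\LMab1err.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [Ugxuleirgu] c:\users\pos\appdata\roaming\leigzi\yppia.exe
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
mRun: [PWMTRV] rundll32 c:\progra~1\thinkpad\utilit~1\PWMTR32V.DLL,PwrMgrBkGndMonitor
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
""".strip().splitlines()

# Constructed excerpt of the "Running Processes" list from the same DDS log.
SAMPLE_PROCESSES = r"""
C:\Program Files\Lexmark\ErrorApp\LMab1err.EXE
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Windows\System32\rundll32.exe
""".strip().splitlines()

RUN_RE = re.compile(r"^(?P<hive>[um])Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
# First Windows path in the command that ends in something Windows will load or
# run; handles quoted paths, unquoted paths with spaces, and rundll32 host lines.
TARGET_RE = re.compile(r'(?i)[a-z]:\\[^"]*?\.(?:exe|dll|scr|com|vbs|js|bat|cmd)')

# Locations any user can write to. Assumption: this list is a triage heuristic,
# not a definition of malware; vendor software normally lives under Program
# Files or Windows.
USER_WRITABLE = ("\\appdata\\roaming\\", "\\appdata\\local\\temp\\",
                 "\\windows\\temp\\", "\\users\\public\\")


def triage_autoruns(lines: List[str], processes: List[str]) -> List[Dict[str, object]]:
    """Parse DDS Run lines; flag user-writable targets and note whether each is running."""
    running = {p.strip().lower() for p in processes}
    findings = []
    for line in lines:
        m = RUN_RE.match(line.strip())
        if not m:
            continue
        t = TARGET_RE.search(m.group("cmd"))
        target = t.group(0).lower() if t else None
        reasons = []
        if target is None:
            reasons.append("no executable path recognised")
        else:
            for marker in USER_WRITABLE:
                if marker in target:
                    reasons.append("launched from user-writable path " + marker.strip("\\"))
                    break
        findings.append({
            "hive": "HKCU" if m.group("hive") == "u" else "HKLM",
            "name": m.group("name"),
            "target": target,
            # "Not running" can mean the file is already gone: a Run value whose
            # target is absent is stale but still worth removing. A DLL hosted by
            # rundll32 never shows up in the process list by itself.
            "running": target in running,
            "flagged": bool(reasons),
            "reasons": reasons,
        })
    return findings


def flagged_names(lines: List[str], processes: List[str]) -> List[str]:
    return [f["name"] for f in triage_autoruns(lines, processes) if f["flagged"]]


if __name__ == "__main__":
    for f in triage_autoruns(SAMPLE_LINES, SAMPLE_PROCESSES):
        mark = "!!" if f["flagged"] else "  "
        state = "running" if f["running"] else "not running"
        print(mark, f["hive"], f["name"], f["target"], state, "; ".join(f["reasons"]))
```

On this sample only the Ugxuleirgu value is flagged, and its target is not among the running processes, which matches the RogueKiller report later in the thread marking that file as missing.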

#2 nasdaq

nasdaq

  • Malware Response Team
  • 39,543 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:04:59 PM

Posted 24 June 2013 - 09:27 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

--RogueKiller--
  • Download & SAVE to your Desktop RogueKiller for 32bit or RogueKiller for 64bit
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or Windows 7, right-click and select "Run as Administrator" to start.
  • For Windows XP, double-click to start.
  • Wait until Prescan has finished ...
  • Then click on the "Scan" button.
  • Wait until the Status box shows "Scan Finished".
  • Click on "Delete".
  • Wait until the Status box shows "Deleting Finished".
  • Click on "Report" and copy/paste the content of the Notepad into your next reply.
  • The log should be found in RKreport[1].txt on your Desktop.
  • Exit/Close RogueKiller.
===

Search and delete the AdWare, PUP (Potentially Unwanted Program) installed on your computer.

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on the Delete tab and follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleaner[Rn].txt (n is a number).
===

Please download Junkware Removal Tool to your Desktop.
  • Please close your security software to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista or 7, right-mouse click it and select Run as administrator.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete, depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your Desktop and will automatically open.
  • Please post the contents of JRT.txt into your reply.
===

Please download ComboFix from any of the links below, and save it to your desktop. For information regarding this download, please visit this web page: http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Link 1
Link 2

IMPORTANT !!! Save ComboFix.exe to your Desktop

1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
3. Do not install any other programs until this is fixed.

How to : Disable Anti-virus and Firewall...
http://www.bleepingcomputer.com/forums/topic114351.html

Double click on ComboFix.exe and follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt
  • Note: Do not mouse click ComboFix's window while it's running. That may cause it to stall.

Note: If you have difficulty properly disabling your protective programs, refer to this link --> http://www.bleepingcomputer.com/forums/topic114351.html

Note: If after running ComboFix you get this error message "Illegal operation attempted on a registry key that has been marked for deletion." when attempting to run a program, all you need to do is restart the computer to reset the registry.
===

Third-party programs, if not up to date, can be the cause of infiltration by an infection.

Please run this security check for my review.

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
===

Please paste the logs in your next reply. DO NOT ATTACH THEM.
Let me know what problem persists.


#3 Moonlitday

Moonlitday
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:05:59 PM

Posted 25 June 2013 - 11:18 AM

Hi nasdaq, thanks for the post. I will be back to work Thursday evening. I shall run these and post an update that evening. There tends to be no one around Thursday nights so it's a great time for me to take the pc offline. 



#4 Moonlitday

Moonlitday
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:05:59 PM

Posted 25 June 2013 - 02:14 PM

I was able to complete the first two steps listed, and after adwcleaner rebooted the pc, all appears good so far. I will try the junkware tool tomorrow.

 

RogueKiller Log

RogueKiller V8.6.1 [Jun 24 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
Website : http://tigzy.geekstogo.com/roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 7 (6.1.7601 Service Pack 1) 32 bits version
Started in : Normal mode
User : POS [Admin rights]
Mode : Remove -- Date : 06/25/2013 14:17:45
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 11 ¤¤¤
[RUN][SUSP PATH] HKCU\[...]\Run : Ugxuleirgu (C:\Users\POS\AppData\Roaming\Leigzi\yppia.exe [x]) -> DELETED
[RUN][SUSP PATH] HKUS\S-1-5-21-2505442250-3188245110-3542808171-1003\[...]\Run : Ugxuleirgu (C:\Users\POS\AppData\Roaming\Leigzi\yppia.exe [x]) -> [0x2] The system cannot find the file specified.
[SERVICE][ROGUE ST] HKLM\[...]\CCSet\[...]\Services : 3189 (C:\Users\POS\AppData\Local\Temp\3189.sys [x]) -> DELETED
[SERVICE][ROGUE ST] HKLM\[...]\CS001\[...]\Services : 3189 (C:\Users\POS\AppData\Local\Temp\3189.sys [x]) -> [0x2] The system cannot find the file specified.
[SERVICE][ROGUE ST] HKLM\[...]\CS002\[...]\Services : 3189 (C:\Users\POS\AppData\Local\Temp\3189.sys [x]) -> DELETED
[HJ POL] HKCU\[...]\System : DisableTaskMgr (0) -> DELETED
[HJ POL] HKCU\[...]\System : DisableRegistryTools (0) -> DELETED
[HJ POL] HKLM\[...]\System : DisableTaskMgr (0) -> DELETED
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> REPLACED (1)
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

¤¤¤ Scheduled tasks : 1 ¤¤¤
[V2][ROGUE ST] 4423 : wscript.exe - C:\Users\POS\AppData\Local\Temp\launchie.vbs //B -> DELETED

¤¤¤ Startup Entries : 0 ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤
[Tr.Karagany][Folder] plugs : C:\Users\POS\AppData\Roaming\Adobe\plugs [-] --> DELETED
[Tr.Karagany][Folder] shed : C:\Users\POS\AppData\Roaming\Adobe\shed [-] --> DELETED
[Faked][File] acpi.sys : C:\Windows\system32\drivers\acpi.sys [-] --> CANNOT FIX

¤¤¤ Driver : [LOADED] ¤¤¤
[Address] SSDT[13] : NtAlertResumeThread @ 0x82F26B8B -> HOOKED (Unknown @ 0x86D02398)
[Address] SSDT[14] : NtAlertThread @ 0x82E79BB0 -> HOOKED (Unknown @ 0x86D02458)
[Address] SSDT[19] : NtAllocateVirtualMemory @ 0x82E72BBC -> HOOKED (Unknown @ 0x86D00E78)
[Address] SSDT[59] : ExpInterlockedPopEntrySListResume @ 0x82EC0E80 -> HOOKED (Unknown @ 0x86F49760)
[Address] SSDT[74] : NtCreateMutant @ 0x82E5927A -> HOOKED (Unknown @ 0x86CF8F00)
[Address] SSDT[87] : NtCreateThread @ 0x82F24DC6 -> HOOKED (Unknown @ 0x86CFA460)
[Address] SSDT[131] : NtFreeVirtualMemory @ 0x82D017FC -> HOOKED (Unknown @ 0x86D010A8)
[Address] SSDT[145] : NtImpersonateAnonymousToken @ 0x82E3E8DE -> HOOKED (Unknown @ 0x86CF8FD0)
[Address] SSDT[147] : NtImpersonateThread @ 0x82EC2772 -> HOOKED (Unknown @ 0x86D022B8)
[Address] SSDT[168] : NtMapViewOfSection @ 0x82E8F4D9 -> HOOKED (Unknown @ 0x86D02AD0)
[Address] SSDT[177] : NtOpenEvent @ 0x82E58C76 -> HOOKED (Unknown @ 0x86CF8E20)
[Address] SSDT[191] : NtOpenProcessToken @ 0x82EAD17F -> HOOKED (Unknown @ 0x86D00F48)
[Address] SSDT[199] : NtOpenThreadToken @ 0x82EC145B -> HOOKED (Unknown @ 0x86D02870)
[Address] SSDT[304] : NtResumeThread @ 0x82EB94D2 -> HOOKED (Unknown @ 0x86D00738)
[Address] SSDT[316] : NtSetContextThread @ 0x82F26637 -> HOOKED (Unknown @ 0x86D027B0)
[Address] SSDT[333] : NtSetInformationProcess @ 0x82E8175D -> HOOKED (Unknown @ 0x86D02940)
[Address] SSDT[335] : NtSetInformationThread @ 0x82EB2C36 -> HOOKED (Unknown @ 0x86D026E0)
[Address] SSDT[366] : NtSuspendProcess @ 0x82F26AC7 -> HOOKED (Unknown @ 0x86CF8D40)
[Address] SSDT[367] : NtSuspendThread @ 0x82EDDFAB -> HOOKED (Unknown @ 0x86D02560)
[Address] SSDT[370] : NtTerminateProcess @ 0x82EA3B9D -> HOOKED (Unknown @ 0x86CFA540)
[Address] SSDT[371] : NtTerminateThread @ 0x82EC14AB -> HOOKED (Unknown @ 0x86D02620)
[Address] SSDT[385] : NtUnmapViewOfSection @ 0x82EAD7BA -> HOOKED (Unknown @ 0x86D02A10)
[Address] SSDT[399] : NtWriteVirtualMemory @ 0x82EA889A -> HOOKED (Unknown @ 0x86D01178)
[Inline] IRP[IRP_MJ_INTERNAL_DEVICE_CONTROL] : C:\Windows\system32\drivers\atapi.sys -> HOOKED ([Inline] \SystemRoot\system32\drivers\ataport.SYS @ 0x000000CC)

¤¤¤ External Hives: ¤¤¤

¤¤¤ Infection :  ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts


127.0.0.1       localhost
::1             localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: WDC WD3200AAJS-08L7A0 ATA Device +++++
--- User ---
[MBR] c374234667d7e346281b80466390af0c
[BSP] aa33a320b5d6765bda1aebc85a5a0b17 : MBR Code unknown
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 1000 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 2050048 | Size: 294243 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 604659712 | Size: 10000 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[0]_D_06252013_141745.txt >>
RKreport[0]_S_06252013_135026.txt

AdwCleaner Log:

# AdwCleaner v2.303 - Logfile created 06/25/2013 at 16:03:44
# Updated 08/06/2013 by Xplode
# Operating system : Windows 7 Professional Service Pack 1 (32 bits)
# User : POS - POS-THINK
# Boot Mode : Normal
# Running from : C:\Users\POS\Desktop\adwcleaner.exe
# Option [Delete]


***** [Services] *****


***** [Files / Folders] *****

Deleted on reboot : C:\Users\POS\AppData\Local\Google\Chrome\User Data\Default\Extensions\hchkdglnjoagfcnikmcebkjlfbcbkhnm
File Deleted : C:\END
File Deleted : C:\Users\POS\AppData\Roaming\Mozilla\Firefox\Profiles\do8to023.default\searchplugins\Conduit.xml
File Disinfected : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Visual Studio 2008\Microsoft Visual Studio 2008 Documentation.lnk
Folder Deleted : C:\Program Files\Conduit
Folder Deleted : C:\ProgramData\Tarma Installer
Folder Deleted : C:\Users\POS\AppData\Local\Conduit
Folder Deleted : C:\Users\POS\AppData\Local\Google\Chrome\User Data\Default\Extensions\fjoijdanhaiflhibkljeklcghcmmfffh
Folder Deleted : C:\Users\POS\AppData\Local\Google\Chrome\User Data\Default\Extensions\hchkdglnjoagfcnikmcebkjlfbcbkhnm
Folder Deleted : C:\Users\POS\AppData\LocalLow\Conduit
Folder Deleted : C:\Users\POS\AppData\LocalLow\PriceGong
Folder Deleted : C:\Users\POS\AppData\Roaming\Mozilla\Firefox\Profiles\do8to023.default\jetpack

***** [Registry] *****

Key Deleted : HKCU\Software\AppDataLow\Software\Conduit
Key Deleted : HKCU\Software\AppDataLow\Software\ConduitSearchScopes
Key Deleted : HKCU\Software\AppDataLow\Software\PriceGong
Key Deleted : HKCU\Software\AppDataLow\Software\SmartBar
Key Deleted : HKCU\Software\Conduit
Key Deleted : HKCU\Software\Google\Chrome\Extensions\hchkdglnjoagfcnikmcebkjlfbcbkhnm
Key Deleted : HKCU\Software\YahooPartnerToolbar
Key Deleted : HKCU\Software\Zugo
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}
Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.CT3293216
Key Deleted : HKLM\Software\Conduit
Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\hchkdglnjoagfcnikmcebkjlfbcbkhnm
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\ConduitInstaller_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\ConduitInstaller_RASMANCS
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\WebCakeDesktop_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\WebCakeDesktop_RASMANCS
Key Deleted : HKLM\Software\Tarma Installer

***** [Internet Browsers] *****

-\\ Internet Explorer v9.0.8112.16476

[OK] Registry is clean.

-\\ Mozilla Firefox v21.0 (en-US)

File : C:\Users\POS\AppData\Roaming\Mozilla\Firefox\Profiles\do8to023.default\prefs.js

C:\Users\POS\AppData\Roaming\Mozilla\Firefox\Profiles\do8to023.default\user.js ... Deleted !

Deleted : user_pref("CT3293216_Firefox.csv", "[{\"from\":\"Abs Layer\",\"action\":\"loading toolbar\",\"time\"[...]
Deleted : user_pref("Smartbar.ConduitHomepagesList", "hxxp://search.conduit.com/?ctid=CT3293216&CUI=UN16262871[...]
Deleted : user_pref("Smartbar.ConduitSearchEngineList", "");
Deleted : user_pref("Smartbar.ConduitSearchUrlList", "");
Deleted : user_pref("Smartbar.SearchFromAddressBarSavedUrl", "");
Deleted : user_pref("Smartbar.keywordURLSelectedCTID", "CT3293216");
Deleted : user_pref("browser.search.defaultthis.engineName", "Vgrabber v1.5 Customized Web Search");
Deleted : user_pref("browser.search.defaulturl", "hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3293216&CUI[...]
Deleted : user_pref("keyword.URL", "hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3293216&SearchSource=2&CU[...]
Deleted : user_pref("smartbar.machineId", "UCTSBG5PTZ04AKL0SIZ7POGTXVLEVY1OZZNPHT7C4ILPJFE0AXYH6E39BQFFALKUH5G[...]

-\\ Google Chrome v27.0.1453.116

File : C:\Users\POS\AppData\Local\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

*************************

AdwCleaner[R1].txt - [4102 octets] - [25/06/2013 14:22:28]
AdwCleaner[S1].txt - [315 octets] - [25/06/2013 15:07:52]
AdwCleaner[S2].txt - [3992 octets] - [25/06/2013 16:03:44]

########## EOF - C:\AdwCleaner[S2].txt - [4052 octets] ##########


#5 nasdaq

  • Malware Response Team
  • 39,543 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 26 June 2013 - 07:04 AM


Let's check this message.
C:\Windows\system32\drivers\acpi.sys [-] --> CANNOT FIX
===

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2


If your operating system is 64 bit download this tool:
SystemLook_x64.exe
  • Double-click SystemLook.exe to run it.
  • Copy and paste the content of the following bold text into the main textfield:
    :filefind
    acpi.sys
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

#6 Moonlitday

  • Topic Starter
  • Members
  • 4 posts

Posted 26 June 2013 - 12:03 PM

System Look Log:

SystemLook 30.07.11 by jpshortstuff
Log created at 13:57 on 26/06/2013 by POS
Administrator - Elevation successful

========== filefind ==========

Searching for "acpi.sys"
C:\Windows\snack\acpi.sys    --a---- 274304 bytes    [16:49 25/06/2013]    [12:29 20/11/2010] 3775DD4F44A0AD5E73EBBD83DD0A3187
C:\Windows\System32\drivers\acpi.sys    --a---- 274304 bytes    [03:40 23/06/2011]    [12:29 20/11/2010] CEA80C80BED809AA0DA6FEBC04733349
C:\Windows\System32\DriverStore\FileRepository\acpi.inf_x86_neutral_a1f4891fe0de4401\acpi.sys    --a---- 274304 bytes    [03:40 23/06/2011]    [12:29 20/11/2010] CEA80C80BED809AA0DA6FEBC04733349
C:\Windows\winsxs\x86_acpi.inf_31bf3856ad364e35_6.1.7600.16385_none_225f1a272f5b64b9\acpi.sys    --a---- 274496 bytes    [23:11 13/07/2009]    [01:26 14/07/2009] F0E07D144C8685B8774BC32FC8DA4DF0
C:\Windows\winsxs\x86_acpi.inf_31bf3856ad364e35_6.1.7601.17514_none_24902def2c49e853\acpi.sys    --a---- 274304 bytes    [03:40 23/06/2011]    [12:29 20/11/2010] CEA80C80BED809AA0DA6FEBC04733349

-= EOF =-
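As an added example, not part of the thread and not SystemLook's own code, the PowerShell below does the same lookup the :filefind step performs (every copy of the named file under C:\Windows with size, timestamp and MD5) and additionally flags any copy whose hash does not match the DriverStore/WinSxS copies, which are the versions Windows itself restores from, or that sits outside the usual driver locations. The file name, the search root and the use of .NET MD5 (so it runs on the PowerShell 2.0 that shipped with Windows 7, where Get-FileHash is not available) are assumptions of the example.

```powershell
# Added example (not from the thread or from SystemLook): list every copy of a driver
# under the Windows folder, hash each one, and compare against the DriverStore/WinSxS copies.
param([string]$Name = 'acpi.sys', [string]$Root = 'C:\Windows')

function Get-Md5Hex([string]$Path) {
    # .NET MD5 rather than Get-FileHash so this also runs on PowerShell 2.0 (Windows 7).
    # Upper-case hex, the same format SystemLook prints, so the two lists compare directly.
    $md5 = [System.Security.Cryptography.MD5]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try { ($md5.ComputeHash($stream) | ForEach-Object { $_.ToString('X2') }) -join '' }
    finally { $stream.Close() }
}

# -Force includes hidden/system files; access-denied folders are skipped silently.
$copies = Get-ChildItem -Path $Root -Filter $Name -Recurse -Force -ErrorAction SilentlyContinue |
    Sort-Object FullName |
    ForEach-Object {
        New-Object PSObject -Property @{
            Path     = $_.FullName
            Size     = $_.Length
            Modified = $_.LastWriteTimeUtc
            MD5      = Get-Md5Hex $_.FullName
        }
    }

# Reference set: hashes of the copies Windows keeps in DriverStore and WinSxS.
# The live driver in System32\drivers should match one of these.
$reference = $copies |
    Where-Object { $_.Path -match '\\DriverStore\\|\\winsxs\\' } |
    Select-Object -ExpandProperty MD5 -Unique

foreach ($c in $copies) {
    $status = if ($reference -contains $c.MD5) { 'matches reference' } else { 'NO REFERENCE MATCH' }
    # A driver file anywhere other than System32\drivers, DriverStore or WinSxS deserves a look.
    if ($c.Path -notmatch '\\System32\\drivers\\|\\DriverStore\\|\\winsxs\\') {
        $status += ', unusual location'
    }
    '{0,-40} {1,8} {2:u} {3}  {4}' -f $status, $c.Size, $c.Modified, $c.MD5, $c.Path
}
```

A line marked "NO REFERENCE MATCH, unusual location" only says where to look; what that file is (an infected original, a backup left by a tool, or something else) still has to be established by the analyst.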



#7 nasdaq

  • Malware Response Team
  • 39,543 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 26 June 2013 - 01:07 PM

Please run the Combofix tool and post a fresh log.

Will repair the acpi.sys file if required after the scan.

Let me know of any remaining issues.

#8 nasdaq

  • Malware Response Team
  • 39,543 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 02 July 2013 - 07:13 AM

Are you still with me?

#9 nasdaq

  • Malware Response Team
  • 39,543 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 08 July 2013 - 07:14 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.



