
unable to remove boot.pihar.c with tdsskiller


11 replies to this topic

#1 palmtreegreen


Posted 29 July 2013 - 01:38 AM

Hello. I am well aware I am not the first one having this problem. Unfortunately though I've done everything I can and have read about every message board I could find about this but nothing seems to be working for me. The strange part is that I just reformatted my computer today and it is already infected with this boot.pihar.c. I have tried removing it with tdsskiller but after I click cure and then "fix" my mbr since that breaks my boot partition it is still there when I log in.

Any help at all is much appreciated. Here is my DDS log:

DDS (Ver_2012-11-20.01) - NTFS_x86 
Internet Explorer: 7.0.6001.18000
Run by thompsonite at 0:29:24 on 2013-07-29
Microsoft® Windows Vista™ Home Premium   6.0.6001.1.1252.1.1033.18.3070.1958 [GMT -6:00]
.
AV: Norton Internet Security *Enabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Norton Internet Security *Enabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
FW: Norton Internet Security *Enabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Norton Internet Security\Engine\20.4.0.40\ccSvcHst.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\WUDFHost.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\system32\DllHost.exe
C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
C:\Windows\system32\nvvsvc.exe
C:\Program Files\Norton Internet Security\Engine\20.4.0.40\ccSvcHst.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
BHO: Norton Identity Protection: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - c:\program files\norton internet security\engine\20.4.0.40\CoIEPlg.dll
BHO: Norton Vulnerability Protection: {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - c:\program files\norton internet security\engine\20.4.0.40\ips\IPSBHO.dll
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
TB: Norton Toolbar: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - c:\program files\norton internet security\engine\20.4.0.40\CoIEPlg.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
mRun: [amd_dc_opt] c:\program files\amd\dual-core optimizer\amd_dc_opt.exe
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDrives = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
TCP: NameServer = 192.168.1.1
TCP: Interfaces\{212D214F-9B6B-4719-A97B-92B1A17BBEB1} : DHCPNameServer = 192.168.1.1
LSA: Security Packages =  kerberos msv1_0 schannel wdigest tspkg
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "c:\program files\google\chrome\application\28.0.1500.72\installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
.
============= SERVICES / DRIVERS ===============
.
R0 awxbfjnz;Vba32 Armour Driver;c:\windows\system32\drivers\awxbfjnz.sys [2013-7-28 35904]
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\nis\1404000.028\SymDS.sys [2013-7-28 367704]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nis\1404000.028\SymEFA.sys [2013-7-28 934488]
R1 BHDrvx86;BHDrvx86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_20.4.0.40\definitions\bashdefs\20130715.001\BHDrvx86.sys [2013-7-28 1002072]
R1 ccSet_NIS;Norton Internet Security Settings Manager;c:\windows\system32\drivers\nis\1404000.028\ccSetx86.sys [2013-7-28 134744]
R1 IDSVix86;IDSVix86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_20.4.0.40\definitions\ipsdefs\20130726.001\IDSvix86.sys [2013-7-26 386720]
R1 SCT_SKMScan;SCT_SKMScan;c:\windows\system32\drivers\sct_skmscan.sys [2012-10-12 33096]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\nis\1404000.028\Ironx86.sys [2013-7-28 175264]
R1 SYMTDIv;Symantec Vista Network Dispatch Driver;c:\windows\system32\drivers\nis\1404000.028\symtdiv.sys [2013-7-28 352344]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
R2 NIS;Norton Internet Security;c:\program files\norton internet security\engine\20.4.0.40\ccSvcHst.exe [2013-7-28 144368]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2013-7-28 106656]
RUnknown aswFsBlk;aswFsBlk; [x]
RUnknown aswMonFlt;aswMonFlt; [x]
RUnknown aswRvrt;aswRvrt; [x]
RUnknown aswSnx;aswSnx; [x]
RUnknown aswSP;aswSP; [x]
RUnknown aswVmm;aswVmm; [x]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 SophosVirusRemovalTool;Sophos Virus Removal Tool;c:\program files\sophos\sophos virus removal tool\SVRTservice.exe [2013-6-14 153080]
.
=============== File Associations ===============
.
FileExt: .js: Applications\notepad.exe=c:\windows\system32\NOTEPAD.EXE %1 [UserChoice]
.
=============== Created Last 30 ================
.
2013-07-29 07:44:58 -------- d-----w- C:\FRST
2013-07-29 04:29:21 -------- d-----w- c:\program files\AVAST Software
2013-07-29 04:29:06 -------- d-----w- c:\programdata\AVAST Software
2013-07-29 03:59:38 9069344 ----a-w- c:\windows\system32\drivers\nvlddmkm.sys
2013-07-29 03:59:38 893728 ----a-w- c:\windows\system32\nvdispgenco3232049.dll
2013-07-29 03:59:38 7687592 ----a-w- c:\windows\system32\nvcuda.dll
2013-07-29 03:59:38 6324360 ----a-w- c:\windows\system32\nvopencl.dll
2013-07-29 03:59:38 2777888 ----a-w- c:\windows\system32\nvcuvid.dll
2013-07-29 03:59:38 21102368 ----a-w- c:\windows\system32\nvoglv32.dll
2013-07-29 03:59:38 2002720 ----a-w- c:\windows\system32\nvcuvenc.dll
2013-07-29 03:59:38 13411896 ----a-w- c:\windows\system32\nvwgf2um.dll
2013-07-29 03:59:38 1024288 ----a-w- c:\windows\system32\nvdispco3232049.dll
2013-07-29 03:59:37 17560352 ----a-w- c:\windows\system32\nvcompiler.dll
2013-07-29 03:53:28 -------- d-----w- c:\users\thompsonite\Pavark
2013-07-29 03:49:14 35904 ----a-w- c:\windows\system32\drivers\awxbfjnz.sys
2013-07-29 03:33:48 -------- d-----w- c:\program files\AMD
2013-07-29 03:31:58 -------- d-----w- c:\programdata\Sophos
2013-07-29 03:31:42 73728 ----a-r- c:\users\thompsonite\appdata\roaming\microsoft\installer\{b829e117-d072-41ea-9606-9826a38d34c1}\SVRTgui.exe1_810EDD9E2F0A4E2BACF86673C38D9F48.exe
2013-07-29 03:31:42 73728 ----a-r- c:\users\thompsonite\appdata\roaming\microsoft\installer\{b829e117-d072-41ea-9606-9826a38d34c1}\SVRTgui.exe_810EDD9E2F0A4E2BACF86673C38D9F48.exe
2013-07-29 03:31:42 73728 ----a-r- c:\users\thompsonite\appdata\roaming\microsoft\installer\{b829e117-d072-41ea-9606-9826a38d34c1}\ARPPRODUCTICON.exe
2013-07-29 03:31:31 -------- d-----w- c:\program files\Sophos
2013-07-29 03:05:16 -------- d-----w- c:\users\thompsonite\appdata\roaming\NVIDIA
2013-07-29 03:01:22 34304 ----a-w- c:\windows\system32\drivers\AmdLLD.sys
2013-07-29 03:01:16 -------- d-----w- c:\users\thompsonite\appdata\roaming\Anvisoft
2013-07-29 03:00:55 -------- d-----w- c:\programdata\Anvisoft
2013-07-29 03:00:51 -------- d-----w- c:\program files\Anvisoft
2013-07-29 03:00:40 -------- d-----w- c:\users\thompsonite\appdata\local\Downloaded Installations
2013-07-29 03:00:10 452440 ----a-w- c:\windows\system32\d3dx10_40.dll
2013-07-29 03:00:10 2036576 ----a-w- c:\windows\system32\D3DCompiler_40.dll
2013-07-29 03:00:00 4379984 ----a-w- c:\windows\system32\D3DX9_40.dll
2013-07-29 02:53:49 -------- d-sh--w- C:\$RECYCLE.BIN
2013-07-29 02:53:45 -------- d-----w- c:\users\thompsonite\appdata\local\temp
2013-07-29 02:30:05 97800 ----a-w- c:\windows\system32\infocardapi.dll
2013-07-29 02:30:04 622080 ----a-w- c:\windows\system32\icardagt.exe
2013-07-29 02:30:04 37384 ----a-w- c:\windows\system32\infocardcpl.cpl
2013-07-29 02:30:04 11264 ----a-w- c:\windows\system32\icardres.dll
2013-07-29 02:30:04 105016 ----a-w- c:\windows\system32\PresentationCFFRasterizerNative_v0300.dll
2013-07-29 02:30:02 781344 ----a-w- c:\windows\system32\PresentationNative_v0300.dll
2013-07-29 02:22:35 256000 ----a-w- c:\windows\PEV.exe
2013-07-29 02:22:35 208896 ----a-w- c:\windows\MBR.exe
2013-07-29 02:02:37 158720 ----a-w- c:\windows\system32\mscorier.dll
2013-07-29 02:02:33 83968 ----a-w- c:\windows\system32\mscories.dll
2013-07-29 01:53:23 -------- d-----w- c:\windows\system32\xlive
2013-07-29 01:53:09 -------- d-----w- c:\program files\Microsoft Games for Windows - LIVE
2013-07-29 01:46:18 -------- d-----w- c:\users\thompsonite\appdata\roaming\MAXON
2013-07-29 01:45:47 99176 ----a-w- c:\windows\system32\PresentationHostProxy.dll
2013-07-29 01:45:47 49472 ----a-w- c:\windows\system32\netfxperf.dll
2013-07-29 01:45:47 297808 ----a-w- c:\windows\system32\mscoree.dll
2013-07-29 01:45:47 295264 ----a-w- c:\windows\system32\PresentationHost.exe
2013-07-29 01:45:47 1130824 ----a-w- c:\windows\system32\dfshim.dll
2013-07-29 01:38:01 74072 ----a-w- c:\windows\system32\XAPOFX1_5.dll
2013-07-29 01:38:01 527192 ----a-w- c:\windows\system32\XAudio2_7.dll
2013-07-29 01:38:01 239960 ----a-w- c:\windows\system32\xactengine3_7.dll
2013-07-29 01:38:00 248672 ----a-w- c:\windows\system32\d3dx11_43.dll
2013-07-29 01:38:00 2106216 ----a-w- c:\windows\system32\D3DCompiler_43.dll
2013-07-29 01:38:00 1868128 ----a-w- c:\windows\system32\d3dcsx_43.dll
2013-07-29 01:34:56 -------- d-----w- c:\windows\system32\directx
2013-07-28 22:02:41 -------- d-----w- c:\users\thompsonite\appdata\roaming\Malwarebytes
2013-07-28 22:02:34 -------- d-----w- c:\programdata\Malwarebytes
2013-07-28 20:27:54 -------- d-----w- C:\TDSSKiller_Quarantine
2013-07-28 19:50:30 -------- d-----w- c:\programdata\SMR322
2013-07-28 19:50:08 -------- d-----w- c:\users\thompsonite\appdata\local\NPE
2013-07-28 19:43:02 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-07-28 19:43:02 692104 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-07-28 19:42:28 -------- d-----w- c:\users\thompsonite\appdata\local\Adobe
2013-07-28 19:35:57 -------- d-----w- c:\users\thompsonite\appdata\local\CrashDumps
2013-07-28 19:33:23 -------- d-----w- c:\program files\common files\Steam
2013-07-28 19:30:01 -------- d-----w- c:\users\thompsonite\appdata\local\Google
2013-07-28 19:29:54 -------- d-----w- c:\users\thompsonite\appdata\local\Deployment
2013-07-28 19:29:54 -------- d-----w- c:\users\thompsonite\appdata\local\Apps
2013-07-28 19:23:18 142496 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2013-07-28 19:23:18 -------- d-----w- c:\program files\common files\Symantec Shared
2013-07-28 18:47:19 47560 ----a-w- c:\windows\system32\SPReview.exe
2013-07-28 18:47:19 152576 ----a-w- c:\windows\system32\SPWizUI.dll
2013-07-28 18:44:42 -------- d-----w- c:\windows\Panther
2013-07-28 18:44:01 -------- d-----w- c:\windows\system32\OEM
2013-07-28 18:37:13 40960 ----a-w- c:\program files\common files\microsoft shared\ink\fr\Microsoft.Ink.Resources.dll
2013-07-28 18:37:13 40960 ----a-w- c:\program files\common files\microsoft shared\ink\es\Microsoft.Ink.Resources.dll
2013-07-28 18:37:05 6656 ----a-w- c:\windows\system32\sdspres.dll
2013-07-28 18:37:05 193024 ----a-w- c:\windows\system32\recdisc.exe
2013-07-28 18:35:59 96768 ----a-w- c:\windows\system32\dfrgfat.exe
2013-07-28 18:33:29 6656 ----a-w- c:\windows\system32\kbd106n.dll
2013-07-28 18:32:04 44032 ----a-w- c:\windows\system32\cbsra.exe
2013-07-28 18:05:08 -------- d-----w- C:\Windows.old.003
2013-07-28 18:04:11 -------- d-----w- c:\programdata\Norton
2013-07-28 18:03:50 -------- d-----w- c:\programdata\NortonInstaller
2013-07-28 17:51:12 -------- d-sh--w- c:\windows\Installer
2013-07-28 17:50:22 640288 ----a-w- c:\windows\system32\nvvsvc.exe
2013-07-28 17:50:22 62752 ----a-w- c:\windows\system32\nvshext.dll
2013-07-28 17:50:21 4192544 ----a-w- c:\windows\system32\nvcpl.dll
2013-07-28 17:50:21 3045664 ----a-w- c:\windows\system32\nvsvc.dll
2013-07-28 17:50:21 223008 ----a-w- c:\windows\system32\nvmctray.dll
2013-07-28 17:50:08 -------- d-----w- c:\programdata\NVIDIA Corporation
2013-07-28 17:49:31 899688 ----a-w- c:\windows\system32\nvdispco3220150.dll
2013-07-28 17:49:30 865896 ----a-w- c:\windows\system32\nvgenco322090.dll
2013-07-28 17:49:10 57960 ----a-w- c:\windows\system32\OpenCL.dll
2013-07-28 17:49:07 12427240 ----a-w- c:\windows\system32\nvd3dum.dll
2013-07-28 17:49:06 2597856 ----a-w- c:\windows\system32\nvapi.dll
2013-07-28 17:48:50 -------- d-----w- c:\program files\NVIDIA Corporation
2013-07-18 23:05:39 -------- d-----w- C:\LOOXIS
.
==================== Find3M  ====================
.
2013-07-28 18:56:01 101888 ----a-w- c:\windows\system32\ifxcardm.dll
2013-07-28 18:55:51 82432 ----a-w- c:\windows\system32\axaltocm.dll
2013-05-23 05:25:28 934488 ----a-r- c:\windows\system32\drivers\nis\1404000.028\SymEFA.sys
2013-05-21 05:02:00 367704 ----a-r- c:\windows\system32\drivers\nis\1404000.028\SymDS.sys
2013-05-16 05:02:14 603224 ----a-r- c:\windows\system32\drivers\nis\1404000.028\srtsp.sys
.
============= FINISH:  0:29:41.95 ===============

Edited by palmtreegreen, 29 July 2013 - 01:40 AM.
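
The DDS log above is what the helpers read by hand. As an added example (not code from this thread, from DDS, or from Malwarebytes), the script below parses the SERVICES / DRIVERS section of a DDS log into records and raises two review prompts a responder would check: entries that are still registered although their file is gone (the `RUnknown ... [x]` avast leftovers above) and boot-start (R0) drivers installed shortly before the scan. The function names, the 7-day window and the abbreviated sample log are my own choices; the prompts are prompts, not verdicts, since after a reinstall every driver is recent.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the shape of a DDS log: the "Run by" header that carries
# the scan date plus a short SERVICES / DRIVERS section. Values are modelled on
# the log above but abbreviated; this is not the poster's full log.
SAMPLE_DDS = """\
DDS (Ver_2012-11-20.01) - NTFS_x86
Run by thompsonite at 0:29:24 on 2013-07-29
.
============= SERVICES / DRIVERS ===============
.
R0 awxbfjnz;Vba32 Armour Driver;c:\\windows\\system32\\drivers\\awxbfjnz.sys [2013-7-28 35904]
R0 SymDS;Symantec Data Store;c:\\windows\\system32\\drivers\\nis\\1404000.028\\SymDS.sys [2013-7-28 367704]
R2 NIS;Norton Internet Security;c:\\program files\\norton internet security\\engine\\20.4.0.40\\ccSvcHst.exe [2013-7-28 144368]
RUnknown aswFsBlk;aswFsBlk; [x]
RUnknown aswSP;aswSP; [x]
S4 SophosVirusRemovalTool;Sophos Virus Removal Tool;c:\\program files\\sophos\\sophos virus removal tool\\SVRTservice.exe [2013-6-14 153080]
.
=============== File Associations ===============
"""

# One DDS service/driver line:  <state> <name>;<display>;<path> [<yyyy-m-d> <size>]
# An entry whose file is gone is written with "[x]" and no path.
LINE_RE = re.compile(
    r"^(?P<state>[RS](?:\d|Unknown))\s+"
    r"(?P<name>[^;]+);(?P<display>[^;]*);(?P<path>[^\[]*?)\s*"
    r"\[(?:(?P<date>\d{4}-\d{1,2}-\d{1,2})\s+(?P<size>\d+)|(?P<missing>x))\]$"
)
SCAN_DATE_RE = re.compile(r"^Run by .* on (\d{4}-\d{2}-\d{2})$", re.MULTILINE)


def find_scan_date(text):
    """Date DDS was run, taken from the 'Run by ... on' header line."""
    m = SCAN_DATE_RE.search(text)
    if not m:
        raise ValueError("no DDS 'Run by' header found")
    return datetime.strptime(m.group(1), "%Y-%m-%d").date()


def parse_dds_drivers(text):
    """Parse only the SERVICES / DRIVERS section into a list of dicts."""
    entries, in_section = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("="):  # section banner: enter or leave the section
            in_section = "SERVICES / DRIVERS" in line
            continue
        if not in_section or line == ".":
            continue
        m = LINE_RE.match(line)
        if not m:
            continue  # tolerate lines DDS formats differently
        g = m.groupdict()
        entries.append({
            "state": g["state"], "name": g["name"], "display": g["display"],
            "path": g["path"],
            "installed": datetime.strptime(g["date"], "%Y-%m-%d").date() if g["date"] else None,
            "size": int(g["size"]) if g["size"] else None,
            "file_missing": g["missing"] is not None,
        })
    return entries


def triage(entries, scan_date, recent_days=7):
    """(name, reason) pairs worth a reviewer's look; prompts, not verdicts.
    Orphaned registrations are usually residue of an uninstalled scanner; a
    boot-start (R0) driver loads before most defences, so a recent one should
    have its publisher checked (after a reinstall, every driver is recent)."""
    cutoff = scan_date - timedelta(days=recent_days)
    findings = []
    for e in entries:
        if e["file_missing"]:
            findings.append((e["name"], "registered but file missing: orphaned entry"))
        elif e["state"] == "R0" and e["installed"] and e["installed"] >= cutoff:
            findings.append((e["name"], "boot-start driver installed within %d days of scan" % recent_days))
    return findings
```

Run `triage(parse_dds_drivers(log_text), find_scan_date(log_text))` on a pasted DDS log; on the sample it flags the two R0 drivers from the day before the scan and the two orphaned avast entries.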



#2 TB-Psychotic (Malware Response Team)

Posted 29 July 2013 - 01:52 AM

Hi there,
my name is Marius and I will be assisting you with your Malware related problems.

Before we move on, please read the following points carefully.

  • First, read my instructions completely. If there is anything that you do not understand, kindly ask before proceeding.
  • Perform everything in the correct order. Sometimes one step requires the previous one.
  • If you have any problems while you are following my instructions, stop there and tell me the exact nature of your problem.
  • Do not run any other scans without instruction, or add/remove software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
  • Post all logfiles as a reply rather than as an attachment unless I specifically ask you to. If you can not post all logfiles in one reply, feel free to use more posts.
  • If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
  • Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
  • My first language is not English, so please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.

Scan with Malwarebytes Anti-Rootkit

Please download Malwarebytes Anti-Rootkit from the Malwarebytes site and save it to your desktop.

Be sure to print out and follow the instructions provided on that same page.

Caution: This is a beta version so please be sure to read the disclaimer and back up any important data before using.

  • Double click the mbar.zip file to open it, then 'Extract all files'.
  • Double click the mbar folder to open it, then double click mbar.exe to start the tool.

Check for Updates, then Scan your system for malware

If malware is found, do NOT press the Cleanup button yet. Click EXIT.

I'd like to see the log first so I can see what it sees. You'll find the log in that mbar folder as MBAR-log-[date and time]***.txt. Please attach that to your next reply.


Proud Member of UNITE & TB

My help is free, however, if you want to support my fight against malware, click here (no worries, every little bit helps)

#3 palmtreegreen (Topic Starter)

Posted 29 July 2013 - 02:07 AM

Great.  Thank you for the fast response.  I read it is supposed to take maybe 3 days for a reply but that was more like three minutes!!!  I have downloaded the anti-rootkit and it is running and it says it has found malware.  I have a log file in the folder but it does not have the date and time it just says system-log so I will attach that one.  Let me know if it is the wrong one.

Edited by palmtreegreen, 29 July 2013 - 02:08 AM.


#4 TB-Psychotic (Malware Response Team)

Posted 29 July 2013 - 03:59 AM

Fix with Malwarebytes Anti-Rootkit

Run another scan with mbar.exe and click the CleanUp button. It will require a reboot.

When it has rebooted, run another scan with mbar.exe and click CleanUp again if necessary.

Send the mbar-log.txt along with an update on machine behavior.



#5 palmtreegreen (Topic Starter)

Posted 29 July 2013 - 04:14 AM

wow awesome.  I think that actually did it.  I am scanning right now again with MBR.  I clicked on cleanup and rebooted and just to see I ran tdss again just to see if it could find it again but for the first time it finished the scan with 0 infections.  Looking good so far.  I will be sure to donate once we know for sure that it is gone but I'm pretty sure that malwarebytes did the trick.  Out of all the other rootkit scanners this is the only one that seemed to solve the problem I appreciate the help very much.  I will post the log once the second scan is finished.



#6 palmtreegreen (Topic Starter)

Posted 29 July 2013 - 04:43 AM

ohhh my goooooooooooshhhh. I was pretty psyched when that other program couldn't find it anymore but about 5 minutes later Norton popped up with the warning again. Somehow it is still there. malwarebytes still running, not sure when that's going to be done.

***Edit. I will get back to you tomorrow (later today) with the new log file. For some reason it is taking a lot longer this time. Thank you for the help so far.


Edited by palmtreegreen, 29 July 2013 - 05:06 AM.


#7 TB-Psychotic (Malware Response Team)

Posted 29 July 2013 - 06:37 AM

Restart your computer and run MBAR again. Post up the log.



#8 palmtreegreen (Topic Starter)

Posted 29 July 2013 - 08:43 PM

Alright great. Well I guess Norton was playing tricks on me. Haven't had another pop up warning since the last time and MBR finished and says that there is no more malware. Thanks a lot. I think it is actually gone for good now. You rock thanks. I will donate now that I know for sure that someone is not secretly recording my credit card information.

Probably about the most frustrating malware I've ever had to deal with right there. This site is a lifesaver.

Edited by palmtreegreen, 29 July 2013 - 08:44 PM.


#9 TB-Psychotic (Malware Response Team)

Posted 30 July 2013 - 04:24 AM

We're not finished yet!

Combofix

Combofix should only be run when advised by a team member!

Link


Important - Save the file to your desktop!


  • Deactivate any and all of your antivirus programs /spyware scanners - they can prevent CF from doing its work.
  • Run Combofix.exe


When finished, Combofix creates a log file named C:\Combofix.txt. Please post its content in your next reply.

Note: When receiving an error message containing "Illegal operation attempted on a registry key that has been marked for deletion", simply restart your computer to fix this.



#10 palmtreegreen (Topic Starter)

Posted 30 July 2013 - 01:38 PM

Ok I ran combofix with it on my desktop and closed all applications and virus scanners.

Here is the log. It found a few files.

#11 TB-Psychotic (Malware Response Team)

Posted 31 July 2013 - 03:28 AM

Combofix scripting

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Download the attached CFScript.txt and save it to the location where Combofix is.


(picture: CFScriptB-4.gif)

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Full System Scan with Malwarebytes Antimalware

  • If not already installed, please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.


If the program is already installed:
  • Run Malwarebytes Antimalware
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform fullscan, place a checkmark on all hard drives, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location.
  • The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
  • Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt
  • Post that log back here.

 


#12 TB-Psychotic (Malware Response Team)

Posted 06 August 2013 - 01:46 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.