MBR infection has scvhost at 100% CPU


This topic is locked
14 replies to this topic

#1 Shaldreth

  • Members
  • 36 posts

Posted 14 August 2013 - 08:26 AM

Hello all. I posted originally in the "Am I infected?" section, and posted logs from Security Check, FSS, MiniToolbox, MBAM, MB Rootkit, and rKill over there, was informed that I had an MBR infection, and directed here.

For a quick overview, for the past few days, my computer has been running at 100% CPU, courtesy of the scvhost (netscvs).exe process, but none of the services associated with it seemed to be using a significant amount of CPU themselves, and while my malware and virus programs had found a couple of infections, none of them seemed to be the issue.

Original Thread Here
http://www.bleepingcomputer.com/forums/t/504128/netsvcs-has-cpu-at-100/
 

Attach Log

Attached File: attach.txt (7.92 KB)

DDS Log

================

DDS (Ver_2012-11-20.01) - NTFS_x86 NETWORK
Internet Explorer: 8.0.7600.16839  BrowserJavaVersion: 1.6.0_37
Run by Alys at 9:07:54 on 2013-08-14
Microsoft Windows 7 Home Premium   6.1.7600.0.1252.1.1033.18.1913.1316 [GMT -4:00]
.
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ================
.
C:\windows\system32\wininit.exe
C:\windows\system32\lsm.exe
C:\windows\Explorer.EXE
C:\windows\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\windows\System32\osk.exe
C:\windows\system32\wbem\wmiprvse.exe
C:\windows\system32\conhost.exe
C:\windows\system32\wbem\wmiprvse.exe
C:\windows\system32\svchost.exe -k DcomLaunch
C:\windows\system32\svchost.exe -k RPCSS
C:\windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\windows\system32\svchost.exe -k netsvcs
C:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted
C:\windows\system32\svchost.exe -k LocalService
C:\windows\system32\svchost.exe -k NetworkService
C:\windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\windows\System32\svchost.exe -k secsvcs
C:\windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uDefault_Page_URL = hxxp://www.google.com/ig/redirectdomain?brand=TSNA&bmod=TSNA
mStart Page = hxxp://www.google.com/ig/redirectdomain?brand=TSNA&bmod=TSNA
mDefault_Page_URL = hxxp://www.google.com/ig/redirectdomain?brand=TSNA&bmod=TSNA
uProxyOverride = 127.0.0.1:9421;<local>;*.local
uURLSearchHooks: {ba14329e-9550-4989-b3f2-9732e92d17cc} - <orphaned>
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: DivX Plus Web Player HTML5 <video>: {326E768D-4182-46FD-9C16-1449A49795F4} - c:\users\alys\program files\divx\divx plus web player\ie\divxhtml5\DivXHTML5.dll
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Skype Browser Helper: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: GamesBarBHO Class: {CB0D163C-E9F4-4236-9496-0597E24B23A5} - c:\program files\gamesbar\2.0.1.55\oberontb.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: GamesBar: {6F282B65-56BF-4BD1-A8B2-A4449A05863D} - c:\program files\gamesbar\2.0.1.55\oberontb.dll
uRun: [MyTOSHIBA] "c:\program files\toshiba\my toshiba\MyToshiba.exe" /AUTO
uRun: [F.lux] "c:\users\alys\local settings\apps\f.lux\flux.exe" /noshow
uRun: [SearchEngineProtection] c:\program files\gamesbar\SearchEngineProtection.exe
uRun: [AdobeBridge] <no file>
uRunOnce: [osk.exe] osk.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [RtHDVCpl] c:\program files\realtek\audio\hda\RtHDVCpl.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [SVPWUTIL] c:\program files\toshiba\utilities\SVPWUTIL.exe SVPwUTIL
mRun: [HWSetup] "c:\program files\toshiba\utilities\HWSetup.exe" hwSetUP
mRun: [TPwrMain] c:\program files\toshiba\power saver\TPwrMain.EXE
mRun: [ToshibaServiceStation] "c:\program files\toshiba\toshiba service station\ToshibaServiceStation.exe" /hide:60
mRun: [TosSENotify] c:\program files\toshiba\toshiba hdd ssd alert\TosWaitSrv.exe
mRun: [NortonOnlineBackupReminder] "c:\program files\toshiba\toshiba online backup\activation\TobuActivation.exe" UNATTENDED
mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
mRun: [zzzHPSETUP] D:\Setup.exe
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
mRun: [UnlockerAssistant] "c:\users\alys\program files\unlocker\UnlockerAssistant.exe"
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
dRunOnce: [osk.exe] osk.exe
StartupFolder: c:\users\alys\appdata\roaming\micros~1\windows\startm~1\programs\startup\dropbox.lnk - c:\users\alys\appdata\roaming\dropbox\bin\Dropbox.exe
StartupFolder: c:\users\alys\appdata\roaming\micros~1\windows\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: E&xport to Microsoft Excel - c:\progra~1\mif5ba~1\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
IE: {1A93C934-025B-4c3a-B38E-9654A7003239} - {6F282B65-56BF-4BD1-A8B2-A4449A05863D}
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office12\ONBttnIE.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_37-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0037-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_37-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_37-windows-i586.cab
TCP: NameServer = 128.192.1.9 128.192.1.193 128.192.1.19
TCP: Interfaces\{2B628043-564D-499C-B681-5AC04A3A786D} : DHCPNameServer = 12.127.17.72 12.127.16.68 12.127.16.67
TCP: Interfaces\{34B400D1-914A-45B7-A980-2709AB18B532} : DHCPNameServer = 128.192.1.9 128.192.1.193 128.192.1.19
TCP: Interfaces\{34B400D1-914A-45B7-A980-2709AB18B532}\05147535 : DHCPNameServer = 128.192.1.9 128.192.1.193 128.192.1.19
TCP: Interfaces\{34B400D1-914A-45B7-A980-2709AB18B532}\247514478656E637 : DHCPNameServer = 101.250.211.1
TCP: Interfaces\{34B400D1-914A-45B7-A980-2709AB18B532}\37861627 : DHCPNameServer = 10.0.0.1
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\common files\skype\Skype4COM.dll
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll
Notify: igfxcui - igfxdev.dll
SSODL: WebCheck - <orphaned>
mASetup: {01250B8F-D947-4F8A-9408-FE8E3EE2EC92} - c:\program files\toshiba\my toshiba\MyToshiba.exe /SETUP
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\alys\appdata\roaming\mozilla\firefox\profiles\ed92jjk0.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxps://www.uga.edu/
FF - component: c:\program files\mozilla firefox\extensions\{82af8dca-6de9-405d-bd5e-43525bdad38a}\components\SkypeFfComponent.dll
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\canon\zoombrowser ex\program\NPCIG.dll
FF - plugin: c:\program files\google\update\1.3.21.111\npGoogleUpdate3.dll
FF - plugin: c:\program files\google\update\1.3.21.115\npGoogleUpdate3.dll
FF - plugin: c:\program files\google\update\1.3.21.123\npGoogleUpdate3.dll
FF - plugin: c:\program files\google\update\1.3.21.135\npGoogleUpdate3.dll
FF - plugin: c:\program files\google\update\1.3.21.145\npGoogleUpdate3.dll
FF - plugin: c:\program files\google\update\1.3.21.149\npGoogleUpdate3.dll
FF - plugin: c:\program files\google\update\1.3.21.153\npGoogleUpdate3.dll
FF - plugin: c:\program files\google\update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: c:\program files\google\update\1.3.21.99\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\java\jre6\bin\plugin2\npdeployJava1.dll
FF - plugin: c:\program files\java\jre6\bin\plugin2\npjp2.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60531.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npclntax_ClickPotatoLiteSA.dll
FF - plugin: c:\program files\pando networks\media booster\npPandoWebPlugin.dll
FF - plugin: c:\program files\vizzed\vizzed retro game room\NpVizzedRgr.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\programdata\real\realplayer\browserrecordplugin\mozillaplugins\nprpchromebrowserrecordext.dll
FF - plugin: c:\programdata\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
FF - plugin: c:\users\alys\appdata\local\google\update\1.3.21.153\npGoogleUpdate3.dll
FF - plugin: c:\users\alys\appdata\roaming\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\users\alys\appdata\roaming\mozilla\plugins\npgtpo3dautoplugin.dll
FF - plugin: c:\users\alys\appdata\roaming\mozilla\plugins\npo1d.dll
FF - plugin: c:\users\alys\program files\amazon\npAmazonMP3DownloaderPlugin101752.dll
FF - plugin: c:\users\alys\program files\divx\divx ovs helper\npovshelper.dll
FF - plugin: c:\users\alys\program files\divx\divx web player\npdivx32.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_4_402_265.dll
FF - plugin: c:\windows\system32\npdeployJava1.dll
FF - plugin: c:\windows\system32\npmproxy.dll
.
============= SERVICES / DRIVERS ===============
.
R3 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\drivers\dtsoftbus01.sys [2013-7-10 243128]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
.
=============== File Associations ===============
.
FileExt: .txt: txtfile=c:\windows\system32\NOTEPAD.EXE %1 [UserChoice]
.
=============== Created Last 30 ================
.
2013-08-13 15:51:46 -------- d-----w- c:\programdata\Malwarebytes' Anti-Malware (portable)
2013-08-12 13:49:40 60872 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{bd41d153-f807-491a-9257-e050735915d8}\offreg.dll
2013-08-12 13:47:51 -------- d-----w- c:\users\alys\appdata\local\SvchostViewer
2013-08-10 00:42:20 -------- d-----w- c:\users\alys\appdata\local\Programs
2013-08-09 23:15:11 7143960 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{bd41d153-f807-491a-9257-e050735915d8}\mpengine.dll
2013-08-09 23:08:36 492032 ----a-w- c:\windows\system32\win32spl.dll
2013-08-09 23:08:35 219136 ----a-w- c:\windows\system32\ncrypt.dll
2013-08-09 23:08:33 376832 ----a-w- c:\windows\system32\dpnet.dll
2013-08-09 23:08:32 1210728 ----a-w- c:\windows\system32\drivers\ntfs.sys
2013-08-09 23:08:19 2691072 ----a-w- c:\windows\system32\mstscax.dll
2013-08-09 23:08:18 36864 ----a-w- c:\windows\system32\tsgqec.dll
2013-08-09 23:08:18 131072 ----a-w- c:\windows\system32\aaclient.dll
2013-08-09 23:06:24 2345984 ----a-w- c:\windows\system32\win32k.sys
2013-08-09 23:06:22 1388544 ----a-w- c:\windows\system32\msxml6.dll
2013-08-09 23:06:18 1287528 ----a-w- c:\windows\system32\drivers\tcpip.sys
2013-08-09 23:06:17 187240 ----a-w- c:\windows\system32\drivers\FWPKCLNT.SYS
2013-08-09 23:06:16 15872 ----a-w- c:\windows\system32\drivers\usb8023.sys
2013-08-09 10:53:30 34304 ----a-w- c:\windows\system32\atmlib.dll
2013-08-09 10:53:30 295424 ----a-w- c:\windows\system32\atmfd.dll
2013-08-09 10:39:50 5120 ----a-w- c:\windows\system32\wmi.dll
2013-08-09 10:39:50 19312 ----a-w- c:\windows\system32\drivers\fs_rec.sys
2013-08-09 10:39:49 172544 ----a-w- c:\windows\system32\wintrust.dll
2013-08-09 10:39:49 158720 ----a-w- c:\windows\system32\imagehlp.dll
2013-08-09 10:33:59 72704 ----a-w- c:\windows\system32\Mpeg2Data.ax
2013-07-24 20:20:19 -------- d-----r- c:\users\alys\Dropbox
2013-07-24 20:09:42 -------- d-----w- c:\users\alys\appdata\roaming\Dropbox
.
==================== Find3M  ====================
.
2013-08-10 00:56:44 1682 --sha-w- c:\windows\system32\KGyGaAvL.sys
2013-07-11 00:21:41 243128 ----a-w- c:\windows\system32\drivers\dtsoftbus01.sys
.
============= FINISH:  9:13:34.45 ===============
 


Edited by Shaldreth, 14 August 2013 - 08:27 AM.




#2 bloopie

    Bleepin' Sith Turner

  • Malware Response Team
  • 7,927 posts
  • Gender:Male
  • Location:New York

Posted 14 August 2013 - 06:22 PM

Hello Shaldreth, and welcome to the forums!

My name is bloopie and I'll be helping you with your problems as best I can! :thumbup2:

A few things to keep in mind while we are working together:

  • If you have since resolved the original problem you were having, I would appreciate it if you let me know.
  • If you are unsure about any of the steps just post what you can and I will guide you!
  • Please tell me if you have your original Windows CD/DVD available.
  • Please copy and paste all logs here unless otherwise instructed!
  • Upon completing the steps below I will review your topic and do my best to resolve your issues.
  • Please do not run any other tools without my instruction to do so!

==========

Step 1

  • Double click ListParts.exe to launch the program.
  • Press the Scan button.
  • When finished scanning it will make a log Result.txt on your Desktop.
  • Please post me the contents of the log.

==========

Step 2

  • Please download TDSSKiller from here and save it to your Desktop
  • Double-click on TDSSKiller.exe to run the application, then click on Change parameters
  • Check Loaded Modules, Verify Driver Digital Signature, and Detect TDLFS file system
  • If you are asked to reboot because an "Extended Monitoring Driver is required" please click Reboot now
  • Click Start Scan and allow the scan process to run
  • If threats are detected select Skip or Cure (if available) for all of them unless otherwise instructed.
    ***Do NOT select Delete!
  • Click Continue
  • Click Reboot computer
  • Please copy the TDSSKiller.[Version]_[Date]_[Time]_log.txt file found in your root directory (typically c:\) and paste it into your next reply

==========

Please include both requested logs in your next reply, and let me know how the machine is running now!

bloopie



#3 Shaldreth
  • Topic Starter
  • Members
  • 36 posts

Posted 14 August 2013 - 07:29 PM

Hello, thank you so much for your response! Unfortunately, I do not currently have my original Windows CD available, but after following the steps you posted, my computer seems to be running better! scvhost is no longer taking up so much CPU; I actually have idle time on my processor now! :guitar: 

That said, I'll still include the logs below, just in case you see something that needs further action. xD I'd like to know if it would be safe to remove the other three things that TDSSKiller found, either with it or another program.

==ListParts Log==

 

ListParts by Farbar Version: 10-05-2013
Ran by Shaldreth (administrator) on 14-08-2013 at 19:56:28
Windows 7 (X86)
Running From: C:\Users\Shaldreth\Desktop
Language: 0409
************************************************************

========================= Memory info ======================

Percentage of memory in use: 25%
Total physical RAM: 1912.87 MB
Available physical RAM: 1423 MB
Total Pagefile: 3825.74 MB
Available Pagefile: 3363.09 MB
Total Virtual: 2047.88 MB
Available Virtual: 1957.76 MB

======================= Partitions =========================

1 Drive c: (TI102605W0F) (Fixed) (Total:223.27 GB) (Free:83.4 GB) NTFS ==>[System with boot components (obtained from reading drive)]

  Disk ###  Status         Size     Free     Dyn  Gpt
  --------  -------------  -------  -------  ---  ---
  Disk 0    Online          232 GB      0 B        

Partitions of Disk 0:
===============

Disk ID: 6C676C67

  Partition ###  Type              Size     Offset
  -------------  ----------------  -------  -------
  Partition 1    Recovery          1500 MB  1024 KB
  Partition 2    Primary            223 GB  1501 MB
  Partition 3    Primary              8 GB   224 GB

======================================================================================================

Disk: 0
Partition 1
Type  : 27
Hidden: Yes
Active: Yes

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 2         System       NTFS   Partition   1500 MB  Healthy    Hidden 

======================================================================================================

Disk: 0
Partition 2
Type  : 07
Hidden: No
Active: No

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 1     C   TI102605W0F  NTFS   Partition    223 GB  Healthy    Boot   

======================================================================================================

Disk: 0
Partition 3
Type  : 17
Hidden: Yes
Active: No

There is no volume associated with this partition.

======================================================================================================
============================== MBR Partition Table ==================

==============================
Partitions of Disk 0:
===============
Disk ID: 6C676C67
Partition 1: (Active) - (Size=1 GB) - (Type=27)
Partition 2: (Not Active) - (Size=223 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=8 GB) - (Type=17)

Windows Boot Manager
--------------------
identifier              {bootmgr}
device                  partition=\Device\HarddiskVolume1
description             Windows Boot Manager
locale                  en-US
inherit                 {globalsettings}
default                 {current}
resumeobject            {a11d6ca6-d308-11de-93a5-93efb310d1e0}
displayorder            {current}
toolsdisplayorder       {memdiag}
timeout                 30

Windows Boot Loader
-------------------
identifier              {current}
device                  partition=C:
path                    \windows\system32\winload.exe
description             Windows 7
locale                  en-US
inherit                 {bootloadersettings}
recoverysequence        {a11d6ca8-d308-11de-93a5-93efb310d1e0}
recoveryenabled         Yes
osdevice                partition=C:
systemroot              \windows
resumeobject            {a11d6ca6-d308-11de-93a5-93efb310d1e0}
nx                      OptOut

Windows Boot Loader
-------------------
identifier              {a11d6ca8-d308-11de-93a5-93efb310d1e0}
device                  ramdisk=[\Device\HarddiskVolume1]\Recovery\WindowsRE\Winre.wim,{a11d6ca9-d308-11de-93a5-93efb310d1e0}
path                    \windows\system32\winload.exe
description             Windows Recovery Environment
inherit                 {bootloadersettings}
osdevice                ramdisk=[\Device\HarddiskVolume1]\Recovery\WindowsRE\Winre.wim,{a11d6ca9-d308-11de-93a5-93efb310d1e0}
systemroot              \windows
nx                      OptIn
winpe                   Yes

Resume from Hibernate
---------------------
identifier              {a11d6ca6-d308-11de-93a5-93efb310d1e0}
device                  partition=C:
path                    \windows\system32\winresume.exe
description             Windows Resume Application
locale                  en-US
inherit                 {resumeloadersettings}
filedevice              partition=C:
filepath                \hiberfil.sys
pae                     Yes
debugoptionenabled      No

Windows Memory Tester
---------------------
identifier              {memdiag}
device                  partition=\Device\HarddiskVolume1
path                    \boot\memtest.exe
description             Windows Memory Diagnostic
locale                  en-US
inherit                 {globalsettings}
badmemoryaccess         Yes

EMS Settings
------------
identifier              {emssettings}
bootems                 Yes

Debugger Settings
-----------------
identifier              {dbgsettings}
debugtype               Serial
debugport               1
baudrate                115200

RAM Defects
-----------
identifier              {badmemory}

Global Settings
---------------
identifier              {globalsettings}
inherit                 {dbgsettings}
                        {emssettings}
                        {badmemory}

Boot Loader Settings
--------------------
identifier              {bootloadersettings}
inherit                 {globalsettings}
                        {hypervisorsettings}

Hypervisor Settings
-------------------
identifier              {hypervisorsettings}
hypervisordebugtype     Serial
hypervisordebugport     1
hypervisorbaudrate      115200

Resume Loader Settings
----------------------
identifier              {resumeloadersettings}
inherit                 {globalsettings}

Device options
--------------
identifier              {a11d6ca9-d308-11de-93a5-93efb310d1e0}
description             Ramdisk Options
ramdisksdidevice        partition=\Device\HarddiskVolume1
ramdisksdipath          \Recovery\WindowsRE\boot.sdi

****** End Of Log ******

==TDSSKiller Log==
Attached, because the forum told me my reply was too long with it as in-line text. xD;;
Attached File: TDSSKiller.2.8.16.0_14.08.2013_20.01.29_log.txt (330.29 KB)
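The ListParts report above ends with the MBR partition table that a responder checks when an MBR infection is suspected: one active partition, of the expected type, with no overlapping or unrecognised entries. As an added example (not from the thread, from Farbar's ListParts or from any tool used here), the Python below decodes a raw 512-byte boot sector and applies those checks. The sample sector is constructed to mirror the layout reported above (disk ID 6C676C67; type 27 active recovery partition, type 07 system volume, type 17 hidden partition) with sizes rounded from the report and CHS fields left zero; treating the type-27 recovery partition as the expected active one is taken from that report, not a general rule.

```python
import struct
from dataclasses import dataclass
from typing import List

SECTOR = 512
DISK_SIGNATURE_OFFSET = 0x1B8   # 4-byte NT disk signature ("Disk ID" in ListParts)
PARTITION_TABLE_OFFSET = 0x1BE  # four 16-byte partition entries
BOOT_SIGNATURE = b"\x55\xAA"    # last two bytes of a valid MBR
ENTRY_FMT = "<BBBBBBBBII"       # status, CHS start (3), type, CHS end (3), LBA start, sector count

# Partition type bytes that appear in the ListParts report above.
PARTITION_TYPES = {
    0x07: "NTFS/exFAT",
    0x17: "Hidden NTFS",
    0x27: "Hidden NTFS (Windows RE / recovery)",
}

@dataclass
class PartitionEntry:
    index: int        # 1-based, as ListParts numbers them
    active: bool      # status byte 0x80 marks the active (bootable) partition
    type_id: int
    lba_start: int
    sectors: int

@dataclass
class Mbr:
    disk_signature: int
    partitions: List[PartitionEntry]

def parse_mbr(sector: bytes) -> Mbr:
    """Decode the disk signature and partition table of one 512-byte MBR sector."""
    if len(sector) != SECTOR:
        raise ValueError("an MBR is exactly 512 bytes")
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    (disk_sig,) = struct.unpack_from("<I", sector, DISK_SIGNATURE_OFFSET)
    partitions = []
    for i in range(4):
        fields = struct.unpack_from(ENTRY_FMT, sector, PARTITION_TABLE_OFFSET + 16 * i)
        status, ptype, lba, count = fields[0], fields[4], fields[8], fields[9]
        if ptype == 0x00:          # empty slot
            continue
        partitions.append(PartitionEntry(i + 1, status == 0x80, ptype, lba, count))
    return Mbr(disk_sig, partitions)

def check_mbr(mbr: Mbr, expected_active_type: int = 0x27) -> List[str]:
    """Return findings a responder would want to see; an empty list means the table is consistent."""
    findings = []
    active = [p for p in mbr.partitions if p.active]
    if len(active) != 1:
        findings.append(f"expected exactly one active partition, found {len(active)}")
    for p in active:
        if p.type_id != expected_active_type:
            findings.append(
                f"active partition {p.index} has type 0x{p.type_id:02X}, "
                f"expected 0x{expected_active_type:02X}")
    for p in mbr.partitions:
        if p.type_id not in PARTITION_TYPES:
            findings.append(f"partition {p.index} has unrecognised type 0x{p.type_id:02X}")
    ordered = sorted(mbr.partitions, key=lambda p: p.lba_start)
    for a, b in zip(ordered, ordered[1:]):
        if a.lba_start + a.sectors > b.lba_start:
            findings.append(f"partitions {a.index} and {b.index} overlap")
    return findings

def build_sample_mbr() -> bytes:
    """Constructed sample sector mirroring the layout ListParts reported above (not a dump of the disk)."""
    sector = bytearray(SECTOR)
    struct.pack_into("<I", sector, DISK_SIGNATURE_OFFSET, 0x6C676C67)
    entries = [
        # (active, type, LBA start, sector count); CHS fields are left zero in this sample
        (True,  0x27, 2_048,       3_072_000),    # 1500 MB recovery partition at offset 1024 KB
        (False, 0x07, 3_074_048,   467_664_896),  # 223 GB NTFS system volume (C:)
        (False, 0x17, 470_738_944, 16_777_216),   # 8 GB hidden NTFS partition at the end of the disk
    ]
    for i, (active, ptype, lba, count) in enumerate(entries):
        struct.pack_into(ENTRY_FMT, sector, PARTITION_TABLE_OFFSET + 16 * i,
                         0x80 if active else 0x00, 0, 0, 0, ptype, 0, 0, 0, lba, count)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)

def with_active_partition(sector: bytes, index: int) -> bytes:
    """Copy of the sector with the active flag moved to partition `index`, to show what check_mbr flags."""
    out = bytearray(sector)
    for i in range(4):
        out[PARTITION_TABLE_OFFSET + 16 * i] = 0x80 if i + 1 == index else 0x00
    return bytes(out)

if __name__ == "__main__":
    good = parse_mbr(build_sample_mbr())
    print("consistent table, findings:", check_mbr(good))
    moved = parse_mbr(with_active_partition(build_sample_mbr(), 3))
    print("active flag moved to the hidden partition, findings:", check_mbr(moved))
```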



#4 bloopie

    Bleepin' Sith Turner

  • Malware Response Team
  • 7,927 posts
  • Gender:Male
  • Location:New York

Posted 15 August 2013 - 10:23 AM

Hello again,
 

Hello, thank you so much for your response!

but after following the steps you posted, my computer seems to be running better! scvhost is no longer taking up so much CPU; I actually have idle time on my processor now! :guitar:

It's my pleasure, and glad to hear your machine is running better! :)

 

I'd like to know if it would be safe to remove the other three things that TDSSKiller found, either with it or another program.

No, you should leave those detections alone.
 
Now, let's get a log from Combofix:

Run Combofix

You may be asked to install or update the Recovery Console (Win XP only). If this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this, you can find out here or here.

Combofix may need to reboot your computer more than once to do its job...this is normal.

You can download Combofix from one of these links.
  • Close any open browsers or any other programs that are open.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you at C:\Combofix.txt. Please include that in your next reply.
Note 1: Do not mouse-click Combofix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

bloopie

#5 Shaldreth
  • Topic Starter
  • Members
  • 36 posts

Posted 15 August 2013 - 04:47 PM

Here we are! It ran first time. =]

ComboFix 13-08-15.02 - Shaldreth 08/15/2013  17:33:19.1.1 - x86
Microsoft Windows 7 Home Premium   6.1.7600.0.1252.1.1033.18.1913.1195 [GMT -4:00]
Running from: c:\users\Shaldreth\Desktop\ComboFix.exe
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 * Created a new restore point
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\245337r41f060nm5sc34053da45p08wb8sf13d412u
c:\programdata\Microsoft\Windows\DRM\CD7C.tmp
c:\users\Alys\Favorites\mbam-setup-1.51.2.1300.exe
c:\users\Alys\wrar391.exe
.
.
(((((((((((((((((((((((((   Files Created from 2013-07-15 to 2013-08-15  )))))))))))))))))))))))))))))))
.
.
2013-08-15 21:43 . 2013-08-15 21:43 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-08-15 21:43 . 2013-08-15 21:43 -------- d-----w- c:\users\Alys\AppData\Local\temp
2013-08-15 21:43 . 2013-08-15 21:44 -------- d-----w- c:\users\Shaldreth\AppData\Local\temp
2013-08-15 21:43 . 2013-08-15 21:43 -------- d-----w- c:\users\Mantis\AppData\Local\temp
2013-08-15 21:43 . 2013-08-15 21:43 -------- d-----w- c:\users\Fai\AppData\Local\temp
2013-08-15 00:15 . 2013-08-15 00:15 -------- d-----w- c:\users\Shaldreth\AppData\Local\Apple
2013-08-15 00:03 . 2013-08-15 00:03 -------- d-----w- C:\TDSSKiller_Quarantine
2013-08-13 15:51 . 2013-08-13 16:28 -------- d-----w- c:\programdata\Malwarebytes' Anti-Malware (portable)
2013-08-13 15:35 . 2013-08-13 15:35 -------- d-----w- c:\users\Shaldreth\AppData\Local\Google
2013-08-12 13:49 . 2013-08-12 13:49 60872 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{BD41D153-F807-491A-9257-E050735915D8}\offreg.dll
2013-08-12 13:47 . 2013-08-12 13:47 -------- d-----w- c:\users\Alys\AppData\Local\SvchostViewer
2013-08-10 00:42 . 2013-08-10 00:42 -------- d-----w- c:\users\Alys\AppData\Local\Programs
2013-08-09 23:15 . 2013-07-15 07:34 7143960 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{BD41D153-F807-491A-9257-E050735915D8}\mpengine.dll
2013-08-09 23:08 . 2012-11-09 04:49 492032 ----a-w- c:\windows\system32\win32spl.dll
2013-08-09 23:08 . 2012-11-20 05:10 219136 ----a-w- c:\windows\system32\ncrypt.dll
2013-08-09 23:08 . 2012-11-02 04:48 376832 ----a-w- c:\windows\system32\dpnet.dll
2013-08-09 23:08 . 2013-04-12 13:58 1210728 ----a-w- c:\windows\system32\drivers\ntfs.sys
2013-08-09 23:08 . 2013-02-12 15:13 2691072 ----a-w- c:\windows\system32\mstscax.dll
2013-08-09 23:08 . 2013-02-12 15:07 131072 ----a-w- c:\windows\system32\aaclient.dll
2013-08-09 23:08 . 2013-02-12 13:59 36864 ----a-w- c:\windows\system32\tsgqec.dll
2013-08-09 23:06 . 2013-03-01 03:11 2345984 ----a-w- c:\windows\system32\win32k.sys
2013-08-09 23:06 . 2012-11-02 04:50 1388544 ----a-w- c:\windows\system32\msxml6.dll
2013-08-09 23:06 . 2013-01-04 04:55 1287528 ----a-w- c:\windows\system32\drivers\tcpip.sys
2013-08-09 23:06 . 2013-01-04 04:55 187240 ----a-w- c:\windows\system32\drivers\FWPKCLNT.SYS
2013-08-09 23:06 . 2013-02-12 13:51 15872 ----a-w- c:\windows\system32\drivers\usb8023.sys
2013-08-09 10:53 . 2012-12-16 14:25 295424 ----a-w- c:\windows\system32\atmfd.dll
2013-08-09 10:53 . 2012-12-16 14:25 34304 ----a-w- c:\windows\system32\atmlib.dll
2013-08-09 10:39 . 2012-03-01 05:53 19312 ----a-w- c:\windows\system32\drivers\fs_rec.sys
2013-08-09 10:39 . 2012-03-01 05:40 5120 ----a-w- c:\windows\system32\wmi.dll
2013-08-09 10:39 . 2012-03-01 05:49 172544 ----a-w- c:\windows\system32\wintrust.dll
2013-08-09 10:39 . 2012-03-01 05:45 158720 ----a-w- c:\windows\system32\imagehlp.dll
2013-08-09 10:33 . 2011-08-17 04:26 465408 ----a-w- c:\windows\system32\psisdecd.dll
2013-07-24 20:20 . 2013-08-14 15:08 -------- d-----r- c:\users\Alys\Dropbox
2013-07-24 20:09 . 2013-08-14 15:08 -------- d-----w- c:\users\Alys\AppData\Roaming\Dropbox
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-07-11 00:21 . 2013-07-11 00:21 243128 ----a-w- c:\windows\system32\drivers\dtsoftbus01.sys
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
2012-07-31 18:02 . 2011-08-20 21:50 136672 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveBlacklistedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42}]
2013-06-27 20:11 579024 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSharedEditOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}"
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSharedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}]
2013-06-27 20:11 579024 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSharedEditOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}"
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSharedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}]
2013-06-27 20:11 579024 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSharedViewOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D43}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D43}]
2013-06-27 20:11 579024 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSyncedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40}]
2013-06-27 20:11 579024 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSyncingOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41}]
2013-06-27 20:11 579024 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MyTOSHIBA"="c:\program files\TOSHIBA\My Toshiba\MyToshiba.exe" [2009-08-06 264048]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-09-02 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-09-02 174104]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-09-02 151064]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2009-07-29 7625248]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-07-21 1545512]
"SVPWUTIL"="c:\program files\TOSHIBA\Utilities\SVPWUTIL.exe" [2009-07-10 352256]
"HWSetup"="c:\program files\TOSHIBA\Utilities\HWSetup.exe" [2009-06-02 425984]
"TPwrMain"="c:\program files\TOSHIBA\Power Saver\TPwrMain.EXE" [2009-08-05 476512]
"ToshibaServiceStation"="c:\program files\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe" [2011-02-11 1295736]
"TosSENotify"="c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosWaitSrv.exe" [2009-09-17 611672]
"NortonOnlineBackupReminder"="c:\program files\TOSHIBA\Toshiba Online Backup\Activation\TobuActivation.exe" [2009-07-16 529256]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-07-28 1259376]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-11-28 59280]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2010-06-10 49208]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-09-17 254896]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2012-10-25 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-11-29 151952]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"osk.exe"="osk.exe" [2009-07-14 646144]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2013-04-04 701512]
R2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [2013-06-21 162408]
R3 CTUPnPSv;Creative Centrale Media Server;c:\program files\Creative\Creative Centrale\CTUPnPSv.exe [2008-05-21 64000]
R3 EagleXNt;EagleXNt;c:\windows\system32\drivers\EagleXNt.sys [x]
R3 MotioninJoyXFilter;MotioninJoy Virtual Xinput device Filter Driver;c:\windows\system32\DRIVERS\MijXfilt.sys [2012-03-25 95304]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [x]
R3 RtsUIR;Realtek IR Driver;c:\windows\system32\DRIVERS\Rts516xIR.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-05-10 1343400]
R3 XDva390;XDva390;c:\windows\system32\XDva390.sys [x]
S2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe [2009-07-14 20992]
S2 cfWiMAXService;ConfigFree WiMAX Service;c:\program files\TOSHIBA\ConfigFree\CFIWmxSvcs.exe [2009-08-11 185712]
S2 ConfigFree Service;ConfigFree Service;c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe [2009-03-11 46448]
S2 MBAMScheduler;MBAMScheduler;c:\program files\Malwarebytes' Anti-Malware\mbamscheduler.exe [2013-04-04 418376]
S3 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\DRIVERS\dtsoftbus01.sys [2013-07-11 243128]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2013-04-04 22856]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2009-05-23 167936]
S3 RTL8187B;Realtek RTL8187B Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\DRIVERS\RTL8187B.sys [2009-11-05 376832]
S3 TMachInfo;TMachInfo;c:\program files\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe [2011-02-11 54136]
S3 TOSHIBA HDD SSD Alert Service;TOSHIBA HDD SSD Alert Service;c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe [2009-09-17 111960]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - 68287978
*NewlyCreated* - 91664523
*Deregistered* - 68287978
*Deregistered* - 91664523
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Akamai REG_MULTI_SZ    Akamai
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{01250B8F-D947-4F8A-9408-FE8E3EE2EC92}]
2009-08-06 16:15 264048 ----a-w- c:\program files\TOSHIBA\My Toshiba\MyToshiba.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-08-15 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-02 21:08]
.
2013-08-15 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-02 21:08]
.
2013-08-15 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2162491530-918225128-1166052022-1001Core.job
- c:\users\Alys\AppData\Local\Google\Update\GoogleUpdate.exe [2011-10-25 17:59]
.
2013-08-15 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2162491530-918225128-1166052022-1001UA.job
- c:\users\Alys\AppData\Local\Google\Update\GoogleUpdate.exe [2011-10-25 17:59]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/ig/redirectdomain?brand=TSNA&bmod=TSNA
mStart Page = hxxp://www.google.com/ig/redirectdomain?brand=TSNA&bmod=TSNA
IE: E&xport to Microsoft Excel - c:\progra~1\MIF5BA~1\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 128.192.1.9 128.192.1.193 128.192.1.19
FF - ProfilePath - c:\users\Shaldreth\AppData\Roaming\Mozilla\Firefox\Profiles\hotlemkc.default\
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
ShellIconOverlayIdentifiers-{FB314ED9-A251-47B7-93E1-CDD82E34AF8B} - (no file)
ShellIconOverlayIdentifiers-{FB314EDA-A251-47B7-93E1-CDD82E34AF8B} - (no file)
ShellIconOverlayIdentifiers-{FB314EDB-A251-47B7-93E1-CDD82E34AF8B} - (no file)
HKLM-Run-zzzHPSETUP - D:\Setup.exe
HKLM-Run-UnlockerAssistant - c:\users\Alys\Program Files\Unlocker\UnlockerAssistant.exe
SafeBoot-01522368.sys
SafeBoot-68287978.sys
AddRemove-Steam App 18700 - c:\program files\Steam\steam.exe
AddRemove-Steam App 58200 - c:\program files\Steam\steam.exe
AddRemove-Steam App 70400 - c:\program files\Steam\steam.exe
AddRemove-Xvid Video Codec 1.3.1 - c:\users\Alys\Downloads\uninstall.exe
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Akamai]
"ServiceDll"="c:\program files\common files\akamai/netsession_win_8fa3539.dll"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2013-08-15  17:46:06
ComboFix-quarantined-files.txt  2013-08-15 21:46
.
Pre-Run: 96,964,915,200 bytes free
Post-Run: 97,806,028,800 bytes free
.
- - End Of File - - D38F49B87FFBC783A109D3E598561FA7
5B5E648D12FCADC244C1EC30318E1EB9
 


Edited by Shaldreth, 15 August 2013 - 04:48 PM.


#6 bloopie
Malware Response Team, 7,927 posts, New York

Posted 16 August 2013 - 04:14 PM

Hello again,
 
That's not looking too bad, but I must issue you a couple of warnings:
 
Step 1

Going over your logs I noticed that you have µTorrent and BitTorrent installed.

  • Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs.
  • They are a security risk which can make your computer susceptible to a wide variety of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites.
  • Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users.
  • The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications.

It is pretty much certain that if you continue to use P2P programs, you will get infected again.
I would recommend that you uninstall µTorrent and BitTorrent; however, that choice is up to you. If you choose to remove these programs, you can do so via add/remove.

 

If you wish to keep them, please do not use them until your computer is cleaned.

==========

Step 2

Online Gaming Warning!

Online gaming sites are a security risk which can make your computer susceptible to a large number of malware infections, remote attacks, exposure of personal information, and identity theft. They can lead to other sites containing malware which you can inadvertently download without knowledge. Users visiting such sites may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users. Gaming sites can put you at risk to fraud, phishing and theft of personal data. Even if the gaming site is a clean site, there is always the potential of some type of malware making its way there and then onto your system. In some instances an infection may have caused so much damage to your system that it cannot be successfully cleaned or repaired. In those cases, recovery is not possible and the only option is to reformat/reinstall the OS.

More specifically, I noticed you had WildTangent on your computer.
WildTangent Program Warning

Wild Tangent is a video game software company specializing in online games. It has even made a partnership with AOL to include itself as part of the AOL Instant Messenger for their AIM games section. The WildTangent Web Driver is their technology that allows you to play 3D games over the Internet. Although it's not technically considered spyware, it does have built-in components to update itself and gather information about the computer system, including:

  • Operating System Version
  • CPU Type and Speed
  • Memory Amount
  • Video Card type and Driver Version
  • Sound Card type and Driver Version
  • DirectX Version
  • Location that the Web Driver was installed from

For that reason I would suggest you uninstall it via add/remove.

Reboot after the uninstallation. <- Important.

==========

Now, let's run a couple of scans for leftovers:

Step 3

Please update your MBAM, run a Full System Scan (removing anything it finds), and post that log in your next reply.

==========

Step 4

Please download AdwCleaner by Xplode onto your desktop.

  • Close all open programs and internet browsers.
  • Double click on adwcleaner.exe to run the tool.
  • Click on Delete.
  • Confirm each time with Ok.
  • You will be prompted to restart your computer. A text file will open after the restart.
  • Please post the contents of that logfile with your next reply.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.

==========

Step 5

Please download Junkware Removal Tool to your desktop.

  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8, then instead of double-clicking, right-click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.

==========

Please post all requested logs in your next reply, and let me know the state of the machine!!

bloopie



#7 Shaldreth
Topic Starter, Members, 36 posts

Posted 18 August 2013 - 11:12 PM

Hello, sorry it took me so long to get back to you on this; I've had a hectic couple of days.
 

I did indeed remove both uTorrent and BitTorrent from my computer as you requested. WildTangent games came installed on my computer when I purchased it, but I removed that as well, since I never play any of the games anyway.

The computer seems to be running fine after all of these.
 

== MBAM Record ==
Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2013.08.18.05

Windows 7 x86 NTFS
Internet Explorer 8.0.7600.16385
Alys :: GLADOS [administrator]

8/18/2013 10:19:17 PM
mbam-log-2013-08-18 (22-19-17).txt

Scan type: Full scan (C:\|D:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 433989
Time elapsed: 1 hour(s), 36 minute(s), 25 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)
 

== Adw Cleaner ==
# AdwCleaner v2.306 - Logfile created 08/18/2013 at 23:59:57
# Updated 19/07/2013 by Xplode
# Operating system : Windows 7 Home Premium  (32 bits)
# User : Alys - GLADOS
# Boot Mode : Normal
# Running from : C:\Users\Alys\Desktop\AdwCleaner.exe
# Option [Delete]

***** [Services] *****

***** [Files / Folders] *****

Folder Deleted : C:\Program Files\Conduit
Folder Deleted : C:\Program Files\GamesBar
Folder Deleted : C:\ProgramData\GamesBar
Folder Deleted : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\GamesBar
Folder Deleted : C:\ProgramData\Partner
Folder Deleted : C:\Users\Alys\AppData\Local\Conduit
Folder Deleted : C:\Users\Alys\AppData\Local\PackageAware
Folder Deleted : C:\Users\Alys\AppData\LocalLow\boost_interprocess
Folder Deleted : C:\Users\Alys\AppData\LocalLow\Conduit
Folder Deleted : C:\Users\Alys\AppData\Roaming\Mozilla\Firefox\Profiles\ed92jjk0.default\extensions\staged
Folder Deleted : C:\Users\Alys\AppData\Roaming\SendSpace

***** [Registry] *****

Key Deleted : HKCU\Software\AppDataLow\Software\Conduit
Key Deleted : HKCU\Software\Conduit
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{AFDBDDAA-5D3F-42EE-B79C-185A7020515B}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{6F282B65-56BF-4BD1-A8B2-A4449A05863D}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{83FF80F4-8C74-4B80-B5BA-C8DDD434E5C4}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{1A93C934-025B-4C3A-B38E-9654A7003239}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{6F282B65-56BF-4BD1-A8B2-A4449A05863D}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{83FF80F4-8C74-4B80-B5BA-C8DDD434E5C4}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{898EA8C8-E7FF-479B-8935-AEC46303B9E5}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{BA14329E-9550-4989-B3F2-9732E92D17CC}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{35B8892D-C3FB-4D88-990D-31DB2EBD72BD}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{898EA8C8-E7FF-479B-8935-AEC46303B9E5}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{3F607E46-0D3C-4442-B1DE-DE7FA4768F5C}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{618AAD04-921F-44C2-BE38-C0818AF69861}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{B5D2ED96-62F9-4C2C-956D-E425B1F67337}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{D3A412E8-1E4B-47D2-9B12-F88291F5AFBB}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{FE0273D1-99DF-4AC0-87D5-1371C6271785}
Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.CT2504091
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{93E3D79C-0786-48FF-9329-93BC9F6DC2B3}
Key Deleted : HKLM\Software\Conduit
Key Deleted : HKLM\Software\Freeze.com
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{898EA8C8-E7FF-479B-8935-AEC46303B9E5}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{AFDBDDAA-5D3F-42EE-B79C-185A7020515B}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\063A857434EDED11A893800002C0A966
Key Deleted : HKLM\SOFTWARE\Software
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{BA14329E-9550-4989-B3F2-9732E92D17CC}]
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks [{BA14329E-9550-4989-B3F2-9732E92D17CC}]

***** [Internet Browsers] *****

-\\ Internet Explorer v8.0.7600.16839

[OK] Registry is clean.

-\\ Mozilla Firefox v14.0.1 (en-US)

File : C:\Users\Shaldreth\AppData\Roaming\Mozilla\Firefox\Profiles\hotlemkc.default\prefs.js

[OK] File is clean.

File : C:\Users\Alys\AppData\Roaming\Mozilla\Firefox\Profiles\ed92jjk0.default\prefs.js

Deleted : user_pref("browser.search.defaultenginename", "Web Search");

File : C:\Users\Fai\AppData\Roaming\Mozilla\Firefox\Profiles\mexwnaba.default\prefs.js

[OK] File is clean.

-\\ Opera v12.16.1860.0

File : C:\Users\Alys\AppData\Roaming\Opera\Opera\operaprefs.ini

[OK] File is clean.

File : C:\Users\Fai\AppData\Roaming\Opera\Opera\operaprefs.ini

[OK] File is clean.

*************************

AdwCleaner[R1].txt - [4926 octets] - [18/08/2013 23:57:30]
AdwCleaner[S1].txt - [4793 octets] - [18/08/2013 23:59:57]

########## EOF - C:\AdwCleaner[S1].txt - [4853 octets] ##########
 

== JRT ==

Attached File: JRT.txt (35.88KB)


Edited by Shaldreth, 18 August 2013 - 11:13 PM.


#8 bloopie
Malware Response Team

Posted 19 August 2013 - 10:45 AM

Hello again,
 
Good work, now just a couple of more scans and then we'll be ready to finish up!
 
Step 1

Run a Combofix Script


1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy the text in the codebox below, then paste it into the empty notepad:

ClearJavaCache::

Save this as CFScript.txt, in the same location as ComboFix.exe


[Image: CFScriptB-4.gif]

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

==========

Step :step2:

I'd like us to scan your machine with ESET OnlineScan

  • Hold down Control and click on this link to open ESET OnlineScan in a new window.
  • Click the ESET Online Scanner button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the esetsmartinstaller_enu.exe icon on your desktop.
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives" and "Remove found threats".
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats
  • Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.

==========

In your next reply, please include the Combofix log, and the ESET log if there were any detections (if ESET finds nothing, no log will be produced).

bloopie



#9 bloopie
Malware Response Team

Posted 22 August 2013 - 10:08 AM

Hello again,

Are you still with me? :)

This is a 3-Day Bump! If you still wish to receive help please follow the instructions in my last post.

If you do not respond in another 48 hours, I will be forced to close this topic!

bloopie

#10 bloopie
Malware Response Team

Posted 24 August 2013 - 10:20 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.

#11 bloopie
Malware Response Team

Posted 26 August 2013 - 02:40 PM

This topic has been re-opened at the request of the person who originally posted.

#12 Shaldreth
Topic Starter, Members, 36 posts

Posted 27 August 2013 - 07:49 PM

Hello again! Sorry for the late replies. I've run both programs you asked me to.

 

== ComboFix Log ==

 

ComboFix 13-08-15.02 - Shaldreth 08/26/2013   9:17.2.1 - x86
Microsoft Windows 7 Home Premium   6.1.7600.0.1252.1.1033.18.1913.1031 [GMT -4:00]
Running from: c:\users\Shaldreth\Desktop\ComboFix.exe
Command switches used :: c:\users\Shaldreth\Desktop\CFScript.txt
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 * Created a new restore point
.
.
(((((((((((((((((((((((((   Files Created from 2013-07-26 to 2013-08-26  )))))))))))))))))))))))))))))))
.
.
2013-08-26 13:27 . 2013-08-26 13:27 -------- d-----w- c:\users\Mantis\AppData\Local\temp
2013-08-26 13:27 . 2013-08-26 13:27 -------- d-----w- c:\users\Fai\AppData\Local\temp
2013-08-26 13:27 . 2013-08-26 13:27 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-08-26 13:27 . 2013-08-26 13:27 -------- d-----w- c:\users\Alys\AppData\Local\temp
2013-08-19 04:06 . 2013-08-19 04:06 -------- d-----w- c:\windows\ERUNT
2013-08-15 21:43 . 2013-08-26 13:27 -------- d-----w- c:\users\Shaldreth\AppData\Local\temp
2013-08-15 00:15 . 2013-08-15 00:15 -------- d-----w- c:\users\Shaldreth\AppData\Local\Apple
2013-08-15 00:03 . 2013-08-15 00:03 -------- d-----w- C:\TDSSKiller_Quarantine
2013-08-13 15:51 . 2013-08-13 16:28 -------- d-----w- c:\programdata\Malwarebytes' Anti-Malware (portable)
2013-08-13 15:35 . 2013-08-13 15:35 -------- d-----w- c:\users\Shaldreth\AppData\Local\Google
2013-08-12 13:49 . 2013-08-12 13:49 60872 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{BD41D153-F807-491A-9257-E050735915D8}\offreg.dll
2013-08-12 13:47 . 2013-08-12 13:47 -------- d-----w- c:\users\Alys\AppData\Local\SvchostViewer
2013-08-10 00:42 . 2013-08-10 00:42 -------- d-----w- c:\users\Alys\AppData\Local\Programs
2013-08-09 23:15 . 2013-07-15 07:34 7143960 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{BD41D153-F807-491A-9257-E050735915D8}\mpengine.dll
2013-08-09 23:08 . 2012-11-09 04:49 492032 ----a-w- c:\windows\system32\win32spl.dll
2013-08-09 23:08 . 2012-11-20 05:10 219136 ----a-w- c:\windows\system32\ncrypt.dll
2013-08-09 23:08 . 2012-11-02 04:48 376832 ----a-w- c:\windows\system32\dpnet.dll
2013-08-09 23:08 . 2013-04-12 13:58 1210728 ----a-w- c:\windows\system32\drivers\ntfs.sys
2013-08-09 23:08 . 2013-02-12 15:13 2691072 ----a-w- c:\windows\system32\mstscax.dll
2013-08-09 23:08 . 2013-02-12 15:07 131072 ----a-w- c:\windows\system32\aaclient.dll
2013-08-09 23:08 . 2013-02-12 13:59 36864 ----a-w- c:\windows\system32\tsgqec.dll
2013-08-09 23:06 . 2013-03-01 03:11 2345984 ----a-w- c:\windows\system32\win32k.sys
2013-08-09 23:06 . 2012-11-02 04:50 1388544 ----a-w- c:\windows\system32\msxml6.dll
2013-08-09 23:06 . 2013-01-04 04:55 1287528 ----a-w- c:\windows\system32\drivers\tcpip.sys
2013-08-09 23:06 . 2013-01-04 04:55 187240 ----a-w- c:\windows\system32\drivers\FWPKCLNT.SYS
2013-08-09 23:06 . 2013-02-12 13:51 15872 ----a-w- c:\windows\system32\drivers\usb8023.sys
2013-08-09 10:53 . 2012-12-16 14:25 295424 ----a-w- c:\windows\system32\atmfd.dll
2013-08-09 10:53 . 2012-12-16 14:25 34304 ----a-w- c:\windows\system32\atmlib.dll
2013-08-09 10:39 . 2012-03-01 05:53 19312 ----a-w- c:\windows\system32\drivers\fs_rec.sys
2013-08-09 10:39 . 2012-03-01 05:40 5120 ----a-w- c:\windows\system32\wmi.dll
2013-08-09 10:39 . 2012-03-01 05:49 172544 ----a-w- c:\windows\system32\wintrust.dll
2013-08-09 10:39 . 2012-03-01 05:45 158720 ----a-w- c:\windows\system32\imagehlp.dll
2013-08-09 10:33 . 2011-08-17 04:26 465408 ----a-w- c:\windows\system32\psisdecd.dll
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-07-11 00:21 . 2013-07-11 00:21 243128 ----a-w- c:\windows\system32\drivers\dtsoftbus01.sys
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
2012-07-31 18:02 . 2011-08-20 21:50 136672 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveBlacklistedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42}]
2013-06-27 20:11 579024 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSharedEditOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}"
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSharedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}]
2013-06-27 20:11 579024 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSharedEditOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}"
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSharedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}]
2013-06-27 20:11 579024 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSharedViewOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D43}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D43}]
2013-06-27 20:11 579024 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSyncedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40}]
2013-06-27 20:11 579024 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSyncingOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41}]
2013-06-27 20:11 579024 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MyTOSHIBA"="c:\program files\TOSHIBA\My Toshiba\MyToshiba.exe" [2009-08-06 264048]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-09-02 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-09-02 174104]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-09-02 151064]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2009-07-29 7625248]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-07-21 1545512]
"SVPWUTIL"="c:\program files\TOSHIBA\Utilities\SVPWUTIL.exe" [2009-07-10 352256]
"HWSetup"="c:\program files\TOSHIBA\Utilities\HWSetup.exe" [2009-06-02 425984]
"TPwrMain"="c:\program files\TOSHIBA\Power Saver\TPwrMain.EXE" [2009-08-05 476512]
"ToshibaServiceStation"="c:\program files\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe" [2011-02-11 1295736]
"TosSENotify"="c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosWaitSrv.exe" [2009-09-17 611672]
"NortonOnlineBackupReminder"="c:\program files\TOSHIBA\Toshiba Online Backup\Activation\TobuActivation.exe" [2009-07-16 529256]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-07-28 1259376]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-11-28 59280]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2010-06-10 49208]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-09-17 254896]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2012-10-25 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-11-29 151952]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"osk.exe"="osk.exe" [2009-07-14 646144]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2013-04-04 701512]
R2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [2013-06-21 162408]
R3 CTUPnPSv;Creative Centrale Media Server;c:\program files\Creative\Creative Centrale\CTUPnPSv.exe [2008-05-21 64000]
R3 EagleXNt;EagleXNt;c:\windows\system32\drivers\EagleXNt.sys [x]
R3 MotioninJoyXFilter;MotioninJoy Virtual Xinput device Filter Driver;c:\windows\system32\DRIVERS\MijXfilt.sys [2012-03-25 95304]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [x]
R3 RtsUIR;Realtek IR Driver;c:\windows\system32\DRIVERS\Rts516xIR.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-05-10 1343400]
R3 XDva390;XDva390;c:\windows\system32\XDva390.sys [x]
S2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe [2009-07-14 20992]
S2 cfWiMAXService;ConfigFree WiMAX Service;c:\program files\TOSHIBA\ConfigFree\CFIWmxSvcs.exe [2009-08-11 185712]
S2 ConfigFree Service;ConfigFree Service;c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe [2009-03-11 46448]
S2 MBAMScheduler;MBAMScheduler;c:\program files\Malwarebytes' Anti-Malware\mbamscheduler.exe [2013-04-04 418376]
S3 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\DRIVERS\dtsoftbus01.sys [2013-07-11 243128]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2013-04-04 22856]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2009-05-23 167936]
S3 RTL8187B;Realtek RTL8187B Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\DRIVERS\RTL8187B.sys [2009-11-05 376832]
S3 TMachInfo;TMachInfo;c:\program files\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe [2011-02-11 54136]
S3 TOSHIBA HDD SSD Alert Service;TOSHIBA HDD SSD Alert Service;c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe [2009-09-17 111960]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Akamai REG_MULTI_SZ    Akamai
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{01250B8F-D947-4F8A-9408-FE8E3EE2EC92}]
2009-08-06 16:15 264048 ----a-w- c:\program files\TOSHIBA\My Toshiba\MyToshiba.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-08-26 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-02 21:08]
.
2013-08-26 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-02 21:08]
.
2013-08-26 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2162491530-918225128-1166052022-1001Core.job
- c:\users\Alys\AppData\Local\Google\Update\GoogleUpdate.exe [2011-10-25 17:59]
.
2013-08-26 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2162491530-918225128-1166052022-1001UA.job
- c:\users\Alys\AppData\Local\Google\Update\GoogleUpdate.exe [2011-10-25 17:59]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/ig/redirectdomain?brand=TSNA&bmod=TSNA
mStart Page = hxxp://www.google.com/ig/redirectdomain?brand=TSNA&bmod=TSNA
IE: E&xport to Microsoft Excel - c:\progra~1\MIF5BA~1\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 128.192.1.9 128.192.1.193 128.192.1.19
FF - ProfilePath - c:\users\Shaldreth\AppData\Roaming\Mozilla\Firefox\Profiles\hotlemkc.default\
.
- - - - ORPHANS REMOVED - - - -
.
AddRemove-GamesBar - c:\program files\GamesBar\uninst.exe
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Akamai]
"ServiceDll"="c:\program files\common files\akamai/netsession_win_8fa3539.dll"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2013-08-26  09:28:59
ComboFix-quarantined-files.txt  2013-08-26 13:28
ComboFix2.txt  2013-08-15 21:46
.
Pre-Run: 99,098,640,384 bytes free
Post-Run: 99,073,720,320 bytes free
.
- - End Of File - - 0382099144EB47961C7A1A559E2A1CBC
5B5E648D12FCADC244C1EC30318E1EB9
 

== ESET Log ==

C:\Users\Alys\AppData\LocalLow\CDBB.tmp a variant of Win32/Kryptik.BHQT trojan cleaned by deleting - quarantined
C:\Users\Alys\Downloads\installer_openoffice_English.exe Win32/Toolbar.Babylon application cleaned by deleting - quarantined
C:\Users\Alys\Downloads\Setup_FreeConverter.exe Win32/Toolbar.SearchSuite application cleaned by deleting - quarantined
C:\Users\Alys\Downloads\soundeffects.exe a variant of Win32/InstallIQ.A application cleaned by deleting - quarantined
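
The ComboFix log above shows one svchost-hosted service group (Akamai) whose ServiceDll sits under Program Files rather than System32, recorded directly under the service key instead of the usual Parameters subkey, and the thread opened with an svchost (netsvcs) instance pinned at 100% CPU with no single service obviously responsible. The script below is an added example, not something posted in this thread: it maps every svchost.exe process to the services and ServiceDlls it hosts, shows the CPU time each process has consumed, and flags what an analyst would look at first (a service with no ServiceDll, a DLL that is missing on disk, or a DLL outside System32 that lacks a valid embedded Authenticode signature). The function names and flag wording are my own; the thread does not contain this check.

```powershell
# Added example, not code from the thread. Maps each svchost.exe instance to
# the services it hosts and the DLL each service loads, so an svchost
# instance pinned at 100% CPU can be tied to a specific ServiceDll.
# Run from an elevated PowerShell prompt. Get-WmiObject is used on purpose
# so the script also runs on the PowerShell 2.0 that shipped with Windows 7.

$system32 = Join-Path $env:SystemRoot 'System32'

function Get-ServiceDllPath {
    # Expanded ServiceDll for one service. The normal location is the
    # Parameters subkey; the service key itself is checked as a fallback
    # (ComboFix reported Akamai's ServiceDll directly under the service key).
    param([string]$ServiceName)
    $base = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
    foreach ($key in @("$base\Parameters", $base)) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if ($props -and $props.ServiceDll) {
            # Expand %SystemRoot% etc. and normalise the forward slash seen in
            # "akamai/netsession_win_8fa3539.dll" so Test-Path accepts it.
            return ([Environment]::ExpandEnvironmentVariables($props.ServiceDll) -replace '/', '\')
        }
    }
    return $null
}

function Get-SvchostGroup {
    # The "-k <group>" argument from a service's command line, or '' if none.
    param([string]$PathName)
    $m = [regex]::Match($PathName, '-k\s+"?([^"\s]+)')
    if ($m.Success) { $m.Groups[1].Value } else { '' }
}

# CPU seconds consumed so far by each svchost.exe (WMI times are in 100 ns units).
$cpuByPid = @{}
foreach ($p in (Get-WmiObject Win32_Process -Filter "Name='svchost.exe'")) {
    $cpuByPid[[int]$p.ProcessId] = [math]::Round(([double]$p.KernelModeTime + [double]$p.UserModeTime) / 1e7, 1)
}

# One row per svchost-hosted service: group, PID, CPU of that PID, DLL, flags.
$rows = foreach ($svc in (Get-WmiObject Win32_Service | Where-Object { $_.PathName -match 'svchost\.exe' })) {
    $dll    = Get-ServiceDllPath -ServiceName $svc.Name
    $exists = $dll -and (Test-Path -LiteralPath $dll)
    $flags  = @()
    if (-not $dll)        { $flags += 'no ServiceDll' }
    elseif (-not $exists) { $flags += 'DLL missing' }
    elseif ($dll -notlike "$system32\*") {
        $flags += 'DLL outside System32'
        # Embedded-signature check, only meaningful outside System32: Windows'
        # own DLLs are usually catalog-signed, which this cmdlet does not
        # verify on Windows 7, so they would all show as NotSigned.
        $status = (Get-AuthenticodeSignature -FilePath $dll).Status
        if ($status -ne 'Valid') { $flags += "signature $status" }
    }
    $procId = [int]$svc.ProcessId
    $cpu = 0
    if ($cpuByPid.ContainsKey($procId)) { $cpu = $cpuByPid[$procId] }
    New-Object PSObject -Property @{
        Group   = Get-SvchostGroup -PathName $svc.PathName
        Service = $svc.Name
        State   = $svc.State
        PID     = $procId
        CpuSec  = $cpu
        Flags   = ($flags -join '; ')
        Dll     = $dll
    }
}

$rows | Sort-Object CpuSec -Descending |
    Format-Table Group, Service, State, PID, CpuSec, Flags, Dll -AutoSize -Wrap
```

Two caveats when reading the output. First, on Windows 7 the netsvcs group hosts a dozen or more services in one process, so a high CpuSec on that PID does not by itself name the culprit; to isolate one suspect, `sc config <ServiceName> type= own` (the space after `=` is required by sc) makes it start in its own svchost.exe after a reboot, where its CPU is visible on its own. Second, a "DLL outside System32" flag is a prompt to verify, not a verdict: the Akamai NetSession DLL from the log is a third-party download helper that legitimately lives under Program Files, and the signature status is what separates unusual from bad. For the System32 entries, Sysinternals sigcheck verifies catalog signatures that Get-AuthenticodeSignature on Windows 7 does not.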

 

 



#13 bloopie

bloopie

    Bleepin' Sith Turner

  • Malware Response Team
  • 7,927 posts
  • Gender:Male
  • Location:New York

Posted 28 August 2013 - 12:26 PM

Hello again,

How is your machine running now? Any other problems? If not, we'll do some important updates:

Step 1

Your version of Adobe Reader is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older-version Adobe components and update:

  • Download the latest version of Adobe Reader and save it to your desktop.
  • Uncheck the "Free McAfee Security Scan Plus" option or any other Toolbar you are offered
  • Click the download button at the bottom.
  • If you use Internet Explorer and do not wish to install the ActiveX element, simply click on the click here to download link on the next page.
  • Remove all older versions of Adobe Reader: Go to Add/Remove Programs and uninstall all versions of Adobe Reader, Acrobat Reader and Adobe Acrobat.
    If you are unsure of how to use Add or Remove Programs, then please see this tutorial: How To Remove An Installed Program From Your Computer
  • Then from your desktop double-click on Adobe Reader to install the newest version.
    If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
  • When the "Adobe Setup - Welcome" window opens, click the Install > button.
  • If offered to install a Toolbar, just uncheck the box before continuing unless you want it.

Your Adobe Reader is now up to date!

==========

Step 2

Important Note: Your version of Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system.

Please follow these steps to remove older-version Java components and update:

  • Download the latest version of Java Runtime Environment (JRE) Version 7 and save it to your desktop.
  • Look for "Java Platform, Standard Edition".
  • Click the "Download JRE" button to the right.
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • From the list, select your OS and Platform (32-bit or 64-bit). 64-bit OS users, should read: Which Java download should I choose for my 64-bit Windows operating system?
  • If a download for an Offline Installation is available, it is recommended to choose that and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove Programs (or Programs and Features in Vista/Windows 7/8) and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-7u25-windows-i586.exe (or jre-7u25-windows-x64.exe for 64-bit) to install the newest version.
  • If using Windows 7/8 or Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
  • When the Java Setup - Welcome window opens, click the Install > button.
  • If offered any unwanted software or toolbars during installation, just uncheck the box before continuing unless you want it.
  • The McAfee Security Scan Plus tool is installed by default unless you uncheck the McAfee installation box when updating Java.
  • Java is updated frequently. If you want to be automatically notified of future updates, just turn on the Java Automatic Update feature and you will not have to remember to update when Java releases a new version.

    Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications but it's not necessary. To disable the JQS service if you don't want to use it:
    • Go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter.
    • Click Ok and reboot your computer.

==========

Let me know when you have completed the above steps, and also let me know if you had any problems! We're nearly finished! :)

bloopie
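
The two steps in the post above both end with "remove all older versions", which on a machine that has accumulated several Java and Adobe Reader installs is easy to get wrong, and the DDS log earlier in the thread shows both an Adobe ARM updater and a Java jusched entry under Run. The following PowerShell is an added example, not part of bloopie's post or of any BleepingComputer procedure: it lists every Java and Adobe Reader/Acrobat entry in the 32-bit, 64-bit and per-user Uninstall registry keys, gives each Java entry a verdict against a baseline version, and then cross-checks the disk for java.exe and AcroRd32.exe binaries that survived the uninstalls. The baseline of Java 7 Update 25 (registry DisplayVersion "7.0.250") is my assumption taken from the installer name in the post, and the function names and verdict wording are mine.

```powershell
# Added example, not part of bloopie's post. Lists every Java and Adobe
# Reader/Acrobat entry in Add/Remove Programs (32-bit, 64-bit and per-user
# Uninstall keys) plus the java.exe/AcroRd32.exe binaries still on disk, so
# that after the steps above you can confirm no older version was left behind.
# Runs on PowerShell 2.0 (Windows 7) and later.

# Assumption: Java 7 Update 25, the installer named in the post, is the
# baseline; Oracle records it in the registry as DisplayVersion "7.0.250".
$minJava = [version]'7.0.250'

$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-JavaAndReaderEntries {
    # One object per matching Add/Remove Programs entry, with a Verdict column.
    $entries = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -match '^(Java|J2SE|Adobe Reader|Adobe Acrobat|Acrobat Reader)' }
    foreach ($e in $entries) {
        $verdict = 'review manually'
        if ($e.DisplayName -match 'Auto Updater') {
            $verdict = 'Java updater, not a runtime'
        }
        elseif ($e.DisplayName -match '^(Java|J2SE)') {
            $v = $e.DisplayVersion -as [version]     # $null when not parseable
            if ($v -and $v -lt $minJava) { $verdict = 'OLD Java: uninstall' }
            elseif ($v)                  { $verdict = 'Java at or above baseline' }
        }
        New-Object PSObject -Property @{
            Name      = $e.DisplayName
            Version   = $e.DisplayVersion
            Publisher = $e.Publisher
            Verdict   = $verdict
            Uninstall = $e.UninstallString
        }
    }
}

function Get-JavaAndReaderBinaries {
    # Cross-check the registry against the disk: a java.exe or AcroRd32.exe
    # that survives the uninstalls is a leftover that can still be loaded.
    $roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
    foreach ($root in $roots) {
        foreach ($sub in @('Java', 'Adobe')) {
            $dir = Join-Path $root $sub
            if (Test-Path -LiteralPath $dir) {
                Get-ChildItem -Path $dir -Recurse -Include java.exe, AcroRd32.exe -ErrorAction SilentlyContinue |
                    ForEach-Object {
                        New-Object PSObject -Property @{
                            File    = $_.FullName
                            Version = $_.VersionInfo.ProductVersion
                        }
                    }
            }
        }
    }
}

Get-JavaAndReaderEntries | Sort-Object Name | Format-Table Name, Version, Verdict, Publisher -AutoSize
Get-JavaAndReaderBinaries | Format-Table File, Version -AutoSize

# The Java Quick Starter service the post mentions, if it is still registered.
Get-Service | Where-Object { $_.DisplayName -like '*Java Quick Starter*' }
```

Run it once before the uninstalls to see what is there, and again after the reboot: the registry table should then show only the new Java and Reader entries, the disk table should list only their binaries, and the last line should print nothing if Java Quick Starter was removed. Adobe Reader gets no version verdict because the post names no baseline for it; compare the listed version against Adobe's current release by hand.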



#14 bloopie

Posted 31 August 2013 - 09:39 AM

Hello again,

Are you still with me? :)

This is a 3-Day Bump! If you still wish to receive help please follow the instructions in my last post.

If you do not respond in another 48 hours, I will be forced to close this topic!

bloopie



#15 bloopie

Posted 04 September 2013 - 04:29 PM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.



