i keep getting infected with ransomware


This topic is locked. 33 replies to this topic.

#1 jabronii64 (Members, 20 posts)

Posted 26 August 2013 - 09:24 AM

Hello, my computer keeps getting infected with ransomware and I have to keep trying to get rid of it, but it seems I'm missing something. I was hoping you would be able to get rid of this for good.




#2 gringo_pr (Bleepin Gringo, Malware Response Team, 136,772 posts, Puerto Rico)

Posted 26 August 2013 - 09:28 AM



Hello jabronii64

I would like to welcome you to the Malware Removal section of the forum.

Around here they call me Gringo and I will be glad to help you with your malware problems.


Very Important --> Please read this post completely. I have spent my time putting together some things for you to keep in mind while I am helping you, to make things go easier, faster and smoother for both of us!

  • Please do not run any tools unless instructed to do so.
    • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please do not attach logs or use code boxes, just copy and paste the text.
    • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
  • Please read every post completely before doing anything.
    • Pay special attention to the NOTE: lines; these entries identify an individual issue or important step in the cleanup process.
  • Please provide feedback about your experience as we go.
    • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.
NOTE: At the top of your post, click on the "Follow This Topic" Button, make sure that the "Receive notification" box is checked and that it is set to "Instantly" - This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Backup any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartache if things don't go as planned. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.





I need to get some reports to get a base to start from so I need you to run these programs first.



-Download DDS-
  • Please download DDS from one of the links below and save it to your desktop:

    Download DDS and save it to your desktop

    Link1
    Link2
    Link3
    • Double-Click on dds.scr and a command window will appear. This is normal.
    • Shortly after, two logs will appear:
      • DDS.txt
      • Attach.txt
    • A window will open instructing you to save & post the logs
    • Save the logs to a convenient place such as your desktop
    • Copy the contents of both logs & post in your next reply
Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#3 jabronii64 (Topic Starter)

Posted 26 August 2013 - 10:18 AM

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 9.0.8112.16502
Run by Ike at 11:14:03 on 2013-08-26
Microsoft® Windows Vista™ Enterprise   6.0.6002.2.1252.1.1033.18.2037.1168 [GMT -4:00]
.
AV: McAfee VirusScan Enterprise *Disabled/Outdated* {86355677-4064-3EA7-ABB3-1B136EB04637}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: McAfee VirusScan Enterprise Antispyware Module *Disabled/Outdated* {3D54B793-665E-3129-9103-206115370C8A}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Windows\system32\mfevtps.exe
C:\Program Files\McAfee\VirusScan Enterprise\mfeann.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\McAfee\Common Framework\naPrdMgr.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\System32\WUDFHost.exe
C:\Windows\system32\taskeng.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://xfinity.comcast.net/?cid=insDate12232012
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre6\bin\ssv.dll
BHO: scriptproxy: {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20111215184556.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre6\bin\jp2ssv.dll
mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\udaterui.exe" /StartedFromRunKey
mRun: [ShStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [MRT] "c:\windows\system32\MRT.exe" /R
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: BindDirectlyToPropertySetStorage = dword:0
mPolicies-Explorer: NoDrives = dword:0
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_37-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0037-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_37-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_37-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: NameServer = 75.75.75.75 75.75.76.76
TCP: Interfaces\{07BC44A2-E1FB-4FB3-A63A-28A93CA12027} : DHCPNameServer = 75.75.75.75 75.75.76.76
TCP: Interfaces\{4B2EE47B-0283-413E-80DD-A67216BB6DCA} : DHCPNameServer = 68.87.66.249 162.150.8.28
LSA: Security Packages =  kerberos msv1_0 schannel wdigest tspkg
.
============= SERVICES / DRIVERS ===============
.
R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2011-12-15 436728]
R1 mfewfpk;McAfee Inc. mfewfpk;c:\windows\system32\drivers\mfewfpk.sys [2011-12-15 162928]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
R2 MBAMScheduler;MBAMScheduler;c:\program files\malwarebytes' anti-malware\mbamscheduler.exe [2013-5-17 418376]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-11-16 701512]
R2 McAfeeFramework;McAfee Framework Service;c:\program files\mcafee\common framework\FrameworkService.exe [2011-1-12 120128]
R2 McShield;McAfee McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2011-12-15 159320]
R2 McTaskManager;McAfee Task Manager;c:\program files\mcafee\virusscan enterprise\vstskmgr.exe [2011-1-12 209760]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2011-12-15 145936]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-11-16 22856]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2011-12-15 171296]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2011-12-15 58456]
R3 ti21sony;ti21sony;c:\windows\system32\drivers\ti21sony.sys [2010-11-5 227328]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 MatSvc;Microsoft Automated Troubleshooting Service;c:\program files\microsoft fix it center\Matsvc.exe [2011-6-13 267568]
S3 mbamchameleon;mbamchameleon;c:\windows\system32\drivers\mbamchameleon.sys [2013-8-14 31560]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2011-12-15 85152]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2013-4-18 754856]
.
=============== Created Last 30 ================
.
2013-08-26 00:45:14 7166848 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{87a9cc49-236c-4e6a-980b-00ff493d2371}\mpengine.dll
2013-08-17 19:01:53 3603904 ----a-w- c:\windows\system32\ntkrnlpa.exe
2013-08-17 19:01:53 3551680 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-08-17 19:01:53 1205168 ----a-w- c:\windows\system32\ntdll.dll
2013-08-14 18:48:02 31560 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2013-08-14 17:05:12 -------- d-----w- C:\AdwCleaner
2013-08-14 02:20:35 24064 ----a-w- c:\windows\system32\drivers\tssecsrv.sys
2013-08-14 02:20:35 15872 ----a-w- c:\windows\system32\icaapi.dll
2013-08-14 02:20:33 905664 ----a-w- c:\windows\system32\drivers\tcpip.sys
2013-08-14 02:18:39 2048 ----a-w- c:\windows\system32\tzres.dll
2013-08-14 02:18:32 783360 ----a-w- c:\windows\system32\rpcrt4.dll
2013-08-14 02:16:49 992768 ----a-w- c:\windows\system32\crypt32.dll
2013-08-14 02:16:49 98304 ----a-w- c:\windows\system32\cryptnet.dll
2013-08-14 02:16:49 172544 ----a-w- c:\windows\system32\wintrust.dll
2013-08-14 02:16:49 133120 ----a-w- c:\windows\system32\cryptsvc.dll
2013-08-01 20:11:29 -------- d-----w- c:\program files\ESET
2013-08-01 19:11:26 7166848 ------w- c:\programdata\microsoft\windows defender\definition updates\updates\mpengine.dll
2013-08-01 17:26:38 -------- d-----w- C:\FRST
2013-07-29 03:43:52 -------- d-----w- C:\TDSSKiller_Quarantine
2013-07-28 04:17:46 -------- d-----w- c:\windows\system32\MRT
.
==================== Find3M  ====================
.
2013-07-28 03:59:17 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-07-28 03:59:17 692104 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-07-25 02:32:35 1800704 ----a-w- c:\windows\system32\jscript9.dll
2013-07-25 02:26:10 1129472 ----a-w- c:\windows\system32\wininet.dll
2013-07-25 02:25:30 1427968 ----a-w- c:\windows\system32\inetcpl.cpl
2013-07-25 02:23:59 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2013-07-25 02:23:58 420864 ----a-w- c:\windows\system32\vbscript.dll
2013-07-25 02:22:35 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2013-06-04 01:50:43 2049024 ----a-w- c:\windows\system32\win32k.sys
2013-06-01 04:06:08 505344 ----a-w- c:\windows\system32\qedit.dll
.
============= FINISH: 11:14:36.96 ===============
 

This is the attach:

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2012-11-20.01)
.
Microsoft® Windows Vista™ Enterprise
Boot Device: \Device\HarddiskVolume1
Install Date: 11/4/2010 9:01:20 PM
System Uptime: 8/26/2013 10:58:19 AM (1 hours ago)
.
Motherboard: Sony Corporation |  | VAIO
Processor: Genuine Intel® CPU           T2250  @ 1.73GHz | N/A | 1733/133mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 149 GiB total, 85.735 GiB free.
D: is CDROM ()
E: is Removable
F: is Removable
.
==== Disabled Device Manager Items =============
.
Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
Description: Microsoft 6to4 Adapter
Device ID: ROOT\*6TO4MP\0000
Manufacturer: Microsoft
Name: Microsoft 6to4 Adapter
PNP Device ID: ROOT\*6TO4MP\0000
Service: tunnel
.
==== System Restore Points ===================
.
RP746: 8/7/2013 1:34:31 PM - Windows Update
RP747: 8/8/2013 6:01:18 PM - Scheduled Checkpoint
RP750: 8/10/2013 12:32:40 PM - ComboFix created restore point
RP751: 8/11/2013 2:16:23 AM - Scheduled Checkpoint
RP752: 8/11/2013 11:07:13 AM - Windows Update
RP753: 8/13/2013 2:34:27 PM - Windows Update
RP754: 8/13/2013 10:07:30 PM - Windows Update
RP755: 8/14/2013 3:01:07 AM - Windows Update
RP756: 8/14/2013 3:16:59 PM - Malwarebytes Anti-Rootkit Restore Point
RP757: 8/15/2013 3:00:26 AM - Windows Update
RP758: 8/17/2013 3:02:20 PM - Windows Update
RP759: 8/18/2013 3:00:20 AM - Windows Update
RP760: 8/19/2013 3:02:14 AM - Scheduled Checkpoint
RP761: 8/20/2013 9:37:30 PM - Scheduled Checkpoint
RP762: 8/22/2013 1:05:55 AM - Scheduled Checkpoint
RP763: 8/23/2013 1:40:06 AM - Scheduled Checkpoint
RP764: 8/24/2013 3:00:30 AM - Windows Update
RP765: 8/26/2013 1:37:59 AM - Scheduled Checkpoint
.
==== Installed Programs ======================
.
 Update for Microsoft Office 2007 (KB2508958)
Adobe AIR
Adobe Flash Player 11 ActiveX
Adobe Reader X (10.1.7)
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Applet
Bonjour
ESET Online Scanner v3
GameFly
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Internet Explorer (Enable DEP)
iTunes
Java™ 6 Update 37
Malwarebytes Anti-Malware version 1.75.0.1300
McAfee Agent
McAfee VirusScan Enterprise
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Microsoft Fix it Center
Microsoft Office 2007 Service Pack 3 (SP3)
Microsoft Office Communicator 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office File Validation Add-In
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Standard 2007
Microsoft Office Word MUI (English) 2007
OpenMG Limited Patch 4.7-07-14-05-01
OpenMG Secure Module 4.7.00
QuickTime
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2604111)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2736416)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2840629)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2729449)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2737019)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2742595)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2789642)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2804576)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2832407)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2835393)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2840628)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2840628v2)
Security Update for Microsoft Office 2007 suites (KB2596615) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596744) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596754) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596785) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596792) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596871) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2597969) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2687309) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2687311) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2760416) 32-Bit Edition
Security Update for Microsoft Office Excel 2007 (KB2687307) 32-Bit Edition
Security Update for Microsoft Office InfoPath 2007 (KB2687440) 32-Bit Edition
Security Update for Microsoft Office PowerPoint 2007 (KB2596764) 32-Bit Edition
Security Update for Microsoft Office PowerPoint 2007 (KB2596912) 32-Bit Edition
Security Update for Microsoft Office Word 2007 (KB2760421) 32-Bit Edition
SonicStage 4.3
Sony Snymsico for Vista
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB2836940)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217)
Update for Microsoft .NET Framework 4 Client Profile (KB2836939)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office 2007 suites (KB2596620) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2596660) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2596848) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2687493) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2767849) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2767916) 32-Bit Edition
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office Outlook 2007 (KB2687404) 32-Bit Edition
Update for Microsoft Office Outlook 2007 (KB2768023) 32-Bit Edition
Update for Microsoft Office Outlook 2007 Help (KB963677)
Update for Microsoft Office Outlook 2007 Junk Email Filter (KB2817642) 32-Bit Edition
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Word 2007 Help (KB963665)
Windows Resource Kit Tools - SubInAcl.exe
.
==== Event Viewer Messages From Past Week ========
.
8/26/2013 11:00:23 AM, Error: Service Control Manager [7026]  - The following boot-start or system-start driver(s) failed to load:  is3srv szkg5 szkgfs
8/26/2013 11:00:23 AM, Error: Service Control Manager [7000]  - The Parallel port driver service failed to start due to the following error:  The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
8/23/2013 11:35:21 AM, Error: Service Control Manager [7030]  - The PEVSystemStart service is marked as an interactive service.  However, the system is configured to not allow interactive services.  This service may not function properly.
8/21/2013 11:07:07 AM, Error: Service Control Manager [7011]  - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the stisvc service.
.
==== End Of File ===========================
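The DDS and Attach.txt logs above (and the FRST log later in the thread) are read by hand by the helper. As an added example, not part of this thread or of the DDS/FRST tools, this small triage script pulls out the lines a responder checks first on a machine that keeps getting reinfected: protection that is disabled or outdated, autostart entries whose file is missing, and boot-start drivers that failed to load. The sample lines are copied from the logs posted in this thread; the `FW:` prefix and the reading of FRST's `[x]` marker as "file not found" are assumptions.

```python
import re

# Constructed sample: lines copied from the DDS, Attach.txt and FRST logs posted in
# this thread, trimmed to the ones the checks below look at.
SAMPLE_LOG = r"""
AV: McAfee VirusScan Enterprise *Disabled/Outdated* {86355677-4064-3EA7-ABB3-1B136EB04637}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: McAfee VirusScan Enterprise Antispyware Module *Disabled/Outdated* {3D54B793-665E-3129-9103-206115370C8A}
mRun: [MRT] "c:\windows\system32\MRT.exe" /R
HKLM\...\Run: [MRT] - C:\Windows\system32\MRT.exe [75778376 2013-08-14] (Microsoft Corporation)
HKCU\...\Run: [Google Update*] -  [x] <===== ATTENTION (ZeroAccess rootkit hidden path)
8/26/2013 11:00:23 AM, Error: Service Control Manager [7026]  - The following boot-start or system-start driver(s) failed to load:  is3srv szkg5 szkgfs
"""

# DDS protection summary: "AV: <product> *<state>* {GUID}" (the FW: prefix is assumed to share the layout).
PROTECTION_RE = re.compile(r"^(?:AV|SP|FW): (?P<product>.+?) \*(?P<state>[^*]+)\*")
# Autostart lines as printed by DDS ("uRun:"/"mRun:") and FRST ("HKLM\...\Run:", "HKU\Default\...\Run:").
RUN_RE = re.compile(
    r"^(?:[um]Run|HK\w+(?:\\[^\\]+)*\\\.\.\.\\Run): \[(?P<name>[^\]]+)\]\s*-?\s*(?P<rest>.*)$"
)
# Attach.txt event-log line for Service Control Manager event 7026 (boot-start drivers that failed to load).
SCM_7026_RE = re.compile(r"Service Control Manager \[7026\].*failed to load:\s+(?P<drivers>.+)$")


def triage(log_text):
    """Return (category, message) findings for the lines a responder checks first."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = PROTECTION_RE.match(line)
        if m:
            state = m.group("state")
            # Disabled or outdated protection is the first thing to fix on a machine that keeps getting reinfected.
            if "Disabled" in state or "Outdated" in state:
                findings.append(("protection", f"{m.group('product')} is {state}"))
            continue
        m = RUN_RE.match(line)
        if m:
            rest = m.group("rest")
            # FRST prints "[x]" when the referenced file is not found (assumption) and "ATTENTION"
            # for entries it recognises; either way the autostart entry needs a closer look.
            if rest.startswith("[x]") or "ATTENTION" in rest:
                findings.append(("autorun", f"Run entry [{m.group('name')}] has no file on disk: {rest}"))
            continue
        m = SCM_7026_RE.search(line)
        if m:
            # Registered boot-start drivers whose file could not be loaded: each name is worth
            # checking against the SERVICES / DRIVERS section of the DDS log.
            for drv in m.group("drivers").split():
                findings.append(("driver", f"boot-start driver failed to load: {drv}"))
    return findings


def summarize(findings):
    """Count findings per category so the reply can state what still needs attention."""
    counts = {}
    for category, _ in findings:
        counts[category] = counts.get(category, 0) + 1
    return counts


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for category, message in results:
        print(f"[{category}] {message}")
    print(summarize(results))
```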
 



#4 gringo_pr (Malware Response Team)

Posted 26 August 2013 - 11:20 AM



Hello jabronii64

These are the programs I would like you to run next, if you have any problems with one of these just skip it and move on to the next one.

-AdwCleaner-

Please download AdwCleaner by Xplode onto your desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Delete.
  • Confirm each time with Ok.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the content of that logfile with your next answer.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.
-Junkware-Removal-Tool-

Please download Junkware Removal Tool to your desktop.
  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8, instead of double-clicking, right-click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.
When they are complete let me have the two reports and let me know how things are running.

Gringo

#5 jabronii64 (Topic Starter)

Posted 26 August 2013 - 11:34 AM

# AdwCleaner v3.001 - Report created 26/08/2013 at 12:30:58
# Updated 24/08/2013 by Xplode
# Operating System : Windows Vista ™ Enterprise Service Pack 2 (32 bits)
# Username : Ike - IKE-PC
# Running from : C:\Users\Ike\Desktop\AdwCleaner.exe
# Option : Clean

***** [ Services ] *****

***** [ Files / Folders ] *****

***** [ Shortcuts ] *****

***** [ Registry ] *****

***** [ Browsers ] *****

-\\ Internet Explorer v9.0.8112.16502

*************************

AdwCleaner[0].txt - [640 octets] - [14/08/2013 13:05:21]
AdwCleaner[1].txt - [698 octets] - [19/08/2013 01:41:22]
AdwCleaner[R0].txt - [752 octets] - [26/08/2013 10:27:01]
AdwCleaner[R1].txt - [870 octets] - [26/08/2013 12:29:30]
AdwCleaner[S0].txt - [812 octets] - [26/08/2013 10:57:33]
AdwCleaner[S1].txt - [792 octets] - [26/08/2013 12:30:58]

########## EOF - C:\AdwCleaner\AdwCleaner[S1].txt - [851 octets] ##########



#6 jabronii64 (Topic Starter)

Posted 26 August 2013 - 11:41 AM

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 5.5.4 (08.22.2013:1)
OS: Windows Vista ™ Enterprise x86
Ran by Ike on Mon 08/26/2013 at 12:36:02.50
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

~~~ Services

~~~ Registry Values

~~~ Registry Keys

~~~ Files

~~~ Folders

~~~ Event Viewer Logs were cleared

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Mon 08/26/2013 at 12:39:03.93
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



#7 jabronii64 (Topic Starter)

Posted 26 August 2013 - 11:44 AM

It looks clean, but these are the two programs I usually run, and I still end up infected with the same virus.



#8 gringo_pr (Malware Response Team)

Posted 26 August 2013 - 08:54 PM


Hello jabronii64

I would like you to do the following.

Please print out or make a copy in notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP Only). If this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links. I want you to save it to the desktop and run it from there.
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"
  • In your next post I need the following
  • Log from Combofix
  • Let me know of any problems you may have had
  • How is the computer doing now?
Gringo

#9 jabronii64 (Topic Starter)

Posted 26 August 2013 - 10:04 PM

I'm trying to download it, but I keep receiving a message saying ComboFix contained a virus and was deleted.



#10 gringo_pr (Malware Response Team)

Posted 26 August 2013 - 10:25 PM

Hello



***** I will need you to download this program from a clean computer and transfer it to this computer via a flash drive or a pen drive to run. *****


This is only a scan to give me the information I will need to remove the virus.

Please download the Farbar Recovery Scan Tool from here: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/

Save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.

Double-click to run it.
When the tool opens, click Yes to the disclaimer.
Press the Scan button.
It will make a log (FRST.txt) in the same directory the tool is run from.

Please attach that log to your reply.
The first time the tool is run, it makes a second log (Addition.txt).
Please attach that to your reply as well.

#11 jabronii64 (Topic Starter)

Posted 26 August 2013 - 10:49 PM

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 27-08-2013 01
Ran by Ike (administrator) on 26-08-2013 23:44:07
Running from G:\
Microsoft® Windows Vista™ Enterprise  Service Pack 2 (X86) OS Language: English(US)
Internet Explorer Version 9
Boot Mode: Normal

==================== Processes (Whitelisted) ===================

(Microsoft Corporation) C:\Windows\system32\SLsvc.exe
(Apple Inc.) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Malwarebytes Corporation) C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe
(Malwarebytes Corporation) C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
(McAfee, Inc.) C:\Program Files\McAfee\Common Framework\FrameworkService.exe
(Malwarebytes Corporation) C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
(McAfee, Inc.) C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
(McAfee, Inc.) C:\Windows\system32\mfevtps.exe
(McAfee, Inc.) C:\Program Files\McAfee\VirusScan Enterprise\mfeann.exe
(McAfee, Inc.) C:\Program Files\McAfee\Common Framework\UdaterUI.exe
(Apple Inc.) C:\Program Files\iTunes\iTunesHelper.exe
(McAfee, Inc.) C:\Program Files\McAfee\Common Framework\naPrdMgr.exe
(McAfee, Inc.) C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
(McAfee, Inc.) C:\Program Files\McAfee\Common Framework\McTray.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(McAfee, Inc.) C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
(Microsoft Corporation) C:\Program Files\internet explorer\iexplore.exe
(Microsoft Corporation) C:\Program Files\internet explorer\iexplore.exe

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [McAfeeUpdaterUI] - C:\Program Files\McAfee\Common Framework\udaterui.exe [161088 2011-01-12] (McAfee, Inc.)
HKLM\...\Run: [ShStatEXE] - C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE [215360 2011-01-12] (McAfee, Inc.)
HKLM\...\Run: [APSDaemon] - C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe [59720 2013-04-21] (Apple Inc.)
HKLM\...\Run: [Adobe ARM] - C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [958576 2013-04-04] (Adobe Systems Incorporated)
HKLM\...\Run: [QuickTime Task] - C:\Program Files\QuickTime\QTTask.exe [421888 2013-05-01] (Apple Inc.)
HKLM\...\Run: [iTunesHelper] - C:\Program Files\iTunes\iTunesHelper.exe [152392 2013-05-31] (Apple Inc.)
HKLM\...\Run: [MRT] - C:\Windows\system32\MRT.exe [75778376 2013-08-14] (Microsoft Corporation)
HKCU\...\Run: [Google Update*] -  [x] <===== ATTENTION (ZeroAccess rootkit hidden path)
HKU\Default\...\Run: [WindowsWelcomeCenter] - C:\Windows\System32\oobefldr.dll [ 2009-04-11] (Microsoft Corporation)
HKU\Default User\...\Run: [WindowsWelcomeCenter] - C:\Windows\System32\oobefldr.dll [ 2009-04-11] (Microsoft Corporation)

==================== Internet (Whitelisted) ====================

HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://xfinity.comcast.net/?cid=insDate12232012
SearchScopes: HKLM - DefaultScope value is missing.
SearchScopes: HKCU - {B104EB13-F523-406F-AC8B-DEBE58F5D77A} URL = http://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=ie8
BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\Common Files\McAfee\SystemCore\ScriptSn.20111215184556.dll (McAfee, Inc.)
BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_37-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0037-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_37-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_37-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Winsock: Catalog5 01 mswsock.dll File Not found () ATTENTION: The LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
Winsock: Catalog5 05 mswsock.dll File Not found () ATTENTION: The LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
Winsock: Catalog5 07 C:\Program Files\Bonjour\mdnsNSP.dll [121704] (Apple Inc.)
Winsock: Catalog9 01 mswsock.dll File Not found ()
Winsock: Catalog9 02 mswsock.dll File Not found ()
Winsock: Catalog9 03 mswsock.dll File Not found ()
Winsock: Catalog9 04 mswsock.dll File Not found ()
Winsock: Catalog9 05 mswsock.dll File Not found ()
Winsock: Catalog9 06 mswsock.dll File Not found ()
Winsock: Catalog9 07 mswsock.dll File Not found ()
Winsock: Catalog9 08 mswsock.dll File Not found ()
Winsock: Catalog9 09 mswsock.dll File Not found ()
Winsock: Catalog9 10 mswsock.dll File Not found ()
Winsock: Catalog9 11 mswsock.dll File Not found ()
Winsock: Catalog9 12 mswsock.dll File Not found ()
Winsock: Catalog9 13 mswsock.dll File Not found ()
Winsock: Catalog9 14 mswsock.dll File Not found ()
Winsock: Catalog9 15 mswsock.dll File Not found ()
Winsock: Catalog9 16 mswsock.dll File Not found ()
Winsock: Catalog9 17 mswsock.dll File Not found ()
Winsock: Catalog9 18 mswsock.dll File Not found ()
Winsock: Catalog9 19 mswsock.dll File Not found ()
Winsock: Catalog9 20 mswsock.dll File Not found ()
Winsock: Catalog9 21 mswsock.dll File Not found ()
Winsock: Catalog9 22 mswsock.dll File Not found ()
Winsock: Catalog9 23 mswsock.dll File Not found ()
Winsock: Catalog9 24 mswsock.dll File Not found ()
Tcpip\Parameters: [DhcpNameServer] 75.75.75.75 75.75.76.76

========================== Services (Whitelisted) =================

R2 MBAMScheduler; C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe [418376 2013-04-04] (Malwarebytes Corporation)
R2 MBAMService; C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe [701512 2013-04-04] (Malwarebytes Corporation)
R2 McAfeeFramework; C:\Program Files\McAfee\Common Framework\FrameworkService.exe [120128 2011-01-12] (McAfee, Inc.)
R2 McShield; C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe [159320 2011-12-15] (McAfee, Inc.)
R2 McTaskManager; C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe [209760 2011-01-12] (McAfee, Inc.)
R2 mfevtp; C:\Windows\system32\mfevtps.exe [145936 2011-12-15] (McAfee, Inc.)
S3 PACSPTISVR; C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe [57344 2006-12-14] ()
S3 SonicStage Back-End Service; C:\Program Files\Common Files\Sony Shared\AVLib\SsBeSvc.exe [112184 2007-02-05] (Sony Corporation)
S3 SPTISRV; C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe [69632 2006-12-14] (Sony Corporation)
S3 SSScsiSV; C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe [75320 2007-02-05] (Sony Corporation)
U2 *etadpug; "C:\Program Files\Google\Desktop\Install\{e5473ecb-a974-1a6e-8dcd-be0507ca847c}\   \...\???\{e5473ecb-a974-1a6e-8dcd-be0507ca847c}\GoogleUpdate.exe" < <==== ATTENTION (ZeroAccess)

==================== Drivers (Whitelisted) ====================

R0 CLFS; C:\Windows\System32\CLFS.sys [245736 2009-04-11] (Microsoft Corporation)
S3 mbamchameleon; C:\Windows\system32\drivers\mbamchameleon.sys [31560 2013-08-14] ()
R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [22856 2013-04-04] (Malwarebytes Corporation)
R3 mfeapfk; C:\Windows\System32\drivers\mfeapfk.sys [116104 2011-12-15] (McAfee, Inc.)
R3 mfeavfk; C:\Windows\System32\drivers\mfeavfk.sys [171296 2011-12-15] (McAfee, Inc.)
R3 mfebopk; C:\Windows\System32\drivers\mfebopk.sys [58456 2011-12-15] (McAfee, Inc.)
R0 mfehidk; C:\Windows\System32\drivers\mfehidk.sys [436728 2011-12-15] (McAfee, Inc.)
S3 mferkdet; C:\Windows\System32\drivers\mferkdet.sys [85152 2011-12-15] (McAfee, Inc.)
R1 mfewfpk; C:\Windows\System32\drivers\mfewfpk.sys [162928 2011-12-15] (McAfee, Inc.)
R3 ti21sony; C:\Windows\System32\drivers\ti21sony.sys [227328 2006-11-06] (Texas Instruments)
S3 catchme; \??\C:\Users\Ike\AppData\Local\Temp\catchme.sys [x]
S3 IpInIp; system32\DRIVERS\ipinip.sys [x]
S0 is3srv; system32\drivers\is3srv.sys [x]
U3 mfeavfk01; No ImagePath
S3 NwlnkFlt; system32\DRIVERS\nwlnkflt.sys [x]
S3 NwlnkFwd; system32\DRIVERS\nwlnkfwd.sys [x]
S0 szkg5; system32\DRIVERS\szkg.sys [x]
S0 szkgfs; system32\drivers\szkgfs.sys [x]

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

2013-08-26 16:00 - 2013-08-26 16:00 - 00000000 __SHD C:\Windows\system32\%APPDATA%
2013-08-26 15:52 - 2013-08-26 15:52 - 00000000 ____D C:\Program Files\Google
2013-08-26 12:39 - 2013-08-26 12:39 - 00000638 _____ C:\Users\Ike\Desktop\JRT.txt
2013-08-26 12:35 - 2013-08-26 12:35 - 01021434 _____ (Thisisu) C:\Users\Ike\Desktop\JRT.exe
2013-08-26 12:28 - 2013-08-26 12:28 - 00994642 _____ C:\Users\Ike\Desktop\AdwCleaner.exe
2013-08-26 11:14 - 2013-08-26 11:14 - 00009670 _____ C:\Users\Ike\Desktop\dds.txt
2013-08-26 11:14 - 2013-08-26 11:14 - 00008666 _____ C:\Users\Ike\Desktop\attach.txt
2013-08-26 11:13 - 2013-08-26 11:13 - 00688992 ____R (Swearware) C:\Users\Ike\Desktop\dds.scr
2013-08-23 12:29 - 2013-08-23 12:29 - 00006225 _____ C:\ComboFix.txt
2013-08-17 15:01 - 2013-07-09 08:10 - 01205168 _____ (Microsoft Corporation) C:\Windows\system32\ntdll.dll
2013-08-17 15:01 - 2013-07-08 00:55 - 03603904 _____ (Microsoft Corporation) C:\Windows\system32\ntkrnlpa.exe
2013-08-17 15:01 - 2013-07-08 00:55 - 03551680 _____ (Microsoft Corporation) C:\Windows\system32\ntoskrnl.exe
2013-08-16 23:39 - 2013-08-16 23:39 - 00182272 _____ C:\Users\Ike\AppData\Roaming\ejQ1uN2I
2013-08-16 23:39 - 2013-08-16 23:39 - 00182272 _____ C:\Users\Ike\AppData\Local\kXAWO9rq
2013-08-16 23:39 - 2013-08-16 23:39 - 00182272 _____ C:\ProgramData\4fryui3ypR
2013-08-14 14:48 - 2013-08-14 14:48 - 00031560 _____ C:\Windows\system32\Drivers\mbamchameleon.sys
2013-08-14 14:47 - 2013-08-14 15:17 - 00000000 ____D C:\Users\Ike\Desktop\mbar
2013-08-14 14:47 - 2013-08-14 14:47 - 12081912 _____ (Malwarebytes Corp.) C:\Users\Ike\Desktop\mbar-1.06.1.1005.exe
2013-08-14 13:05 - 2013-08-26 12:30 - 00000000 ____D C:\AdwCleaner
2013-08-14 03:03 - 2013-07-24 22:40 - 12334080 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2013-08-14 03:03 - 2013-07-24 22:32 - 01800704 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2013-08-14 03:03 - 2013-07-24 22:30 - 09738752 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2013-08-14 03:03 - 2013-07-24 22:26 - 01129472 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2013-08-14 03:03 - 2013-07-24 22:26 - 01104384 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2013-08-14 03:03 - 2013-07-24 22:25 - 01427968 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2013-08-14 03:03 - 2013-07-24 22:24 - 00231936 _____ (Microsoft Corporation) C:\Windows\system32\url.dll
2013-08-14 03:03 - 2013-07-24 22:24 - 00065536 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2013-08-14 03:03 - 2013-07-24 22:23 - 01796096 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2013-08-14 03:03 - 2013-07-24 22:23 - 00717824 _____ (Microsoft Corporation) C:\Windows\system32\jscript.dll
2013-08-14 03:03 - 2013-07-24 22:23 - 00607744 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2013-08-14 03:03 - 2013-07-24 22:23 - 00420864 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll
2013-08-14 03:03 - 2013-07-24 22:23 - 00142848 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe
2013-08-14 03:03 - 2013-07-24 22:22 - 02382848 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2013-08-14 03:03 - 2013-07-24 22:22 - 00176640 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2013-08-14 03:03 - 2013-07-24 22:22 - 00073216 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll
2013-08-13 22:20 - 2013-07-05 00:53 - 00905664 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\tcpip.sys
2013-08-13 22:20 - 2013-06-15 09:22 - 00015872 _____ (Microsoft Corporation) C:\Windows\system32\icaapi.dll
2013-08-13 22:20 - 2013-06-15 07:23 - 00024064 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\tssecsrv.sys
2013-08-13 22:18 - 2013-07-17 15:41 - 00002048 _____ (Microsoft Corporation) C:\Windows\system32\tzres.dll
2013-08-13 22:18 - 2013-07-10 05:47 - 00783360 _____ (Microsoft Corporation) C:\Windows\system32\rpcrt4.dll
2013-08-13 22:16 - 2013-07-08 00:20 - 00172544 _____ (Microsoft Corporation) C:\Windows\system32\wintrust.dll
2013-08-13 22:16 - 2013-07-08 00:16 - 00992768 _____ (Microsoft Corporation) C:\Windows\system32\crypt32.dll
2013-08-13 22:16 - 2013-07-08 00:16 - 00133120 _____ (Microsoft Corporation) C:\Windows\system32\cryptsvc.dll
2013-08-13 22:16 - 2013-07-08 00:16 - 00098304 _____ (Microsoft Corporation) C:\Windows\system32\cryptnet.dll
2013-08-13 21:35 - 2013-08-13 21:35 - 00182272 _____ C:\Users\Ike\AppData\Roaming\CoqTecjA4
2013-08-13 21:35 - 2013-08-13 21:35 - 00182272 _____ C:\Users\Ike\AppData\Local\cZ74uWYE6Vt
2013-08-13 21:35 - 2013-08-13 21:35 - 00182272 _____ C:\ProgramData\0T8fQoD5
2013-08-06 17:58 - 2013-08-06 17:58 - 00267776 _____ C:\Users\Ike\AppData\Roaming\7MtrpQhHeFs
2013-08-06 17:58 - 2013-08-06 17:58 - 00267776 _____ C:\Users\Ike\AppData\Local\zPQoEOa3M
2013-08-06 17:58 - 2013-08-06 17:58 - 00267776 _____ C:\ProgramData\NoYFCsRI
2013-08-01 23:27 - 2013-08-26 10:58 - 00003606 _____ C:\Windows\PFRO.log
2013-08-01 16:11 - 2013-08-01 16:11 - 00000000 ____D C:\Program Files\ESET
2013-08-01 16:04 - 2013-08-01 16:05 - 00000940 _____ C:\AdwCleaner[S5].txt
2013-08-01 15:05 - 2013-08-01 15:05 - 00000000 ____D C:\Users\Ike\Downloads\mbar-1.06.0.1004
2013-08-01 15:04 - 2013-08-01 15:04 - 13399154 _____ C:\Users\Ike\Downloads\mbar-1.06.0.1004.zip
2013-08-01 13:26 - 2013-08-01 13:26 - 00000000 ____D C:\FRST
2013-07-28 23:43 - 2013-07-28 23:43 - 00000000 ____D C:\TDSSKiller_Quarantine
2013-07-28 00:17 - 2013-08-14 03:14 - 00000000 ____D C:\Windows\system32\MRT

==================== One Month Modified Files and Folders =======

2013-08-26 23:43 - 2013-08-26 23:43 - 00000286 _____ C:\Users\Ike\Desktop\FRST - Shortcut.lnk
2013-08-26 23:32 - 2012-05-14 16:12 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2013-08-26 23:00 - 2006-11-02 09:01 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2013-08-26 23:00 - 2006-11-02 08:48 - 00004368 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2013-08-26 23:00 - 2006-11-02 08:48 - 00004368 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2013-08-26 22:59 - 2006-11-02 09:01 - 00032582 _____ C:\Windows\Tasks\SCHEDLGU.TXT
2013-08-26 16:00 - 2013-08-26 16:00 - 00000000 __SHD C:\Windows\system32\%APPDATA%
2013-08-26 15:53 - 2008-01-20 21:34 - 01792656 _____ C:\Windows\WindowsUpdate.log
2013-08-26 15:52 - 2013-08-26 15:52 - 00000000 ____D C:\Program Files\Google
2013-08-26 12:39 - 2013-08-26 12:39 - 00000638 _____ C:\Users\Ike\Desktop\JRT.txt
2013-08-26 12:35 - 2013-08-26 12:35 - 01021434 _____ (Thisisu) C:\Users\Ike\Desktop\JRT.exe
2013-08-26 12:30 - 2013-08-14 13:05 - 00000000 ____D C:\AdwCleaner
2013-08-26 12:28 - 2013-08-26 12:28 - 00994642 _____ C:\Users\Ike\Desktop\AdwCleaner.exe
2013-08-26 11:14 - 2013-08-26 11:14 - 00009670 _____ C:\Users\Ike\Desktop\dds.txt
2013-08-26 11:14 - 2013-08-26 11:14 - 00008666 _____ C:\Users\Ike\Desktop\attach.txt
2013-08-26 11:13 - 2013-08-26 11:13 - 00688992 ____R (Swearware) C:\Users\Ike\Desktop\dds.scr
2013-08-26 11:03 - 2013-07-02 21:18 - 00000000 ____D C:\Windows\erdnt
2013-08-26 10:58 - 2013-08-01 23:27 - 00003606 _____ C:\Windows\PFRO.log
2013-08-25 22:52 - 2006-11-02 07:18 - 00000000 ____D C:\Windows\Microsoft.NET
2013-08-24 03:04 - 2006-11-02 06:33 - 00719076 _____ C:\Windows\system32\PerfStringBackup.INI
2013-08-24 03:00 - 2011-09-21 18:05 - 00000000 ____D C:\QUARANTINE
2013-08-23 14:55 - 2010-11-04 18:09 - 00000000 ____D C:\Users\Ike
2013-08-23 14:55 - 2006-11-02 07:18 - 00000000 ____D C:\Windows\system32\spool
2013-08-23 14:55 - 2006-11-02 07:18 - 00000000 ____D C:\Windows\registration
2013-08-23 14:55 - 2006-11-02 06:22 - 42205184 _____ C:\Windows\system32\config\software_previous
2013-08-23 14:55 - 2006-11-02 06:22 - 20185088 _____ C:\Windows\system32\config\system_previous
2013-08-23 12:29 - 2013-08-23 12:29 - 00006225 _____ C:\ComboFix.txt
2013-08-23 11:35 - 2006-11-02 06:23 - 00000215 _____ C:\Windows\system.ini
2013-08-23 10:41 - 2013-07-18 13:02 - 00000000 ____D C:\Users\Ike\AppData\Local\45c09538-ab6b-405d-8fb1-333e2e767ce2ad
2013-08-23 10:31 - 2006-11-02 06:22 - 00262144 _____ C:\Windows\system32\config\sam_previous
2013-08-22 23:52 - 2006-11-02 06:22 - 38273024 _____ C:\Windows\system32\config\components_previous
2013-08-18 03:19 - 2006-11-02 06:22 - 00524288 _____ C:\Windows\system32\config\default_previous
2013-08-18 03:18 - 2006-11-02 06:22 - 00262144 _____ C:\Windows\system32\config\security_previous
2013-08-17 23:26 - 2006-11-02 08:37 - 00000000 ____D C:\Windows\twain_32
2013-08-17 17:53 - 2006-11-02 07:18 - 00000000 ____D C:\Windows\system32\Msdtc
2013-08-16 23:39 - 2013-08-16 23:39 - 00182272 _____ C:\Users\Ike\AppData\Roaming\ejQ1uN2I
2013-08-16 23:39 - 2013-08-16 23:39 - 00182272 _____ C:\Users\Ike\AppData\Local\kXAWO9rq
2013-08-16 23:39 - 2013-08-16 23:39 - 00182272 _____ C:\ProgramData\4fryui3ypR
2013-08-14 15:17 - 2013-08-14 14:47 - 00000000 ____D C:\Users\Ike\Desktop\mbar
2013-08-14 14:48 - 2013-08-14 14:48 - 00031560 _____ C:\Windows\system32\Drivers\mbamchameleon.sys
2013-08-14 14:47 - 2013-08-14 14:47 - 12081912 _____ (Malwarebytes Corp.) C:\Users\Ike\Desktop\mbar-1.06.1.1005.exe
2013-08-14 03:51 - 2006-11-02 07:18 - 00000000 ____D C:\Windows\rescache
2013-08-14 03:14 - 2013-07-28 00:17 - 00000000 ____D C:\Windows\system32\MRT
2013-08-14 03:14 - 2006-11-02 06:24 - 75778376 _____ (Microsoft Corporation) C:\Windows\system32\mrt.exe
2013-08-14 03:11 - 2011-09-15 18:39 - 00000000 ____D C:\ProgramData\Microsoft Help
2013-08-14 01:51 - 2006-11-02 07:18 - 00000000 __RSD C:\Windows\Media
2013-08-13 21:35 - 2013-08-13 21:35 - 00182272 _____ C:\Users\Ike\AppData\Roaming\CoqTecjA4
2013-08-13 21:35 - 2013-08-13 21:35 - 00182272 _____ C:\Users\Ike\AppData\Local\cZ74uWYE6Vt
2013-08-13 21:35 - 2013-08-13 21:35 - 00182272 _____ C:\ProgramData\0T8fQoD5
2013-08-10 16:08 - 2013-02-26 16:44 - 00000000 ____D C:\Users\Ike\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\GameFly
2013-08-10 16:08 - 2012-09-08 13:11 - 00000000 ____D C:\Program Files\GameFly
2013-08-08 20:23 - 2006-11-02 07:18 - 00000000 ____D C:\Windows\Resources
2013-08-06 17:58 - 2013-08-06 17:58 - 00267776 _____ C:\Users\Ike\AppData\Roaming\7MtrpQhHeFs
2013-08-06 17:58 - 2013-08-06 17:58 - 00267776 _____ C:\Users\Ike\AppData\Local\zPQoEOa3M
2013-08-06 17:58 - 2013-08-06 17:58 - 00267776 _____ C:\ProgramData\NoYFCsRI
2013-08-02 16:03 - 2012-01-19 20:19 - 00000000 ____D C:\Program Files\Common Files\Adobe
2013-08-01 18:50 - 2013-05-21 15:40 - 00000000 ____D C:\JRT
2013-08-01 16:37 - 2010-11-04 18:09 - 00000000 ____D C:\Users\Ike\AppData\Local\VirtualStore
2013-08-01 16:11 - 2013-08-01 16:11 - 00000000 ____D C:\Program Files\ESET
2013-08-01 16:05 - 2013-08-01 16:04 - 00000940 _____ C:\AdwCleaner[S5].txt
2013-08-01 15:05 - 2013-08-01 15:05 - 00000000 ____D C:\Users\Ike\Downloads\mbar-1.06.0.1004
2013-08-01 15:04 - 2013-08-01 15:04 - 13399154 _____ C:\Users\Ike\Downloads\mbar-1.06.0.1004.zip
2013-08-01 13:26 - 2013-08-01 13:26 - 00000000 ____D C:\FRST
2013-07-30 17:51 - 2010-11-05 15:12 - 00000000 ____D C:\Users\Ike\AppData\Local\Apple Computer
2013-07-29 17:19 - 2013-05-17 09:29 - 00000000 ____D C:\ProgramData\HitmanPro
2013-07-29 00:16 - 2006-11-02 07:18 - 00000000 _SHDC C:\Windows\$NtUninstallKB5670$
2013-07-28 23:43 - 2013-07-28 23:43 - 00000000 ____D C:\TDSSKiller_Quarantine
2013-07-27 23:59 - 2012-05-14 16:12 - 00692104 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerApp.exe
2013-07-27 23:59 - 2011-06-05 18:14 - 00071048 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerCPLApp.cpl
2013-07-27 23:59 - 2010-11-05 14:04 - 00000000 ____D C:\Users\Ike\AppData\Local\Adobe

ZeroAccess:
C:\Windows\assembly\GAC\Desktop.ini

Files to move or delete:
====================
ZeroAccess:
C:\Users\Ike\AppData\Local\Google\Desktop\Install\{e5473ecb-a974-1a6e-8dcd-be0507ca847c}
ZeroAccess:
C:\Program Files\Google\Desktop\Install\{e5473ecb-a974-1a6e-8dcd-be0507ca847c}
C:\ProgramData\6QM3bO7.dat
C:\Users\Ike\jagex_cl_runescape_LIVE.dat
C:\Users\Ike\jagex_cl_runescape_LIVE1.dat
C:\Users\Ike\jagex_runescape_preferences.dat
C:\Users\Ike\jagex_runescape_preferences2.dat
C:\Users\Ike\AppData\Local\Temp\Quarantine.exe
C:\Users\Ike\AppData\Local\Temp\jrt\erunt\ERUNT.EXE

==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
C:\Program Files\Windows Defender\mpsvc.dll => ATTENTION: ZeroAccess. Use DeleteJunctionsIndirectory: C:\Program Files\Windows Defender

LastRegBack: 2013-08-26 23:05

==================== End Of Log ============================


#12 jabronii64 (Topic Starter, Members)

Posted 26 August 2013 - 10:51 PM

Additional scan result of Farbar Recovery Scan Tool (x86) Version: 27-08-2013 01
Ran by Ike at 2013-08-26 23:45:19
Running from G:\
Boot Mode: Normal
==========================================================

==================== Installed Programs =======================

 Update for Microsoft Office 2007 (KB2508958)
Adobe AIR (Version: 3.5.0.600)
Adobe Flash Player 11 ActiveX (Version: 11.8.800.94)
Adobe Reader X (10.1.7) (Version: 10.1.7)
Apple Application Support (Version: 2.3.4)
Apple Mobile Device Support (Version: 6.1.0.13)
Apple Software Update (Version: 2.1.3.127)
Applet
Bonjour (Version: 3.0.0.10)
ESET Online Scanner v3
GameFly (Version: 1.2.248)
Internet Explorer (Enable DEP)
iTunes (Version: 11.0.4.4)
Java™ 6 Update 37 (Version: 6.0.370)
Malwarebytes Anti-Malware version 1.75.0.1300 (Version: 1.75.0.1300)
McAfee Agent (Version: 4.5.0.1810)
McAfee VirusScan Enterprise (Version: 8.8.00000)
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1 (Version: 3.5.30729)
Microsoft .NET Framework 4 Client Profile (Version: 4.0.30319)
Microsoft Fix it Center (Version: 1.0.0100)
Microsoft Office 2007 Service Pack 3 (SP3)
Microsoft Office Communicator 2007 (Version: 2.0.6362.0)
Microsoft Office Excel MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office File Validation Add-In (Version: 14.0.5130.5003)
Microsoft Office Outlook MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office PowerPoint MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office Proof (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office Proof (French) 2007 (Version: 12.0.6612.1000)
Microsoft Office Proof (Spanish) 2007 (Version: 12.0.6612.1000)
Microsoft Office Proofing (English) 2007 (Version: 12.0.4518.1014)
Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
Microsoft Office Shared MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office Standard 2007 (Version: 12.0.6612.1000)
Microsoft Office Word MUI (English) 2007 (Version: 12.0.6612.1000)
OpenMG Limited Patch 4.7-07-14-05-01
OpenMG Secure Module 4.7.00 (Version: 4.7.00.12140)
QuickTime (Version: 7.74.80.86)
SonicStage 4.3 (Version: 4.3)
Sony Snymsico for Vista (Version: 1.00.1109)
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB2836940) (Version: 1)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707) (Version: 1)
Update for Microsoft .NET Framework 4 Client Profile (KB2468871) (Version: 1)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523) (Version: 1)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217) (Version: 1)
Update for Microsoft .NET Framework 4 Client Profile (KB2836939) (Version: 1)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office 2007 suites (KB2596620) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2596660) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2596848) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2687493) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2767849) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2767916) 32-Bit Edition
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office Outlook 2007 (KB2687404) 32-Bit Edition
Update for Microsoft Office Outlook 2007 (KB2768023) 32-Bit Edition
Update for Microsoft Office Outlook 2007 Help (KB963677)
Update for Microsoft Office Outlook 2007 Junk Email Filter (KB2817642) 32-Bit Edition
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Word 2007 Help (KB963665)
Windows Resource Kit Tools - SubInAcl.exe (Version: 5.2.3790.1164)

==================== Restore Points  =========================

07-08-2013 17:34:31 Windows Update
08-08-2013 22:01:18 Scheduled Checkpoint
10-08-2013 16:32:40 ComboFix created restore point
11-08-2013 06:16:23 Scheduled Checkpoint
11-08-2013 15:07:13 Windows Update
13-08-2013 18:34:27 Windows Update
14-08-2013 02:07:30 Windows Update
14-08-2013 07:01:07 Windows Update
14-08-2013 19:16:59 Malwarebytes Anti-Rootkit Restore Point
15-08-2013 07:00:26 Windows Update
17-08-2013 19:02:20 Windows Update
18-08-2013 07:00:20 Windows Update
19-08-2013 07:02:14 Scheduled Checkpoint
21-08-2013 01:37:30 Scheduled Checkpoint
22-08-2013 05:05:55 Scheduled Checkpoint
23-08-2013 05:40:06 Scheduled Checkpoint
24-08-2013 07:00:30 Windows Update
26-08-2013 05:37:59 Scheduled Checkpoint

==================== Hosts content: ==========================

2006-11-02 06:23 - 2013-08-23 11:35 - 00000027 ____A C:\Windows\system32\Drivers\etc\hosts
127.0.0.1       localhost

==================== Scheduled Tasks (whitelisted) =============

Task: {256C3222-8D4A-4130-BC57-7FE278EC381C} - System32\Tasks\Microsoft\Windows Defender\MP Scheduled Scan => c:\program files\windows defender\MpCmdRun.exe [2008-01-20] ()
Task: {50B6DDA6-8E4F-4B29-AA53-2925589532D3} - System32\Tasks\Microsoft\Windows\Tcpip\WSHReset => C:\Windows\system32\schtasks.exe [2008-01-20] (Microsoft Corporation)
Task: {8257CE67-A9BF-41ED-B024-00E50B889B30} - System32\Tasks\Microsoft\Windows\Shell\CrawlStartPages
Task: {8BDE4D48-C446-4B7D-948C-1664E1F34F82} - System32\Tasks\Microsoft\Windows\MobilePC\TMM
Task: {8E9A0E90-4C23-4B77-A7AA-E965CF999F13} - System32\Tasks\Microsoft\Windows\RAC\RACAgent => C:\Windows\system32\RacAgent.exe [2008-01-20] (Microsoft Corporation)
Task: {98A865A9-B6DE-46DB-A8F7-863B94ECCDB5} - System32\Tasks\Apple\AppleSoftwareUpdate => C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2011-06-01] (Apple Inc.)
Task: {9EA92714-E095-4916-878F-B70C5A6352F6} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2013-07-27] (Adobe Systems Incorporated)
Task: {B36FC2BD-D712-4773-9017-CC4528971435} - System32\Tasks\Microsoft\Windows\Wireless\GatherWirelessInfo => C:\Windows\system32\gatherWirelessInfo.vbs [2008-01-20] ()
Task: {C093CC88-433F-4F70-86A0-42803D2992FC} - System32\Tasks\Microsoft\Windows\NetworkAccessProtection\NAPStatus UI
Task: {C23E8509-1E88-43DA-806C-3388886415C9} - System32\Tasks\Microsoft\Windows\Customer Experience Improvement Program\OptinNotification => C:\Windows\System32\wsqmcons.exe [2008-01-20] (Microsoft Corporation)
Task: {D1A71284-AB51-4DA7-811A-F35EBDFC6A6B} - System32\Tasks\Microsoft\Windows Defender\MP Scheduled Signature Update => c:\program files\windows defender\MpCmdRun.exe [2008-01-20] ()
Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe

==================== Alternate Data Streams (whitelisted) ==========

AlternateDataStreams: C:\Windows\$NtUninstallKB5670$:SummaryInformation

==================== Faulty Device Manager Devices =============

Name: Microsoft 6to4 Adapter
Description: Microsoft 6to4 Adapter
Class Guid: {4d36e972-e325-11ce-bfc1-08002be10318}
Manufacturer: Microsoft
Service: tunnel
Problem: : This device is not working properly because Windows cannot load the drivers required for this device. (Code 31)
Resolution: Update the driver

==================== Event log errors: =========================

Application errors:
==================
Error: (08/26/2013 11:04:16 PM) (Source: Application Error) (User: )
Description: Faulting application MCUPDATE.EXE, version 8.8.0.777, time stamp 0x4d2e0500, faulting module ntdll.dll, version 6.0.6002.18881, time stamp 0x51da3e27, exception code 0xc0000005, fault offset 0x0003dd6d,
process id 0xba4, application start time 0xMCUPDATE.EXE0.

Error: (08/26/2013 11:04:12 PM) (Source: McLogEvent) (User: NT AUTHORITY)
Description: MCSCAN32 Engine Initialisation failed.
Engine returned error : 7

Error: (08/26/2013 11:01:50 PM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (08/26/2013 11:00:21 PM) (Source: McLogEvent) (User: NT AUTHORITY)
Description: MCSCAN32 Engine Initialisation failed.
Engine returned error : 7

Error: (08/26/2013 03:15:09 PM) (Source: McLogEvent) (User: NT AUTHORITY)
Description: MCSCAN32 Engine Initialisation failed.
Engine returned error : 7

System errors:
=============
Error: (08/26/2013 11:01:51 PM) (Source: Service Control Manager) (User: )
Description: is3srv
szkg5
szkgfs

Error: (08/26/2013 11:01:51 PM) (Source: Service Control Manager) (User: )
Description: IPsec Policy AgentBFE

Error: (08/26/2013 11:01:51 PM) (Source: Service Control Manager) (User: )
Description: IKE and AuthIP IPsec Keying ModulesBFE

Error: (08/26/2013 11:01:51 PM) (Source: Service Control Manager) (User: )
Description: Parallel port driver%%1058

Error: (08/26/2013 11:01:51 PM) (Source: Service Control Manager) (User: )
Description: Computer Browser%%1060

Microsoft Office Sessions:
=========================

CodeIntegrity Errors:
===================================
  Date: 2013-08-26 23:45:13.157
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\drivers\mbamchameleon.sys because the set of per-page image hashes could not be found on the system.

  Date: 2013-08-26 23:45:12.877
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\drivers\mbamchameleon.sys because the set of per-page image hashes could not be found on the system.

  Date: 2013-08-26 23:45:12.608
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\drivers\mbamchameleon.sys because the set of per-page image hashes could not be found on the system.

  Date: 2013-08-26 23:45:12.326
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\drivers\mbamchameleon.sys because the set of per-page image hashes could not be found on the system.

  Date: 2013-08-26 23:44:50.277
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\drivers\mbamchameleon.sys because the set of per-page image hashes could not be found on the system.

  Date: 2013-08-26 23:44:49.984
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\drivers\mbamchameleon.sys because the set of per-page image hashes could not be found on the system.

  Date: 2013-08-23 12:37:07.901
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\drivers\mbamchameleon.sys because the set of per-page image hashes could not be found on the system.

  Date: 2013-08-23 12:37:07.671
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\drivers\mbamchameleon.sys because the set of per-page image hashes could not be found on the system.

  Date: 2013-08-23 12:37:07.442
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\drivers\mbamchameleon.sys because the set of per-page image hashes could not be found on the system.

  Date: 2013-08-23 12:37:07.169
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\drivers\mbamchameleon.sys because the set of per-page image hashes could not be found on the system.

==================== Memory info ===========================

Percentage of memory in use: 51%
Total physical RAM: 2037.45 MB
Available physical RAM: 997 MB
Total Pagefile: 4312.16 MB
Available Pagefile: 3132.5 MB
Total Virtual: 2047.88 MB
Available Virtual: 1910.46 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:149.05 GB) (Free:84.8 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
Drive g: (HITMANPRO) (Removable) (Total:7.44 GB) (Free:7.42 GB) FAT32

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or Vista) (Size: 149 GB) (Disk ID: 8E1F7F12)
Partition 1: (Active) - (Size=149 GB) - (Type=07 NTFS)

========================================================
Disk: 3 (Size: 7 GB) (Disk ID: 5026558D)
Partition 1: (Active) - (Size=7 GB) - (Type=0B)

==================== End Of Log ============================



#13 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:04:13 AM

Posted 26 August 2013 - 11:24 PM

Hello jabronii64



I need you to download this script I have made for you --> Attached File: fixlist.txt (2.32KB)

It needs to be saved next to the "Farbar Recovery Scan Tool" (FRST) program (if asked to overwrite the existing one, please allow it).

Run FRST again but this time press the Fix button just once and wait.


When finished, it will make a log (fixlog.txt) next to FRST. Please copy and paste the content of this file to your reply.


NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.


Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#14 jabronii64

jabronii64
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  • Local time:04:13 AM

Posted 26 August 2013 - 11:49 PM

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 27-08-2013 01
Ran by Ike at 2013-08-27 00:38:09 Run:1
Running from G:\
Boot Mode: Normal

==============================================

Content of fixlist:
*****************
HKCU\...\Run: [Google Update*] - [x] <===== ATTENTION (ZeroAccess rootkit hidden path)
Winsock: Catalog5 01 mswsock.dll File Not found () ATTENTION: The LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
Winsock: Catalog5 05 mswsock.dll File Not found () ATTENTION: The LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
2013-08-16 23:39 - 2013-08-16 23:39 - 00182272 _____ C:\Users\Ike\AppData\Roaming\ejQ1uN2I
2013-08-16 23:39 - 2013-08-16 23:39 - 00182272 _____ C:\Users\Ike\AppData\Local\kXAWO9rq
2013-08-16 23:39 - 2013-08-16 23:39 - 00182272 _____ C:\ProgramData\4fryui3ypR
2013-08-13 21:35 - 2013-08-13 21:35 - 00182272 _____ C:\Users\Ike\AppData\Roaming\CoqTecjA4
2013-08-13 21:35 - 2013-08-13 21:35 - 00182272 _____ C:\Users\Ike\AppData\Local\cZ74uWYE6Vt
2013-08-13 21:35 - 2013-08-13 21:35 - 00182272 _____ C:\ProgramData\0T8fQoD5
2013-08-06 17:58 - 2013-08-06 17:58 - 00267776 _____ C:\Users\Ike\AppData\Roaming\7MtrpQhHeFs
2013-08-06 17:58 - 2013-08-06 17:58 - 00267776 _____ C:\Users\Ike\AppData\Local\zPQoEOa3M
2013-08-06 17:58 - 2013-08-06 17:58 - 00267776 _____ C:\ProgramData\NoYFCsRI
2013-08-16 23:39 - 2013-08-16 23:39 - 00182272 _____ C:\Users\Ike\AppData\Roaming\ejQ1uN2I
2013-08-16 23:39 - 2013-08-16 23:39 - 00182272 _____ C:\Users\Ike\AppData\Local\kXAWO9rq
2013-08-16 23:39 - 2013-08-16 23:39 - 00182272 _____ C:\ProgramData\4fryui3ypR
2013-08-13 21:35 - 2013-08-13 21:35 - 00182272 _____ C:\Users\Ike\AppData\Roaming\CoqTecjA4
2013-08-13 21:35 - 2013-08-13 21:35 - 00182272 _____ C:\Users\Ike\AppData\Local\cZ74uWYE6Vt
2013-08-13 21:35 - 2013-08-13 21:35 - 00182272 _____ C:\ProgramData\0T8fQoD5
2013-08-06 17:58 - 2013-08-06 17:58 - 00267776 _____ C:\Users\Ike\AppData\Roaming\7MtrpQhHeFs
2013-08-06 17:58 - 2013-08-06 17:58 - 00267776 _____ C:\Users\Ike\AppData\Local\zPQoEOa3M
2013-08-06 17:58 - 2013-08-06 17:58 - 00267776 _____ C:\ProgramData\NoYFCsRI
C:\Windows\assembly\GAC\Desktop.ini
C:\Users\Ike\AppData\Local\Google\Desktop\Install\{e5473ecb-a974-1a6e-8dcd-be0507ca847c}
C:\Program Files\Google\Desktop\Install\{e5473ecb-a974-1a6e-8dcd-be0507ca847c}
C:\ProgramData\6QM3bO7.dat
DeleteJunctionsInDirectory: C:\Program Files\Windows Defender
DeleteJunctionsInDirectory: C:\Program Files\Microsoft Security Client
DeleteJunctionsIndirectory: C:\Windows\system64
cmd: Dir /b /a:l "C:\Program Files" /s

*****************

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\\Google Update* => Value deleted successfully.
Winsock: Catalog5 entry 000000000001\\LibraryPath  was set successfully to %SystemRoot%\system32\NLAapi.dll
Winsock: Catalog5 entry 000000000005\\LibraryPath  was set successfully to %SystemRoot%\System32\mswsock.dll
C:\Users\Ike\AppData\Roaming\ejQ1uN2I => Moved successfully.
C:\Users\Ike\AppData\Local\kXAWO9rq => Moved successfully.
C:\ProgramData\4fryui3ypR => Moved successfully.
C:\Users\Ike\AppData\Roaming\CoqTecjA4 => Moved successfully.
C:\Users\Ike\AppData\Local\cZ74uWYE6Vt => Moved successfully.
C:\ProgramData\0T8fQoD5 => Moved successfully.
C:\Users\Ike\AppData\Roaming\7MtrpQhHeFs => Moved successfully.
C:\Users\Ike\AppData\Local\zPQoEOa3M => Moved successfully.
C:\ProgramData\NoYFCsRI => Moved successfully.
"C:\Users\Ike\AppData\Roaming\ejQ1uN2I" => File/Directory not found.
"C:\Users\Ike\AppData\Local\kXAWO9rq" => File/Directory not found.
"C:\ProgramData\4fryui3ypR" => File/Directory not found.
"C:\Users\Ike\AppData\Roaming\CoqTecjA4" => File/Directory not found.
"C:\Users\Ike\AppData\Local\cZ74uWYE6Vt" => File/Directory not found.
"C:\ProgramData\0T8fQoD5" => File/Directory not found.
"C:\Users\Ike\AppData\Roaming\7MtrpQhHeFs" => File/Directory not found.
"C:\Users\Ike\AppData\Local\zPQoEOa3M" => File/Directory not found.
"C:\ProgramData\NoYFCsRI" => File/Directory not found.
C:\Windows\assembly\GAC\Desktop.ini => Moved successfully.

"C:\Users\Ike\AppData\Local\Google\Desktop\Install\{e5473ecb-a974-1a6e-8dcd-be0507ca847c}" directory move:

Could not move "C:\Users\Ike\AppData\Local\Google\Desktop\Install\{e5473ecb-a974-1a6e-8dcd-be0507ca847c}" directory. => Scheduled to move on reboot.

"C:\Program Files\Google\Desktop\Install\{e5473ecb-a974-1a6e-8dcd-be0507ca847c}" directory move:

Could not move "C:\Program Files\Google\Desktop\Install\{e5473ecb-a974-1a6e-8dcd-be0507ca847c}" directory. => Scheduled to move on reboot.

C:\ProgramData\6QM3bO7.dat => Moved successfully.
"C:\Program Files\Windows Defender" => Deleting reparse point and unlocking started.
"C:\Program Files\Windows Defender\en-US" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MpAsDesc.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MpClient.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MpCmdRun.exe" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MpEvMsg.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MpOAV.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MpRtMon.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MpRtPlug.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MpSigDwn.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MpSoftEx.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MpSvc.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MSASCui.exe" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MsMpCom.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MsMpLics.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MsMpRes.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender" => Deleting reparse point and unlocking completed.
"C:\Program Files\Microsoft Security Client" => Not Found
"C:\Windows\system64" => Not Found

=========  Dir /b /a:l "C:\Program Files" /s =========

File Not Found

========= End of CMD: =========

=========== Result of Scheduled Files to move ===========

C:\Users\Ike\AppData\Local\Google\Desktop\Install\{e5473ecb-a974-1a6e-8dcd-be0507ca847c} => Is moved successfully.
C:\Program Files\Google\Desktop\Install\{e5473ecb-a974-1a6e-8dcd-be0507ca847c} => Deleted successfully.

==== End of Fixlog ====



#15 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:04:13 AM

Posted 27 August 2013 - 12:14 AM


Hello jabronii64

I would like you to do the following.

Please print out or make a copy in notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only). If this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this, you can find out >here< or >here<.

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links. I want you to save it to the desktop and run it from there.

1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click Combofix's window while it's running. That may cause it to stall.

Note 2: If you receive the error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"Information and logs": in your next post I need the following:
  • Log from Combofix
  • Let me know of any problems you may have had
  • How is the computer doing now?
Gringo



