
Tons of My Web Search infections removed but....


19 replies to this topic

#1 sh4rkbyt3


  • Members
  • 419 posts
  • Gender:Male

Posted 08 October 2013 - 09:45 PM

Using several tools I discovered several infections (mostly of the My Web Search variety) as well as a few others. Using Malwarebytes, ComboFix and JRT, I removed what I was able to find but am still experiencing a very slow start-up and a long delay with a black screen when my OS (Vista) starts up.

 

I've saved the log files to my desktop if you need them but will wait per your instructions before I post or do anything else.

Included below is the dds.txt file:

 

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 9.0.8112.16506
Run by Richard Graven Jr at 22:39:16 on 2013-10-08
Microsoft® Windows Vista™ Home Premium   6.0.6002.2.1252.1.1033.18.1982.904 [GMT -4:00]
.
AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\rundll32.exe
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\AVAST Software\Avast\AvastUI.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Hewlett-Packard\HP wireless Assistant\WiFiMsg.EXE
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\ctfmon.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
BHO: avast! Online Security: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - c:\program files\avast software\avast\aswWebRepIE.dll
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: HP Smart BHO Class: {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: avast! Online Security: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - c:\program files\avast software\avast\aswWebRepIE.dll
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [QlbCtrl] c:\program files\hewlett-packard\hp quick launch buttons\QlbCtrl.exe /Start
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [HP Health Check Scheduler] c:\program files\hewlett-packard\hp health check\HPHC_Scheduler.exe
mRun: [hpWirelessAssistant] c:\program files\hewlett-packard\hp wireless assistant\HPWAMain.exe
mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui
mRunOnce: [Launcher] c:\windows\sminst\launcher.exe
StartupFolder: c:\users\richar~1\appdata\roaming\micros~1\windows\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: BindDirectlyToPropertySetStorage = dword:0
mPolicies-Explorer: NoDrives = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - <orphaned>
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
Trusted Zone: internet
Trusted Zone: mcafee.com
Trusted Zone: mcafee.com
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
TCP: NameServer = 192.168.2.1
TCP: Interfaces\{851D6A6A-3782-411F-9686-0D871CE78E56} : DHCPNameServer = 192.168.1.1
TCP: Interfaces\{B0717666-99DE-4E14-B322-505B7C9031E4} : DHCPNameServer = 192.168.2.1
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll
SEH: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - <orphaned>
LSA: Security Packages =  kerberos msv1_0 schannel wdigest tspkg
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"
.
============= SERVICES / DRIVERS ===============
.
R0 aswRvrt;aswRvrt;c:\windows\system32\drivers\aswRvrt.sys [2013-10-7 49376]
R0 aswVmm;aswVmm;c:\windows\system32\drivers\aswVmm.sys [2013-10-7 177864]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2013-10-7 770344]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2013-10-7 369584]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2013-10-7 29816]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2013-10-7 66336]
R2 avast! Antivirus;avast! Antivirus;c:\program files\avast software\avast\AvastSvc.exe [2013-10-7 46808]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-9-16 21504]
R2 IntuitUpdateServiceV4;Intuit Update Service v4;c:\program files\common files\intuit\update service v4\IntuitUpdateService.exe [2012-2-6 13672]
RUnknown SASKUTIL;SASKUTIL; [x]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 Viewpoint Service;Viewpoint Service;"c:\program files\viewpoint\common\viewpointservice.exe" --> c:\program files\viewpoint\common\ViewpointService.exe [?]
S3 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr.sys [2012-5-24 39272]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2012-3-8 1492840]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2013-4-18 754856]
.
=============== Created Last 30 ================
.
2013-10-08 20:56:43 -------- d-----w- c:\users\richard graven jr\appdata\roaming\SUPERAntiSpyware.com
2013-10-08 00:07:43 770344 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2013-10-08 00:07:42 49376 ----a-w- c:\windows\system32\drivers\aswRvrt.sys
2013-10-08 00:07:42 177864 ----a-w- c:\windows\system32\drivers\aswVmm.sys
2013-10-08 00:07:40 66336 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2013-10-08 00:06:51 41664 ----a-w- c:\windows\avastSS.scr
2013-10-08 00:06:25 -------- d-----w- c:\program files\AVAST Software
2013-10-08 00:06:12 -------- d-----w- c:\programdata\AVAST Software
2013-10-07 23:34:47 -------- d-----w- c:\programdata\Malwarebytes' Anti-Malware (portable)
2013-10-07 22:44:52 -------- d-sh--w- C:\$RECYCLE.BIN
2013-10-07 22:43:28 -------- d-----w- C:\ComboFix
2013-10-07 03:34:47 -------- d-----w- c:\program files\Defraggler
2013-10-07 03:25:59 -------- d-----w- c:\users\richard graven jr\appdata\local\temp
2013-10-07 03:12:22 98816 ----a-w- c:\windows\sed.exe
2013-10-07 03:12:22 256000 ----a-w- c:\windows\PEV.exe
2013-10-07 03:12:22 208896 ----a-w- c:\windows\MBR.exe
2013-10-07 03:03:06 -------- d-----w- c:\windows\ERUNT
2013-10-06 05:23:48 -------- d-----w- C:\AdwCleaner
2013-10-06 03:20:02 -------- d-----w- c:\users\richard graven jr\appdata\roaming\Malwarebytes
2013-10-06 03:19:54 -------- d-----w- c:\programdata\Malwarebytes
2013-10-06 03:19:53 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-10-06 03:19:53 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2013-10-05 22:56:23 0 ----a-w- c:\windows\system32\REN7B6A.tmp
2013-10-05 22:56:23 0 ----a-w- c:\windows\system32\REN7B69.tmp
2013-10-05 22:56:23 0 ----a-w- c:\windows\system32\REN7B68.tmp
2013-10-05 22:06:48 -------- d-----w- c:\users\richard graven jr\appdata\local\Zemana
2013-10-05 21:58:12 -------- d-----w- c:\program files\VS Revo Group
2013-10-05 21:31:59 -------- d-----w- c:\program files\CCleaner
2013-10-05 21:14:34 -------- d-----w- c:\windows\pss
2013-09-24 01:38:00 17154952 ----a-w- c:\windows\system32\FlashPlayerInstaller.exe
2013-09-10 20:42:46 615936 ----a-w- c:\windows\system32\themeui.dll
2013-09-10 20:42:43 2049536 ----a-w- c:\windows\system32\win32k.sys
2013-09-10 02:27:08 -------- d-----w- c:\users\richard graven jr\appdata\local\Macromedia
.
==================== Find3M  ====================
.
2013-08-02 04:09:35 1548288 ----a-w- c:\windows\system32\WMVDECOD.DLL
2013-07-31 10:00:20 1800704 ----a-w- c:\windows\system32\jscript9.dll
2013-07-31 09:52:44 1129472 ----a-w- c:\windows\system32\wininet.dll
2013-07-31 09:52:34 1427968 ----a-w- c:\windows\system32\inetcpl.cpl
2013-07-31 09:48:43 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2013-07-31 09:48:09 420864 ----a-w- c:\windows\system32\vbscript.dll
2013-07-31 09:45:42 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2013-07-17 19:41:34 2048 ----a-w- c:\windows\system32\tzres.dll
.
=================== ROOTKIT  ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 6.0.6002 Disk: ST9120822AS rev.3.BHE -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-2
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll ataport.SYS pciide.sys PCIIDEX.SYS atapi.sys
1 ntkrnlpa!IofCallDriver[0x8247B916] -> \Device\Harddisk0\DR0[0x8548D9B8]
3 CLASSPNP[0x87D9E8B3] -> ntkrnlpa!IofCallDriver[0x8247B916] -> [0x8460B918]
5 acpi[0x806146BC] -> ntkrnlpa!IofCallDriver[0x8247B916] -> \Device\Ide\IdeDeviceP0T0L0-0[0x85013B98]
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a;  }
user != kernel MBR !!!
.
============= FINISH: 22:39:39.78 ===============
 




 


#2 jntkwx


  • Malware Response Team
  • 4,339 posts
  • Gender:Male
  • Location:New England, U.S.A.

Posted 11 October 2013 - 11:31 AM

Hi sh4rkbyt3,

Welcome back to Bleeping Computer.

My name is Jason and I'll be helping you with your computer problems. You can call me by my screen name jntkwx, or Jason is fine.

Some things to remember while we are working together.

  • Do not run any other tool until instructed to do so!
  • Please do not attach logs or put logs in code or quote boxes (unless explicitly asked to)
  • Tell me about any problems that have occurred during the fix.
  • Tell me of any other symptoms you may be having as these can also help.
  • Do not run anything while running a fix.
  • If you don't understand a step, please ask for clarification before continuing with any future steps.

In the upper right hand corner of the topic you will see the Follow This Topic button. Click on this, then choose Receive Notification Immediately and then click Follow This Topic; you will be sent an email once I have posted a response, which will make the cleaning process faster.

Note to others: The instructions here are intended for the person who began this topic. If you need help, please create your own topic in the appropriate forum.

 

 

Yes, I'd like to see the latest logs. It's not necessary to rerun the scans at this time.

  1. Please post the latest Combofix log into your next reply
  2. Please post the latest Malwarebytes log into your next reply

Regards,
Jason

 

Simple and easy ways to keep your computer safe and secure on the Internet

If I am helping you and have not returned in 48 hours, please feel free to send me a PM with a link to the topic.
My help is free... however, if you wish to show appreciation and support me personally fighting against malware, please consider a donation.


#3 sh4rkbyt3

  • Topic Starter

  • Members
  • 419 posts
  • Gender:Male

Posted 12 October 2013 - 08:12 AM

Thank you for your help Jason. As requested here are the scan result files:

 

ComboFix 13-10-04.02 - Richard Graven Jr 10/06/2013  23:16:55.1.2 - x86
Microsoft® Windows Vista™ Home Premium   6.0.6002.2.1252.1.1033.18.1982.1252 [GMT -4:00]
Running from: c:\users\Richard Graven Jr\Desktop\ComboFix.exe
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\Downloaded Program Files\f3initialsetup1.0.1.0.inf
.
.
(((((((((((((((((((((((((   Files Created from 2013-09-07 to 2013-10-07  )))))))))))))))))))))))))))))))
.
.
2013-10-07 03:25 . 2013-10-07 03:26 -------- d-----w- c:\users\Richard Graven Jr\AppData\Local\temp
2013-10-07 03:25 . 2013-10-07 03:25 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\temp
2013-10-07 03:25 . 2013-10-07 03:25 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-10-07 03:03 . 2013-10-07 03:03 -------- d-----w- c:\windows\ERUNT
2013-10-06 05:23 . 2013-10-06 05:25 -------- d-----w- C:\AdwCleaner
2013-10-06 03:20 . 2013-10-06 03:20 -------- d-----w- c:\users\Richard Graven Jr\AppData\Roaming\Malwarebytes
2013-10-06 03:19 . 2013-10-06 03:19 -------- d-----w- c:\programdata\Malwarebytes
2013-10-06 03:19 . 2013-10-06 03:19 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2013-10-06 03:19 . 2013-04-04 18:50 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-10-05 22:56 . 2013-10-05 22:56 0 ----a-w- c:\windows\system32\REN7B6A.tmp
2013-10-05 22:56 . 2013-10-05 22:56 0 ----a-w- c:\windows\system32\REN7B69.tmp
2013-10-05 22:56 . 2013-10-05 22:56 0 ----a-w- c:\windows\system32\REN7B68.tmp
2013-10-05 22:06 . 2013-10-05 22:06 -------- d-----w- c:\users\Richard Graven Jr\AppData\Local\Zemana
2013-10-05 21:58 . 2013-10-05 21:58 -------- d-----w- c:\program files\VS Revo Group
2013-10-05 21:31 . 2013-10-05 21:32 -------- d-----w- c:\program files\CCleaner
2013-09-24 01:38 . 2013-09-24 01:38 17154952 ----a-w- c:\windows\system32\FlashPlayerInstaller.exe
2013-09-10 22:07 . 2013-09-10 22:07 -------- d-----w- c:\users\Richard Graven Jr\AppData\Roaming\vlc
2013-09-10 20:42 . 2013-07-16 04:35 615936 ----a-w- c:\windows\system32\themeui.dll
2013-09-10 20:42 . 2013-08-08 01:45 2049536 ----a-w- c:\windows\system32\win32k.sys
2013-09-10 02:27 . 2013-09-10 02:27 -------- d-----w- c:\users\Richard Graven Jr\AppData\Local\Macromedia
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-08-02 04:09 . 2013-08-28 20:45 1548288 ----a-w- c:\windows\system32\WMVDECOD.DLL
2013-07-17 19:41 . 2013-08-16 00:49 2048 ----a-w- c:\windows\system32\tzres.dll
2013-07-10 09:47 . 2013-08-16 00:49 783360 ----a-w- c:\windows\system32\rpcrt4.dll
2013-07-09 12:10 . 2013-08-16 00:49 1205168 ----a-w- c:\windows\system32\ntdll.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-03-28 1045800]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-02-13 159744]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-12-04 13556256]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-12-04 92704]
"HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-10-09 75008]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-10-03 480560]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"="c:\windows\SMINST\launcher.exe" [2006-11-08 44128]
.
c:\users\Richard Graven Jr\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE /tsr [2009-2-26 97680]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2008-3-25 214360]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Constant Guard.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Constant Guard.lnk
backup=c:\windows\pss\Constant Guard.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^McAfee Security Scan Plus.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk
backup=c:\windows\pss\McAfee Security Scan Plus.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Amazon Cloud Player]
2013-07-22 01:08 3109376 ----a-w- c:\users\Richard Graven Jr\AppData\Local\Amazon Cloud Player\Amazon Music Helper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2012-03-08 22:50 4280184 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
2008-01-19 07:38 1008184 ----a-w- c:\program files\Windows Defender\MSASCui.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ    hpqcxs08 hpqddsvc
HPZ12 REG_MULTI_SZ    Pml Driver HPZ12 Net Driver HPZ12
LocalServiceAndNoImpersonation REG_MULTI_SZ    FontCache
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2007-10-18 20:25 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-10-07 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-17 19:02]

 

 

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2013.10.05.07

Windows Vista Service Pack 2 x86 NTFS (Safe Mode/Networking)
Internet Explorer 9.0.8112.16421
Richard Graven Jr :: RICHARDGRAVE-PC [administrator]

10/5/2013 11:20:38 PM
MBAM-log-2013-10-06 (01-00-59).txt

Scan type: Full scan (C:\|D:\|E:\|G:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 383078
Time elapsed: 1 hour(s), 34 minute(s), 38 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 7
HKCR\CLSID\{1AA60054-57D9-4F99-9A55-D0FBFBE7ECD3} (PUP.Optional.BrowseFox.A) -> No action taken.
HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256A51-B582-467e-B8D4-7786EDA79AE0} (Trojan.Vundo) -> No action taken.
HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256A51-B582-467e-B8D4-7786EDA79AE0} (Trojan.Vundo) -> No action taken.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (PUP.Optional.FunWebProducts.A) -> No action taken.
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (PUP.Optional.FunWebProducts.A) -> No action taken.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (PUP.Optional.FunWebProducts.A) -> No action taken.
HKCU\SOFTWARE\INSTALLCORE (PUP.Optional.InstallCore.A) -> No action taken.

Registry Values Detected: 1
HKCU\Software\InstallCore|tb (PUP.Optional.InstallCore.A) -> Data: tCzv1T1R0V1L1KtF0Yzs -> No action taken.

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 8
C:\ProgramData\Tarma Installer (PUP.Optional.Tarma.A) -> No action taken.
C:\ProgramData\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B} (PUP.Optional.Tarma.A) -> No action taken.
C:\ProgramData\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\Cache (PUP.Optional.Tarma.A) -> No action taken.
C:\ProgramData\Tarma Installer\{C049526F-B3EB-4151-9B11-B11F00F53A96} (PUP.Optional.Tarma.A) -> No action taken.
C:\ProgramData\Tarma Installer\{C049526F-B3EB-4151-9B11-B11F00F53A96}\Cache (PUP.Optional.Tarma.A) -> No action taken.
C:\Program Files\FunWebProducts\Installr (PUP.Optional.FunWebProducts.A) -> No action taken.
C:\Program Files\FunWebProducts\Installr\2.bin (PUP.Optional.FunWebProducts.A) -> No action taken.
C:\Program Files\FunWebProducts\Installr\2.bin\chrome (PUP.Optional.FunWebProducts.A) -> No action taken.

Files Detected: 12
C:\Program Files\KeyBar_1.8\KeyBar_1.8ToolbarHelper.exe (PUP.Optional.Conduit.A) -> No action taken.
C:\ProgramData\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\Setup.exe (PUP.Optional.Tarma.A) -> No action taken.
C:\Users\Richard Graven Jr\AppData\Local\Conduit\CT3311667\KeyBar_1.8AutoUpdateHelper.exe (PUP.Optional.Conduit.A) -> No action taken.
C:\Users\Richard Graven Jr\AppData\Local\Temp\nsb6B44.exe (PUP.Optional.Conduit.A) -> No action taken.
C:\Users\Richard Graven Jr\Favorites\Online Security Test.url (Rogue.Link) -> No action taken.
C:\ProgramData\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\Setup.dat (PUP.Optional.Tarma.A) -> No action taken.
C:\ProgramData\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\Setup.ico (PUP.Optional.Tarma.A) -> No action taken.
C:\ProgramData\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\_Setup.dll (PUP.Optional.Tarma.A) -> No action taken.
C:\ProgramData\Tarma Installer\{C049526F-B3EB-4151-9B11-B11F00F53A96}\Setup.dat (PUP.Optional.Tarma.A) -> No action taken.
C:\ProgramData\Tarma Installer\{C049526F-B3EB-4151-9B11-B11F00F53A96}\Setup.exe (PUP.Optional.Tarma.A) -> No action taken.
C:\ProgramData\Tarma Installer\{C049526F-B3EB-4151-9B11-B11F00F53A96}\Setup.ico (PUP.Optional.Tarma.A) -> No action taken.
C:\ProgramData\Tarma Installer\{C049526F-B3EB-4151-9B11-B11F00F53A96}\_Setup.dll (PUP.Optional.Tarma.A) -> No action taken.

(end)
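The Malwarebytes log above records each detection together with the action MBAM took on it. As an added example, not code from this thread or from Malwarebytes, here is a Python parser for that MBAM 1.x log layout that lists detections still marked "No action taken" and checks each section's printed count against the item lines actually present; the sample log it runs on is constructed in the same layout as the one in the post.

```python
"""Parse a Malwarebytes Anti-Malware 1.x log in the layout posted in this thread.
Assumption (mine, not Malwarebytes'): each "<Section> Detected: <n>" header is
followed by "(No malicious items detected)" or by one line per item of the form
    <item> (<signature>) -> [Data: <value> ->] <action>.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

HEADER_RE = re.compile(r"^(?P<section>[A-Za-z ]+) Detected: (?P<count>\d+)$")
# Greedy item match: the LAST parenthesised group is the signature, so a path
# like "C:\Program Files (x86)\..." stays intact.
ITEM_RE = re.compile(r"^(?P<item>.+) \((?P<signature>[^()]+)\)$")


@dataclass(frozen=True)
class Detection:
    section: str
    item: str
    signature: str
    action: str

    @property
    def resolved(self) -> bool:
        # MBAM 1.x writes "No action taken." for every item when the results
        # window was closed without clicking Remove Selected.
        return not self.action.startswith("No action taken")


def parse_mbam_log(text: str) -> tuple[list[Detection], dict[str, int]]:
    """Return (detections, declared); declared maps each section header to the
    count MBAM printed, so an incomplete paste can be spotted afterwards."""
    detections: list[Detection] = []
    declared: dict[str, int] = {}
    section: str | None = None
    for raw in text.splitlines():
        line = raw.strip()
        header = HEADER_RE.match(line)
        if header:
            section = header.group("section")
            declared[section] = int(header.group("count"))
            continue
        # Skip the preamble, blank lines, "(No malicious items detected)", "(end)".
        if section is None or not line or line.startswith("(") or " -> " not in line:
            continue
        head, *rest = line.split(" -> ")
        item = ITEM_RE.match(head)
        if item is None:
            continue
        # The last arrow segment is the action; a "Data: ..." segment sits before it.
        action = rest[-1].rstrip(".")
        detections.append(Detection(section, item["item"], item["signature"], action))
    return detections, declared


def unresolved(detections: list[Detection]) -> list[Detection]:
    """Detections the scan reported but did not remove."""
    return [d for d in detections if not d.resolved]


def count_mismatches(detections: list[Detection], declared: dict[str, int]) -> dict[str, tuple[int, int]]:
    """Sections whose printed count differs from the item lines present, which is
    what an incomplete copy-and-paste of the log looks like."""
    seen = Counter(d.section for d in detections)
    return {s: (n, seen[s]) for s, n in declared.items() if seen[s] != n}


def family_summary(detections: list[Detection]) -> Counter[str]:
    """Detections per signature family, dropping MBAM's trailing variant letter
    (PUP.Optional.Tarma.A -> PUP.Optional.Tarma)."""
    return Counter(re.sub(r"\.[A-Z]$", "", d.signature) for d in detections)


# Constructed sample in the same layout as the log in the post; the
# "Folders Detected: 2" header deliberately has only one item under it.
SAMPLE_LOG = r"""Malwarebytes Anti-Malware 1.75.0.1300
Database version: v2013.10.05.07
Scan type: Full scan (C:\|D:\|)

Memory Processes Detected: 0
(No malicious items detected)

Registry Keys Detected: 3
HKCR\CLSID\{1AA60054-57D9-4F99-9A55-D0FBFBE7ECD3} (PUP.Optional.BrowseFox.A) -> No action taken.
HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256A51-B582-467e-B8D4-7786EDA79AE0} (Trojan.Vundo) -> No action taken.
HKCU\SOFTWARE\INSTALLCORE (PUP.Optional.InstallCore.A) -> Quarantined and deleted successfully.

Registry Values Detected: 1
HKCU\Software\InstallCore|tb (PUP.Optional.InstallCore.A) -> Data: tCzv1T1R0V1L1KtF0Yzs -> No action taken.
Folders Detected: 2
C:\ProgramData\Tarma Installer (PUP.Optional.Tarma.A) -> No action taken.
Files Detected: 1
C:\Users\Example\Favorites\Online Security Test.url (Rogue.Link) -> Quarantined and deleted successfully.
(end)
"""
```

Running `parse_mbam_log(SAMPLE_LOG)` and then `unresolved`, `count_mismatches` and `family_summary` on the result gives the four items that were never removed, a warning for the truncated Folders section and a per-family count.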



#4 jntkwx


  • Malware Response Team
  • 4,339 posts
  • Gender:Male
  • Location:New England, U.S.A.

Posted 12 October 2013 - 04:18 PM

sh4rkbyt3,

Rerun Malwarebytes

  • Open Malwarebytes and click on the Update tab. Click the Check for Updates button. If an update is found, the program will automatically update itself. Press the OK button and continue.
  • If you cannot update Malwarebytes or use the Internet to download any files to the infected computer, manually update the database by following the instructions in FAQ Section A: 4. Issues.
  • Under the Scanner tab, make sure the "Perform Quick Scan" option is selected.
  • Click on the Scan button.
  • When the scan is complete, click OK, then click the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked and then click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows the database version and your operating system.
  • Exit Malwarebytes when done.

Note: If Malwarebytes encounters a file that is difficult to remove, you will be asked to reboot your computer so it can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally will prevent Malwarebytes from removing all the malware.


Regards,
Jason

 



#5 sh4rkbyt3

  • Topic Starter

  • Members
  • 419 posts
  • Gender:Male

Posted 13 October 2013 - 12:20 AM

Jason,

Here are the latest MBAM scan results after the update you requested (which installed successfully).

 

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2013.10.13.01

Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 9.0.8112.16421
Richard Graven Jr :: RICHARDGRAVE-PC [administrator]

10/13/2013 12:24:03 AM
mbam-log-2013-10-13 (00-24-03).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 210586
Time elapsed: 21 minute(s), 52 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)



#6 jntkwx


  • Malware Response Team
  • 4,339 posts
  • Gender:Male
  • Location:New England, U.S.A.

Posted 13 October 2013 - 10:06 AM

sh4rkbyt3,

How is the computer running now? Is it still slow to start up?

Regards,
Jason

 



#7 sh4rkbyt3

  • Topic Starter

  • Members
  • 419 posts
  • Gender:Male

Posted 13 October 2013 - 07:22 PM

Yes, there is an extremely long pause with a black screen after the password start-up screen and then the actual desktop; it's easily about 2 minutes or a little longer.


Edited by sh4rkbyt3, 13 October 2013 - 08:54 PM.


#8 jntkwx


  • Malware Response Team
  • 4,339 posts
  • Gender:Male
  • Location:New England, U.S.A.

Posted 14 October 2013 - 10:24 AM

You could be correct. How long have you noticed it being this slow?

 

I'd like us to scan your machine with ESET OnlineScan

  • Hold down Control and click on this link to open ESET OnlineScan in a new window.
  • Click the ESET Online Scanner button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the esetsmartinstaller_enu.exe icon on your desktop.
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives" and "Remove found threats"
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats
  • Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.

Regards,
Jason

 



#9 sh4rkbyt3

  • Topic Starter
  • Members
  • 419 posts
  • Gender:Male

Posted 14 October 2013 - 04:27 PM

OK, I've used ESET before and accepted the .CAB file install, but the second notice (Microsoft UAC) wants to add the Internet Explorer Add-on Installer {BDB57FF2-79B9-4205-9447-F5Fe85F37312}? I checked it out and saw it was in regard to Adobe Flash Player not working or needing to be installed?

OK, update: I went to adobe.com and tried to install Flash Player, but it will not install; it's stuck on page 2 of 3 and will not go any further. It starts initializing and then the bar simply disappears and the page stays there doing nothing. I even tried shutting down Avast temporarily, thinking it perhaps was blocking the download, but it's not.


Edited by sh4rkbyt3, 14 October 2013 - 04:40 PM.


#10 jntkwx

  • Malware Response Team
  • 4,339 posts
  • Gender:Male
  • Location:New England, U.S.A.

Posted 14 October 2013 - 05:24 PM

Sounds good :thumbup2: (it's also good to have the latest version of Flash; some malware uses vulnerabilities in older Flash versions.)


Edited by jntkwx, 14 October 2013 - 05:24 PM.

Regards,
Jason

 



#11 sh4rkbyt3

  • Topic Starter
  • Members
  • 419 posts
  • Gender:Male

Posted 14 October 2013 - 07:23 PM

Um, not to sound ungrateful, but I couldn't run ESET and I'm unable to load the newest version of Flash Player?



#12 jntkwx

  • Malware Response Team
  • 4,339 posts
  • Gender:Male
  • Location:New England, U.S.A.

Posted 14 October 2013 - 07:42 PM

That's odd. Did you get any error messages, or did it just not load?


Let's double check you have the latest Flash version.

 

You can do that here: http://get.adobe.com/flashplayer/otherversions/


Regards,
Jason

 



#13 sh4rkbyt3

  • Topic Starter
  • Members
  • 419 posts
  • Gender:Male

Posted 15 October 2013 - 09:26 PM

No, it just wouldn't load. I accepted the download and tried to run it, but it's being blocked somehow?



#14 jntkwx

  • Malware Response Team
  • 4,339 posts
  • Gender:Male
  • Location:New England, U.S.A.

Posted 15 October 2013 - 09:30 PM

Let's try another online scanner.

Please run the F-Secure Online Scanner:

  • Follow the instructions here for installation.
  • Accept the License Agreement.
  • Once the ActiveX installs, click Full System Scan.
  • Once the download completes, the scan will begin automatically.
  • The scan will take some time to finish, so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and copy & paste the entire report in your next reply.


Regards,
Jason

 



#15 sh4rkbyt3

  • Topic Starter
  • Members
  • 419 posts
  • Gender:Male

Posted 16 October 2013 - 11:11 PM

I performed the online scan, but there were no instructions and no reference to Show Report either. The first scan showed a hidden rootkit but was then followed up by Avast performing a boot scan before I could stop it.

A follow-up scan with F-Secure resulted in nothing found, but I'm still having the delayed startup issue.





