Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Dosearches.com Override


  • This topic is locked This topic is locked
16 replies to this topic

#1 nesska

nesska

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:03:44 AM

Posted 16 October 2013 - 02:08 AM

Hello, I am having an issue with a website. Normally, I look up the issue and follow the steps to fix this issue, however, I have been on countless sites and none of them have fixed the issue.

 

I went on to the web today and found that all three of my search engines, Chrome, IE and Firefox all start up a website: dosearches.com. I do not have any toolbars, there are no extensions, add-ons or plug-ins. I have reset the default web pages (i.e. yahoo.com/google.com/msn.com) and when going into the internet options after exiting the internet application, they still show as defaults but this website dosearches is overriding it. I've used Norton, malwarebytes and something called Cloud System Booster. I've tried to erase the registry keys and have even went into System32\etc\host and tried to block the site but it still shows up. The last thing I've downloaded was a .rar extractor called IZArc which I have uninstalled. I do not have Snap.do (which is what many websites state to uninstall).

 

I've also have reset Firefox under Help > Troubleshooting and it still shows up.

 

Thank you for your time!

 



BC AdBot (Login to Remove)

 


#2 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:44 AM

Posted 16 October 2013 - 03:04 AM

Hi there,
my name is Marius and I will assist you with your malware related problems.

Before we move on, please read the following points carefully.

  • First, read my instructions completely. If there is anything that you do not understand kindly ask before proceeding.
  • Perform everything in the correct order. Sometimes one step requires the previous one.
  • If you have any problems while following my instructions, Stop there and tell me the exact nature of your problem.
  • Do not run any other scans without instruction or add/remove software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
  • Post all logfiles as a reply rather than as an attachment unless I specifically ask you. If you can not post all logfiles in one reply, feel free to use more posts.
  • If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
  • Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
  • My first language is not english. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.

 

 

 

Scan with DDS

Download DDS and save it to your desktop from here or here or
here.

Disable any script blocker, and then double click dds.scr to run the tool.

When done, DDS will open two (2) logs

DDS.txt: save to your desktop then post its contents in your topic
Attach.txt: save to your desktop then attach it to your next reply

 

 

 

Scan with Gmer rootkit scanner

Please download Gmer from here by clicking on the "Download EXE" Button.

  • Double click on the randomly named GMER.exe. If asked to allow gmer.sys driver to load, please consent.
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.
  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Show All ( should be unchecked by default )
  • Leave everything else as it is.
  • Close all other running programs as well as your Browser.
  • Click the Scan button & wait for it to finish.
  • Once done click on the Save.. button, and in the File name area, type in "ark.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop.
  • Please post the content of the ark.txt here.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries


Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here --> btn_donate_SM.gif <--(no worries, every little bit helps)

#3 nesska

nesska
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:03:44 AM

Posted 16 October 2013 - 04:49 PM

Marius,
Thank you so much for your quick response. I really appreciate your help. I have the files you requested and followed the instructions you've listed.
 
I did however, run into an issue with the Gmer program. I closed down all applications and browsers as instructed as well as closed all browsers but I received the following message for the following two files:
 
The process cannot access the file because it is being used by another process
C:\Windows\system32\config\system
C:\Users\nesska\ntuser.dat

============================================================

 

 

DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 10.0.9200.16537  BrowserJavaVersion: 10.5.0
Run by nesska at 14:11:44 on 2013-10-16
Microsoft Windows 8  6.2.9200.0.1252.1.1033.18.3975.1338 [GMT -7:00]
.
AV: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AV: Norton 360 *Enabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Norton 360 *Enabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
FW: Norton 360 *Enabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
.
============== Running Processes ===============
.
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Windows\system32\dwm.exe
C:\Program Files (x86)\Bluetooth Suite\adminservice.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Intel\iCLS Client\HeciServer.exe
C:\Windows\system32\dashost.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe
C:\Windows\system32\lxdkcoms.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files (x86)\Norton 360\Engine\20.4.0.40\ccSvcHst.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files (x86)\Sony\VAIO Control Center\VESMgr.exe
C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe
C:\Program Files (x86)\Sony\VAIO Control Center\VESMgrSub.exe
C:\Program Files (x86)\Sony\VAIO Control Center\VESMgrSub.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\SysWOW64\DllHost.exe
C:\Program Files\Sony\VAIO Care\ESRV\esrv_svc.exe
C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe
C:\Program Files (x86)\Google\Update\1.3.21.165\GoogleCrashHandler.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\FWService\IntelMeFWService.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
C:\Program Files (x86)\Google\Update\1.3.21.165\GoogleCrashHandler64.exe
C:\Program Files\Sony\VAIO Care\VCPerfService.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\system32\taskhostex.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Sony\VAIO Gate\VAIO Gate.exe
C:\Windows\Explorer.EXE
C:\Program Files (x86)\Norton 360\Engine\20.4.0.40\ccSvcHst.exe
C:\Program Files (x86)\Sony\VAIO Control Center\NetworkSetting\NetworkClient.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files (x86)\Lexmark 5300 Series\lxdkmon.exe
C:\Program Files (x86)\Lexmark 5300 Series\lxdkamon.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE
C:\Program Files (x86)\Sony\ISB Utility\ISBMgr.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\CyberLink\Power2Go8\CLMLSvc_P2G8.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Bluetooth Suite\BtTray.exe
C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe
C:\Program Files\Sony\VAIO Update\VAIOUpdt.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Sony\VAIO Improvement\vim.exe
C:\Program Files\Sony\VAIO Update\VUAgent.exe
C:\Program Files\Sony\VAIO Care\ESRV\esrv.exe
C:\Program Files\Sony\VAIO Improvement\vim.exe
C:\Program Files\Sony\VAIO Care\VCSystemTray.exe
C:\Program Files\Sony\VAIO Care\VCService.exe
C:\Program Files\Sony\VAIO Care\VCAgent.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
C:\Windows\splwow64.exe
C:\Program Files (x86)\Anvisoft\Cloud System Booster\CSBSvc.exe
C:\Program Files (x86)\Anvisoft\Cloud System Booster\CloudSystemBooster.exe
C:\Program Files (x86)\Common Files\Sony Shared\VAIO Content Folder Watcher\VCFw.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\SPF\SpfService64.exe
C:\Windows\system32\notepad.exe
C:\Windows\system32\calc.exe
c:\Program Files (x86)\Adobe\Reader 10.0\Reader\AcroRd32.exe
c:\Program Files (x86)\Adobe\Reader 10.0\Reader\AcroRd32.exe
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
C:\Windows\system32\taskhost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\System32\Macromed\Flash\FlashUtil_ActiveX.exe
C:\Program Files\Sony\VAIO Care\VCSystemTray.exe
C:\Windows\System32\SettingSyncHost.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Sony\VAIO Improvement\viuploader.exe
C:\Windows\System32\wsqmcons.exe
C:\Program Files\Sony\VAIO Care\listener.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_9_900_117.exe
C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_9_900_117.exe
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Windows\System32\svchost.exe -k swprv
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://sony13.msn.com
uSearch Bar = Preserve
uDefault_Page_URL = hxxp://sony13.msn.com
mStart Page = hxxp://www.google.com
mDefault_Page_URL = hxxp://www.google.com
mWinlogon: Userinit = userinit.exe,
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Norton Identity Protection: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files (x86)\Norton 360\Engine\20.4.0.40\coieplg.dll
BHO: Norton Vulnerability Protection: {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files (x86)\Norton 360\Engine\20.4.0.40\ips\ipsbho.dll
BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
TB: Norton Toolbar: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton 360\Engine\20.4.0.40\coieplg.dll
TB: QuickShare Widget: {ae07101b-46d4-4a98-af68-0333ea26e113} -
uRun: [Speech Recognition] "C:\Windows\Speech\Common\sapisvr.exe" -SpeechUX -Startup
uRun: [Google Update] "C:\Users\nesska\AppData\Local\Google\Update\GoogleUpdate.exe" /c
uRun: [GoogleChromeAutoLaunch_4CC5797CDBEF30D7510BD1BE4B97B158] "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --no-startup-window
uRun: [CloudSystemBooster] C:\Program Files (x86)\Anvisoft\Cloud System Booster\CloudSystemBooster.exe hide=true
mRun: [ISBMgr.exe] "C:\Program Files (x86)\Sony\ISB Utility\ISBMgr.exe"
mRun: [Adobe Reader Speed Launcher] "c:\Program Files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [BCSSync] "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" /DelayServices
mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
StartupFolder: C:\Users\nesska\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\ONENOT~1.LNK - C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE
mPolicies-Explorer: NoDriveTypeAutoRun = dword:181
mPolicies-System: DisableCAD = dword:1
mPolicies-System: SynchronousUserGroupPolicy = dword:0
mPolicies-System: SynchronousMachineGroupPolicy = dword:0
mPolicies-Windows\System: AllowBlockingAppsAtShutdown = dword:1
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
TCP: NameServer = 209.18.47.61 209.18.47.62
TCP: Interfaces\{48971EA9-4629-43DC-8EA7-DA55A54483E2} : DHCPNameServer = 209.18.47.61 209.18.47.62
TCP: Interfaces\{48971EA9-4629-43DC-8EA7-DA55A54483E2}\0484F6D65644548303 : DHCPNameServer = 192.168.0.1 0.0.0.0 0.0.0.0
TCP: Interfaces\{48971EA9-4629-43DC-8EA7-DA55A54483E2}\451697C6F6270247279607C65647472E08993702758494455402940584F4E454 : DHCPNameServer = 198.224.168.135 198.224.171.135
TCP: Interfaces\{48971EA9-4629-43DC-8EA7-DA55A54483E2}\4556E64616 : DHCPNameServer = 192.168.15.1
TCP: Interfaces\{9F29E656-1C6D-48D1-92EC-16E0012AB314} : DHCPNameServer = 62.24.0.88
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
SSODL: WebCheck - <orphaned>
SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "C:\Program Files (x86)\Google\Chrome\Application\30.0.1599.69\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
x64-mStart Page = hxxp://www.dosearches.com/?utm_source=b&utm_medium=smt&utm_campaign=eXQ&utm_content=hp&from=smt&uid=HitachiXHTS545050A7E380_121002TA95113VKWZ68SX&ts=1381298802
x64-mDefault_Page_URL = hxxp://www.dosearches.com/?utm_source=b&utm_medium=smt&utm_campaign=eXQ&utm_content=hp&from=smt&uid=HitachiXHTS545050A7E380_121002TA95113VKWZ68SX&ts=1381298802
x64-BHO: <No Name>: {31ad400d-1b06-4e33-a59a-90c2c140cba0} - LocalServer32 - <no file>
x64-BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL
x64-BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll
x64-BHO: CIESpeechBHO Class: {8D10F6C4-0E01-4BD4-8601-11AC1FDF8126} - C:\Program Files (x86)\Bluetooth Suite\IEPlugIn.dll
x64-BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL
x64-BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll
x64-TB: QuickShare Widget: {ae07101b-46d4-4a98-af68-0333ea26e113} -
x64-Run: [RtHDVBg] C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe /SONYAPO
x64-Run: [BtPreLoad] "C:\Program Files (x86)\Bluetooth Suite\BtPreLoad.exe"
x64-Run: [IgfxTray] C:\Windows\System32\igfxtray.exe
x64-Run: [HotKeysCmds] C:\Windows\System32\hkcmd.exe
x64-Run: [Persistence] C:\Windows\System32\igfxpers.exe
x64-Run: [lxdkmon.exe] "C:\Program Files (x86)\Lexmark 5300 Series\lxdkmon.exe"
x64-Run: [lxdkamon] "C:\Program Files (x86)\Lexmark 5300 Series\lxdkamon.exe"
x64-mPolicies-Explorer: NoDriveTypeAutoRun = dword:181
x64-mPolicies-System: DisableCAD = dword:1
x64-mPolicies-System: SynchronousUserGroupPolicy = dword:0
x64-mPolicies-System: SynchronousMachineGroupPolicy = dword:0
x64-IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
x64-IE: {7815BE26-237D-41A8-A98F-F7BD75F71086} - {8D10F6C4-0E01-4BD4-8601-11AC1FDF8126} - C:\Program Files (x86)\Bluetooth Suite\IEPlugIn.dll
x64-IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
x64-Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
x64-Notify: igfxcui - igfxdev.dll
x64-SSODL: WebCheck - <orphaned>
x64-SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\nesska\AppData\Roaming\Mozilla\Firefox\Profiles\0wnqynfw.default-1381874282210\
FF - plugin: C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL
FF - plugin: C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL
FF - plugin: C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.165\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIIPT.dll
FF - plugin: C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIUpdater.dll
FF - plugin: C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\3.0.40818.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\Sony\ReaderDesktop\npreaderdetectmoz.dll
FF - plugin: C:\Users\nesska\AppData\Local\Google\Update\1.3.21.165\npGoogleUpdate3.dll
FF - plugin: C:\Users\nesska\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll
FF - plugin: C:\Users\nesska\AppData\Roaming\Mozilla\plugins\npgtpo3dautoplugin.dll
FF - plugin: C:\Users\nesska\AppData\Roaming\Mozilla\plugins\npo1d.dll
FF - plugin: C:\Windows\SysWOW64\Adobe\Director\np32dsw_1202122.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_9_900_117.dll
FF - plugin: C:\Windows\SysWOW64\npDeployJava1.dll
FF - plugin: C:\Windows\SysWOW64\npmproxy.dll
FF - ExtSQL: 2013-10-15 11:58; {BBDA0591-3099-440a-AA10-41764D9DB4DB}; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.2.0.19\IPSFF
FF - ExtSQL: 2013-10-15 14:45; {2D3F3651-74B9-4795-BDEC-6DA2F431CB62}; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.2.0.19\coFFPlgn
.
============= SERVICES / DRIVERS ===============
.
R0 iaStorA;iaStorA;C:\Windows\System32\Drivers\iaStorA.sys [2012-11-3 645952]
R0 SymDS;Symantec Data Store;C:\Windows\System32\Drivers\N360x64\1404000.028\symds64.sys [2013-6-12 493656]
R0 SymEFA;Symantec Extended File Attributes;C:\Windows\System32\Drivers\N360x64\1404000.028\symefa64.sys [2013-6-12 1139800]
R1 BHDrvx64;BHDrvx64;C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.2.0.19\Definitions\BASHDefs\20131002.001\BHDrvx64.sys [2013-10-1 1525848]
R1 ccSet_N360;Norton 360 Settings Manager;C:\Windows\System32\Drivers\N360x64\1404000.028\ccsetx64.sys [2013-6-12 169048]
R1 CLVirtualDrive;CLVirtualDrive;C:\Windows\System32\Drivers\CLVirtualDrive.sys [2012-11-3 92536]
R1 IDSVia64;IDSVia64;C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.2.0.19\Definitions\IPSDefs\20131014.001\IDSviA64.sys [2013-10-15 520280]
R1 SymIRON;Symantec Iron Driver;C:\Windows\System32\Drivers\N360x64\1404000.028\ironx64.sys [2013-6-12 224416]
R1 SymNetS;Symantec Network Security WFP Driver;C:\Windows\System32\Drivers\N360x64\1404000.028\symnets.sys [2013-6-12 433752]
R2 AnviCsbSvc;Anvi Cloud System Booster Speed Service;C:\Program Files (x86)\Anvisoft\Cloud System Booster\CSBSvc.exe [2012-12-14 318312]
R2 AtherosSvc;AtherosSvc;C:\Program Files (x86)\Bluetooth Suite\AdminService.exe [2012-8-13 211584]
R2 ESRV_SVC;Energy Server Service;C:\Program Files\Sony\VAIO Care\ESRV\esrv_svc.exe [2013-5-29 377768]
R2 IconMan_R;IconMan_R;C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe [2012-11-3 2445968]
R2 Intel® Capability Licensing Service Interface;Intel® Capability Licensing Service Interface;C:\Program Files\Intel\iCLS Client\HeciServer.exe [2012-4-20 635104]
R2 Intel® ME Service;Intel® ME Service;C:\Program Files (x86)\Intel\Intel® Management Engine Components\FWService\IntelMeFWService.exe [2012-11-3 128896]
R2 jhi_service;Intel® Dynamic Application Loader Host Interface Service;C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\Jhi_service.exe [2012-11-3 165760]
R2 lxdk_device;lxdk_device;C:\Windows\System32\lxdkcoms.exe -service --> C:\Windows\System32\lxdkcoms.exe -service [?]
R2 MBAMScheduler;MBAMScheduler;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [2013-8-26 418376]
R2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2013-8-26 701512]
R2 N360;Norton 360;C:\Program Files (x86)\Norton 360\Engine\20.4.0.40\ccsvchst.exe [2013-6-12 144368]
R2 SampleCollector;Intel® System Behavior Tracker Collector Service;C:\Program Files\Sony\VAIO Care\VCPerfService.exe [2013-5-29 266168]
R2 UNS;Intel® Management and Security Application User Notification Service;C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2012-11-3 364416]
R2 ZAtheros Bt&Wlan Coex Agent;ZAtheros Bt&Wlan Coex Agent;C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe [2012-8-13 323584]
R3 AthBTPort;Qualcomm Atheros Virtual Bluetooth Class;C:\Windows\System32\Drivers\btath_flt.sys [2012-11-3 88728]
R3 BTATH_A2DP;Bluetooth A2DP Audio Driver;C:\Windows\System32\Drivers\btath_a2dp.sys [2012-11-3 344216]
R3 btath_avdt;Qualcomm Atheros Bluetooth AVDT Service;C:\Windows\System32\Drivers\btath_avdt.sys [2012-11-3 114840]
R3 BTATH_BUS;Qualcomm Atheros Bluetooth Bus;C:\Windows\System32\Drivers\btath_bus.sys [2012-11-3 33944]
R3 BTATH_HCRP;Bluetooth HCRP Server driver;C:\Windows\System32\Drivers\btath_hcrp.sys [2012-11-3 178840]
R3 BTATH_LWFLT;Bluetooth LWFLT Device;C:\Windows\System32\Drivers\btath_lwflt.sys [2012-11-3 76952]
R3 BTATH_RCP;Bluetooth AVRCP Device;C:\Windows\System32\Drivers\btath_rcp.sys [2012-11-3 135832]
R3 BTATH_VDP;Bluetooth VDP Driver;C:\Windows\System32\Drivers\btath_vdp.sys [2012-11-3 427416]
R3 BtFilter;BtFilter;C:\Windows\System32\Drivers\btfilter.sys [2012-11-3 567808]
R3 BthLEEnum;Bluetooth Low Energy Driver;C:\Windows\System32\Drivers\BthLEEnum.sys [2012-7-25 202752]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2013-9-16 140376]
R3 IntcDAud;Intel® Display Audio;C:\Windows\System32\Drivers\IntcDAud.sys [2012-8-22 342528]
R3 MBAMProtector;MBAMProtector;C:\Windows\System32\Drivers\mbam.sys [2013-8-26 25928]
R3 RSPCIESTOR;Realtek PCIE CardReader Driver;C:\Windows\System32\Drivers\RtsPStor.sys [2012-11-3 339600]
R3 RTL8168;Realtek 8168 NT Driver;C:\Windows\System32\Drivers\Rt630x64.sys [2012-7-31 683664]
R3 semav6thermal64ro;semav6thermal64ro;C:\Windows\System32\Drivers\semav6thermal64ro.sys [2013-9-25 13792]
R3 SFEP;Sony Firmware Extension Parser;C:\Windows\System32\Drivers\SFEP.sys [2012-7-16 14336]
R3 SmbDrvI;SmbDrvI;C:\Windows\System32\Drivers\Smb_driver_Intel.sys [2012-8-21 43832]
R3 SOWS;Sony Wireless State Device;C:\Windows\System32\Drivers\sows.sys [2012-7-5 24280]
R3 SpfService;VAIO Entertainment Common Service;C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\SPF\SpfService64.exe [2011-12-1 289952]
R3 VCFw;VAIO Content Folder Watcher;C:\Program Files (x86)\Common Files\Sony Shared\VAIO Content Folder Watcher\VCFw.exe [2012-8-8 972000]
R3 VCService;VCService;C:\Program Files\Sony\VAIO Care\VCService.exe [2013-8-9 57944]
R3 VUAgent;VUAgent;C:\Program Files\Sony\VAIO Update\VUAgent.exe [2012-11-3 1266336]
S0 klelam;klelam;C:\Windows\System32\Drivers\klelam.sys [2012-7-27 29616]
S0 SymELAM;Symantec ELAM Driver;C:\Windows\System32\Drivers\N360x64\1404000.028\symelam.sys [2013-6-12 23448]
S2 lxdkCATSCustConnectService;lxdkCATSCustConnectService;C:\Windows\System32\spool\drivers\x64\3\lxdkserv.exe [2007-6-14 33712]
S3 dg_ssudbus;SAMSUNG Mobile USB Composite Device Driver (DEVGURU Ver.);C:\Windows\System32\Drivers\ssudbus.sys [2013-6-4 103448]
S3 e1yexpress;Intel® Gigabit Network Connections Driver;C:\Windows\System32\Drivers\e1y60x64.sys [2012-6-2 283136]
S3 NetworkSupport;NetworkSupport;C:\Program Files (x86)\Sony\VAIO Control Center\NetworkSetting\NetworkSupport.exe [2012-11-3 623784]
S3 SOHCImp;VAIO Content Importer;C:\Program Files (x86)\Common Files\Sony Shared\SOHLib\SOHCImp.exe [2012-8-8 123616]
S3 SOHDms;VAIO Digital Media Server;C:\Program Files (x86)\Common Files\Sony Shared\SOHLib\SOHDms.exe [2012-8-8 460512]
S3 SOHDs;VAIO Device Searcher;C:\Program Files (x86)\Common Files\Sony Shared\SOHLib\SOHDs.exe [2012-8-8 78048]
S3 ssudmdm;SAMSUNG  Mobile USB Modem Drivers (DEVGURU Ver.);C:\Windows\System32\Drivers\ssudmdm.sys [2013-6-4 203672]
S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\System32\Drivers\usbaapl64.sys [2012-12-13 54784]
S3 USER_ESRV_SVC;User Energy Server Service;C:\Program Files\Sony\VAIO Care\ESRV\esrv_svc.exe [2013-5-29 377768]
S3 VAIO Power Management;VAIO Power Management;C:\Program Files\Sony\VAIO Power Management\SPMService.exe [2012-11-3 476328]
S3 WUDFWpdMtp;WUDFWpdMtp;C:\Windows\System32\Drivers\WUDFRd.sys [2012-7-25 198656]
.
=============== File Associations ===============
.
FileExt: .txt: txtfile=C:\Windows\System32\NOTEPAD.EXE %1 [UserChoice]
.
=============== Created Last 30 ================
.
2013-10-15 22:15:47 -------- d-----w- C:\Program Files (x86)\Anvisoft
2013-10-15 18:54:08 -------- d-----w- C:\Users\nesska\AppData\Local\Bundled software uninstaller
2013-10-15 18:49:50 -------- d-----w- C:\ProgramData\eSafe
2013-10-13 22:11:32 278704 ----a-w- C:\ProgramData\Microsoft\Windows\Sqm\Manifest\Sqm10220.bin
2013-10-13 21:36:07 10116608 ----a-w- C:\Windows\System32\twinui.dll
2013-10-13 21:36:05 8858112 ----a-w- C:\Windows\SysWow64\twinui.dll
2013-10-13 21:36:04 1125888 ----a-w- C:\Windows\System32\msctf.dll
2013-10-13 21:36:03 893952 ----a-w- C:\Windows\SysWow64\msctf.dll
2013-10-13 21:34:38 652288 ----a-w- C:\Windows\System32\comctl32.dll
2013-10-13 21:34:38 541696 ----a-w- C:\Windows\SysWow64\comctl32.dll
2013-10-13 21:29:47 4040192 ----a-w- C:\Windows\System32\win32k.sys
2013-10-13 21:29:43 79192 ----a-w- C:\Windows\System32\drivers\usbehci.sys
2013-10-13 21:29:43 623448 ----a-w- C:\Windows\System32\drivers\usbhub.sys
2013-10-13 21:29:43 498008 ----a-w- C:\Windows\System32\drivers\usbport.sys
2013-10-13 21:29:43 21848 ----a-w- C:\Windows\System32\drivers\usbd.sys
2013-10-13 21:29:42 32256 ----a-w- C:\Windows\System32\drivers\usbuhci.sys
2013-10-13 21:29:42 120832 ----a-w- C:\Windows\System32\drivers\usbccgp.sys
2013-10-13 21:29:39 447320 ----a-w- C:\Windows\System32\drivers\USBHUB3.SYS
2013-10-13 21:29:39 337752 ----a-w- C:\Windows\System32\drivers\USBXHCI.SYS
2013-10-13 21:29:39 213336 ----a-w- C:\Windows\System32\drivers\UCX01000.SYS
2013-10-13 21:29:38 124112 ----a-w- C:\Windows\System32\PresentationCFFRasterizerNative_v0300.dll
2013-10-13 21:29:38 102608 ----a-w- C:\Windows\SysWow64\PresentationCFFRasterizerNative_v0300.dll
2013-10-01 19:22:07 -------- d-----w- C:\Program Files (x86)\Origin Games
2013-10-01 19:21:21 -------- d-----w- C:\Users\nesska\AppData\Roaming\Origin
2013-10-01 19:21:14 -------- d-----w- C:\Users\nesska\AppData\Local\Origin
2013-10-01 19:19:36 -------- d-----w- C:\ProgramData\Origin
2013-10-01 19:19:35 -------- d-----w- C:\ProgramData\Electronic Arts
2013-10-01 19:19:34 -------- d-----w- C:\Program Files (x86)\Origin
2013-09-30 18:18:21 -------- d-----w- C:\ProgramData\34BE82C4-E596-4e99-A191-52C6199EBF69
2013-09-30 18:18:21 -------- d-----w- C:\Program Files\iTunes
2013-09-30 18:18:21 -------- d-----w- C:\Program Files\iPod
2013-09-30 18:18:21 -------- d-----w- C:\Program Files (x86)\iTunes
2013-09-25 09:13:11 13792 ----a-w- C:\Windows\System32\drivers\semav6thermal64ro.sys
2013-09-17 08:17:02 -------- d-----w- C:\Program Files (x86)\Norseman Games
2013-09-17 07:28:24 -------- d-----w- C:\Program Files (x86)\ActiveSkin
2013-09-17 05:18:27 78296 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2013-09-17 05:18:26 694232 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
.
==================== Find3M  ====================
.
2013-09-22 23:28:06 1767936 ----a-w- C:\Windows\SysWow64\wininet.dll
2013-09-22 23:27:49 2876928 ----a-w- C:\Windows\SysWow64\jscript9.dll
2013-09-22 22:55:10 2241024 ----a-w- C:\Windows\System32\wininet.dll
2013-09-22 22:54:51 3959296 ----a-w- C:\Windows\System32\jscript9.dll
2013-08-16 05:41:13 58200 ----a-w- C:\Windows\System32\drivers\dam.sys
2013-08-16 05:39:26 2371728 ----a-w- C:\Windows\System32\WSService.dll
2013-08-16 05:32:48 209200 ----a-w- C:\Windows\System32\NotificationUI.exe
2013-08-16 05:22:22 40448 ----a-w- C:\Windows\System32\wuapp.exe
2013-08-16 05:22:11 4917760 ----a-w- C:\Windows\System32\sppsvc.exe
2013-08-16 05:20:30 105984 ----a-w- C:\Windows\System32\WinSetupUI.dll
2013-08-15 22:43:21 35328 ----a-w- C:\Windows\SysWow64\wuapp.exe
2013-08-15 22:43:07 84992 ----a-w- C:\Windows\SysWow64\wudriver.dll
2013-08-15 22:43:07 126976 ----a-w- C:\Windows\SysWow64\wuwebv.dll
2013-08-15 22:43:03 562688 ----a-w- C:\Windows\SysWow64\WSShared.dll
2013-08-15 22:43:03 159232 ----a-w- C:\Windows\SysWow64\WSSync.dll
2013-08-15 22:43:02 83968 ----a-w- C:\Windows\SysWow64\OEMLicense.dll
2013-08-15 22:43:02 167424 ----a-w- C:\Windows\SysWow64\WSClient.dll
2013-08-15 22:43:02 143872 ----a-w- C:\Windows\SysWow64\Windows.ApplicationModel.Store.dll
2013-08-15 22:43:02 124928 ----a-w- C:\Windows\SysWow64\Windows.ApplicationModel.Store.TestingFramework.dll
2013-08-15 22:42:52 76800 ----a-w- C:\Windows\SysWow64\setupcln.dll
2013-08-15 22:42:47 91648 ----a-w- C:\Windows\SysWow64\sppc.dll
2013-08-10 05:21:51 448512 ----a-w- C:\Windows\System32\SettingSync.dll
2013-08-10 05:21:51 128512 ----a-w- C:\Windows\System32\SettingSyncInfo.dll
2013-08-10 03:58:51 356352 ----a-w- C:\Windows\SysWow64\SettingSync.dll
2013-08-07 05:15:02 144896 ----a-w- C:\Windows\System32\tssdisai.dll
2013-08-03 06:40:49 462336 ----a-w- C:\Windows\System32\sysmon.ocx
2013-08-03 06:40:17 566784 ----a-w- C:\Windows\System32\wvc.dll
2013-08-03 06:40:01 1374208 ----a-w- C:\Windows\System32\wdc.dll
2013-08-03 05:14:15 399360 ----a-w- C:\Windows\SysWow64\sysmon.ocx
2013-08-03 05:13:57 437248 ----a-w- C:\Windows\SysWow64\wvc.dll
2013-08-03 05:13:43 1245696 ----a-w- C:\Windows\SysWow64\wdc.dll
2013-08-02 06:26:53 2304512 ----a-w- C:\Windows\System32\authui.dll
2013-08-02 05:06:50 2035712 ----a-w- C:\Windows\SysWow64\authui.dll
2013-08-01 10:41:31 2233688 ----a-w- C:\Windows\System32\drivers\tcpip.sys
2013-07-27 03:58:39 2207232 ----a-w- C:\Windows\SysWow64\PrintConfig.dll
2013-07-24 23:10:08 158208 ----a-w- C:\Windows\SysWow64\mbsmsapi.dll
2013-07-24 23:06:39 225280 ----a-w- C:\Windows\System32\mbsmsapi.dll
.
============= FINISH: 14:11:58.10 ===============

 

Attached File  attach.zip   2.21KB   1 downloads
 


ark.txt

 

GMER 2.1.19163 - http://www.gmer.net
Rootkit scan 2013-10-16 14:27:02
Windows 6.2.9200  x64 \Device\Harddisk0\DR0 -> \Device\00000038 Hitachi_HTS545050A7E380 rev.GG2OA7B0 465.76GB
Running: cx6iwd4j.exe; Driver: C:\Users\nesska\AppData\Local\Temp\kwnyraod.sys

---- Threads - GMER 2.1 ----

Thread  C:\Windows\system32\csrss.exe [684:708]                           fffff960009865e8
Thread  C:\Windows\system32\svchost.exe [884:3056]                        000007ff7d201f34
Thread  C:\Windows\system32\svchost.exe [1336:1668]                       000007ff865f31a0
Thread  C:\Windows\system32\svchost.exe [1336:2440]                       000007ff865f9c68
Thread  C:\Windows\system32\svchost.exe [1336:2664]                       000007ff83ec24e8
Thread  C:\Windows\system32\svchost.exe [1336:2756]                       000007ff83b91544
Thread  C:\Windows\system32\svchost.exe [1336:2764]                       000007ff83b755dc
Thread  C:\Windows\system32\svchost.exe [1336:2812]                       000007ff81944910
Thread  C:\Windows\system32\svchost.exe [1336:5712]                       000007ff81941044
Thread  C:\Program Files\Windows Media Player\wmpnscfg.exe [12088:12180]  000007ff85321b94
Thread  C:\Program Files\Windows Media Player\wmpnscfg.exe [10712:9524]   000007ff8c9a23a8
Thread  C:\Program Files\Windows Media Player\wmpnscfg.exe [10712:11728]  000007ff85321b94
Thread  C:\Program Files\Windows Media Player\wmpnscfg.exe [10712:9632]   000007ff873e3fd0

---- Disk sectors - GMER 2.1 ----

Disk    \Device\Harddisk0\DR0                                             unknown MBR code

---- EOF - GMER 2.1 ----



#4 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:44 AM

Posted 17 October 2013 - 02:29 AM

Scan with aswMBR

Please download aswMBR ( 4.5MB ) to your desktop.

  • Double click the aswMBR.exe icon, and click Run.
  • There will be a short delay before the next dialog box comes up. Please just wait a minute or two.
  • When asked if you'd like to "download the latest Avast! virus definitions", click Yes.
  • Typically this is about a 100MB download so depending on your connection speed it can take a short while to download and become ready.
  • Click the Scan button to start the scan once the update has finished downloading
  • On completion of the scan, click the save log button, save it to your desktop, then copy and paste it in your next reply.

Note: There will also be a file on your desktop named MBR.dat do not delete this for now. It is an actual backup of the MBR (master boot record).

 

 

 

ShortcutCleaner

 

Please download this file to your desktop and run it: http://www.bleepingcomputer.com/download/shortcut-cleaner/

It will open up a log when finished - please post that up here.


Edited by TB-Psychotic, 17 October 2013 - 02:51 AM.

Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here --> btn_donate_SM.gif <--(no worries, every little bit helps)

#5 nesska

nesska
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:03:44 AM

Posted 18 October 2013 - 07:27 PM

aswMBR version 0.9.9.1771 Copyright© 2011 AVAST Software
Run date: 2013-10-18 17:18:55
-----------------------------
17:18:55.992    OS Version: Windows x64 6.2.9200
17:18:55.992    Number of processors: 4 586 0x3A09
17:18:55.992    ComputerName: TRUTHFILLEDLIES  UserName: nesska
17:18:56.414    Initialze error 1
17:23:01.813    AVAST engine defs: 13101801
17:26:19.354    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\00000038
17:26:19.369    Disk 0 Vendor: Hitachi_HTS545050A7E380 GG2OA7B0 Size: 476940MB BusType: 11
17:26:19.385    Disk 0 MBR read successfully
17:26:19.385    Disk 0 MBR scan
17:26:19.385    Disk 0 unknown MBR code
17:26:19.385    Disk 0 Partition 1 00     EE          GPT           2097151 MB offset 1
17:26:19.400    Disk 0 scanning C:\Windows\system32\drivers
17:26:19.400    Service scanning
17:26:20.010    Modules scanning
17:26:20.010    Disk 0 trace - called modules:
17:26:20.010   
17:26:20.025    AVAST engine scan C:\Windows
17:26:20.025    AVAST engine scan C:\Windows\system32
17:26:20.025    AVAST engine scan C:\Windows\system32\drivers
17:26:20.025    AVAST engine scan C:\Users\nesska
17:26:20.041    AVAST engine scan C:\ProgramData
17:26:20.041    Scan finished successfully
17:26:33.903    Disk 0 MBR has been saved successfully to "C:\Users\nesska\Desktop\MBR.dat"
17:26:33.919    The log file has been saved successfully to "C:\Users\nesska\Desktop\aswMBR.txt"

 



#6 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:44 AM

Posted 20 October 2013 - 12:24 PM

Then we need the Shortcut Cleaner log as well.


Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here --> btn_donate_SM.gif <--(no worries, every little bit helps)

#7 nesska

nesska
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:03:44 AM

Posted 20 October 2013 - 11:32 PM

I'm sorry, Marius. I did not see that. Here is the information:

 

Shortcut Cleaner 1.2.5 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2013 BleepingComputer.com
More Information about Shortcut Cleaner can be found at this link:
 http://www.bleepingcomputer.com/download/shortcut-cleaner/

Windows Version: Windows 8
Program started at: 10/20/2013 09:30:28 PM.

Scanning for registry hijacks:

 * No issues found in the Registry.

Searching for Hijacked Shortcuts:

Searching C:\Users\nesska\AppData\Roaming\Microsoft\Windows\Start Menu\

  * Shortcut Cleaned: C:\Users\nesska\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk => C:\Program Files\Internet Explorer\iexplore.exe http://www.dosearches.com/?utm_source=b&utm_medium=smt&utm_campaign=eXQ&utm_content=sc&from=smt&uid=HitachiXHTS545050A7E380_121002TA95113VKWZ68SX&ts=1381298802

  * Shortcut Cleaned: C:\Users\nesska\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk => C:\Program Files (x86)\Mozilla Firefox\firefox.exe http://www.dosearches.com/?utm_source=b&utm_medium=smt&utm_campaign=eXQ&utm_content=sc&from=smt&uid=HitachiXHTS545050A7E380_121002TA95113VKWZ68SX&ts=1381298802

Searching C:\ProgramData\Microsoft\Windows\Start Menu\

  * Shortcut Cleaned: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome\Google Chrome.lnk => C:\Program Files (x86)\Google\Chrome\Application\chrome.exe http://www.dosearches.com/?utm_source=b&utm_medium=smt&utm_campaign=eXQ&utm_content=sc&from=smt&uid=HitachiXHTS545050A7E380_121002TA95113VKWZ68SX&ts=1381298802

  * Shortcut Cleaned: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk => C:\Program Files (x86)\Mozilla Firefox\firefox.exe http://www.dosearches.com/?utm_source=b&utm_medium=smt&utm_campaign=eXQ&utm_content=sc&from=smt&uid=HitachiXHTS545050A7E380_121002TA95113VKWZ68SX&ts=1381298802

Searching C:\Users\nesska\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\

  * Shortcut Cleaned: C:\Users\nesska\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk => C:\Program Files (x86)\Google\Chrome\Application\chrome.exe http://www.dosearches.com/?utm_source=b&utm_medium=smt&utm_campaign=eXQ&utm_content=sc&from=smt&uid=HitachiXHTS545050A7E380_121002TA95113VKWZ68SX&ts=1381298802

  * Shortcut Cleaned: C:\Users\nesska\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk => C:\Program Files\Internet Explorer\iexplore.exe http://www.dosearches.com/?utm_source=b&utm_medium=smt&utm_campaign=eXQ&utm_content=sc&from=smt&uid=HitachiXHTS545050A7E380_121002TA95113VKWZ68SX&ts=1381298802

  * Shortcut Cleaned: C:\Users\nesska\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Internet Explorer.lnk => C:\Program Files\Internet Explorer\iexplore.exe http://www.dosearches.com/?utm_source=b&utm_medium=smt&utm_campaign=eXQ&utm_content=sc&from=smt&uid=HitachiXHTS545050A7E380_121002TA95113VKWZ68SX&ts=1381298802

  * Shortcut Cleaned: C:\Users\nesska\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Mozilla Firefox.lnk => C:\Program Files (x86)\Mozilla Firefox\firefox.exe http://www.dosearches.com/?utm_source=b&utm_medium=smt&utm_campaign=eXQ&utm_content=sc&from=smt&uid=HitachiXHTS545050A7E380_121002TA95113VKWZ68SX&ts=1381298802

Searching C:\Users\Public\Desktop\

  * Shortcut Cleaned: C:\Users\Public\Desktop\Google Chrome.lnk => C:\Program Files (x86)\Google\Chrome\Application\chrome.exe http://www.dosearches.com/?utm_source=b&utm_medium=smt&utm_campaign=eXQ&utm_content=sc&from=smt&uid=HitachiXHTS545050A7E380_121002TA95113VKWZ68SX&ts=1381298802

Searching C:\Users\nesska\Desktop

9 bad shortcuts found.

Program finished at: 10/20/2013 09:30:34 PM
Execution time: 0 hours(s), 0 minute(s), and 6 seconds(s)



#8 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:44 AM

Posted 21 October 2013 - 04:23 AM

No problem! :)

 

 

Full System Scan with Malwarebytes Antimalware

  • If not existing, please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.


If the program is already installed:
  • Run Malwarebytes Antimalware
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform fullscan, place a checkmark on all hard drives, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location.
  • The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
  • Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt
  • Post that log back here.

 

 

 

Scan with ESET Online Scan

Please go to here to run the online scannner from ESET.

  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked
  • Click on Advanced Settings and ensure these options are ticked:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Click Scan
  • Wait for the scan to finish
  • If any threats were found, click the 'List of found threats' , then click Export to text file....
  • Save it to your desktop, then please copy and paste that log as a reply to this topic.


Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here --> btn_donate_SM.gif <--(no worries, every little bit helps)

#9 nesska

nesska
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:03:44 AM

Posted 25 October 2013 - 07:46 PM

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2013.10.25.09

Windows 8 x64 NTFS
Internet Explorer 10.0.9200.16721
nesska :: TRUTHFILLEDLIES [administrator]

10/25/2013 3:41:59 PM
mbam-log-2013-10-25 (15-41-59).txt

Scan type: Full scan (C:\|D:\|E:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 468031
Time elapsed: 1 hour(s), 32 minute(s), 48 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)



#10 nesska

nesska
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:03:44 AM

Posted 25 October 2013 - 09:58 PM

C:\Users\nesska\Downloads\IZArcInstall.exe Win32/OpenCandy application
 



#11 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:44 AM

Posted 26 October 2013 - 03:42 AM

Then we can do the cleanup - if you are facing any issues, report that immediately.

Delete junk with adwCleaner


Please download AdwCleaner to your desktop.


  • Run adwcleaner.exe
  • Hit Scan and wait for the scan to finish.
  • Confirm the message but don´t uncheck anything.
  • Hit Clean
  • When the run is finished, it will open up a text file
  • Please post its contents within your next reply
  • You´ll find the log file at C:\AdwCleaner[S1].txt also


SecurityCheck

Please download SecurityCheck: LINK1 LINK2

  • Save it to your desktop, start it and follow the instructions in the window.
  • After the scan finished the (checkup.txt) will open. Copy its content to your thread.


Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here --> btn_donate_SM.gif <--(no worries, every little bit helps)

#12 nesska

nesska
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:03:44 AM

Posted 28 October 2013 - 01:56 AM

# AdwCleaner v3.010 - Report created 27/10/2013 at 23:48:13
# Updated 20/10/2013 by Xplode
# Operating System : Windows 8  (64 bits)
# Username : nesska - TRUTHFILLEDLIES
# Running from : C:\Users\nesska\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BA5HDA95\adwcleaner.exe
# Option : Clean

***** [ Services ] *****

***** [ Files / Folders ] *****

Folder Deleted : C:\ProgramData\eSafe
Folder Deleted : C:\Program Files (x86)\WinZip Registry Optimizer
Folder Deleted : C:\Users\nesska\AppData\Local\Bundled software uninstaller
Folder Deleted : C:\Users\nesska\AppData\Local\Google\Chrome\User Data\Default\Extensions\amfclgbdpgndipgoegfpkkgobahigbcl
File Deleted : C:\Windows\System32\roboot64.exe
File Deleted : C:\Users\nesska\AppData\Roaming\Mozilla\Firefox\Profiles\0wnqynfw.default-1381874282210\searchplugins\safesearch.xml

***** [ Shortcuts ] *****

***** [ Registry ] *****

Key Deleted : HKLM\SOFTWARE\Classes\iesmartbar.bandobjectattribute
Key Deleted : HKLM\SOFTWARE\Classes\iesmartbar.dockingpanel
Key Deleted : HKLM\SOFTWARE\Classes\iesmartbar.iesmartbar
Key Deleted : HKLM\SOFTWARE\Classes\iesmartbar.iesmartbarbandobject
Key Deleted : HKLM\SOFTWARE\Classes\iesmartbar.smartbardisplaystate
Key Deleted : HKLM\SOFTWARE\Classes\iesmartbar.smartbarmenuform
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\QuickShare_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\QuickShare_RASMANCS
Key Deleted : HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Application\WsysSvc
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{56561B2A-FB5D-363A-9631-4C03D6054209}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{A717364F-69F3-3A24-ADD5-3901A57F880E}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{AE07101B-46D4-4A98-AF68-0333EA26E113}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{CCB08265-B35D-30B2-A6AF-6986CA957358}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{CD92622E-49B9-33B7-98D1-EC51049457D7}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{E041E037-FA4B-364A-B440-7A1051EA0301}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{79FB5FC8-44B9-4AF5-BADD-CCE547F953E5}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{7D86A08B-0A8F-4BE0-B693-F05E6947E780}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{AE07101B-46D4-4A98-AF68-0333EA26E113}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{AE07101B-46D4-4A98-AF68-0333EA26E113}
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{AE07101B-46D4-4A98-AF68-0333EA26E113}]
Key Deleted : [x64] HKLM\SOFTWARE\Classes\CLSID\{31AD400D-1B06-4E33-A59A-90C2C140CBA0}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\CLSID\{56561B2A-FB5D-363A-9631-4C03D6054209}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\CLSID\{A717364F-69F3-3A24-ADD5-3901A57F880E}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\CLSID\{AE07101B-46D4-4A98-AF68-0333EA26E113}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\CLSID\{CCB08265-B35D-30B2-A6AF-6986CA957358}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\CLSID\{CD92622E-49B9-33B7-98D1-EC51049457D7}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\CLSID\{E041E037-FA4B-364A-B440-7A1051EA0301}
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31AD400D-1B06-4E33-A59A-90C2C140CBA0}
Value Deleted : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{AE07101B-46D4-4A98-AF68-0333EA26E113}]
Data Restored : HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command
Key Deleted : HKCU\Software\BI
Key Deleted : HKCU\Software\smartbar

***** [ Browsers ] *****

-\\ Internet Explorer v10.0.9200.16537

Setting Restored : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\Main [Default_Page_URL]
Setting Restored : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\Main [Start Page]

-\\ Mozilla Firefox v24.0 (en-US)

[ File : C:\Users\nesska\AppData\Roaming\Mozilla\Firefox\Profiles\0wnqynfw.default-1381874282210\prefs.js ]

-\\ Google Chrome v30.0.1599.101

[ File : C:\Users\nesska\AppData\Local\Google\Chrome\User Data\Default\preferences ]

Deleted : homepage

*************************

AdwCleaner[R0].txt - [4833 octets] - [27/10/2013 20:44:01]
AdwCleaner[S0].txt - [4177 octets] - [27/10/2013 23:48:13]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [4237 octets] ##########



#13 nesska

nesska
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:03:44 AM

Posted 28 October 2013 - 02:01 AM

 Results of screen317's Security Check version 0.99.74 
   x64 (UAC is enabled) 
 Internet Explorer 10 
``````````````Antivirus/Firewall Check:``````````````
 Windows Firewall Enabled! 
Windows Defender  
Norton 360        
 WMI entry may not exist for antivirus; attempting automatic update.
`````````Anti-malware/Other Utilities Check:`````````
 Malwarebytes Anti-Malware version 1.75.0.1300 
 Java™ 7 Update 5 
 Java version out of Date!
 Adobe Flash Player  11.9.900.117 
 Mozilla Firefox (24.0)
 Google Chrome 30.0.1599.101 
 Google Chrome 30.0.1599.69 
````````Process Check: objlist.exe by Laurent```````` 
 Norton ccSvcHst.exe
 Malwarebytes Anti-Malware mbamservice.exe 
 Malwarebytes Anti-Malware mbamgui.exe 
 Malwarebytes' Anti-Malware mbamscheduler.exe  
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C:  %
````````````````````End of Log``````````````````````
 



#14 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:44 AM

Posted 28 October 2013 - 04:31 AM

Your system is clean! :)

 

 

Java runtime Environment out of date

Your Java runtime environment is outdated. We will fix this.

  • Get the actual JRE from here
  • Save jxpiinstall.exe to your desktop
  • Close all running programs, especially your browser(s)
  • Run jxpiinstall.exe. This will download the newest JRE installer and install the software
  • when finished, go to
    Start-->control panel-->add/remove programs and remove all older Java versions. (if existing)
  • When finished, reboot your computer.

After the reboot
  • Open control panel again and click the java symbol.
  • Click Settings under Temporary Internet Files.
    The Temporary Files Settings dialog box appears.
  • Click Delete Files.
    The Delete Temporary Files dialog box appears
  • Click OK on Delete Temporary Files window.
  • Click OK again.

 

 

 

 

Uninstall our tools using delfix

Please follow these steps in order:

  • In the case we used Defogger to turn off your CD emulation software. You can start it again and use the Enable button.
  • In the case we used Combofix. Deactivate your antivirus software once more, then rename the combofix.exe to uninstall.exe and run it one last time. You shall be noted that Combofix has been removed.
  • In any case please download delfix to your desktop.
    • Close all other programms and start delfix.
    • Please check all the boxes and run the tool.
    • delfix will now delete all found traces of our removal process
  • If there is still something left please delete it manualy.

 

 

 

 

How to protect yourself

  • System Updates
    Beeing up to date is very important. Please be sure to activate automatic updates in your control panel.
    Windows XP | Windows Vista |
    Windows 7 | windows 8
  • Protection
    What you need is one (not more) good virus scanner with backgroud protection. Additionally I recommend a special malwarescanner that you run from time to time.
    Personally I am using the avast! Antivirus Free Edition and Malwarebytes Anti-Malware. They offer you good protection for free use. But please remember: You get only the full protection if you use the payed versions of your security software.
  • Up to date Software
    Stay up to date with all the programs you use. Some of those really have to have an eye on are: your browser(s) including add-ons and plug-ins, Java, Flash Player, your virus scanner, and basically every software you use often. These link may help you to check:
  • Backups
    There are chances for an emergency every day. So be prepared. Back up your data on a regular basis. If you burn it to DVDs from time to time, use a cloud-drive or a professional network backup system is your choice.
  • Brains
    It's no joke! You really need one of those things. :) It is very important not just to click anywhere it is colored or flashing while you surfing on the web. Do not click an OK button on any popping window without reading what it says. While installing software always choose the custom mode, read what those windows says and uncheck adware that will be installed along the software you want.


Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here --> btn_donate_SM.gif <--(no worries, every little bit helps)

#15 nesska

nesska
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:03:44 AM

Posted 29 October 2013 - 04:37 PM

I cannot download JavaScript. I cannot download, delete or save/update any files. This started last night.

 

It is stating that several things are corrupted. I tried to delete the TEMP folder but it will not allow me. I tried to move the Temporary Internet Files folder but it disappears.


Edited by nesska, 29 October 2013 - 04:37 PM.





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users