
Antivirus Security Pro Malware - No Safe Mode


3 replies to this topic

#1 Justsalsa

Justsalsa

  • Members
  • 2 posts

Posted 18 October 2013 - 05:25 PM

Hello, my name is Austin,

 

Like many other posters this past month, my father recently got infected with the Antivirus Security Pro Malware. I built this computer 8 months ago for my father, so I'm almost responsible for anything wrong with it. I'm a novice at most programming lingo, but I am really good at following processes, as it's what I do for a living. I WILL be donating to the person helping; my father needs his computer to do work this weekend. So before we start this process, I want to say "Thank You" in advance.

 

Anyway, I tried the bleepingcomputer.com solution for the malware, but I have not been able to enter Safe Mode (it shuts down soon after login).

 

I read a post today on the first step of running the frst.exe file on the infected computer. Please let me know whether you prefer me to paste the report results within my post or attach the file. Here are the text results:

 

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 02-10-2013
Ran by SYSTEM on MININT-IPBE6V6 on 18-10-2013 17:10:41
Running from H:\
Windows 7 Home Premium Service Pack 1 (X64) OS Language: English(US)
Internet Explorer Version 10
Boot Mode: Recovery
 
The current controlset is ControlSet001
ATTENTION!:=====> If the system is bootable FRST could be run from normal or Safe mode to create a complete log.
 
==================== Registry (Whitelisted) ==================
 
HKLM\...\Run: [MSC] - "C:\Program Files\Microsoft Security Client\mssecex.exe" -hide -runkey <===== ATTENTION (File name is altered)
HKLM\...\Run: [EvtMgr6] - C:\Program Files\Logitech\SetPointP\SetPoint.exe [1744152 2011-10-07] (Logitech, Inc.)
HKLM\...\Run: [AS2014] - C:\ProgramData\D3nn3733\D3nn3733.exe [533656 2013-10-17] ()
HKLM\...\Winlogon: [Userinit] userinit.exe,C:\ProgramData\D3nn3733\D3nn3733.exe -sm,
Winlogon\Notify\LBTWlgn: c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll (Logitech, Inc.)
HKLM-x32\...\Run: [] - [x]
HKLM-x32\...\Run: [SunJavaUpdateSched] - C:\Program Files (x86)\Java\jre6\bin\jusched.exe [149280 2013-01-04] (Sun Microsystems, Inc.)
HKLM-x32\...\Run: [BCSSync] - C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe [91520 2010-03-13] (Microsoft Corporation)
HKLM-x32\...\Run: [Adobe Reader Speed Launcher] - C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe [37960 2013-05-09] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Adobe ARM] - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [958576 2013-04-04] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Adobe Acrobat Speed Launcher] - C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe [44280 2012-12-19] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Acrobat Assistant 8.0] - C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe [642816 2012-12-18] (Adobe Systems Inc.)
HKU\RichardRice\...\Run: [RESTART_STICKY_NOTES] - C:\Windows\System32\StikyNot.exe [427520 2009-07-13] (Microsoft Corporation)
HKU\RichardRice\...\Run: [Free Internet Eraser] - C:\Program Files (x86)\PrivacyEraser Computing\Free Internet Eraser\InternetEraser.exe [563840 2012-12-26] (PrivacyEraser Computing, Inc.)
HKU\RichardRice\...\Run: [Google Update] - [x]
HKU\RichardRice\...\Run: [AS2014] - C:\ProgramData\D3nn3733\D3nn3733.exe [533656 2013-10-17] ()
Startup: C:\Users\RichardRice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2010 Screen Clipper and Launcher.lnk
ShortcutTarget: OneNote 2010 Screen Clipper and Launcher.lnk -> C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE (Microsoft Corporation)
 
==================== Services (Whitelisted) =================
 
S4 asComSvc; C:\Program Files (x86)\ASUS\AXSP\1.00.18\atkexComSvc.exe [918448 2011-10-28] ()
S4 asHmComSvc; C:\Program Files (x86)\ASUS\AAHM\1.00.20\aaHMSvc.exe [951936 2012-02-02] (ASUSTeK Computer Inc.)
S4 AsSysCtrlService; C:\Program Files (x86)\ASUS\AsSysCtrlService\1.00.13\AsSysCtrlService.exe [149120 2012-02-16] (ASUSTeK Computer Inc.)
S4 AsusFanControlService; C:\Program Files (x86)\ASUS\AsusFanControlService\1.00.21\AsusFanControlService.exe [1478272 2012-01-12] (ASUSTeK Computer Inc.)
S4 jhi_service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [161560 2012-02-07] (Intel Corporation)
S2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [22056 2013-01-27] (Microsoft Corporation)
S3 NisSrv; c:\Program Files\Microsoft Security Client\NisSrv.exe [379360 2013-01-27] (Microsoft Corporation)
S2 *etadpug; "C:\Program Files (x86)\Google\Desktop\Install\{c2c37fed-cd7d-2662-80ff-1651ebb34c7f}\   \...\???\{c2c37fed-cd7d-2662-80ff-1651ebb34c7f}\GoogleUpdate.exe" < <==== ATTENTION (ZeroAccess)
 
==================== Drivers (Whitelisted) ====================
 
S3 AiCharger; C:\Windows\SysWow64\drivers\AiCharger.sys [14592 2010-10-20] (ASUSTek Computer Inc.)
S3 AiCharger; C:\Windows\SysWow64\drivers\AiCharger.sys [14592 2010-10-20] (ASUSTek Computer Inc.)
S1 AsIO; C:\Windows\SysWow64\drivers\AsIO.sys [13440 2010-08-23] ()
S1 AsIO; C:\Windows\SysWow64\drivers\AsIO.sys [13440 2010-08-23] ()
S1 AsUpIO; C:\Windows\SysWow64\drivers\AsUpIO.sys [14464 2010-08-02] ()
S1 AsUpIO; C:\Windows\SysWow64\drivers\AsUpIO.sys [14464 2010-08-02] ()
S3 ASUSFILTER; C:\Windows\SysWow64\drivers\ASUSFILTER.sys [46152 2011-09-19] (MCCI Corporation)
S3 ASUSFILTER; C:\Windows\SysWow64\drivers\ASUSFILTER.sys [46152 2011-09-19] (MCCI Corporation)
S0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [230320 2013-01-20] (Microsoft Corporation)
S3 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [130008 2013-01-20] (Microsoft Corporation)
S1 qeulhirw; C:\Windows\system32\drivers\qeulhirw.sys [49872 2013-10-18] (Microsoft Corporation)
S3 VLAN; C:\Windows\System32\DRIVERS\RtVLAN620.sys [32360 2011-09-15] (Realtek Corporation)
S1 cbiqtqiw; \??\C:\Windows\system32\drivers\cbiqtqiw.sys [x]
S1 hozzhgid; \??\C:\Windows\system32\drivers\hozzhgid.sys [x]
S1 ldatmafc; \??\C:\Windows\system32\drivers\ldatmafc.sys [x]
 
==================== NetSvcs (Whitelisted) ===================
 
 
==================== One Month Created Files and Folders ========
 
2013-10-18 17:10 - 2013-10-18 17:10 - 00000000 ____D C:\FRST
2013-10-18 13:27 - 2013-10-18 13:27 - 00049872 _____ (Microsoft Corporation) C:\Windows\System32\Drivers\qeulhirw.sys
2013-10-18 03:30 - 2013-10-18 13:56 - 00022916 _____ C:\Windows\WindowsUpdate.log
2013-10-18 03:30 - 2013-10-18 13:26 - 00000560 _____ C:\Windows\setupact.log
2013-10-18 03:30 - 2013-10-18 03:34 - 00005992 _____ C:\Windows\PFRO.log
2013-10-18 03:30 - 2013-10-18 03:30 - 00000000 _____ C:\Windows\setuperr.log
2013-10-17 12:47 - 2013-10-17 12:47 - 00074240 _____ C:\Windows\System32\RMAcinit64.dll
2013-10-17 12:47 - 2013-10-17 12:47 - 00065024 _____ C:\Windows\SysWOW64\RMAcinit.dll
2013-10-17 11:54 - 2013-10-18 13:27 - 00000000 ____D C:\ProgramData\D3nn3733
2013-10-17 05:47 - 2013-10-17 05:47 - 00000000 ____D C:\Windows\Temp39907E28-1ADD-A601-12A5-D2800ABECD8B-Signatures
2013-10-16 05:07 - 2013-10-16 05:07 - 00000000 ____D C:\Windows\TempA9BDA872-5B0C-ABED-324D-25BF00B012DA-Signatures
2013-10-11 04:10 - 2013-09-22 15:28 - 01767936 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2013-10-11 04:10 - 2013-09-22 15:28 - 01141248 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2013-10-11 04:10 - 2013-09-22 15:27 - 14335488 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2013-10-11 04:10 - 2013-09-22 15:27 - 13761024 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2013-10-11 04:10 - 2013-09-22 15:27 - 02876928 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2013-10-11 04:10 - 2013-09-22 15:27 - 02048512 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2013-10-11 04:10 - 2013-09-22 15:27 - 00690688 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2013-10-11 04:10 - 2013-09-22 15:27 - 00493056 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2013-10-11 04:10 - 2013-09-22 15:27 - 00391168 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2013-10-11 04:10 - 2013-09-22 15:27 - 00109056 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesysprep.dll
2013-10-11 04:10 - 2013-09-22 15:27 - 00061440 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll
2013-10-11 04:10 - 2013-09-22 15:27 - 00039424 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2013-10-11 04:10 - 2013-09-22 15:27 - 00033280 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll
2013-10-11 04:10 - 2013-09-22 14:55 - 02241024 _____ (Microsoft Corporation) C:\Windows\System32\wininet.dll
2013-10-11 04:10 - 2013-09-22 14:55 - 01365504 _____ (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2013-10-11 04:10 - 2013-09-22 14:55 - 00051712 _____ (Microsoft Corporation) C:\Windows\System32\ie4uinit.exe
2013-10-11 04:10 - 2013-09-22 14:54 - 19252224 _____ (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2013-10-11 04:10 - 2013-09-22 14:54 - 15404544 _____ (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2013-10-11 04:10 - 2013-09-22 14:54 - 03959296 _____ (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2013-10-11 04:10 - 2013-09-22 14:54 - 02647552 _____ (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2013-10-11 04:10 - 2013-09-22 14:54 - 00855552 _____ (Microsoft Corporation) C:\Windows\System32\jscript.dll
2013-10-11 04:10 - 2013-09-22 14:54 - 00603136 _____ (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2013-10-11 04:10 - 2013-09-22 14:54 - 00526336 _____ (Microsoft Corporation) C:\Windows\System32\ieui.dll
2013-10-11 04:10 - 2013-09-22 14:54 - 00136704 _____ (Microsoft Corporation) C:\Windows\System32\iesysprep.dll
2013-10-11 04:10 - 2013-09-22 14:54 - 00067072 _____ (Microsoft Corporation) C:\Windows\System32\iesetup.dll
2013-10-11 04:10 - 2013-09-22 14:54 - 00053248 _____ (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2013-10-11 04:10 - 2013-09-22 14:54 - 00039936 _____ (Microsoft Corporation) C:\Windows\System32\iernonce.dll
2013-10-11 04:10 - 2013-09-20 19:38 - 02706432 _____ (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2013-10-11 04:10 - 2013-09-20 19:30 - 02706432 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2013-10-11 04:10 - 2013-09-20 18:48 - 00089600 _____ (Microsoft Corporation) C:\Windows\System32\RegisterIEPKEYs.exe
2013-10-11 04:10 - 2013-09-20 18:39 - 00071680 _____ (Microsoft Corporation) C:\Windows\SysWOW64\RegisterIEPKEYs.exe
2013-10-10 05:31 - 2013-09-13 17:10 - 00497152 _____ (Microsoft Corporation) C:\Windows\System32\Drivers\afd.sys
2013-10-10 05:31 - 2013-09-07 18:30 - 01903552 _____ (Microsoft Corporation) C:\Windows\System32\Drivers\tcpip.sys
2013-10-10 05:31 - 2013-09-07 18:27 - 00327168 _____ (Microsoft Corporation) C:\Windows\System32\mswsock.dll
2013-10-10 05:31 - 2013-09-07 18:03 - 00231424 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mswsock.dll
2013-10-10 05:31 - 2013-08-28 18:17 - 05549504 _____ (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe
2013-10-10 05:31 - 2013-08-28 18:16 - 01732032 _____ (Microsoft Corporation) C:\Windows\System32\ntdll.dll
2013-10-10 05:31 - 2013-08-28 18:16 - 00859648 _____ (Microsoft Corporation) C:\Windows\System32\tdh.dll
2013-10-10 05:31 - 2013-08-28 18:16 - 00243712 _____ (Microsoft Corporation) C:\Windows\System32\wow64.dll
2013-10-10 05:31 - 2013-08-28 18:13 - 00878080 _____ (Microsoft Corporation) C:\Windows\System32\advapi32.dll
2013-10-10 05:31 - 2013-08-28 17:51 - 03969472 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe
2013-10-10 05:31 - 2013-08-28 17:51 - 03914176 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe
2013-10-10 05:31 - 2013-08-28 17:50 - 01292192 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntdll.dll
2013-10-10 05:31 - 2013-08-28 17:50 - 00619520 _____ (Microsoft Corporation) C:\Windows\SysWOW64\tdh.dll
2013-10-10 05:31 - 2013-08-28 17:50 - 00005120 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wow32.dll
2013-10-10 05:31 - 2013-08-28 17:48 - 00640512 _____ (Microsoft Corporation) C:\Windows\SysWOW64\advapi32.dll
2013-10-10 05:31 - 2013-08-28 16:49 - 00025600 _____ (Microsoft Corporation) C:\Windows\SysWOW64\setup16.exe
2013-10-10 05:31 - 2013-08-28 16:49 - 00014336 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntvdm64.dll
2013-10-10 05:31 - 2013-08-28 16:49 - 00007680 _____ (Microsoft Corporation) C:\Windows\SysWOW64\instnm.exe
2013-10-10 05:31 - 2013-08-28 16:49 - 00002048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\user.exe
2013-10-10 05:31 - 2013-08-27 17:21 - 03155968 _____ (Microsoft Corporation) C:\Windows\System32\win32k.sys
2013-10-10 05:31 - 2013-08-27 17:12 - 00461312 _____ (Microsoft Corporation) C:\Windows\System32\scavengeui.dll
2013-10-10 05:31 - 2013-08-01 04:09 - 00983488 _____ (Microsoft Corporation) C:\Windows\System32\Drivers\dxgkrnl.sys
2013-10-10 05:31 - 2013-07-20 02:33 - 00124112 _____ (Microsoft Corporation) C:\Windows\System32\PresentationCFFRasterizerNative_v0300.dll
2013-10-10 05:31 - 2013-07-20 02:33 - 00102608 _____ (Microsoft Corporation) C:\Windows\SysWOW64\PresentationCFFRasterizerNative_v0300.dll
2013-10-10 05:31 - 2013-07-12 02:41 - 00100864 _____ (Microsoft Corporation) C:\Windows\System32\Drivers\usbcir.sys
2013-10-10 05:31 - 2013-07-04 04:57 - 00259584 _____ (Microsoft Corporation) C:\Windows\System32\WebClnt.dll
2013-10-10 05:31 - 2013-07-04 04:50 - 00633856 _____ (Microsoft Corporation) C:\Windows\System32\comctl32.dll
2013-10-10 05:31 - 2013-07-04 04:50 - 00102400 _____ (Microsoft Corporation) C:\Windows\System32\davclnt.dll
2013-10-10 05:31 - 2013-07-04 03:57 - 00205824 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WebClnt.dll
2013-10-10 05:31 - 2013-07-04 03:51 - 00081920 _____ (Microsoft Corporation) C:\Windows\SysWOW64\davclnt.dll
2013-10-10 05:31 - 2013-07-04 03:50 - 00530432 _____ (Microsoft Corporation) C:\Windows\SysWOW64\comctl32.dll
2013-10-10 05:31 - 2013-07-04 02:11 - 00140800 _____ (Microsoft Corporation) C:\Windows\System32\Drivers\mrxdav.sys
2013-10-10 05:31 - 2013-07-02 20:05 - 00076800 _____ (Microsoft Corporation) C:\Windows\System32\Drivers\hidclass.sys
2013-10-10 05:31 - 2013-07-02 20:05 - 00032896 _____ (Microsoft Corporation) C:\Windows\System32\Drivers\hidparse.sys
2013-10-10 05:31 - 2013-06-25 14:55 - 00785624 _____ (Microsoft Corporation) C:\Windows\System32\Drivers\Wdf01000.sys
2013-10-10 05:31 - 2013-06-05 21:50 - 00041472 _____ (Microsoft Corporation) C:\Windows\System32\lpk.dll
2013-10-10 05:31 - 2013-06-05 21:49 - 00100864 _____ (Microsoft Corporation) C:\Windows\System32\fontsub.dll
2013-10-10 05:31 - 2013-06-05 21:49 - 00014336 _____ (Microsoft Corporation) C:\Windows\System32\dciman32.dll
2013-10-10 05:31 - 2013-06-05 21:47 - 00046080 _____ (Adobe Systems) C:\Windows\System32\atmlib.dll
2013-10-10 05:31 - 2013-06-05 20:57 - 00025600 _____ (Microsoft Corporation) C:\Windows\SysWOW64\lpk.dll
2013-10-10 05:31 - 2013-06-05 20:51 - 00070656 _____ (Microsoft Corporation) C:\Windows\SysWOW64\fontsub.dll
2013-10-10 05:31 - 2013-06-05 20:50 - 00010240 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dciman32.dll
2013-10-10 05:31 - 2013-06-05 19:30 - 00368128 _____ (Adobe Systems Incorporated) C:\Windows\System32\atmfd.dll
2013-10-10 05:31 - 2013-06-05 19:01 - 00295424 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\atmfd.dll
2013-10-10 05:31 - 2013-06-05 19:01 - 00034304 _____ (Adobe Systems) C:\Windows\SysWOW64\atmlib.dll
2013-09-26 06:04 - 2013-09-26 06:04 - 00000000 ____D C:\Users\RichardRice\Desktop\Text
 
==================== One Month Modified Files and Folders =======
 
2013-10-18 17:10 - 2013-10-18 17:10 - 00000000 ____D C:\FRST
2013-10-18 13:56 - 2013-10-18 03:30 - 00022916 _____ C:\Windows\WindowsUpdate.log
2013-10-18 13:46 - 2012-07-08 12:40 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2013-10-18 13:33 - 2009-07-13 21:13 - 00730258 _____ C:\Windows\System32\PerfStringBackup.INI
2013-10-18 13:33 - 2009-07-13 20:45 - 00022064 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-10-18 13:33 - 2009-07-13 20:45 - 00022064 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-10-18 13:31 - 2012-07-07 21:03 - 00000908 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2013-10-18 13:29 - 2012-07-07 21:03 - 00000904 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2013-10-18 13:27 - 2013-10-18 13:27 - 00049872 _____ (Microsoft Corporation) C:\Windows\System32\Drivers\qeulhirw.sys
2013-10-18 13:27 - 2013-10-17 11:54 - 00000000 ____D C:\ProgramData\D3nn3733
2013-10-18 13:26 - 2013-10-18 03:30 - 00000560 _____ C:\Windows\setupact.log
2013-10-18 13:26 - 2009-07-13 21:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2013-10-18 03:34 - 2013-10-18 03:30 - 00005992 _____ C:\Windows\PFRO.log
2013-10-18 03:30 - 2013-10-18 03:30 - 00000000 _____ C:\Windows\setuperr.log
2013-10-17 12:47 - 2013-10-17 12:47 - 00074240 _____ C:\Windows\System32\RMAcinit64.dll
2013-10-17 12:47 - 2013-10-17 12:47 - 00065024 _____ C:\Windows\SysWOW64\RMAcinit.dll
2013-10-17 11:58 - 2013-01-13 09:26 - 00000000 ____D C:\Users\RichardRice\Documents\Outlook Files
2013-10-17 05:47 - 2013-10-17 05:47 - 00000000 ____D C:\Windows\Temp39907E28-1ADD-A601-12A5-D2800ABECD8B-Signatures
2013-10-17 05:47 - 2012-07-08 10:25 - 00002148 _____ C:\Windows\epplauncher.mif
2013-10-17 05:47 - 2012-07-08 10:24 - 00000000 ____D C:\Program Files\Microsoft Security Client
2013-10-17 05:47 - 2012-07-08 10:24 - 00000000 ____D C:\Program Files (x86)\Microsoft Security Client
2013-10-16 05:07 - 2013-10-16 05:07 - 00000000 ____D C:\Windows\TempA9BDA872-5B0C-ABED-324D-25BF00B012DA-Signatures
2013-10-11 13:51 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\rescache
2013-10-11 13:24 - 2012-07-07 21:03 - 00003904 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA
2013-10-11 13:24 - 2012-07-07 21:03 - 00003652 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore
2013-10-11 04:29 - 2013-08-15 05:53 - 00000000 ____D C:\Windows\System32\MRT
2013-10-11 04:27 - 2013-03-14 05:50 - 00000000 ____D C:\Program Files\Microsoft Silverlight
2013-10-11 04:27 - 2013-03-14 05:50 - 00000000 ____D C:\Program Files (x86)\Microsoft Silverlight
2013-10-11 04:27 - 2009-07-13 20:45 - 00419624 _____ C:\Windows\System32\FNTCACHE.DAT
2013-10-11 04:26 - 2013-01-13 08:55 - 00000000 ____D C:\Users\RichardRice\Documents\Excel
2013-10-11 04:11 - 2012-07-08 12:01 - 00000000 ____D C:\ProgramData\Microsoft Help
2013-10-08 13:50 - 2013-01-02 08:58 - 00000000 ____D C:\Users\RichardRice\AppData\Local\Adobe
2013-10-08 10:54 - 2012-07-08 12:40 - 00692616 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2013-10-08 10:54 - 2012-07-08 12:40 - 00071048 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2013-10-08 10:54 - 2012-07-08 12:40 - 00003768 _____ C:\Windows\System32\Tasks\Adobe Flash Player Updater
2013-09-29 18:36 - 2013-08-19 07:03 - 00000000 ____D C:\Windows\pss
2013-09-28 14:56 - 2013-01-13 08:56 - 00000000 ____D C:\Users\RichardRice\Documents\Presentations
2013-09-26 06:04 - 2013-09-26 06:04 - 00000000 ____D C:\Users\RichardRice\Desktop\Text
2013-09-25 22:46 - 2012-07-07 22:08 - 80541720 _____ (Microsoft Corporation) C:\Windows\System32\MRT.exe
2013-09-25 16:21 - 2012-07-07 21:03 - 00000000 ____D C:\Users\RichardRice\AppData\Local\Google
2013-09-25 16:21 - 2012-07-07 21:03 - 00000000 ____D C:\Program Files (x86)\Google
2013-09-22 15:28 - 2013-10-11 04:10 - 01767936 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2013-09-22 15:28 - 2013-10-11 04:10 - 01141248 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2013-09-22 15:27 - 2013-10-11 04:10 - 14335488 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2013-09-22 15:27 - 2013-10-11 04:10 - 13761024 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2013-09-22 15:27 - 2013-10-11 04:10 - 02876928 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2013-09-22 15:27 - 2013-10-11 04:10 - 02048512 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2013-09-22 15:27 - 2013-10-11 04:10 - 00690688 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2013-09-22 15:27 - 2013-10-11 04:10 - 00493056 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2013-09-22 15:27 - 2013-10-11 04:10 - 00391168 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2013-09-22 15:27 - 2013-10-11 04:10 - 00109056 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesysprep.dll
2013-09-22 15:27 - 2013-10-11 04:10 - 00061440 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll
2013-09-22 15:27 - 2013-10-11 04:10 - 00039424 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2013-09-22 15:27 - 2013-10-11 04:10 - 00033280 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll
2013-09-22 14:55 - 2013-10-11 04:10 - 02241024 _____ (Microsoft Corporation) C:\Windows\System32\wininet.dll
2013-09-22 14:55 - 2013-10-11 04:10 - 01365504 _____ (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2013-09-22 14:55 - 2013-10-11 04:10 - 00051712 _____ (Microsoft Corporation) C:\Windows\System32\ie4uinit.exe
2013-09-22 14:54 - 2013-10-11 04:10 - 19252224 _____ (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2013-09-22 14:54 - 2013-10-11 04:10 - 15404544 _____ (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2013-09-22 14:54 - 2013-10-11 04:10 - 03959296 _____ (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2013-09-22 14:54 - 2013-10-11 04:10 - 02647552 _____ (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2013-09-22 14:54 - 2013-10-11 04:10 - 00855552 _____ (Microsoft Corporation) C:\Windows\System32\jscript.dll
2013-09-22 14:54 - 2013-10-11 04:10 - 00603136 _____ (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2013-09-22 14:54 - 2013-10-11 04:10 - 00526336 _____ (Microsoft Corporation) C:\Windows\System32\ieui.dll
2013-09-22 14:54 - 2013-10-11 04:10 - 00136704 _____ (Microsoft Corporation) C:\Windows\System32\iesysprep.dll
2013-09-22 14:54 - 2013-10-11 04:10 - 00067072 _____ (Microsoft Corporation) C:\Windows\System32\iesetup.dll
2013-09-22 14:54 - 2013-10-11 04:10 - 00053248 _____ (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2013-09-22 14:54 - 2013-10-11 04:10 - 00039936 _____ (Microsoft Corporation) C:\Windows\System32\iernonce.dll
2013-09-20 19:38 - 2013-10-11 04:10 - 02706432 _____ (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2013-09-20 19:30 - 2013-10-11 04:10 - 02706432 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2013-09-20 18:48 - 2013-10-11 04:10 - 00089600 _____ (Microsoft Corporation) C:\Windows\System32\RegisterIEPKEYs.exe
2013-09-20 18:39 - 2013-10-11 04:10 - 00071680 _____ (Microsoft Corporation) C:\Windows\SysWOW64\RegisterIEPKEYs.exe
2013-09-19 16:01 - 2012-07-08 13:52 - 00000000 ____D C:\Users\RichardRice\Documents\RESUMate
 
Files to move or delete:
====================
ZeroAccess:
C:\Users\RichardRice\AppData\Local\Google\Desktop\Install
ZeroAccess:
C:\Program Files (x86)\Google\Desktop\Install
C:\ProgramData\pvqdkqkjvbllroblbxh.reg
 
 
==================== Known DLLs (Whitelisted) ================
 
 
==================== Bamital & volsnap Check =================
 
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
 
==================== EXE ASSOCIATION =====================
 
HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK
 
==================== Restore Points  =========================
 
 
==================== Memory info =========================== 
 
Percentage of memory in use: 7%
Total physical RAM: 16339.58 MB
Available physical RAM: 15191.3 MB
Total Pagefile: 16337.78 MB
Available Pagefile: 15173.89 MB
Total Virtual: 8192 MB
Available Virtual: 8191.87 MB
 
==================== Drives ================================
 
Drive c: () (Fixed) (Total:238.47 GB) (Free:145.81 GB) NTFS
Drive d: (Back-Up) (Fixed) (Total:1862.89 GB) (Free:1575.31 GB) NTFS
Drive e: (System Reserved) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS ==>[System with boot components (obtained from reading drive)]
Drive f: (Hard Disk) (Fixed) (Total:931.41 GB) (Free:929.2 GB) NTFS
Drive h: (HP v115w) (Removable) (Total:3.76 GB) (Free:3.75 GB) FAT32
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 238 GB) (Disk ID: 74D8B7C4)
Partition 1: (Not Active) - (Size=238 GB) - (Type=07 NTFS)
 
========================================================
Disk: 1 (MBR Code: Windows 7 or 8) (Size: 1863 GB) (Disk ID: 00000000)
 
Partition: GPT Partition Type
========================================================
Disk: 2 (MBR Code: Windows 7 or 8) (Size: 932 GB) (Disk ID: 74D8B7BC)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=931 GB) - (Type=07 NTFS)
 
========================================================
Disk: 3 (Size: 4 GB) (Disk ID: 04DD5721)
Partition 1: (Not Active) - (Size=4 GB) - (Type=0C)
 
 
LastRegBack: 2013-10-11 13:44
 
==================== End Of Log ============================



#2 Aaflac

Aaflac

    Doin' Dis 'n Dat...


  • Malware Response Team
  • 2,307 posts

Posted 18 October 2013 - 10:41 PM

Justsalsa,

 

 

Welcome to BC Forums!!

 

Thanks for the FRST report. I am presuming it was run from a USB pen drive.

 

Let's see if the following works for you to remove the Antivirus Security Pro Malware ...

Step 1: Please open Notepad (Start > All Programs > Accessories > Notepad).
Copy the entire contents of the code box below.
Save it to the USB pen drive, and name it: fixlist.txt

 

start
HKLM\...\Run: [MSC] - "C:\Program Files\Microsoft Security Client\mssecex.exe" -hide -runkey
HKLM-x32\...\Run: [] - [x]
S2 *etadpug; "C:\Program Files (x86)\Google\Desktop\Install\{c2c37fed-cd7d-2662-80ff-1651ebb34c7f}\   \...\???\{c2c37fed-cd7d-2662-80ff-1651ebb34c7f}\GoogleUpdate.exe"
C:\Users\RichardRice\AppData\Local\Google\Desktop\Install
C:\Program Files (x86)\Google\Desktop\Install
C:\ProgramData\pvqdkqkjvbllroblbxh.reg
end

Once again, run FRST64 as you did before.
When the tool opens click Yes to disclaimer.

Now, press the Fix button, just once, and wait.

 

When done, FRST produces Fixlog.txt on the USB pen drive.

 

>> Please provide the Fixlog.txt on your reply.

 

 

Step 2: If (which I doubt) the computer is still under the 'spell' of the Antivirus Security Pro Malware, look for its shortcut on your Desktop.

Next, go to Control Panel > Folder Options
Click the View tab
Select/check: Show hidden files, folders and drives
Click: Apply > OK

 

Right click on the Antivirus Security Pro icon on the Desktop
Click: Properties
Click the Shortcut tab.

In the Target box there is a path to the Antivirus Security Pro malicious file.
Take note of the name.

Browse to C:\ProgramData\, and find the Antivirus Security Pro malicious folder with the name you just noted.
Right click on the folder, and select: Rename
Rename the folder to:  xxxxxxxx_old     (xxxxxxxx = the folder name you found)

 

Step 3: When done with either Step 1 or Step 2, please restart your computer, and then perform a Full System Scan with Malwarebytes Anti-Malware:
http://www.bleepingcomputer.com/download/malwarebytes-anti-malware/

 

When removal is completed, you will see a report that opens in Notepad.

 

>> Please copy/paste the entire contents of the MBAM report in your reply


Old duck...
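The fixlist in the reply above is built by hand from the FRST log: lines FRST itself marks ATTENTION, the empty Run entry, and the "Files to move or delete" list are copied into a start/end block. The script below is an added example (not from the thread, the helper, or the Farbar tool) that applies those same rules to a constructed excerpt of the posted log and drafts the block; the no-publisher and random-name checks are my own triage heuristics, flagged for review only, and the sample log and Finding/triage/draft_fixlist names are assumptions.

```python
"""Triage an FRST (Farbar Recovery Scan Tool) log and draft a fixlist.txt.

Added example for this thread, not part of the forum post or the FRST tool. It
copies the helper's manual rules (FRST ATTENTION lines, empty or orphaned Run
entries, the "Files to move or delete" list) and flags weaker signals for review.
"""
import re
from dataclasses import dataclass

# Constructed excerpt modelled on the log posted in this thread; not the full log.
SAMPLE_LOG = r"""==================== Registry (Whitelisted) ==================
HKLM\...\Run: [MSC] - "C:\Program Files\Microsoft Security Client\mssecex.exe" -hide -runkey <===== ATTENTION (File name is altered)
HKLM\...\Run: [EvtMgr6] - C:\Program Files\Logitech\SetPointP\SetPoint.exe [1744152 2011-10-07] (Logitech, Inc.)
HKLM\...\Run: [AS2014] - C:\ProgramData\D3nn3733\D3nn3733.exe [533656 2013-10-17] ()
HKLM-x32\...\Run: [] - [x]
==================== Services (Whitelisted) =================
S2 *etadpug; "C:\Program Files (x86)\Google\Desktop\Install\{c2c37fed-cd7d-2662-80ff-1651ebb34c7f}\GoogleUpdate.exe" < <==== ATTENTION (ZeroAccess)
==================== Drivers (Whitelisted) ====================
S0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [230320 2013-01-20] (Microsoft Corporation)
S1 qeulhirw; C:\Windows\system32\drivers\qeulhirw.sys [49872 2013-10-18] (Microsoft Corporation)
S1 cbiqtqiw; \??\C:\Windows\system32\drivers\cbiqtqiw.sys [x]

Files to move or delete:
====================
ZeroAccess:
C:\Program Files (x86)\Google\Desktop\Install
C:\ProgramData\pvqdkqkjvbllroblbxh.reg

==================== Known DLLs (Whitelisted) ================
"""

SECTION_RE = re.compile(r"^=+ (.+?) =+$")
ATTENTION_RE = re.compile(r"\s*<?\s*<=+\s*ATTENTION\s*\((.*?)\).*$")
AUTORUN_RE = re.compile(r"^HK(LM|U)[^:]*\\Run: \[(?P<name>[^\]]*)\] - (?P<target>.*)$")
DRIVER_RE = re.compile(r"^[SR]\d (?P<name>[^;]+); (?P<rest>.*)$")
NO_PUBLISHER_DATA_DIR_RE = re.compile(r"\\(ProgramData|AppData)\\.*\(\)$", re.IGNORECASE)
RANDOM_NAME_RE = re.compile(r"^[a-z]{8}$")


@dataclass
class Finding:
    section: str
    line: str         # the log line exactly as FRST printed it
    reason: str
    confidence: str   # "high": copy into fixlist; "review": look at it first
    fix_entry: str    # what the fixlist line would be


def _fix_entry(line: str) -> str:
    """A fixlist entry is the log line with the ATTENTION marker removed."""
    return ATTENTION_RE.sub("", line).rstrip()


def triage(log_text: str) -> list[Finding]:
    findings: list[Finding] = []
    section, in_move_list = "", False
    for raw in log_text.splitlines():
        line = raw.rstrip()
        head = SECTION_RE.match(line)
        if head:
            section, in_move_list = head.group(1), False
            continue
        if line == "Files to move or delete:":
            section, in_move_list = line, True
            continue
        if not line or line.startswith("===="):
            continue
        if in_move_list:
            if not line.endswith(":"):  # skip family labels such as "ZeroAccess:"
                findings.append(Finding(section, line, "listed by FRST for removal", "high", line))
            continue
        att = ATTENTION_RE.search(line)
        if att:
            findings.append(Finding(section, line, f"FRST ATTENTION: {att.group(1)}", "high", _fix_entry(line)))
            continue
        run = AUTORUN_RE.match(line)
        if run:
            if run.group("name") == "" or run.group("target") == "[x]":
                findings.append(Finding(section, line, "empty or orphaned Run entry", "high", line))
            elif NO_PUBLISHER_DATA_DIR_RE.search(line):
                findings.append(Finding(section, line, "autorun under a data directory with no publisher", "review", line))
            continue
        drv = DRIVER_RE.match(line)
        if drv and section.startswith("Drivers"):
            if drv.group("rest").endswith("[x]"):
                findings.append(Finding(section, line, "driver service whose file is missing", "review", line))
            elif RANDOM_NAME_RE.match(drv.group("name")):
                # Assumption: an 8-letter lowercase name deserves a manual look; it is not proof of malware.
                findings.append(Finding(section, line, "random-looking driver name", "review", line))
    return findings


def draft_fixlist(findings: list[Finding]) -> str:
    """Build the start/end block the helper asks to be saved as fixlist.txt."""
    entries = [f.fix_entry for f in findings if f.confidence == "high"]
    return "\n".join(["start", *entries, "end"]) + "\n"
```

Run on the excerpt, `draft_fixlist(triage(SAMPLE_LOG))` reproduces the helper's fixlist, while the D3nn3733 autorun and the two odd drivers come back as "review" items for a human to judge.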


#3 Justsalsa

Justsalsa
  • Topic Starter

  • Members
  • 2 posts

Posted 19 October 2013 - 12:09 AM

Aaflac,

 

Thank you for your response. Fortunately, I found a solution similar to yours 30 minutes before your response, but only after 3 hours of troubleshooting. I found the folder of the program (disguised as n753353d or something like that) in my Program Files and deleted it. That allowed me to update Microsoft Security Essentials. I ran a full system scan again; it found one item and I deleted it. After that I was able to install Malwarebytes and continued to delete a bunch of trojans.

 

What surprises me the most out of this entire process is that Microsoft Security Essentials was updated frequently, yet the scan didn't find anything roughly 14 hours ago. It said something about the conditions being updated this afternoon.

 

Anyway, thanks again for your help. I apologize for any inconvenience this may have caused. I'm just really happy to have my dad's work computer running again. Please close this thread.



#4 Aaflac

Aaflac

    Doin' Dis 'n Dat...


  • Malware Response Team
  • 2,307 posts

Posted 19 October 2013 - 12:22 AM

Glad your father got his computer back.

 

Good luck!


Old duck...




