
Need help with removing virus


  • This topic is locked
5 replies to this topic

#1 webinfoguy25

  • Members
  • 2 posts

Posted 26 October 2013 - 09:37 PM

Hello, I ran ComboFix yesterday because I think I have some sort of virus. Can someone help me? Should I run ComboFix again and copy and paste the log results here? Also, does anyone know if this directory (C:\Windows\SysWOW64) is normal for Windows 7?

 

Thanks,

 





#2 jeffce

    Bleepin' Super Saiyan

  • Malware Response Team
  • 3,442 posts
  • Gender:Male
  • Location:USA

Posted 27 October 2013 - 12:35 PM

Hi and Welcome!!   
 
My name is Jeff. I would be more than happy to take a look at your malware results logs and help you with solving any malware problems you might have. Logs can take a while to research, so please be patient and know that I am working hard to get you a clean and functional system back in your hands. I'd be grateful if you would note the following:

  • The fixes are specific to your problem and should only be used for the issues on this machine.
  • It's often worth reading through these instructions and printing them for ease of reference.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  • Please reply to this thread. Do not start a new topic.
  • If you happen to have a flash drive/thumb drive please have that ready in the event that we need to use it.
  • Please be sure to subscribe to the topic if you have not already done so.

IMPORTANT NOTE: Please do not delete, download or install anything unless instructed to do so.
DO NOT use any TOOLS such as Combofix or HijackThis fixes without supervision. Doing so could make your system inoperable and could require a full reinstall of your operating system, losing all your programs and data.

 
Having said that.... Let's get going!!
----------
 
Please post the log created by ComboFix.  It should be located at C:\ComboFix.txt.
 

=============================
 

Please download DDS from either of these links (LINK 1 or LINK 2) and save it to your desktop.

  • Disable any antivirus programs during the scan (if you have difficulty properly disabling your protective programs, refer to this link here)
  • Double click dds to run the tool.
  • When done, two DDS.txt's will open.
  • Save both reports to your desktop.

---------------------------------------------------
Please include the contents of the following in your next reply:

  • DDS.txt
  • Attach.txt
----------
 

Please download TDSSKiller

  • Double click TDSSKiller.exe
  • Press Start Scan but do nothing else as we are just looking for what is there.
  • If Malicious objects are found, select Skip by changing the Cure dropdown in the upper right.
  • Attach the log in your next reply
    • A copy of the log will be saved automatically to the root of the drive (typically C:\)

----------
 

AdwCleaner
 
Please download AdwCleaner by Xplode and save to your Desktop.

  • Double click on AdwCleaner.exe to run the tool
    Vista/Windows 7/8 users right-click and select Run As Administrator.
  • Click on the Scan button.
  • AdwCleaner will begin...be patient as the scan may take some time to complete.
  • After the scan has finished, click on the Report button...a logfile (AdwCleaner[R0].txt) will open in Notepad for review.
  • The contents of the log file may be confusing. Unless you see a program name that you know should not be removed, don't worry about it. If you see an entry you want to keep, let me know about it.
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of all logfiles is saved in the C:\AdwCleaner folder, which was created when running the tool.

----------


 


#3 webinfoguy25

  • Topic Starter
  • Members
  • 2 posts

Posted 27 October 2013 - 02:30 PM

ComboFix 13-10-24.01 -  10/25/2013  12:33:53.1.2 - x64
Microsoft Windows 7 Home Premium   [GMT -5:00]
Running from: c:\users\webinfoguy\Desktop\ComboFix.exe
SP: Windows Defender *Enabled/Outdated* {}
 * Created a new restore point
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\Install.exe
c:\users\webinfoguy\AppData\Local\assembly\tmp
.
.
(((((((((((((((((((((((((   Files Created from 2013-09-25 to 2013-10-25  )))))))))))))))))))))))))))))))
.
.
2013-10-25 17:40 . 2013-10-25 17:40    --------    d-----w-    c:\users\MSSQL$ADK\AppData\Local\temp
2013-10-25 17:40 . 2013-10-25 17:40    --------    d-----w-    c:\users\webinfoguy\AppData\Local\temp
2013-10-25 17:40 . 2013-10-25 17:40    --------    d-----w-    c:\users\Default\AppData\Local\temp
2013-10-25 11:54 . 2013-10-25 11:54    --------    d-----w-    c:\users\webinfoguy\AppData\Roaming\Thunderbird
2013-10-25 11:54 . 2013-10-25 11:54    --------    d-----w-    c:\users\webinfoguy\AppData\Local\Thunderbird
2013-10-25 11:54 . 2013-10-25 11:54    --------    d-----w-    c:\program files (x86)\Mozilla Thunderbird
2013-10-23 17:56 . 2013-10-23 17:56    --------    d-----w-    c:\program files (x86)\Common Files\Software Update Utility
2013-10-11 22:58 . 2013-10-12 00:39    --------    d-----w-    c:\users\webinfoguy\.ScreamingFrogSEOSpider
2013-10-11 20:30 . 2013-10-11 20:30    --------    d-----w-    c:\programdata\Oracle
2013-10-11 20:30 . 2013-10-11 20:30    --------    d-----w-    c:\program files (x86)\Common Files\Java
2013-10-11 20:29 . 2013-10-11 20:29    96168    ----a-w-    c:\windows\SysWow64\WindowsAccessBridge-32.dll
2013-10-11 20:29 . 2013-10-11 20:29    --------    d-----w-    c:\program files (x86)\Java
2013-10-11 19:27 . 2013-10-11 19:27    --------    d-----w-    c:\program files (x86)\Screaming Frog SEO Spider
2013-10-11 16:20 . 2013-10-11 16:20    --------    d-----w-    c:\users\webinfoguy\AppData\Roaming\StageManager.BD092818F67280F4B42B04877600987F0111B594.1
2013-10-11 16:14 . 2013-10-11 16:14    --------    d-----r-    c:\users\webinfoguy\Creative Cloud Files
2013-10-11 15:22 . 2013-10-11 15:22    --------    d-----w-    c:\programdata\ALM
2013-10-11 15:21 . 2013-10-11 15:21    --------    d-----w-    c:\program files\Adobe
2013-10-10 00:12 . 2013-10-10 00:12    --------    d-----w-    c:\users\Guest
2013-10-09 02:42 . 2013-10-09 02:42    71048    ----a-w-    c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2013-10-09 02:42 . 2013-10-09 02:42    692616    ----a-w-    c:\windows\SysWow64\FlashPlayerApp.exe
2013-10-08 05:17 . 2013-10-09 02:10    --------    d-----w-    c:\users\webinfoguy\AppData\Local\Bing Ads Intelligence
2013-10-08 05:17 . 2013-10-25 17:40    --------    d-----w-    c:\users\webinfoguy\AppData\Local\assembly
2013-10-05 15:04 . 2013-10-05 15:04    --------    d-----w-    c:\users\webinfoguy\test
2013-10-02 23:14 . 2013-10-02 23:14    2560    ----a-w-    c:\windows\_MSRSTRT.EXE
2013-09-25 23:46 . 2013-09-26 01:30    --------    d-----w-    c:\program files (x86)\WinMerge
2013-09-25 23:18 . 2013-09-25 23:19    --------    d-----w-    c:\users\webinfoguy\AppData\Roaming\UBot Studio
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-10-11 20:29 . 2013-08-02 00:06    868264    ----a-w-    c:\windows\SysWow64\npDeployJava1.dll
2013-10-11 20:29 . 2013-08-02 00:06    790440    ----a-w-    c:\windows\SysWow64\deployJava1.dll
2013-08-27 17:42 . 2013-09-20 03:24    358480    ----a-w-    c:\windows\SysWow64\vmnetdhcp.exe
2013-08-27 17:42 . 2013-09-20 03:24    30800    ----a-w-    c:\windows\system32\drivers\vmnetuserif.sys
2013-08-27 17:42 . 2013-09-20 03:23    930384    ----a-w-    c:\windows\system32\vnetlib64.dll
2013-08-27 17:42 . 2013-09-20 03:24    64080    ----a-w-    c:\windows\system32\drivers\vmx86.sys
2013-08-27 17:42 . 2013-09-20 03:24    437328    ----a-w-    c:\windows\SysWow64\vmnat.exe
2013-08-27 17:42 . 2013-08-27 17:42    80464    ----a-w-    c:\windows\system32\vmnetbridge.dll
2013-08-27 17:42 . 2013-08-27 17:42    49232    ----a-w-    c:\windows\system32\vnetinst.dll
2013-08-27 17:42 . 2013-08-27 17:42    46160    ----a-w-    c:\windows\system32\drivers\vmnetbridge.sys
2013-08-27 17:42 . 2013-08-27 17:42    24656    ----a-w-    c:\windows\system32\drivers\vmnet.sys
2013-08-27 17:42 . 2013-08-27 17:42    20560    ----a-w-    c:\windows\system32\drivers\vmnetadapter.sys
2013-08-27 17:41 . 2013-09-20 03:24    32848    ----a-w-    c:\windows\system32\drivers\VMkbd.sys
2013-08-27 04:33 . 2013-09-20 03:23    53816    ----a-w-    c:\windows\system32\drivers\hcmon.sys
2013-08-27 04:33 . 2013-09-20 03:23    38456    ----a-w-    c:\windows\system32\drivers\vmusb.sys
2013-08-15 23:25 . 2013-09-20 03:24    67664    ----a-w-    c:\windows\system32\vsocklib.dll
2013-08-15 23:25 . 2013-09-20 03:24    63568    ----a-w-    c:\windows\SysWow64\vsocklib.dll
2013-08-15 23:25 . 2013-09-20 03:24    73296    ----a-w-    c:\windows\system32\drivers\vsock.sys
2013-08-15 23:25 . 2013-08-15 23:25    85584    ----a-w-    c:\windows\system32\drivers\vmci.sys
2013-08-01 05:12 . 2013-08-01 05:12    737072    ----a-w-    c:\programdata\Microsoft\eHome\Packages\SportsV2\SportsTemplateCore\Microsoft.MediaCenter.Sports.UI.dll
2013-08-01 05:11 . 2013-08-01 05:11    2876528    ----a-w-    c:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup\markup.dll
2013-08-01 05:09 . 2013-08-01 05:09    42776    ----a-w-    c:\programdata\Microsoft\eHome\Packages\MCEClientUX\dSM\StartResources.dll
2013-08-01 05:09 . 2013-08-01 05:09    539984    ----a-w-    c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AIM for Windows"="c:\users\webinfoguy\AppData\Local\AOL\AIM\aim.exe" [2013-09-09 1074216]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-05-11 958576]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2013-04-22 59720]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2013-05-31 152392]
"Adobe Creative Cloud"="c:\program files (x86)\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe" [2013-09-03 2237328]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2013-07-02 254336]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
R3 ose64;Office 64 Source Engine;c:\program files\Common Files\Microsoft Shared\Source Engine\OSE.EXE;c:\program files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys;c:\windows\SYSNATIVE\drivers\TsUsbGD.sys [x]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys;c:\windows\SYSNATIVE\Drivers\usbaapl64.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]
R4 SQLAgent$ADK;SQL Server Agent (ADK);c:\program files (x86)\Microsoft SQL Server\MSSQL11.ADK\MSSQL\Binn\SQLAGENT.EXE;c:\program files (x86)\Microsoft SQL Server\MSSQL11.ADK\MSSQL\Binn\SQLAGENT.EXE [x]
S0 vmci;VMware VMCI Bus Driver;c:\windows\system32\DRIVERS\vmci.sys;c:\windows\SYSNATIVE\DRIVERS\vmci.sys [x]
S0 vsock;vSockets Driver;c:\windows\system32\drivers\vsock.sys;c:\windows\SYSNATIVE\drivers\vsock.sys [x]
S2 MSSQL$ADK;SQL Server (ADK);c:\program files (x86)\Microsoft SQL Server\MSSQL11.ADK\MSSQL\Binn\sqlservr.exe;c:\program files (x86)\Microsoft SQL Server\MSSQL11.ADK\MSSQL\Binn\sqlservr.exe [x]
S2 VMUSBArbService;VMware USB Arbitration Service;c:\program files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe;c:\program files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe [x]
S3 RTL8192Ce;Realtek Wireless LAN 802.11n PCI-E NIC Driver;c:\windows\system32\DRIVERS\rtl8192Ce.sys;c:\windows\SYSNATIVE\DRIVERS\rtl8192Ce.sys [x]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-10-18 00:19    1185744    ----a-w-    c:\program files (x86)\Google\Chrome\Application\30.0.1599.101\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-10-25 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2013-08-01 00:55]
.
2013-10-25 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2013-08-01 00:55]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ AccExtIco1]
@="{AB9CF9F8-8A96-4F9D-BF21-CE85714C3A47}"
[HKEY_CLASSES_ROOT\CLSID\{AB9CF9F8-8A96-4F9D-BF21-CE85714C3A47}]
2013-08-30 15:01    3358064    ----a-w-    c:\program files (x86)\Adobe\Adobe Creative Cloud\CoreSync\CoreSync_v_1_1_0_x64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ AccExtIco2]
@="{853B7E05-C47D-4985-909A-D0DC5C6D7303}"
[HKEY_CLASSES_ROOT\CLSID\{853B7E05-C47D-4985-909A-D0DC5C6D7303}]
2013-08-30 15:01    3358064    ----a-w-    c:\program files (x86)\Adobe\Adobe Creative Cloud\CoreSync\CoreSync_v_1_1_0_x64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ AccExtIco3]
@="{42D38F2E-98E9-4382-B546-E24E4D6D04BB}"
[HKEY_CLASSES_ROOT\CLSID\{42D38F2E-98E9-4382-B546-E24E4D6D04BB}]
2013-08-30 15:01    3358064    ----a-w-    c:\program files (x86)\Adobe\Adobe Creative Cloud\CoreSync\CoreSync_v_1_1_0_x64.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-02-12 162328]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-02-12 386584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2011-02-12 417304]
"AdobeAAMUpdater-1.0"="c:\program files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2013-06-13 472984]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://yahoo.com/
mStart Page = hxxp://www.google.com
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MICROS~2\Office14\ONBttnIE.dll/105
LSP: %windir%\system32\vsocklib.dll
TCP: DhcpNameServer = removedforsecuritywebinfoguy
FF - ProfilePath - c:\users\webinfoguy\AppData\Roaming\Mozilla\Firefox\Profiles\wvzacnq6.default-1380948248035\
FF - user.js: network.protocol-handler.warn-external.dnupdate - false
.
- - - - ORPHANS REMOVED - - - -
.
Wow6432Node-HKCU-Run-Pinger - c:\program files (x86)\Pinger\Pinger.exe
Wow6432Node-HKCU-Run-EasyPHP - c:\program files (x86)\EasyPHP-DevServer-13.1VC9\EasyPHP-DevServer-13.1VC9.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2013-10-25  12:43:12
ComboFix-quarantined-files.txt  2013-10-25 17:43
.
Pre-Run: 221,837,197,312 bytes free
Post-Run: 222,430,932,992 bytes free
.
- - End Of File - - A73FAD466D795116E99C28B7EB0EF308
A36C5E4F47E84449FF07ED3517B43A31
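One detail in the log above deserves a defender's attention: under "Reg Loading Points", every value in the policies\system block is 0, which means User Account Control has been switched off. The script below is an added example, not part of this thread and not ComboFix's own code. It pulls that block out of a ComboFix log and explains which UAC settings differ from their Windows 7 defaults. The sample input is copied from the posted log; the defaults are Microsoft's documented UAC policy values for Windows 7, which I supply here as an assumption rather than something the thread states.

```python
"""Flag weakened UAC policy values in the 'Reg Loading Points' part of a ComboFix log.

Added example, not ComboFix's code and not posted in the thread. It reads the
[HKEY_LOCAL_MACHINE\\...\\policies\\system] block that ComboFix prints and
explains each value that differs from the Windows 7 default.
"""
import re

# Constructed input: the relevant lines as they appear in the log posted above.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-05-11 958576]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;...
"""

# Windows 7 defaults for the values ComboFix lists (assumed from Microsoft's UAC policy docs).
DEFAULTS = {
    "ConsentPromptBehaviorAdmin": 5,   # prompt for consent for non-Windows binaries
    "ConsentPromptBehaviorUser": 3,    # prompt for credentials on the secure desktop
    "EnableLUA": 1,                    # UAC switched on
    "EnableUIADesktopToggle": 0,       # UIAccess apps may not bypass the secure desktop
    "PromptOnSecureDesktop": 1,        # elevation prompts shown on the secure desktop
}

# Plain-language meaning of each setting when it has been zeroed.
WEAKENED = {
    "EnableLUA": "User Account Control is switched off entirely; every process of an "
                 "administrator account runs fully elevated",
    "PromptOnSecureDesktop": "elevation prompts are drawn on the normal desktop, where "
                             "other programs can overlay or automate them",
    "ConsentPromptBehaviorAdmin": "administrators are elevated silently, with no consent "
                                  "prompt at all",
}

SECTION_RE = re.compile(r"^\[(?P<key>HKEY_[^\]]+)\]\s*$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=\s*(?P<dec>-?\d+)\s*\((?P<hex>0x[0-9a-fA-F]+)\)\s*$')


def parse_policies_system(log_text: str) -> dict:
    """Return {value_name: int} for the policies\\system block, or {} if it is absent."""
    values = {}
    in_block = False
    for line in log_text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            # ComboFix prints the key name in whatever case it found it; compare lowercased.
            in_block = m.group("key").lower().endswith(r"\policies\system")
            continue
        if not in_block:
            continue
        if line.strip() == ".":          # ComboFix ends each block with a lone dot
            in_block = False
            continue
        v = VALUE_RE.match(line)
        if v:
            values[v.group("name")] = int(v.group("dec"))
    return values


def assess_uac(values: dict) -> list:
    """List each value that differs from the default, most serious first."""
    findings = []
    for name in ("EnableLUA", "PromptOnSecureDesktop", "ConsentPromptBehaviorAdmin"):
        if values.get(name) == 0 and DEFAULTS[name] != 0:
            findings.append(f"{name}=0: {WEAKENED[name]}")
    for name, default in DEFAULTS.items():
        already = any(f.startswith(name + "=") for f in findings)
        if name in values and values[name] != default and not already:
            findings.append(f"{name}={values[name]}: differs from the Windows 7 default of {default}")
    return findings


if __name__ == "__main__":
    for finding in assess_uac(parse_policies_system(SAMPLE_LOG)) or ["UAC values at defaults"]:
        print(finding)
```

Run against the posted block it reports three findings, led by EnableLUA=0. Whether the user turned UAC off deliberately or something else did, a cleanup is not finished until these values are back at their defaults; the parser is also a convenient way to check other ComboFix logs quickly.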
 



#4 jeffce

    Bleepin' Super Saiyan

  • Malware Response Team
  • 3,442 posts
  • Gender:Male
  • Location:USA

Posted 27 October 2013 - 06:16 PM

Great! When you get the other tools run, be sure to post those logs as well. :)


 


#5 jeffce

    Bleepin' Super Saiyan

  • Malware Response Team
  • 3,442 posts
  • Gender:Male
  • Location:USA

Posted 29 October 2013 - 08:59 PM

Still with me?


 


#6 jeffce

    Bleepin' Super Saiyan

  • Malware Response Team
  • 3,442 posts
  • Gender:Male
  • Location:USA

Posted 30 October 2013 - 06:27 PM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.
