
External Hard Drive Infection


This topic is locked. 17 replies to this topic.

#1 davidolson255


Posted 02 November 2013 - 10:48 PM

I was on these forums a couple of months ago and received great help with cleaning up my desktop and my laptop; however, I never got a chance to work on my Seagate Backup Plus Desktop Drive, which I use as my network storage drive (I don't back up my drives on it, I only use it on my network for data storage files (the last 10+ years of my life, basically)). I finally hooked it up today and am finding that TONS of folders and files are saying Access Denied when I try to open the folders or if I try to delete the folders. I'm currently running a full scan on the drive using Microsoft Security Essentials and SUPERAntiSpyware. I was thinking that I might be better off begging for assistance on here since you guys took care of my issues very quickly and professionally (I must add that). Once these two scans are complete, I'll power off the drive and wait for a reply here. I really, really don't want to lose my data (I'm sure no one does), but if I can save even a little of my data, it's worth a try to me.

 

To reiterate, my drive is:  Seagate Backup Plus Desktop Drive (2 TB), connected to my desktop PC by USB.

 

My Desktop PC is:  Windows 7 Professional 32-bit Service Pack 1, Dell Inspiron 560, Pentium Dual-Core @ 3.2 GHz, 4 GB RAM

 

Thank you for any assistance you can provide!




#2 davidolson255 (Topic Starter)

Posted 03 November 2013 - 01:55 AM

Just an update from my scan:  

 

I have a service that is running a 0 byte file called wudfhost.exe with a file description of "Windows Driver Foundation - User-mode Driver Framework Host Process", which I found on the Microsoft site; it says it's called Worm:Win32/Slenfbot.ALJ. I also have a file called rpcrt4.dll, which it says is called Trojan:Win32/Fakemsc.A!dll. So obviously this has now spread from my external drive to my desktop PC. I have no idea if there is more on here or not.

 

Also, when I try to open folders on my desktop C: drive, I am getting Access Denied and am told that only the user named TrustedInstaller can access the folder. I don't get it, because I'm using my Administrator account. I should be able to do anything.


Edited by davidolson255, 03 November 2013 - 02:17 AM.


#3 noknojon

Posted 03 November 2013 - 04:51 AM

Try a System File Check on your files -

The 2 examples you posted are both OK file paths and you have the wrong information -

 

1. Go - Start > Accessories > and find Command Prompt : Right click on it and select "Run as an administrator".

2. Once Command Prompt is open, type sfc /scannow and then press Enter.

Note: There's a space between sfc and /scannow.

3. System File Checker will now verify the integrity of every protected operating system file on your computer.

4. Restart your computer if sfc /scannow did actually repair any files.

Note: System File Checker may or may not prompt you to restart but even if it doesn't, you should restart anyway.

 

Re : Original File Name WUDFHost.exe
wudfhost.exe is a Windows Driver Foundation - User-mode Driver Framework Host Process from Microsoft Corporation belonging to Microsoft Windows Operating System.
This process is needed for the relative programme to run properly and so removal is not recommended.

 

Re : rpcrt4.dll - it originates in dotnet 4.0.

 

Re : Trusted Installer - This is an extra Toolbar/Scam that you picked up with a scam download..............

 

Please download and run RKill by Grinler. A black DOS box will briefly flash and then disappear.
This is normal and indicates the tool ran successfully.

Important: Do not reboot your computer until you complete the next step.

 

Please download AdwCleaner by Xplode and save to your Desktop.

* Double-click on AdwCleaner.exe to run the tool.
* Vista/Windows 7/8 users right-click and select Run As Administrator.
* Click on the Scan button. (only once)
* AdwCleaner will begin...be patient as the scan may take some time to complete.
* After the scan has finished, click on the Report button...a logfile (AdwCleaner[R0].txt) will open in Notepad for review.
* Click on the Clean button. (only once)
* Press OK when asked to close all programs and follow the onscreen prompts.
* Press OK again to allow AdwCleaner to restart the computer and complete the removal process.
* After rebooting, a logfile report (AdwCleaner[S0].txt) will open automatically.
* Copy and paste the contents of that logfile in your next reply.
* A copy of all logfiles is saved in the C:\AdwCleaner folder, which was created when running the tool.

 

Thank You -



#4 davidolson255 (Topic Starter)

Posted 03 November 2013 - 12:05 PM

# AdwCleaner v3.010 - Report created 03/11/2013 at 11:59:39
# Updated 20/10/2013 by Xplode
# Operating System : Windows 7 Professional Service Pack 1 (32 bits)
# Username : Dave - DAVE-PC
# Running from : C:\Users\Dave\Downloads\System Cleaner\AdwCleaner.exe
# Option : Clean
 
***** [ Services ] *****
 
 
***** [ Files / Folders ] *****
 
 
***** [ Shortcuts ] *****
 
 
***** [ Registry ] *****
 
 
***** [ Browsers ] *****
 
-\\ Internet Explorer v10.0.9200.16720
 
 
-\\ Google Chrome v30.0.1599.101
 
[ File : C:\Users\Dave\AppData\Local\Google\Chrome\User Data\Default\preferences ]
 
 
*************************
 
AdwCleaner[R1].txt - [774 octets] - [03/11/2013 11:58:22]
AdwCleaner[S1].txt - [696 octets] - [03/11/2013 11:59:39]
 
########## EOF - C:\AdwCleaner\AdwCleaner[S1].txt - [755 octets] ##########


#5 TwinHeadedEagle (Security Colleague)

Posted 03 November 2013 - 04:00 PM

Download MCShield to your desktop and install
It will initially run a scan and show the result as a toaster by the system clock
Then in the control centre select scanner and tick unhide items on flash drives
[image: MCShield scanner settings showing the "unhide items on flash drives" option]
Plug in the drive and McShield will start a scan
 
Then get the log which will be here :
 
Start > all programs > MCShield > logs > all scans

#6 davidolson255 (Topic Starter)

Posted 03 November 2013 - 06:31 PM

Here is the log:

 

>>> MCShield AllScans.txt <<<
 
 
 
MCShield ::Anti-Malware Tool:: http://www.mcshield.net/
 
>>> v 2.8.3.24 / DB: 2013.11.3.1 / Windows 7 <<<
 
 
11/3/2013 5:30:23 PM > Drive C: - scan started (no label ~699 GB, NTFS HDD )...
 
 
 
=> The drive is clean.
 
 
11/3/2013 5:30:23 PM > Drive E: - scan started (Share ~1863 GB, NTFS HDD )...
 
 
 
=> The drive is clean.
 
 
 
 
 
MCShield ::Anti-Malware Tool:: http://www.mcshield.net/
 
>>> v 2.8.3.24 / DB: 2013.11.3.1 / Windows 7 <<<
 
 
11/3/2013 5:50:39 PM > Drive C: - scan started (no label ~699 GB, NTFS HDD )...
 
 
 
=> The drive is clean.
 
 
 
 
 
MCShield ::Anti-Malware Tool:: http://www.mcshield.net/
 
>>> v 2.8.3.24 / DB: 2013.11.3.1 / Windows 7 <<<
 
 
11/3/2013 5:57:41 PM > Drive E: - scan started (Share ~1863 GB, NTFS HDD )...
 
 
 
=> The drive is clean.
 
 
 
-----------------------------------======================================--------------------------------
 
I was looking at my running services, and noticed that I have two services running that I've never seen before and couldn't find much info online, other than they appear to be associated with some game called Roblox, which I've never heard of.
 
Service Name:  AMZDUS
Description:  (blank)
Path to executable:  C:\Users\Dave\AppData\Local\Temp\AMZDUS.exe
 
Service Name:  XBCID
Description:  (blank)
Path to executable:  C:\Users\Dave\AppData\Local\Temp\XBCID.exe
 
I've disabled these both for now.  I hope maybe you are familiar with them and can instruct me on what to do with them.  I realize that nothing is really showing up in the logs for the Applications you are having me run, but I just know there is "something" here, but no idea what it is or where it is.  I'm pretty sure it's now on both my Hard Drive (C Drive) and my External Drive (E Drive).  And something is still preventing me from accessing folders on both drives.  Most of my folders are still showing up as hidden and I can't take ownership (at least not by using the traditional way).
 
 
Edit:  One new thing I'm noticing now is that my Windows Updater doesn't seem to be working correctly.  My Windows Update list is completely empty and I can't seem to install any new ones.  It says it downloaded 4 new updates, it appears to install, but after reboot...it wants to do it all over again.

Edited by davidolson255, 04 November 2013 - 01:05 AM.


#7 davidolson255 (Topic Starter)

Posted 05 November 2013 - 02:21 AM

Got home from work and started seeing little improvements with my network drive, as it started allowing me to take ownership of my folders again.

About an hour later, I found a couple more new services running using my user path temp folder as their file location. Well, only minutes after that, I found that my desktop PC was hit HARD by some malware. Half of my services are now being run from new locations and NON-matching filenames. It doesn't allow me access to kill processes, and I can't use Task Manager; it says "The requested operation requires elevation". My Malwarebytes and Windows Essentials have been taken over. I can't uninstall any programs. My hosts file has been tampered with. Every time I try to use Internet Explorer or Chrome, I get redirected to some French website.

I'm typing this reply from my iPhone. If there is anything that can save me or some helpful advice, please let me know. I have quite a bit of personal identification and data. I'd rather delete it than have it in the wrong hands. I've already had to redo my passwords for online accounts the past couple of months. I don't want to have this keep happening.

I'm gonna disconnect my internet connection and power off everything on my network for the rest of the night, but I have a feeling that my PC at work is gonna be affected. :(

Edited by davidolson255, 05 November 2013 - 02:28 AM.
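The tampered hosts file and the browser redirects described in this post are among the easiest symptoms to verify by hand. The following Python script is an added example, not a tool from the thread: it classifies each hosts entry as a sinkhole (a public name pointed at 127.0.0.1 or 0.0.0.0, which silently breaks updates and security-tool downloads) or a redirect (a public name pointed at some other address). The sample file is constructed, uses RFC 5737 documentation addresses, and the file path is only the Windows default.

```python
"""Spot hosts-file entries that sinkhole security/update domains or redirect
well-known sites elsewhere. Added example; the sample data is constructed
and imitates the symptoms in the post (redirects, tools unable to update)."""
import ipaddress
from dataclasses import dataclass
from typing import List

# Constructed sample, loosely modelled on the Windows default hosts file.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
# localhost name resolution is handled within DNS itself.
#\t127.0.0.1       localhost
127.0.0.1       localhost
0.0.0.0         www.malwarebytes.org
127.0.0.1       update.microsoft.com
203.0.113.10    www.google.com  www.bing.com
"""

# Names that legitimately map to a loopback address.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost",
               "ip6-localhost", "ip6-loopback"}

# RFC 1918 / ULA ranges: a hand-added LAN shortcut is normal, not a hijack.
LAN_NETS = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]


@dataclass
class HostEntry:
    hostname: str
    address: str
    verdict: str  # 'ok', 'sinkholed' or 'redirected'


def classify(address: str, hostname: str) -> str:
    """Decide whether one hostname -> address mapping looks like tampering."""
    ip = ipaddress.ip_address(address)
    name = hostname.lower().rstrip(".")
    if name in LOCAL_NAMES:
        return "ok"
    if ip.is_loopback or ip.is_unspecified:
        # A public name pointed at 127.0.0.1 / 0.0.0.0 / ::1 never resolves:
        # the classic way to silence AV updates and Windows Update.
        return "sinkholed"
    if ip.is_link_local or any(ip in net for net in LAN_NETS):
        return "ok"
    return "redirected"  # public name pointed at a foreign public address


def check_hosts_text(text: str) -> List[HostEntry]:
    """Parse hosts-file text (one address followed by one or more names)."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments and whitespace
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        addr = fields[0]
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            continue  # malformed line; not an address
        for host in fields[1:]:
            entries.append(HostEntry(host, addr, classify(addr, host)))
    return entries


def hijacked(text: str) -> List[HostEntry]:
    """Only the entries that need explaining: sinkholes and redirects."""
    return [e for e in check_hosts_text(text) if e.verdict != "ok"]


def check_hosts_file(path: str = r"C:\Windows\System32\drivers\etc\hosts") -> List[HostEntry]:
    """Run the check against a real hosts file (default: the Windows location)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return hijacked(fh.read())


if __name__ == "__main__":
    for e in hijacked(SAMPLE_HOSTS):
        print(f"{e.verdict:10} {e.hostname:28} -> {e.address}")
```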


#8 noknojon

Posted 05 November 2013 - 03:27 AM

First you should have had a better (fuller) report from AdwCleaner (yours was EMPTY)
I have not seen a report like that since ..... ?

 

C:\Users\Dave\AppData\Local\"Temp"\AMZDUS.exe <= This
C:\Users\Dave\AppData\Local\"Temp"\XBCID.exe <= And This
Both have No Record in any Google search I have done ??

Roblox (about 10 years old) includes many video games that you can link via Online / iPad / iPhone etc
These are aimed at 8 to 18 year olds, and I found no link in them either -

 

As the files listed are Temp files only then run this =>

Please download Temp File Cleaner by Old Timer.
Usage Instructions:

  • Download TFC from the download link above and save the file on your desktop.
  • Close ALL running applications as TFC will terminate them before attempting to clean up the temporary files.
  • Double-click on the TFC icon.
  • When the program opens, click on the Start button.  TFC will terminate the Explorer process and all running applications and then begin the process of cleaning out all of your temp folders.
  • When done, press OK to reboot your computer and finish the cleanup.

Thanks -



#9 davidolson255 (Topic Starter)

Posted 05 November 2013 - 10:20 PM

ComboFix 13-11-04.01 - Dave 11/05/2013  22:05:47.2.2 - x86
Microsoft Windows 7 Professional   6.1.7601.1.1252.1.1033.18.3293.2402 [GMT -5:00]
Running from: c:\users\Dave\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {641105E6-77ED-3F35-A304-765193BCB75F}
SP: Microsoft Security Essentials *Disabled/Updated* {DF70E402-51D7-30BB-99B4-4D23E83BFDE2}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((   Files Created from 2013-10-06 to 2013-11-06  )))))))))))))))))))))))))))))))
.
.
2013-11-06 03:08 . 2013-11-06 03:08 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-11-06 02:26 . 2013-11-06 02:26 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2013-11-06 02:13 . 2013-10-14 03:39 7796464 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{5429DC0E-B6E6-4717-BD45-15842CB75797}\mpengine.dll
2013-11-06 02:01 . 2013-11-06 02:29 -------- d-----w- c:\program files\HitmanPro
2013-11-06 02:01 . 2013-11-06 02:14 -------- d-----w- c:\programdata\HitmanPro
2013-11-06 00:48 . 2013-11-06 00:48 -------- d-----w- c:\program files\Absolute Uninstaller
2013-11-05 04:52 . 2013-10-14 03:39 7796464 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2013-11-04 02:35 . 2013-11-04 02:35 -------- d-----w- c:\windows\ERUNT
2013-11-03 22:30 . 2013-11-06 02:56 -------- d-----w- c:\programdata\MCShield
2013-11-03 22:30 . 2013-11-03 22:30 -------- d-----w- c:\program files\MCShield
2013-11-03 18:11 . 2013-11-03 18:11 -------- d-----w- c:\program files\Microsoft Silverlight
2013-11-03 04:19 . 2013-11-05 14:38 -------- d-----w- c:\programdata\Malwarebytes' Anti-Malware (portable)
2013-11-03 04:16 . 2013-11-05 14:30 75992 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2013-11-03 03:55 . 2013-11-03 03:55 -------- d-----w- c:\programdata\Malwarebytes
2013-11-03 03:55 . 2013-11-03 03:56 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2013-11-03 03:55 . 2013-04-04 18:50 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-11-03 00:40 . 2013-11-03 00:40 -------- d-----w- c:\program files\Intel
2013-11-03 00:37 . 2012-05-04 09:59 514560 ----a-w- c:\windows\system32\qdvd.dll
2013-11-03 00:37 . 2012-08-24 17:05 136560 ----a-w- c:\windows\system32\drivers\ksecpkg.sys
2013-11-03 00:37 . 2012-08-24 16:57 247808 ----a-w- c:\windows\system32\schannel.dll
2013-11-03 00:37 . 2012-08-24 17:02 369856 ----a-w- c:\windows\system32\drivers\cng.sys
2013-11-03 00:37 . 2012-08-24 16:56 1039360 ----a-w- c:\windows\system32\lsasrv.dll
2013-11-02 23:21 . 2013-11-02 23:52 -------- d-----w- c:\program files\Common Files\InstallShield
2013-11-01 22:40 . 2013-11-01 22:40 -------- d-----w- c:\programdata\LogMeIn
2013-10-31 17:09 . 2013-11-06 01:43 -------- d-----w- c:\programdata\HP
2013-10-26 17:42 . 2013-10-26 17:42 35840 ----a-w- c:\windows\system32\COMDLG32.oca
2013-10-26 17:42 . 2013-10-26 17:42 267776 ----a-w- c:\windows\system32\mscomctl.oca
2013-10-26 02:46 . 2013-10-26 02:46 209920 ----a-w- c:\windows\system32\doControlPack.oca
2013-10-26 02:44 . 2013-11-05 02:02 -------- d-----w- c:\program files\Common Files\Adobe
2013-10-25 23:50 . 2013-08-15 22:13 348160 ----a-w- c:\windows\system32\FM20.oca
2013-10-25 00:53 . 2013-10-27 00:45 1024000 ----a-w- c:\windows\system32\doControlPack.ocx
2013-10-24 01:55 . 2005-01-02 21:43 4682 ----a-w- c:\windows\system32\npptNT2.sys
2013-10-24 01:55 . 2003-07-19 06:17 5174 ----a-w- c:\windows\system32\nppt9x.vxd
2013-10-24 01:55 . 2013-10-24 01:55 -------- d-----w- c:\program files\Common Files\INCA Shared
2013-10-24 00:29 . 2013-11-02 23:52 -------- d-----w- c:\program files\InstallShield Installation Information
2013-10-24 00:29 . 2013-10-24 00:29 -------- d-----w- c:\program files\NCSOFT
2013-10-24 00:26 . 2007-04-04 22:55 261480 ----a-w- c:\windows\system32\xactengine2_7.dll
2013-10-24 00:23 . 2013-11-05 07:21 -------- d-----w- c:\program files\NCWest
2013-10-24 00:14 . 2013-10-24 00:14 -------- d-----w- c:\programdata\Oracle
2013-10-24 00:13 . 2013-10-24 00:13 -------- d-----w- c:\program files\Common Files\Java
2013-10-24 00:13 . 2013-10-24 00:13 94632 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2013-10-24 00:13 . 2013-10-24 00:13 -------- d-----w- c:\program files\Java
2013-10-24 00:12 . 2013-10-24 00:12 -------- d-----w- c:\programdata\McAfee
2013-10-23 23:32 . 2013-10-24 00:04 -------- d-----w- c:\program files\SUPERAntiSpyware
2013-10-23 23:32 . 2013-10-23 23:32 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2013-10-23 23:09 . 2013-10-23 23:09 604 ----a-w- c:\windows\uninstallstickies.bat
2013-10-23 23:09 . 2013-10-23 23:09 -------- d-----w- c:\program files\stickies
2013-10-23 23:07 . 2013-09-04 01:15 258560 ----a-w- c:\windows\system32\drivers\usbhub.sys
2013-10-23 23:07 . 2013-09-04 01:14 76288 ----a-w- c:\windows\system32\drivers\usbccgp.sys
2013-10-23 23:07 . 2013-09-04 01:14 284672 ----a-w- c:\windows\system32\drivers\usbport.sys
2013-10-23 23:07 . 2013-09-04 01:14 43008 ----a-w- c:\windows\system32\drivers\usbehci.sys
2013-10-23 23:07 . 2013-09-04 01:14 20480 ----a-w- c:\windows\system32\drivers\usbohci.sys
2013-10-23 23:07 . 2013-09-04 01:14 24064 ----a-w- c:\windows\system32\drivers\usbuhci.sys
2013-10-23 23:07 . 2013-09-04 01:14 6016 ----a-w- c:\windows\system32\drivers\usbd.sys
2013-10-23 04:01 . 2013-10-23 04:01 -------- d-----w- c:\users\Default\AppData\Local\Microsoft Help
2013-10-23 03:47 . 2013-10-23 03:47 -------- d-----w- c:\program files\Web Publish
2013-10-23 03:47 . 2013-10-23 03:47 -------- d-----w- c:\windows\msapps
2013-10-23 03:45 . 2011-03-11 05:39 148864 ----a-w- c:\windows\system32\drivers\storport.sys
2013-10-23 03:45 . 2011-03-11 05:39 143744 ----a-w- c:\windows\system32\drivers\nvstor.sys
2013-10-23 03:45 . 2011-03-11 05:39 117120 ----a-w- c:\windows\system32\drivers\nvraid.sys
2013-10-23 03:45 . 2011-03-11 05:38 332160 ----a-w- c:\windows\system32\drivers\iaStorV.sys
2013-10-23 03:45 . 2011-03-11 05:38 80256 ----a-w- c:\windows\system32\drivers\amdsata.sys
2013-10-23 03:45 . 2011-03-11 05:38 22400 ----a-w- c:\windows\system32\drivers\amdxata.sys
2013-10-23 03:45 . 2011-03-11 05:33 1699328 ----a-w- c:\windows\system32\esent.dll
2013-10-23 03:45 . 2011-03-11 05:31 74240 ----a-w- c:\windows\system32\fsutil.exe
2013-10-23 03:44 . 2013-04-17 07:02 1230336 ----a-w- c:\windows\system32\WindowsCodecs.dll
2013-10-23 03:40 . 2013-10-23 00:01 -------- d-----w- c:\windows\Panther
2013-10-23 01:59 . 2013-10-23 01:59 -------- d-----w- c:\program files\Microsoft Synchronization Services
2013-10-23 01:58 . 2013-11-03 22:16 -------- d-----w- c:\program files\Microsoft.NET
2013-10-23 01:58 . 2013-10-23 01:58 -------- d-----w- c:\windows\PCHEALTH
2013-10-23 01:58 . 2013-10-23 01:58 -------- d-----w- c:\program files\Microsoft Sync Framework
2013-10-23 01:58 . 2013-10-23 01:58 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition
2013-10-23 01:57 . 2013-10-23 01:57 -------- d-----w- c:\program files\Microsoft Visual Studio 8
2013-10-23 01:56 . 2013-10-23 01:56 -------- d-----w- c:\program files\Microsoft Analysis Services
2013-10-23 01:55 . 2013-10-23 23:16 -------- d-----w- c:\programdata\Microsoft Help
2013-10-23 01:49 . 2013-11-04 13:16 -------- d-----w- c:\program files\Google
2013-10-23 01:39 . 2013-10-23 01:39 719224 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{6FF3E42A-1708-4C82-8A1A-DCF0F6CBC1FD}\gapaengine.dll
2013-10-23 01:33 . 2013-11-06 01:43 -------- d-sh--w- c:\windows\Installer
2013-10-23 01:33 . 2013-10-23 01:33 -------- d-----w- c:\program files\Microsoft Security Client
2013-10-23 01:29 . 2013-10-23 01:29 -------- d-----w- c:\windows\system32\Wat
2013-10-23 00:59 . 2013-10-23 01:00 -------- d-----w- c:\windows\system32\MRT
2013-10-23 00:50 . 2012-07-26 03:20 73216 ----a-w- c:\windows\system32\WUDFSvc.dll
2013-10-23 00:50 . 2012-07-26 03:20 172032 ----a-w- c:\windows\system32\WUDFPlatform.dll
2013-10-23 00:50 . 2012-07-26 02:33 66560 ----a-w- c:\windows\system32\drivers\WUDFPf.sys
2013-10-23 00:50 . 2012-07-26 02:32 155136 ----a-w- c:\windows\system32\drivers\WUDFRd.sys
2013-10-23 00:50 . 2012-07-26 03:21 196608 ----a-w- c:\windows\system32\WUDFHost.exe
2013-10-23 00:50 . 2012-07-26 03:20 613888 ----a-w- c:\windows\system32\WUDFx.dll
2013-10-23 00:50 . 2012-07-26 03:20 38912 ----a-w- c:\windows\system32\WUDFCoinstaller.dll
2013-10-23 00:49 . 2012-03-01 05:46 19824 ----a-w- c:\windows\system32\drivers\fs_rec.sys
2013-10-23 00:49 . 2012-03-01 05:33 159232 ----a-w- c:\windows\system32\imagehlp.dll
2013-10-23 00:49 . 2012-03-01 05:29 5120 ----a-w- c:\windows\system32\wmi.dll
2013-10-23 00:37 . 2013-10-23 00:37 9728 ---ha-w- c:\windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
2013-10-23 00:36 . 2013-10-23 00:36 1505280 ----a-w- c:\windows\system32\d3d11.dll
2013-10-23 00:35 . 2013-07-04 11:57 205824 ----a-w- c:\windows\system32\WebClnt.dll
2013-10-23 00:35 . 2013-07-04 11:51 81920 ----a-w- c:\windows\system32\davclnt.dll
2013-10-23 00:35 . 2013-07-04 09:48 115712 ----a-w- c:\windows\system32\drivers\mrxdav.sys
2013-10-23 00:35 . 2011-04-09 05:56 123904 ----a-w- c:\windows\system32\poqexec.exe
2013-10-23 00:23 . 2013-02-27 05:05 101720 ----a-w- c:\windows\system32\consent.exe
2013-10-23 00:23 . 2013-02-27 04:49 1796096 ----a-w- c:\windows\system32\authui.dll
2013-10-23 00:23 . 2013-02-27 04:49 47104 ----a-w- c:\windows\system32\appinfo.dll
2013-10-23 00:22 . 2013-10-23 00:23 -------- d-----w- c:\program files\Sysinternals
2013-10-23 00:20 . 2013-10-23 00:20 -------- d-----w- c:\program files\WinCDEmu
2013-10-23 00:05 . 2012-02-17 05:34 826880 ----a-w- c:\windows\system32\rdpcore.dll
2013-10-23 00:05 . 2012-02-17 04:13 24576 ----a-w- c:\windows\system32\drivers\tdtcp.sys
2013-10-23 00:02 . 2012-06-02 22:19 53784 ----a-w- c:\windows\system32\wuauclt.exe
2013-10-23 00:02 . 2012-06-02 22:19 45080 ----a-w- c:\windows\system32\wups2.dll
2013-10-23 00:02 . 2012-06-02 22:19 1933848 ----a-w- c:\windows\system32\wuaueng.dll
2013-10-23 00:02 . 2012-06-02 22:12 2422272 ----a-w- c:\windows\system32\wucltux.dll
2013-10-23 00:02 . 2012-06-02 22:19 35864 ----a-w- c:\windows\system32\wups.dll
2013-10-23 00:02 . 2012-06-02 22:19 577048 ----a-w- c:\windows\system32\wuapi.dll
2013-10-23 00:02 . 2012-06-02 22:12 88576 ----a-w- c:\windows\system32\wudriver.dll
2013-10-23 00:02 . 2012-06-02 19:19 171904 ----a-w- c:\windows\system32\wuwebv.dll
2013-10-23 00:02 . 2012-06-02 19:12 33792 ----a-w- c:\windows\system32\wuapp.exe
2013-10-23 00:02 . 2013-11-06 00:47 -------- d-----w- c:\users\Dave
2013-10-23 00:01 . 2013-10-23 00:01 -------- d-----w- C:\Recovery
2013-10-22 23:32 . 2013-10-23 03:40 -------- d-----w- C:\Boot
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2013-10-24 5707544]
"MCShield Monitor"="c:\program files\MCShield\mcshieldrtm.exe" [2013-10-26 607232]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2013-08-12 995176]
"BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2012-11-05 89184]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-02-11 137752]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-02-11 171032]
"Persistence"="c:\windows\system32\igfxpers.exe" [2011-02-11 172568]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Stickies.lnk - c:\program files\stickies\stickies.exe [2013-10-23 765952]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2013-05-07 115440]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37.sys]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37Crusader]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37CrusaderBoot]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
R2 AMZDUS;AMZDUS;c:\users\Dave\AppData\Local\Temp\AMZDUS.exe [x]
R2 HitmanProScheduler;HitmanPro Scheduler;c:\program files\HitmanPro\hmpsched.exe [2013-11-06 106280]
R2 MBAMScheduler;MBAMScheduler;c:\program files\Malwarebytes' Anti-Malware\mbamscheduler.exe [2013-04-04 418376]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2013-04-04 701512]
R2 XBCID;XBCID;c:\users\Dave\AppData\Local\Temp\XBCID.exe [x]
R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [2010-11-20 62464]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2013-04-04 22856]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2013-11-06 40776]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2013-06-19 107392]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe [2013-08-12 295376]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2012-08-23 14848]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2012-08-23 49664]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2012-08-23 27136]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2013-10-23 1343400]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2011-07-22 12880]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2011-07-12 67664]
S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [2013-05-23 119056]
S3 BazisVirtualCDBus;WinCDEmu Virtual Bus Driver;c:\windows\system32\DRIVERS\BazisVirtualCDBus.sys [2011-08-08 117584]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2011-06-10 394856]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-10-23 01:49 1185744 ----a-w- c:\program files\Google\Chrome\Application\30.0.1599.101\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-11-06 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2013-10-23 01:49]
.
2013-11-06 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2013-10-23 01:49]
.
2013-11-06 c:\windows\Tasks\SUPERAntiSpyware Scheduled Task 66b64581-fa06-46e2-8e27-6c7a026fbbe4.job
- c:\program files\SUPERAntiSpyware\SASTask.exe [2013-05-23 20:21]
.
2013-11-05 c:\windows\Tasks\SUPERAntiSpyware Scheduled Task fb67653b-5bc0-4c2d-8352-6b07013f735e.job
- c:\program files\SUPERAntiSpyware\SASTask.exe [2013-05-23 20:21]
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MICROS~2\Office14\ONBttnIE.dll/105
TCP: DhcpNameServer = 192.168.2.1
TCP: Interfaces\{0FE4CB0A-389F-4DE3-B732-A93102D2655D}: NameServer = 192.168.2.1
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2013-11-05  22:09:53
ComboFix-quarantined-files.txt  2013-11-06 03:09
.
Pre-Run: 659,091,992,576 bytes free
Post-Run: 659,045,101,568 bytes free
.
- - End Of File - - 90598321FC80B4AA05524DE4A900C49C
A36C5E4F47E84449FF07ED3517B43A31
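The two Temp-folder services from post #6 show up again in the "Reg Loading Points" section of the ComboFix log above: the R2 AMZDUS and XBCID lines carry [x] where every other service has a file date and size. As an added example, not part of the thread or of ComboFix, the Python script below parses service lines in that layout and flags the entries a helper would ask about first. The sample block is a subset of the posted log; the reading of the R/S letter as running/stopped and of the digit as the registry Start value is my assumption about ComboFix's layout.

```python
"""Triage the service entries of a ComboFix log for persistence from
user-writable temp folders. Added example; not ComboFix code."""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample: a subset of the service lines from the posted log.
# Assumed layout: <R|S><Start> <name>;<display name>;<path> [<meta>]
#   R / S   service running / stopped
#   Start   registry Start value (2 = automatic, 3 = manual)
#   meta    file date and size, or 'x' when ComboFix could not read the file
SAMPLE_SERVICES = r"""
R2 AMZDUS;AMZDUS;c:\users\Dave\AppData\Local\Temp\AMZDUS.exe [x]
R2 HitmanProScheduler;HitmanPro Scheduler;c:\program files\HitmanPro\hmpsched.exe [2013-11-06 106280]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2013-04-04 701512]
R2 XBCID;XBCID;c:\users\Dave\AppData\Local\Temp\XBCID.exe [x]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2013-04-04 22856]
S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [2013-05-23 119056]
"""

SERVICE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d)\s+"
    r"(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>.+?)\s+\[(?P<meta>[^\]]*)\]\s*$"
)

# Folders any local user can write to. A service binary here is a strong
# persistence signal: legitimate services install under Program Files or
# the Windows directory, not under a per-user Temp folder.
USER_WRITABLE_MARKERS = (
    "\\appdata\\local\\temp\\",
    "\\windows\\temp\\",
    "\\users\\public\\",
)


@dataclass
class Finding:
    name: str
    path: str
    running: bool
    start: int
    reasons: List[str] = field(default_factory=list)


def parse_services(text: str) -> List[Dict[str, str]]:
    """Return one dict per line that matches the ComboFix service layout."""
    entries = []
    for line in text.splitlines():
        m = SERVICE_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def triage(text: str) -> List[Finding]:
    """Flag services whose binary sits in a temp folder or has no file metadata."""
    findings = []
    for e in parse_services(text):
        reasons = []
        path_lc = e["path"].lower()
        if any(marker in path_lc for marker in USER_WRITABLE_MARKERS):
            reasons.append("binary lives in a user-writable temp folder")
        if e["meta"].strip().lower() == "x":
            reasons.append("no file date/size recorded (file missing or unreadable at scan time)")
        if reasons:
            findings.append(Finding(e["name"], e["path"], e["state"] == "R",
                                    int(e["start"]), reasons))
    return findings


def suspicious_names(text: str) -> List[str]:
    """Just the service names worth quoting back to the poster."""
    return [f.name for f in triage(text)]


if __name__ == "__main__":
    for f in triage(SAMPLE_SERVICES):
        state = "running" if f.running else "stopped"
        print(f"{f.name}: {f.path} ({state}, Start={f.start})")
        for r in f.reasons:
            print(f"    - {r}")
```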


#10 davidolson255 (Topic Starter)

Posted 07 November 2013 - 02:30 AM

Haven't heard back about next steps, but I can see you guys are very busy right now.  I've been noticing things getting worse on my PC and occasionally still on my external drive.  I went ahead and basically deleted just about all my data on the external drive (except pictures, videos, and some other odds and ends).

 

Since then, I noticed I have a new directory on my external drive that contains 3 files: two files starting with MRT and one hidden file called $shtdwn$.

 

** strange..I just went to check that directory, but now it's gone **

 

I'm constantly getting Windows Explorer crashes (C:\Windows\Explorer.exe).  Seems like it is typically when I'm looking at an "unusual" named directory/file.

 

I'm noticing a file named SMSvcHost.exe has been spending a lot of time playing with files under C:\Windows\Assembly\ along with folders under there called GAC_32 and NativeImages; however, when I use Windows Explorer and go to C:\Windows\Assembly, I don't see ANY folders, just a lot of library files.  Recently noticed a folder was created called (something like) C:\$mft (NTFS Master File Table), but I'm not able to see the folder through Explorer.

 

When I go into Task Manager, I am typically seeing 3 DLLHOST.exe files running, but when I hover over them or try to see their Image Path Name, Command Line (to see what they are calling) they instantly disappear on me.  :(

 

Well, that's about the latest of the issues so far.  I'm kinda tempted to go back to the starting point of your instructions for me, as I think we had made progress, but too much time has passed and it has spread again.  I'm about 50% sure my Malwarebytes files are corrupt, and my Microsoft Security Essentials has NEVER found any threats.  Let me know if you think I should uninstall and reinstall anything.

 

oh..last thing.  I ran ESET Online Scanner this evening and it found two threats:

 

C:\System Volume Information\_restore{9CEBAF70-245A-464B-B6EB-4D2E74A2F12A}\RP42\A0009923.exe probably a variant of Win32/CNETInstaller.A application cleaned by deleting - quarantined
C:\System Volume Information\_restore{9CEBAF70-245A-464B-B6EB-4D2E74A2F12A}\RP42\A0009949.exe Win32/InstallMonetizer.AN application cleaned by deleting - quarantined


#11 davidolson255 (Topic Starter)

Posted 07 November 2013 - 06:13 PM

hey noknojon...I know we are on opposite time zones and there are many others that need assistance, but am hoping for an update from you.  I'm starting to prepare myself for a format and OS reinstall on my PC.  It just drives me crazy when I try to use it or attempt to clean it.  Yes, it will suck to lose data, but, according to my wife, the only important files are the photos on the external drive, which I'm not touching until I know my desktop PC is working properly.  I think the external drive is clean of malware now anyways.  It seems to prefer hanging out on my PC.  It would be great to have some new instructions waiting for me after I complete the format/OS work.

Thank you!  Have a good day!



#12 HelpBot (Bleepin' Binary Bot)

Posted 07 November 2013 - 10:50 PM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

Step 1: In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/512748 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

Step 2: If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from the following link if you no longer have it available and save it to your desktop.

    DDS.com Download Link
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control can be found HERE.

As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#13 davidolson255 (Topic Starter)

Posted 09 November 2013 - 02:03 AM

Yes I still need help!

I made a USB bootable flash drive with Win 7 32-bit OS installers on it. I formatted my hard drive and reinstalled Windows. I went to sleep after updating Windows updates and AV setup. After a couple hours sleep, I went to work. Around lunch time, my wife called me to say that the wifi in our house stopped working. After I got home, I noticed that the router's wifi was working just fine, but the router couldn't get an Internet connection.

I used my PC to log into the router to check logs. I noticed that the date and time got reset back to Dec 1, 2007. After changing it to the correct date and time, I noticed there were some website addresses set up for the router to sync time. Using my iPhone, I checked 1 of the 3, but it looked WAY off. I'll paste it here for you to confirm its safety:

http://ntp.actiontec.com/

I'm trying not to write a book here, so:

My internet browsers have redirects and don't allow me to make any changes, even when logged on as my admin user. I got so frustrated that I got the virus back yet again that I started disabling all the services. Yes, I know that I wasn't helping, but I didn't want to let the virus win. Then I remembered that I had downloaded quite a few rootkit removers on another flash drive, so I copied them all to my hard drive. I started with the Malwarebytes rootkit remover. It didn't run very long before my PC locked up. After restarting my PC, I got BOOTMGR not found. I used my bootable USB and was able to repair it.

Next, I grabbed my phone to try and find someone to help me with this. That's when I came across these application logs. I have a lot of log files from 2013-11-02 to today on my phone. It looks to be a rootkit crashing my apps. It shows very detailed threads in the logs, but I don't know how to begin to do something on my phone. I took some screenshots of the logs. Let me know if I should post them.

Back to my PC. I can log into Windows now, but my user account and admin account are very restricted. I get access denied for most folders. I try to take ownership, but they are mostly all owned by the TrustedInstaller account (whatever that is). When I try to edit permissions it says "can't open access control editor". Most likely because I disabled tons of services, but everything else is grayed out anyways, like read only and hidden. It doesn't allow me to execute any file with the extension of .exe. I'm gonna try to restart in safe mode and see if I get more permissions.

Please don't give up on me. I need direction!
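Added example (an editor's addition, not the poster's words and not instructions from the forum staff) for two points in the post above: folders owned by TrustedInstaller, and no .exe being allowed to run. On Windows Vista and 7, NT SERVICE\TrustedInstaller (the Windows Modules Installer service) is the normal owner of the files under C:\Windows and C:\Program Files, so that ownership by itself is expected and is not evidence of tampering. A blanket refusal to launch .exe files, on the other hand, is usually done in the registry: the .exe file-type association (HKCR\.exe and HKCR\exefile\shell\open\command), a per-user override of it under HKCU that wins over the machine-wide keys, or a "Debugger" value under Image File Execution Options that makes Windows start a different program whenever a named executable is launched (a common way to neuter security tools by file name). The script below lists those keys next to the stock Windows values. Assumptions: Windows 7 32-bit as installed in the post, an administrator prompt, and that the Expected column is the value of a default install; any other value is what to report back.

```powershell
# Added example, not part of the thread. Audits the registry paths that decide
# how a double-clicked or typed .exe is launched, plus the Image File Execution
# Options "Debugger" hook. Assumptions: Windows 7, run as an administrator; the
# Expected column holds the stock Windows values.
function Get-RegDefault([string]$Path) {
    # A key's (default) value, or $null when the key or the value is missing.
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    (Get-ItemProperty -LiteralPath $Path).'(default)'
}

function Test-ExeAssociation {
    # Machine-wide association. HKCR is a merged view; HKLM holds the stock values.
    $expected = @(
        @{ Path = 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.exe';                       Value = 'exefile' },
        @{ Path = 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command'; Value = '"%1" %*' }
    )
    foreach ($e in $expected) {
        $actual = Get-RegDefault $e.Path
        New-Object PSObject -Property @{
            Key = $e.Path; Expected = $e.Value; Actual = $actual; OK = ($actual -eq $e.Value)
        } | Select-Object OK, Key, Expected, Actual
    }
    # Per-user keys override HKLM and are absent on a clean install; a hijack that
    # only needs the current user's rights lives here.
    $userKeys = @(
        'Registry::HKEY_CURRENT_USER\Software\Classes\.exe',
        'Registry::HKEY_CURRENT_USER\Software\Classes\exefile\shell\open\command',
        'Registry::HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe\UserChoice'
    )
    foreach ($path in $userKeys) {
        if (Test-Path -LiteralPath $path) {
            New-Object PSObject -Property @{
                Key = $path; Expected = '(absent)'; Actual = '(present)'; OK = $false
            } | Select-Object OK, Key, Expected, Actual
        }
    }
}

function Get-IfeoDebugger {
    # A Debugger value under an executable's IFEO key makes Windows start that
    # program instead, with the original command line as its argument. A stock
    # Windows 7 install sets none, so every row here deserves a look.
    $ifeo = 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
    foreach ($sub in Get-ChildItem -LiteralPath $ifeo) {
        $dbg = (Get-ItemProperty -LiteralPath $sub.PSPath).Debugger
        if ($dbg) {
            New-Object PSObject -Property @{ Executable = $sub.PSChildName; Debugger = $dbg } |
                Select-Object Executable, Debugger
        }
    }
}

Test-ExeAssociation | Format-Table -AutoSize -Wrap
Get-IfeoDebugger    | Format-Table -AutoSize -Wrap
```

If .exe files will not start at all, run this from an elevated PowerShell prompt (PowerShell itself is started by the shell, not through the .exe association, which is why the check is written for it rather than as a batch file). A row with OK False, a present HKCU override, or any Debugger entry is the finding to post, together with the Actual value, before changing anything.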

#14 davidolson255 (Topic Starter)

Posted 09 November 2013 - 03:07 PM

I did some research this morning on the strange settings on my router. This site has a PDF that contains information on vulnerabilities in quite a few routers, including mine. Can someone confirm the integrity of this site/company? The info on my router starts on page 6. If this is valid, then I think I need router assistance also. Not sure if I should format my hard drive again and/or try to upgrade the firmware on the router? Which to do first? Plus I still need to clean up that external drive. Blah

http://securityevaluators.com/content/case-studies/routers/Vulnerability_Catalog.pdf

My router: Actiontec MI424WR
ISP: Verizon FiOS
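Added example (an editor's addition, not from the poster or the forum staff) for the browser redirects and the altered router settings described in the two posts above. If the router has been tampered with, the first thing it can change for every machine behind it is the DNS servers it hands out over DHCP, and redirects that survive a clean reinstall of the PC are consistent with that, or with an edited hosts file on the PC itself. The script reports, per adapter, the DHCP server, gateway and DNS servers, flags DNS servers that are neither the gateway (the usual home-router arrangement) nor on a list the reader supplies, and prints any active hosts-file entries. Assumptions: Windows PowerShell on the affected PC; the TrustedDns list is a placeholder to be replaced with the ISP's resolvers (the two public addresses in the usage line are only an illustration).

```powershell
# Added example, not part of the thread. Shows where each adapter gets its DHCP
# lease, gateway and DNS servers, flags DNS servers that are neither the gateway
# nor on the reader's trusted list, and prints active hosts-file entries.
# Assumptions: Windows PowerShell, any version; $TrustedDns is replaced with
# the resolvers you actually expect.
function Get-DnsConfigReport([string[]]$TrustedDns = @()) {
    foreach ($nic in @(Get-WmiObject -Class Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE')) {
        $gateways = @($nic.DefaultIPGateway     | Where-Object { $_ })
        $dns      = @($nic.DNSServerSearchOrder | Where-Object { $_ })
        # Anything that is not the router and not on the trusted list is worth asking about.
        $odd      = @($dns | Where-Object { ($gateways -notcontains $_) -and ($TrustedDns -notcontains $_) })
        New-Object PSObject -Property @{
            Adapter       = $nic.Description
            DhcpServer    = $nic.DHCPServer
            Gateway       = ($gateways -join ', ')
            DnsServers    = ($dns -join ', ')
            UnexpectedDns = ($odd -join ', ')
        } | Select-Object Adapter, DhcpServer, Gateway, DnsServers, UnexpectedDns
    }
}

function Get-HostsOverride {
    # Non-blank, non-comment lines; each one bypasses DNS for that host name.
    $hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    Get-Content -LiteralPath $hosts | Where-Object { $_ -match '^\s*[^#\s]' }
}

# Placeholder trusted resolvers; substitute the ISP's addresses before relying on the report.
Get-DnsConfigReport -TrustedDns @('8.8.8.8', '8.8.4.4') | Format-List
Get-HostsOverride
```

On a typical home network the DhcpServer and Gateway are the router's LAN address and DnsServers is either that same address or the ISP's resolvers, so UnexpectedDns should be empty and Get-HostsOverride should print nothing. A DNS server elsewhere, or hosts entries for sites you did not add, is the detail to put in the next reply together with the router model, since it points at where the redirects are being injected.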

#15 davidolson255 (Topic Starter)

Posted 11 November 2013 - 06:11 AM

Still having problems here.  I feel like I'm right back where I started.  My monitor goes black for a couple seconds quite often, or at least it does when I'm trying to find info on this virus.  I've noticed that the registry entries for my devices on my computer have all been altered and now contain information regarding some type of peer-to-peer network settings.  I don't have much installed on my computer, so I think I can produce some simple logs.  At the moment, I have Microsoft Essentials, Malwarebytes, SuperAntiSpyware and RUBotted (from Malwarebytes).

Please let me know what you want me to try running.





