Windows 7 won't boot - possible infection


  • This topic is locked
24 replies to this topic

#1 jmiller07

  • Members
  • 12 posts

Posted 06 November 2013 - 11:50 PM

Hi,

My desktop running Windows 7 64 bit Home edition shut down in mid use and now won't boot (in normal or safe mode).  As soon as I get past the BIOS boot menu, I just get a flashing cursor.

 

Here's what I've done so far:

- Booted from Windows 7 system repair disc (I can't find Windows 7 install disc).  Startup repair found no issues.

 

- Booted from Hiren's Boot CD 15.2:

  - Backed up files.

  - Ran chkdsk.  Hard drive is fine

  - Ran MBAM:  Found two PUP exe's, that's all.

 

I have searched the web for my next steps, and honestly am a bit overwhelmed.  Between rootkit detectors/removers, MBR scanners/fixers, windows 7 repair, I'm just not sure what my next step should be, so I'm seeking some help.

 

I read the preparation guide before starting this new post.  I did not run DDS, as requested, as I figured it didn't make sense given that I can only use my PC from a live CD OS anyway.

 

Thanks in advance for any help,

-Josh




#2 TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • Gender:Male

Posted 07 November 2013 - 04:59 AM

Hi there,
my name is Marius and I will assist you with your malware related problems.

Before we move on, please read the following points carefully.
  • First, read my instructions completely. If there is anything that you do not understand kindly ask before proceeding.
  • Perform everything in the correct order. Sometimes one step requires the previous one.
  • If you have any problems while following my instructions, Stop there and tell me the exact nature of your problem.
  • Do not run any other scans without instruction or add/remove software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
  • Post all logfiles as a reply rather than as an attachment unless I specifically ask you. If you can not post all logfiles in one reply, feel free to use more posts.
  • If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
  • Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
  • My first language is not English. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.
Scan with FRST (Recovery Environment)


To run FRST on Vista and Windows 7: Plug the flash drive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
On the System Recovery Options menu you will get the following options:
  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt
Select Command Prompt.
  • In the command window, type notepad and press Enter.
  • Notepad opens. Under the File menu select Open.
  • Select "Computer", find your flash drive letter, and close Notepad.
  • In the command window type e:\frst.exe (for the x64 version type e:\frst64) and press Enter.
  • Note: replace the letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens, click Yes to the disclaimer.
  • Press the Scan button.
It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.
Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here (no worries, every little bit helps)

#3 jmiller07

  • Topic Starter
  • Members
  • 12 posts

Posted 07 November 2013 - 10:36 AM

Hi, Marius.  Thank you for your help.

 

Here are the results from the FRST64 scan:

 

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 31-10-2013
Ran by SYSTEM on MININT-O834I81 on 07-11-2013 09:45:14
Running from G:\
WIN_7 Service Pack 1 (X64) OS Language: English(US)
Boot Mode: Recovery
Attention: Could not load system hive.
==================== Registry (Whitelisted) ==================
 
ATTENTION: Software hive is not loaded.
 
Startup: C:\Users\Heather\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JL Alpine Advent Calendar.lnk
ShortcutTarget: JL Alpine Advent Calendar.lnk -> C:\Program Files (x86)\JL Alpine Advent Calendar\JL Alpine Advent Calendar.exe ()
Startup: C:\Users\Josh\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Monitor Ink Alerts - HP Officejet Pro 8600 (Network).lnk
ShortcutTarget: Monitor Ink Alerts - HP Officejet Pro 8600 (Network).lnk -> C:\Program Files\HP\HP Officejet Pro 8600\bin\HPStatusBL.dll (Hewlett-Packard Co.)
 
==================== Services (Whitelisted) =================
 
 
==================== Drivers (Whitelisted) ====================
 
 
==================== NetSvcs (Whitelisted) ===================
 
 
==================== One Month Created Files and Folders ========
 
2013-11-07 09:44 - 2013-11-07 09:44 - 00000000 ____D C:\FRST
2013-10-23 09:56 - 2013-10-23 10:07 - 00000000 _____ C:\Windows\Clifford.mtx
2013-10-23 07:59 - 2013-10-23 07:59 - 00001985 _____ C:\Users\Public\Desktop\Bob the Builder.lnk
2013-10-23 07:59 - 2013-10-23 07:59 - 00000000 ____D C:\Program Files (x86)\directx
2013-10-23 07:59 - 2000-06-23 10:06 - 00192000 _____ (Ligos Corporation) C:\Windows\SysWOW64\iac278c7.rra
2013-10-23 07:59 - 2000-06-23 06:36 - 00745984 _____ (Ligos Corporation) C:\Windows\SysWOW64\ir507953.rra
2013-10-23 07:59 - 2000-05-17 13:59 - 01062704 _____ (Microsoft Corporation) C:\Windows\SysWOW64\Mscomctl.ocx
2013-10-23 07:59 - 2000-05-17 13:59 - 00198640 _____ (Microsoft Corporation) C:\Windows\SysWOW64\Mci32.ocx
2013-10-23 07:59 - 2000-05-17 13:59 - 00040448 _____ C:\Windows\SysWOW64\regobj.dll
2013-10-23 07:58 - 2013-10-23 07:58 - 00000000 ____D C:\Program Files (x86)\THQ
2013-10-16 07:26 - 2013-10-16 07:27 - 00000091 _____ C:\Windows\CBP.INI
2013-10-16 07:26 - 2013-10-16 07:26 - 00001276 _____ C:\Users\UpdatusUser\Desktop\Clifford Thinking Adventures.lnk
2013-10-16 07:26 - 2013-10-16 07:26 - 00001276 _____ C:\Users\Josh\Desktop\Clifford Thinking Adventures.lnk
2013-10-16 07:26 - 2013-10-16 07:26 - 00001276 _____ C:\Users\Heather\Desktop\Clifford Thinking Adventures.lnk
2013-10-16 06:43 - 2013-10-16 07:26 - 00069632 _____ C:\Windows\SysWOW64\Clifford Uninstall.exe
2013-10-16 06:43 - 2013-10-16 06:43 - 00001254 _____ C:\Users\UpdatusUser\Desktop\Clifford Reading.lnk
2013-10-16 06:43 - 2013-10-16 06:43 - 00001254 _____ C:\Users\Josh\Desktop\Clifford Reading.lnk
2013-10-16 06:43 - 2013-10-16 06:43 - 00001254 _____ C:\Users\Heather\Desktop\Clifford Reading.lnk
2013-10-16 06:43 - 2013-10-16 06:43 - 00000097 _____ C:\Windows\CR.ini
2013-10-16 06:42 - 2013-10-16 07:26 - 00000000 ____D C:\Program Files\Scholastic's Clifford
2013-10-13 18:43 - 2013-10-13 18:44 - 00000000 ____D C:\Users\Josh\AppData\Local\{1AF3432E-6724-4DA8-824F-57DE10236D3A}
2013-10-09 23:08 - 2013-09-22 15:28 - 01767936 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2013-10-09 23:08 - 2013-09-22 15:28 - 01141248 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2013-10-09 23:08 - 2013-09-22 15:27 - 14335488 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2013-10-09 23:08 - 2013-09-22 15:27 - 13761024 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2013-10-09 23:08 - 2013-09-22 15:27 - 02876928 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2013-10-09 23:08 - 2013-09-22 15:27 - 02048512 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2013-10-09 23:08 - 2013-09-22 15:27 - 00690688 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2013-10-09 23:08 - 2013-09-22 15:27 - 00493056 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2013-10-09 23:08 - 2013-09-22 15:27 - 00391168 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2013-10-09 23:08 - 2013-09-22 15:27 - 00109056 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesysprep.dll
2013-10-09 23:08 - 2013-09-22 15:27 - 00061440 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll
2013-10-09 23:08 - 2013-09-22 15:27 - 00039424 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2013-10-09 23:08 - 2013-09-22 15:27 - 00033280 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll
2013-10-09 23:08 - 2013-09-22 14:55 - 02241024 _____ (Microsoft Corporation) C:\Windows\System32\wininet.dll
2013-10-09 23:08 - 2013-09-22 14:55 - 01365504 _____ (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2013-10-09 23:08 - 2013-09-22 14:55 - 00051712 _____ (Microsoft Corporation) C:\Windows\System32\ie4uinit.exe
2013-10-09 23:08 - 2013-09-22 14:54 - 19252224 _____ (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2013-10-09 23:08 - 2013-09-22 14:54 - 15404544 _____ (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2013-10-09 23:08 - 2013-09-22 14:54 - 03959296 _____ (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2013-10-09 23:08 - 2013-09-22 14:54 - 02647552 _____ (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2013-10-09 23:08 - 2013-09-22 14:54 - 00855552 _____ (Microsoft Corporation) C:\Windows\System32\jscript.dll
2013-10-09 23:08 - 2013-09-22 14:54 - 00603136 _____ (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2013-10-09 23:08 - 2013-09-22 14:54 - 00526336 _____ (Microsoft Corporation) C:\Windows\System32\ieui.dll
2013-10-09 23:08 - 2013-09-22 14:54 - 00136704 _____ (Microsoft Corporation) C:\Windows\System32\iesysprep.dll
2013-10-09 23:08 - 2013-09-22 14:54 - 00067072 _____ (Microsoft Corporation) C:\Windows\System32\iesetup.dll
2013-10-09 23:08 - 2013-09-22 14:54 - 00053248 _____ (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2013-10-09 23:08 - 2013-09-22 14:54 - 00039936 _____ (Microsoft Corporation) C:\Windows\System32\iernonce.dll
2013-10-09 23:08 - 2013-09-20 19:38 - 02706432 _____ (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2013-10-09 23:08 - 2013-09-20 19:30 - 02706432 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2013-10-09 23:08 - 2013-09-20 18:48 - 00089600 _____ (Microsoft Corporation) C:\Windows\System32\RegisterIEPKEYs.exe
2013-10-09 23:08 - 2013-09-20 18:39 - 00071680 _____ (Microsoft Corporation) C:\Windows\SysWOW64\RegisterIEPKEYs.exe
2013-10-09 21:33 - 2013-09-13 17:10 - 00497152 _____ (Microsoft Corporation) C:\Windows\System32\Drivers\afd.sys
2013-10-09 21:33 - 2013-09-07 18:30 - 01903552 _____ (Microsoft Corporation) C:\Windows\System32\Drivers\tcpip.sys
2013-10-09 21:33 - 2013-09-07 18:27 - 00327168 _____ (Microsoft Corporation) C:\Windows\System32\mswsock.dll
2013-10-09 21:33 - 2013-09-07 18:03 - 00231424 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mswsock.dll
2013-10-09 21:33 - 2013-08-28 18:17 - 05549504 _____ (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe
2013-10-09 21:33 - 2013-08-28 18:16 - 01732032 _____ (Microsoft Corporation) C:\Windows\System32\ntdll.dll
2013-10-09 21:33 - 2013-08-28 18:16 - 00859648 _____ (Microsoft Corporation) C:\Windows\System32\tdh.dll
2013-10-09 21:33 - 2013-08-28 18:16 - 00243712 _____ (Microsoft Corporation) C:\Windows\System32\wow64.dll
2013-10-09 21:33 - 2013-08-28 18:13 - 00878080 _____ (Microsoft Corporation) C:\Windows\System32\advapi32.dll
2013-10-09 21:33 - 2013-08-28 17:51 - 03969472 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe
2013-10-09 21:33 - 2013-08-28 17:51 - 03914176 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe
2013-10-09 21:33 - 2013-08-28 17:50 - 01292192 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntdll.dll
2013-10-09 21:33 - 2013-08-28 17:50 - 00619520 _____ (Microsoft Corporation) C:\Windows\SysWOW64\tdh.dll
2013-10-09 21:33 - 2013-08-28 17:50 - 00005120 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wow32.dll
2013-10-09 21:33 - 2013-08-28 17:48 - 00640512 _____ (Microsoft Corporation) C:\Windows\SysWOW64\advapi32.dll
2013-10-09 21:33 - 2013-08-28 16:49 - 00025600 _____ (Microsoft Corporation) C:\Windows\SysWOW64\setup16.exe
2013-10-09 21:33 - 2013-08-28 16:49 - 00014336 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntvdm64.dll
2013-10-09 21:33 - 2013-08-28 16:49 - 00007680 _____ (Microsoft Corporation) C:\Windows\SysWOW64\instnm.exe
2013-10-09 21:33 - 2013-08-28 16:49 - 00002048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\user.exe
2013-10-09 21:33 - 2013-08-27 17:21 - 03155968 _____ (Microsoft Corporation) C:\Windows\System32\win32k.sys
2013-10-09 21:33 - 2013-08-27 17:12 - 00461312 _____ (Microsoft Corporation) C:\Windows\System32\scavengeui.dll
2013-10-09 21:33 - 2013-08-01 04:09 - 00983488 _____ (Microsoft Corporation) C:\Windows\System32\Drivers\dxgkrnl.sys
2013-10-09 21:33 - 2013-07-20 02:33 - 00124112 _____ (Microsoft Corporation) C:\Windows\System32\PresentationCFFRasterizerNative_v0300.dll
2013-10-09 21:33 - 2013-07-20 02:33 - 00102608 _____ (Microsoft Corporation) C:\Windows\SysWOW64\PresentationCFFRasterizerNative_v0300.dll
2013-10-09 21:33 - 2013-07-12 02:41 - 00185344 _____ (Microsoft Corporation) C:\Windows\System32\Drivers\usbvideo.sys
2013-10-09 21:33 - 2013-07-12 02:41 - 00100864 _____ (Microsoft Corporation) C:\Windows\System32\Drivers\usbcir.sys
2013-10-09 21:33 - 2013-07-12 02:40 - 00109824 _____ (Microsoft Corporation) C:\Windows\System32\Drivers\USBAUDIO.sys
2013-10-09 21:33 - 2013-07-04 04:57 - 00259584 _____ (Microsoft Corporation) C:\Windows\System32\WebClnt.dll
2013-10-09 21:33 - 2013-07-04 04:50 - 00633856 _____ (Microsoft Corporation) C:\Windows\System32\comctl32.dll
2013-10-09 21:33 - 2013-07-04 04:50 - 00102400 _____ (Microsoft Corporation) C:\Windows\System32\davclnt.dll
2013-10-09 21:33 - 2013-07-04 03:57 - 00205824 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WebClnt.dll
2013-10-09 21:33 - 2013-07-04 03:51 - 00081920 _____ (Microsoft Corporation) C:\Windows\SysWOW64\davclnt.dll
2013-10-09 21:33 - 2013-07-04 03:50 - 00530432 _____ (Microsoft Corporation) C:\Windows\SysWOW64\comctl32.dll
2013-10-09 21:33 - 2013-07-04 02:11 - 00140800 _____ (Microsoft Corporation) C:\Windows\System32\Drivers\mrxdav.sys
2013-10-09 21:33 - 2013-07-02 20:05 - 00076800 _____ (Microsoft Corporation) C:\Windows\System32\Drivers\hidclass.sys
2013-10-09 21:33 - 2013-07-02 20:05 - 00032896 _____ (Microsoft Corporation) C:\Windows\System32\Drivers\hidparse.sys
2013-10-09 21:33 - 2013-06-25 14:55 - 00785624 _____ (Microsoft Corporation) C:\Windows\System32\Drivers\Wdf01000.sys
2013-10-09 21:33 - 2013-06-05 21:50 - 00041472 _____ (Microsoft Corporation) C:\Windows\System32\lpk.dll
2013-10-09 21:33 - 2013-06-05 21:49 - 00100864 _____ (Microsoft Corporation) C:\Windows\System32\fontsub.dll
2013-10-09 21:33 - 2013-06-05 21:49 - 00014336 _____ (Microsoft Corporation) C:\Windows\System32\dciman32.dll
2013-10-09 21:33 - 2013-06-05 21:47 - 00046080 _____ (Adobe Systems) C:\Windows\System32\atmlib.dll
2013-10-09 21:33 - 2013-06-05 20:57 - 00025600 _____ (Microsoft Corporation) C:\Windows\SysWOW64\lpk.dll
2013-10-09 21:33 - 2013-06-05 20:51 - 00070656 _____ (Microsoft Corporation) C:\Windows\SysWOW64\fontsub.dll
2013-10-09 21:33 - 2013-06-05 20:50 - 00010240 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dciman32.dll
2013-10-09 21:33 - 2013-06-05 19:30 - 00368128 _____ (Adobe Systems Incorporated) C:\Windows\System32\atmfd.dll
2013-10-09 21:33 - 2013-06-05 19:01 - 00295424 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\atmfd.dll
2013-10-09 21:33 - 2013-06-05 19:01 - 00034304 _____ (Adobe Systems) C:\Windows\SysWOW64\atmlib.dll
 
==================== One Month Modified Files and Folders =======
 
2013-11-07 09:44 - 2013-11-07 09:44 - 00000000 ____D C:\FRST
2013-10-29 20:06 - 2012-02-24 05:08 - 00000000 ____D C:\Users\Heather\AppData\Roaming\SoftGrid Client
2013-10-29 20:06 - 2011-04-22 20:02 - 00000000 ____D C:\users\Heather
2013-10-29 20:06 - 2011-04-22 18:35 - 00000000 ____D C:\users\Josh
2013-10-29 20:06 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\sysprep
2013-10-29 20:06 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\registration
2013-10-29 20:06 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\AppCompat
2013-10-26 11:00 - 2011-02-26 17:22 - 01317436 _____ C:\Windows\WindowsUpdate.log
2013-10-26 10:37 - 2013-05-04 05:36 - 00000894 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2013-10-26 00:37 - 2013-05-04 05:36 - 00000890 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2013-10-24 16:43 - 2011-02-26 17:26 - 00000000 ____D C:\ProgramData\NVIDIA
2013-10-23 10:57 - 2009-07-13 20:45 - 00009920 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-10-23 10:57 - 2009-07-13 20:45 - 00009920 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-10-23 10:50 - 2009-07-13 21:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2013-10-23 10:50 - 2009-07-13 20:51 - 00063331 _____ C:\Windows\setupact.log
2013-10-23 10:07 - 2013-10-23 09:56 - 00000000 _____ C:\Windows\Clifford.mtx
2013-10-23 10:04 - 2011-04-22 20:02 - 00000000 ____D C:\Users\Heather\AppData\Local\VirtualStore
2013-10-23 08:02 - 2012-12-03 18:04 - 00000000 ____D C:\Users\Heather\AppData\Roaming\JLAdventCalendarAlpine2012
2013-10-23 07:59 - 2013-10-23 07:59 - 00001985 _____ C:\Users\Public\Desktop\Bob the Builder.lnk
2013-10-23 07:59 - 2013-10-23 07:59 - 00000000 ____D C:\Program Files (x86)\directx
2013-10-23 07:59 - 2011-02-26 17:33 - 00000803 _____ C:\Windows\DirectX.log
2013-10-23 07:58 - 2013-10-23 07:58 - 00000000 ____D C:\Program Files (x86)\THQ
2013-10-23 07:58 - 2010-11-01 02:56 - 00000000 ___HD C:\Program Files (x86)\InstallShield Installation Information
2013-10-18 02:39 - 2013-05-04 05:36 - 00002190 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2013-10-17 10:42 - 2012-06-16 13:58 - 00000000 ____D C:\Users\Heather\Desktop\Recipes
2013-10-16 07:27 - 2013-10-16 07:26 - 00000091 _____ C:\Windows\CBP.INI
2013-10-16 07:26 - 2013-10-16 07:26 - 00001276 _____ C:\Users\UpdatusUser\Desktop\Clifford Thinking Adventures.lnk
2013-10-16 07:26 - 2013-10-16 07:26 - 00001276 _____ C:\Users\Josh\Desktop\Clifford Thinking Adventures.lnk
2013-10-16 07:26 - 2013-10-16 07:26 - 00001276 _____ C:\Users\Heather\Desktop\Clifford Thinking Adventures.lnk
2013-10-16 07:26 - 2013-10-16 06:43 - 00069632 _____ C:\Windows\SysWOW64\Clifford Uninstall.exe
2013-10-16 07:26 - 2013-10-16 06:42 - 00000000 ____D C:\Program Files\Scholastic's Clifford
2013-10-16 06:43 - 2013-10-16 06:43 - 00001254 _____ C:\Users\UpdatusUser\Desktop\Clifford Reading.lnk
2013-10-16 06:43 - 2013-10-16 06:43 - 00001254 _____ C:\Users\Josh\Desktop\Clifford Reading.lnk
2013-10-16 06:43 - 2013-10-16 06:43 - 00001254 _____ C:\Users\Heather\Desktop\Clifford Reading.lnk
2013-10-16 06:43 - 2013-10-16 06:43 - 00000097 _____ C:\Windows\CR.ini
2013-10-15 23:01 - 2012-04-30 23:01 - 00000000 ____D C:\Program Files (x86)\Microsoft Security Client
2013-10-15 23:01 - 2011-08-07 04:16 - 00001945 _____ C:\Windows\epplauncher.mif
2013-10-15 23:01 - 2011-04-23 19:10 - 00000000 ____D C:\Program Files\Microsoft Security Client
2013-10-13 18:44 - 2013-10-13 18:43 - 00000000 ____D C:\Users\Josh\AppData\Local\{1AF3432E-6724-4DA8-824F-57DE10236D3A}
2013-10-11 00:32 - 2013-05-04 05:36 - 00003890 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA
2013-10-11 00:32 - 2013-05-04 05:36 - 00003638 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore
2013-10-10 00:04 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\rescache
2013-10-09 23:32 - 2009-07-13 21:13 - 00727334 _____ C:\Windows\System32\PerfStringBackup.INI
2013-10-09 23:26 - 2013-03-13 23:01 - 00000000 ____D C:\Program Files\Microsoft Silverlight
2013-10-09 23:26 - 2013-03-13 23:01 - 00000000 ____D C:\Program Files (x86)\Microsoft Silverlight
2013-10-09 23:26 - 2009-07-13 20:45 - 00277608 _____ C:\Windows\System32\FNTCACHE.DAT
2013-10-09 23:24 - 2012-08-06 16:11 - 00000000 ____D C:\Users\Heather\AppData\Roaming\Skype
2013-10-09 23:05 - 2013-08-14 23:02 - 00000000 ____D C:\Windows\System32\MRT
2013-10-09 23:03 - 2011-04-22 19:40 - 80541720 _____ (Microsoft Corporation) C:\Windows\System32\MRT.exe
 
ZeroAccess:
C:\$Recycle.Bin\S-1-5-21-2919400796-1230760011-3163320407-1001\$1f36550e5bbdfca8061ba7983cc32323
 
Files to move or delete:
====================
C:\Users\Josh\AppData\Roaming\cache.ini
C:\Users\Josh\AppData\Roaming\skype.ini
C:\ProgramData\wavav0bdtzbtb43b.bat
C:\ProgramData\wavav0bdtzbtb43b.reg
 
 
Some content of TEMP:
====================
C:\Users\Heather\AppData\Local\Temp\install_flashplayer11x32ax_gtba_chra_dy_aih.exe
C:\Users\Heather\AppData\Local\Temp\SkypeSetup.exe
C:\Users\Josh\AppData\Local\Temp\14937uninstall.exe
C:\Users\Josh\AppData\Local\Temp\APNStub.exe
C:\Users\Josh\AppData\Local\Temp\autnfjds.dll
C:\Users\Josh\AppData\Local\Temp\COMAP.EXE
C:\Users\Josh\AppData\Local\Temp\InstallFlashPlayer.exe
C:\Users\Josh\AppData\Local\Temp\jre-6u29-windows-i586-iftw-rv.exe
C:\Users\Josh\AppData\Local\Temp\jre-6u32-windows-i586-iftw.exe
C:\Users\Josh\AppData\Local\Temp\jre-7u9-windows-i586-iftw.exe
C:\Users\Josh\AppData\Local\Temp\mpegc.dll
C:\Users\Josh\AppData\Local\Temp\MSN9500.exe
C:\Users\Josh\AppData\Local\Temp\ppc9hnnt.dll
C:\Users\Josh\AppData\Local\Temp\Runner.exe
C:\Users\Josh\AppData\Local\Temp\SkypeSetup.exe
 
 
==================== Known DLLs (Whitelisted) ================
 
 
==================== Bamital & volsnap Check =================
 
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
 
==================== EXE ASSOCIATION =====================
 
HKLM\...\.exe:  <===== ATTENTION!
HKLM\...\exefile\DefaultIcon:  <===== ATTENTION!
HKLM\...\exefile\open\command:  <===== ATTENTION!
 
==================== Restore Points  =========================
 
6
Restore point made on: 2013-10-13 03:04:58
Restore point made on: 2013-10-15 23:00:22
Restore point made on: 2013-10-18 23:12:09
Restore point made on: 2013-10-22 23:11:53
Restore point made on: 2013-10-23 07:58:53
Restore point made on: 2013-10-26 11:00:37
 
==================== Memory info =========================== 
 
Percentage of memory in use: 9%
Total physical RAM: 8174.04 MB
Available physical RAM: 7412.88 MB
Total Pagefile: 8172.23 MB
Available Pagefile: 7436.72 MB
Total Virtual: 8192 MB
Available Virtual: 8191.87 MB
 
==================== Drives ================================
 
Drive c: (Gateway) (Fixed) (Total:1380.17 GB) (Free:983.36 GB) NTFS
Drive e: (PQSERVICE) (Fixed) (Total:17 GB) (Free:4.88 GB) NTFS
Drive f: (Repair disc Windows 7 64-bit) (CDROM) (Total:0.16 GB) (Free:0 GB) UDF
Drive g: () (Removable) (Total:14.45 GB) (Free:14.45 GB) FAT32
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
Drive y: (SYSTEM RESERVED) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS ==>[System with boot components (obtained from reading drive)]
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (ATTENTION: ===> MBR IS INFECTED. Use FixMbr command in Recovery Mode) (Size: 1397 GB) (Disk ID: 4B2947AA)
Partition 1: (Not Active) - (Size=17 GB) - (Type=27)
Partition 2: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=-717081911296) - (Type=07 NTFS)
 
========================================================
Disk: 1 (Size: 14 GB) (Disk ID: 04DD5721)
Partition 1: (Active) - (Size=14 GB) - (Type=0C)
 
 
LastRegBack: 2013-10-20 20:04
 
==================== End Of Log ============================
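The FRST log above is what the helper reads to decide on the fixlist in the next post: the "One Month Created Files and Folders" lines, the "ZeroAccess" and "Files to move or delete" sections, and the ATTENTION markers (unloaded hives, hijacked .exe association, infected MBR). As an added example, not code from this thread, from Farbar's tool or from BleepingComputer, here is a small Python triage helper that parses that format and lists the leads a responder would look at first. The sample excerpt is copied from the log above; the heuristics (an executable in a system directory with no vendor string, an object under a per-user $Recycle.Bin SID folder, any bare path FRST itself lists under "ZeroAccess" or "Files to move or delete", and the ATTENTION lines including the infected-MBR flag) are my own assumptions about what to check first, not FRST's logic, and the vendor string is only FRST's file-version text, not a signature check.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# One line of the "One Month Created/Modified Files and Folders" sections:
#   <created> - <modified> - <size> <attrs> [(Company)] <path>
FILE_LINE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d+) (?P<attrs>[_A-Z]{5}) "
    r"(?:\((?P<company>[^)]*)\) )?(?P<path>[A-Za-z]:\\.*)$"
)
SECTION = re.compile(r"^=+\s*(?P<name>[^=]+?)\s*=+\s*$")  # "==== Name ===="
BARE_PATH = re.compile(r"^[A-Za-z]:\\")
MBR_INFECTED = re.compile(r"^Disk: (?P<disk>\d+) .*MBR IS INFECTED")
# Per-user $Recycle.Bin\<SID>\$<hex> folder, the hiding spot FRST labels "ZeroAccess".
RECYCLE_PAYLOAD = re.compile(r"\\\$Recycle\.Bin\\S-1-5-21-[\d-]+\\\$[0-9a-f]+", re.I)

SYSTEM_DIRS = ("\\windows\\system32\\", "\\windows\\syswow64\\", "\\programdata\\")
EXEC_EXT = (".exe", ".dll", ".sys", ".ocx", ".bat", ".reg", ".cmd", ".scr")
FLAG_SECTIONS = {"ZeroAccess", "Files to move or delete"}  # bare paths here are findings


@dataclass
class FileEntry:
    created: str
    modified: str
    size: int
    attrs: str            # e.g. "____D" directory, "____H" hidden, "_____" plain file
    company: Optional[str]
    path: str


@dataclass
class Report:
    entries: List[FileEntry] = field(default_factory=list)
    flagged: List[Tuple[str, str]] = field(default_factory=list)  # (path, reason)
    attention: List[str] = field(default_factory=list)            # raw ATTENTION lines
    infected_disks: List[int] = field(default_factory=list)       # disks FRST calls infected


def parse_file_line(line: str) -> Optional[FileEntry]:
    """Parse one created/modified-files line; None if the line has another shape."""
    m = FILE_LINE.match(line.strip())
    if not m:
        return None
    return FileEntry(m["created"], m["modified"], int(m["size"]),
                     m["attrs"], m["company"], m["path"])


def suspicion_reasons(path: str, company: Optional[str] = None, is_dir: bool = False) -> List[str]:
    """Heuristic leads (assumptions for this example), not verdicts."""
    reasons = []
    if RECYCLE_PAYLOAD.search(path):
        reasons.append("object under a per-user $Recycle.Bin SID folder (ZeroAccess pattern)")
    low = path.lower()
    if (not is_dir and low.endswith(EXEC_EXT) and company is None
            and any(d in low for d in SYSTEM_DIRS)):
        reasons.append("executable in a system directory with no vendor name")
    return reasons


def triage(log_text: str) -> Report:
    """Walk an FRST.txt, tracking the current section, and collect leads."""
    report, section = Report(), ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = SECTION.match(line)
        if header:                                  # "==== One Month Created ... ===="
            section = header["name"]
            continue
        if line.endswith(":") and not BARE_PATH.match(line):
            section = line[:-1]                     # "ZeroAccess:", "Files to move or delete:"
            continue
        if "attention" in line.lower():
            report.attention.append(line)
            disk = MBR_INFECTED.match(line)
            if disk:
                report.infected_disks.append(int(disk["disk"]))
            continue
        entry = parse_file_line(line)
        if entry:
            report.entries.append(entry)
            for reason in suspicion_reasons(entry.path, entry.company, "D" in entry.attrs):
                report.flagged.append((entry.path, reason))
        elif BARE_PATH.match(line):
            reasons = suspicion_reasons(line)
            if section in FLAG_SECTIONS:
                reasons.append(f"listed by FRST under '{section}'")
            for reason in reasons:
                report.flagged.append((line, reason))
    return report


# Excerpt copied from the log posted in this thread (used here as sample input).
SAMPLE_LOG = r"""
==================== One Month Created Files and Folders ========
2013-10-23 07:59 - 2000-05-17 13:59 - 00040448 _____ C:\Windows\SysWOW64\regobj.dll
2013-10-16 06:43 - 2013-10-16 07:26 - 00069632 _____ C:\Windows\SysWOW64\Clifford Uninstall.exe
2013-10-09 21:33 - 2013-08-28 18:17 - 05549504 _____ (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe
ZeroAccess:
C:\$Recycle.Bin\S-1-5-21-2919400796-1230760011-3163320407-1001\$1f36550e5bbdfca8061ba7983cc32323
Files to move or delete:
====================
C:\Users\Josh\AppData\Roaming\cache.ini
C:\ProgramData\wavav0bdtzbtb43b.bat
==================== EXE ASSOCIATION =====================
HKLM\...\.exe:  <===== ATTENTION!
==================== MBR & Partition Table ==================
Disk: 0 (ATTENTION: ===> MBR IS INFECTED. Use FixMbr command in Recovery Mode) (Size: 1397 GB) (Disk ID: 4B2947AA)
"""

if __name__ == "__main__":
    rep = triage(SAMPLE_LOG)
    for path, reason in rep.flagged:
        print(f"{reason}: {path}")
    print("ATTENTION lines:", len(rep.attention), "| infected disks:", rep.infected_disks)
```

Run against the full FRST.txt rather than the excerpt and the flagged list reproduces the entries the helper chose for the fixlist, plus a few legitimate-but-unattributed files (regobj.dll is the VB6 registry control shipped with the game) that a reviewer would clear by hand; the no-vendor heuristic is deliberately noisy so that nothing dropped into System32 or ProgramData slips past.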


#4 TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • Gender:Male

Posted 08 November 2013 - 02:20 AM

uh oh...


Fix with FRST (Recovery Environment)
  • Open notepad (Start =>All Programs => Accessories => Notepad).
  • Please copy the entire contents of the code box below.
    (To do this highlight the contents of the box, right click on it and select copy. Right-click in the open notepad and select Paste). Save it on the flashdrive as fixlist.txt

    C:\$Recycle.Bin\S-1-5-21-2919400796-1230760011-3163320407-1001\$1f36550e5bbdfca8061ba7983cc3
    C:\Users\Josh\AppData\Roaming\cache.ini
    C:\Users\Josh\AppData\Roaming\skype.ini
    C:\ProgramData\wavav0bdtzbtb43b.bat
    C:\ProgramData\wavav0bdtzbtb43b.reg

    NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

    Now please enter System Recovery Options again.
  • Run frst.exe (on 64bit, run frst64.exe) and press the Fix button just once and wait.
  • The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.
Reboot and try to boot into Windows. If it fails again, use System Restore to reset your system to a point before the error occurred.

#5 jmiller07

  • Topic Starter
  • Members
  • 12 posts

Posted 08 November 2013 - 07:50 AM

Reboot into Windows was unsuccessful with the same symptoms as before (just blinking cursor).  Question: doesn't any fix have to involve the MBR?

 

Tried to use system restore.  I didn't mention in my first post, but I had previously used system restore when first trying to fix using the system repair disc.  It said it restored OK, but didn't resolve the problem.  This time, I chose a restore point earlier than I had last time (and also earlier then when my wife installed some "Bob the Builder" game for our son, which I suspect might be what opened the door for the malware).  This time, system restore failed with the following error:

 

rstrui.exe  Application Error

The instruction at 0xfb5e584d referenced memory at

ox00000008.  The memory could not be read.

 

Here is the fix log:

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 31-10-2013
Ran by SYSTEM at 2013-11-08 08:32:49 Run:1
Running from G:\
Boot Mode: Recovery
==============================================
 
Content of fixlist:
*****************
C:\$Recycle.Bin\S-1-5-21-2919400796-1230760011-3163320407-1001\$1f36550e5bbdfca8061ba7983cc3
C:\Users\Josh\AppData\Roaming\cache.ini
C:\Users\Josh\AppData\Roaming\skype.ini
C:\ProgramData\wavav0bdtzbtb43b.bat
C:\ProgramData\wavav0bdtzbtb43b.reg
*****************
 
"C:\$Recycle.Bin\S-1-5-21-2919400796-1230760011-3163320407-1001\$1f36550e5bbdfca8061ba7983cc3" => File/Directory not found.
C:\Users\Josh\AppData\Roaming\cache.ini => Moved successfully.
C:\Users\Josh\AppData\Roaming\skype.ini => Moved successfully.
C:\ProgramData\wavav0bdtzbtb43b.bat => Moved successfully.
C:\ProgramData\wavav0bdtzbtb43b.reg => Moved successfully.
 
==== End of Fixlog ====


#6 TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • Gender:Male

Posted 08 November 2013 - 07:57 AM

System File Check (offline mode)

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:

  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

On the System Recovery Options menu you will get the following options:
  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt

Select Command Prompt.
  • In the command window, type notepad and press Enter.
  • Notepad opens. Under the File menu select Open.
  • Select "Computer", find your system drive letter and system path (for example, D:\windows\), and close Notepad.
  • Enter the following command:


sfc /scannow /offbootdir=d:\ /offwindir=d:\windows


Replace the drive letter and the Windows path (the red and pink parts) with the information you obtained from the last step of this tutorial.

Note: Depending on how your computer is setup, the Command Prompt, when used from outside of Windows, doesn't always assign drive letters in the same way that you see them from inside Windows. In other words, Windows might be at C:\Windows when you're using it, but D:\Windows from the Command Prompt in System Recovery Options.



#7 jmiller07

  • Topic Starter
  • Members
  • 12 posts

Posted 08 November 2013 - 01:14 PM

System File Checker results:

 

Windows Resource Protection did not find any integrity violations.



#8 TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • Gender:Male

Posted 11 November 2013 - 03:11 AM

Are you able to boot into one of the safe modes?



#9 jmiller07 (Topic Starter, Members, 12 posts)

Posted 11 November 2013 - 08:02 AM

> Are you able to boot into one of the safe modes?

No, I can't get that far.  After I get past the BIOS screen (where I can choose a boot device or enter BIOS setup), I immediately go to a blank screen and go no further.  Holding down F8 does nothing.



#10 TB-Psychotic (Malware Response Team, 6,349 posts)

Posted 11 November 2013 - 08:15 AM

Kaspersky Windows Unlocker

  • Download Kaspersky Rescue Disk (iso)
  • Burn it to a cd or dvd, if you need a program to burn an ISO...use Active@ ISO Burner
  • Configure your computer to boot from CD/DVD
  • Note : If you do not know how to set your computer to boot from CD/DVD follow the steps here
  • Once you have the cd/DVD created, boot the computer up using it
  • Press any key to enter the menu
  • Select your language
  • Press 1 to accept the End User License Agreement
  • Select Kaspersky Rescue Disk. Graphic Mode
  • Click on the Start button located in the left bottom corner of the screen
  • Run Kaspersky WindowsUnlocker to remove Windows system and registry changes made by Metropolitan Police Virus
    Note: If you can't find Kaspersky WindowsUnlocker, go to Terminal instead > type > windowsunlocker > choose 1 - Unlock Windows > Enter


  • When it's done, click on the Start button and start Kaspersky Rescue Disk utility
  • Click on My Update Center tab and press Start to download the latest update
  • Next, select the Object Scan tab
  • Put a check next to C:\ and any other local drives
  • Then click Start Objects Scan
  • Quarantine any malware found
  • Restart your computer and see if it boots up normally.



#11 jmiller07 (Topic Starter, Members, 12 posts)

Posted 11 November 2013 - 06:47 PM

Well, seems like some progress was made, but the computer still will not boot.  Now, instead of just a blinking cursor, I get the message "Missing operating system".

Here's a recap of what happened:

Kaspersky WindowsUnlocker

Completed with the following being the one message of interest:

"Userinit" - suspicious modification: userinit.exe,
Userinit - was restored to userinit.exe

Kaspersky Rescue Disk
Found many Trojans, Exploits, Rootkits, etc.  You didn't specifically request it, but I saved a log.  It is pasted below.  Several items could not be "quarantined", so "delete" seemed the best (recommended) option.  Looking at the log, some things say "postponed" for an action.  Not sure what that means.

Here's the log:
Objects Scan: completed 2 minutes ago   (events: 184, objects: 1397658, time: 05:24:14)
11/11/13 2:03 PM Task started
11/11/13 2:04 PM Detected: Rootkit.Boot.Harbinger.a /dev/sda
11/11/13 2:04 PM Untreated: Rootkit.Boot.Harbinger.a /dev/sda Postponed
11/11/13 2:04 PM Detected: Rootkit.Boot.Harbinger.a /dev/sda
11/11/13 2:04 PM Untreated: Rootkit.Boot.Harbinger.a /dev/sda Postponed
11/11/13 2:05 PM Detected: Trojan.Win64.TDSS.e C:/ProgramData/Microsoft/Microsoft Antimalware/LocalCopy/{1ADD8D79-EF2E-53A2-535B-A414D7B3CB64}-1873.tmp/PE-Crypt.XorPE
11/11/13 2:05 PM Untreated: Trojan.Win64.TDSS.e C:/ProgramData/Microsoft/Microsoft Antimalware/LocalCopy/{1ADD8D79-EF2E-53A2-535B-A414D7B3CB64}-1873.tmp/PE-Crypt.XorPE Postponed
11/11/13 2:05 PM Detected: Trojan.Win64.TDSS.e C:/ProgramData/Microsoft/Microsoft Antimalware/LocalCopy/{FD367B3D-E76C-E22A-43D1-8FAC84A49BFD}-1873.tmp/PE-Crypt.XorPE
11/11/13 2:05 PM Untreated: Trojan.Win64.TDSS.e C:/ProgramData/Microsoft/Microsoft Antimalware/LocalCopy/{FD367B3D-E76C-E22A-43D1-8FAC84A49BFD}-1873.tmp/PE-Crypt.XorPE Postponed
11/11/13 2:25 PM Detected: HEUR:Exploit.Script.Generic C:/Users/Heather/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/46/46feb3ee-6e0dcc87
11/11/13 2:25 PM Untreated: HEUR:Exploit.Script.Generic C:/Users/Heather/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/46/46feb3ee-6e0dcc87 Postponed
11/11/13 2:47 PM Detected: Backdoor.Win32.ZAccess.eowc C:/Users/Josh/AppData/Local/Temp/18C2.tmp
11/11/13 2:47 PM Detected: Backdoor.Win32.ZAccess.eowc C:/Users/Josh/AppData/Local/Temp/2000.tmp
11/11/13 2:47 PM Untreated: Backdoor.Win32.ZAccess.eowc C:/Users/Josh/AppData/Local/Temp/18C2.tmp Postponed
11/11/13 2:47 PM Untreated: Backdoor.Win32.ZAccess.eowc C:/Users/Josh/AppData/Local/Temp/2000.tmp Postponed
11/11/13 2:47 PM Detected: Trojan.Java.Agent.cr C:/Users/Josh/AppData/Local/Temp/V.class
11/11/13 2:47 PM Untreated: Trojan.Java.Agent.cr C:/Users/Josh/AppData/Local/Temp/V.class Postponed
11/11/13 2:51 PM Detected: Trojan.Win64.TDSS.e C:/Users/Josh/AppData/LocalLow/1872.tmp
11/11/13 2:51 PM Untreated: Trojan.Win64.TDSS.e C:/Users/Josh/AppData/LocalLow/1872.tmp Postponed
11/11/13 2:51 PM Detected: Trojan.Win64.TDSS.e C:/Users/Josh/AppData/LocalLow/1873.tmp
11/11/13 2:51 PM Untreated: Trojan.Win64.TDSS.e C:/Users/Josh/AppData/LocalLow/1873.tmp Postponed
11/11/13 2:51 PM Detected: HEUR:Exploit.Java.CVE-2013-0431.gen C:/Users/Josh/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/29/595acb1d-41c0ad50
11/11/13 2:51 PM Untreated: HEUR:Exploit.Java.CVE-2013-0431.gen C:/Users/Josh/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/29/595acb1d-41c0ad50 Postponed
11/11/13 2:51 PM Detected: HEUR:Exploit.Java.Generic C:/Users/Josh/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/5/430670c5-4a649f02
11/11/13 2:51 PM Untreated: HEUR:Exploit.Java.Generic C:/Users/Josh/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/5/430670c5-4a649f02 Postponed
11/11/13 2:51 PM Detected: HEUR:Exploit.Java.Generic C:/Users/Josh/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/5/430670c5-4a649f02
11/11/13 2:51 PM Detected: HEUR:Exploit.Java.Generic C:/Users/Josh/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/5/430670c5-4a649f02
11/11/13 2:51 PM Detected: HEUR:Exploit.Java.Generic C:/Users/Josh/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/5/430670c5-4a649f02
11/11/13 2:51 PM Detected: HEUR:Exploit.Java.Generic C:/Users/Josh/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/5/430670c5-4a649f02
11/11/13 2:51 PM Detected: HEUR:Exploit.Java.Generic C:/Users/Josh/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/0/539c0e00-5441c465
11/11/13 2:51 PM Untreated: HEUR:Exploit.Java.Generic C:/Users/Josh/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/0/539c0e00-5441c465 Postponed
11/11/13 2:51 PM Detected: Exploit.Java.CVE-2013-0422.al C:/Users/Josh/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/17/7546dad1-3ecc5505/Popa/NKonko20.class
11/11/13 2:51 PM Untreated: Exploit.Java.CVE-2013-0422.al C:/Users/Josh/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/17/7546dad1-3ecc5505/Popa/NKonko20.class Postponed
11/11/13 2:51 PM Detected: Exploit.Java.CVE-2013-0422.al C:/Users/Josh/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/17/7546dad1-3ecc5505/Popa/Temp2.class
11/11/13 2:51 PM Untreated: Exploit.Java.CVE-2013-0422.al C:/Users/Josh/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/17/7546dad1-3ecc5505/Popa/Temp2.class Postponed
11/11/13 2:51 PM Detected: HEUR:Exploit.Java.CVE-2012-1723.gen C:/Users/Josh/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/17/7546dad1-3ecc5505
11/11/13 2:51 PM Untreated: HEUR:Exploit.Java.CVE-2012-1723.gen C:/Users/Josh/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/17/7546dad1-3ecc5505 Postponed
11/11/13 2:51 PM Detected: HEUR:Exploit.Java.Generic C:/Users/Josh/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/17/7546dad1-3ecc5505
11/11/13 2:51 PM Detected: HEUR:Exploit.Java.Generic C:/Users/Josh/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/17/7546dad1-3ecc5505
11/11/13 2:51 PM Detected: HEUR:Exploit.Java.Generic C:/Users/Josh/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/17/7546dad1-3ecc5505
11/11/13 2:51 PM Detected: HEUR:Exploit.Java.Generic C:/Users/Josh/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/21/489e6b95-6155bd7e
11/11/13 2:51 PM Untreated: HEUR:Exploit.Java.Generic C:/Users/Josh/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/21/489e6b95-6155bd7e Postponed
11/11/13 2:51 PM Detected: HEUR:Exploit.Java.Generic C:/Users/Josh/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/21/489e6b95-6155bd7e
11/11/13 2:51 PM Detected: HEUR:Exploit.Java.Generic C:/Users/Josh/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/21/489e6b95-6155bd7e
11/11/13 2:51 PM Detected: HEUR:Exploit.Script.Generic C:/Users/Josh/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/24/5ae556d8-15bdd6ed
11/11/13 2:51 PM Untreated: HEUR:Exploit.Script.Generic C:/Users/Josh/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/24/5ae556d8-15bdd6ed Postponed
11/11/13 2:51 PM Detected: HEUR:Exploit.Script.Generic C:/Users/Josh/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/32/3bae27e0-2949528f
11/11/13 2:51 PM Untreated: HEUR:Exploit.Script.Generic C:/Users/Josh/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/32/3bae27e0-2949528f Postponed
11/11/13 2:51 PM Detected: HEUR:Exploit.Java.CVE-2013-0431.gen C:/Users/Josh/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/34/6159eda2-5d644e70
11/11/13 2:51 PM Untreated: HEUR:Exploit.Java.CVE-2013-0431.gen C:/Users/Josh/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/34/6159eda2-5d644e70 Postponed
11/11/13 2:51 PM Detected: HEUR:Exploit.Java.CVE-2013-0431.gen C:/Users/Josh/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/44/a6ebd6c-3c9a8613
11/11/13 2:51 PM Untreated: HEUR:Exploit.Java.CVE-2013-0431.gen C:/Users/Josh/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/44/a6ebd6c-3c9a8613 Postponed
11/11/13 2:51 PM Detected: HEUR:Exploit.Java.Generic C:/Users/Josh/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/44/a6ebd6c-3c9a8613
11/11/13 2:51 PM Detected: HEUR:Exploit.Java.Generic C:/Users/Josh/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/44/a6ebd6c-3c9a8613
11/11/13 2:51 PM Detected: HEUR:Exploit.Java.Generic C:/Users/Josh/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/44/a6ebd6c-3c9a8613
11/11/13 2:51 PM Detected: HEUR:Exploit.Java.Generic C:/Users/Josh/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/44/a6ebd6c-3c9a8613
11/11/13 2:51 PM Detected: HEUR:Exploit.Java.CVE-2013-0431.gen C:/Users/Josh/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/44/a6ebd6c-3c9a8613
11/11/13 2:51 PM Detected: HEUR:Exploit.Java.CVE-2013-0431.gen C:/Users/Josh/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/45/37be2d6d-7d01dc1a
11/11/13 2:51 PM Untreated: HEUR:Exploit.Java.CVE-2013-0431.gen C:/Users/Josh/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/45/37be2d6d-7d01dc1a Postponed
11/11/13 3:07 PM Detected: Backdoor.Win32.ZAccess.eowc C:/Users/Josh/AppData/Local/Temp/18C2.tmp
11/11/13 3:07 PM Untreated: Backdoor.Win32.ZAccess.eowc C:/Users/Josh/AppData/Local/Temp/18C2.tmp Postponed
11/11/13 3:07 PM Detected: Backdoor.Win32.ZAccess.eowc C:/Users/Josh/AppData/Local/Temp/2000.tmp
11/11/13 3:07 PM Untreated: Backdoor.Win32.ZAccess.eowc C:/Users/Josh/AppData/Local/Temp/2000.tmp Postponed
11/11/13 3:07 PM Detected: Trojan.Java.Agent.cr C:/Users/Josh/AppData/Local/Temp/V.class
11/11/13 3:07 PM Untreated: Trojan.Java.Agent.cr C:/Users/Josh/AppData/Local/Temp/V.class Postponed
11/11/13 3:33 PM Detected: Trojan.Win64.TDSS.e C:/ProgramData/Microsoft/Microsoft Antimalware/LocalCopy/{1ADD8D79-EF2E-53A2-535B-A414D7B3CB64}-1873.tmp/PE-Crypt.XorPE
11/11/13 3:33 PM Untreated: Trojan.Win64.TDSS.e C:/ProgramData/Microsoft/Microsoft Antimalware/LocalCopy/{1ADD8D79-EF2E-53A2-535B-A414D7B3CB64}-1873.tmp/PE-Crypt.XorPE Postponed
11/11/13 3:33 PM Detected: Trojan.Win64.TDSS.e C:/ProgramData/Microsoft/Microsoft Antimalware/LocalCopy/{FD367B3D-E76C-E22A-43D1-8FAC84A49BFD}-1873.tmp/PE-Crypt.XorPE
11/11/13 3:33 PM Untreated: Trojan.Win64.TDSS.e C:/ProgramData/Microsoft/Microsoft Antimalware/LocalCopy/{FD367B3D-E76C-E22A-43D1-8FAC84A49BFD}-1873.tmp/PE-Crypt.XorPE Postponed
11/11/13 3:37 PM Detected: Trojan.Win64.TDSS.e C:/ProgramData/Microsoft/Microsoft Antimalware/LocalCopy/{1ADD8D79-EF2E-53A2-535B-A414D7B3CB64}-1873.tmp/PE-Crypt.XorPE
11/11/13 3:37 PM Untreated: Trojan.Win64.TDSS.e C:/ProgramData/Microsoft/Microsoft Antimalware/LocalCopy/{1ADD8D79-EF2E-53A2-535B-A414D7B3CB64}-1873.tmp/PE-Crypt.XorPE Postponed
11/11/13 3:37 PM Detected: Trojan.Win64.TDSS.e C:/ProgramData/Microsoft/Microsoft Antimalware/LocalCopy/{FD367B3D-E76C-E22A-43D1-8FAC84A49BFD}-1873.tmp/PE-Crypt.XorPE
11/11/13 3:37 PM Untreated: Trojan.Win64.TDSS.e C:/ProgramData/Microsoft/Microsoft Antimalware/LocalCopy/{FD367B3D-E76C-E22A-43D1-8FAC84A49BFD}-1873.tmp/PE-Crypt.XorPE Postponed
11/11/13 3:52 PM Detected: HEUR:Exploit.Script.Generic C:/Users/Heather/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/46/46feb3ee-6e0dcc87
11/11/13 3:52 PM Untreated: HEUR:Exploit.Script.Generic C:/Users/Heather/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/46/46feb3ee-6e0dcc87 Postponed
11/11/13 4:13 PM Detected: Backdoor.Win32.ZAccess.eowc C:/Users/Josh/AppData/Local/Temp/18C2.tmp
11/11/13 4:13 PM Untreated: Backdoor.Win32.ZAccess.eowc C:/Users/Josh/AppData/Local/Temp/18C2.tmp Postponed
11/11/13 4:13 PM Detected: Backdoor.Win32.ZAccess.eowc C:/Users/Josh/AppData/Local/Temp/2000.tmp
11/11/13 4:13 PM Untreated: Backdoor.Win32.ZAccess.eowc C:/Users/Josh/AppData/Local/Temp/2000.tmp Postponed
11/11/13 4:13 PM Detected: Trojan.Java.Agent.cr C:/Users/Josh/AppData/Local/Temp/V.class
11/11/13 4:13 PM Untreated: Trojan.Java.Agent.cr C:/Users/Josh/AppData/Local/Temp/V.class Postponed
11/11/13 4:16 PM Detected: Trojan.Win64.TDSS.e C:/Users/Josh/AppData/LocalLow/1872.tmp
11/11/13 4:16 PM Untreated: Trojan.Win64.TDSS.e C:/Users/Josh/AppData/LocalLow/1872.tmp Postponed
11/11/13 4:16 PM Detected: Trojan.Win64.TDSS.e C:/Users/Josh/AppData/LocalLow/1873.tmp
11/11/13 4:16 PM Untreated: Trojan.Win64.TDSS.e C:/Users/Josh/AppData/LocalLow/1873.tmp Postponed
11/11/13 4:16 PM Detected: HEUR:Exploit.Java.CVE-2013-0431.gen C:/Users/Josh/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/29/595acb1d-41c0ad50
11/11/13 4:16 PM Untreated: HEUR:Exploit.Java.CVE-2013-0431.gen C:/Users/Josh/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/29/595acb1d-41c0ad50 Postponed
11/11/13 4:16 PM Detected: HEUR:Exploit.Java.Generic C:/Users/Josh/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/5/430670c5-4a649f02
11/11/13 4:16 PM Untreated: HEUR:Exploit.Java.Generic C:/Users/Josh/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/5/430670c5-4a649f02 Postponed
11/11/13 4:16 PM Detected: HEUR:Exploit.Java.Generic C:/Users/Josh/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/5/430670c5-4a649f02
11/11/13 4:16 PM Detected: HEUR:Exploit.Java.Generic C:/Users/Josh/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/5/430670c5-4a649f02
11/11/13 4:16 PM Detected: HEUR:Exploit.Java.Generic C:/Users/Josh/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/5/430670c5-4a649f02
11/11/13 4:16 PM Detected: HEUR:Exploit.Java.Generic C:/Users/Josh/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/5/430670c5-4a649f02
11/11/13 4:16 PM Detected: HEUR:Exploit.Java.Generic C:/Users/Josh/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/0/539c0e00-5441c465
11/11/13 4:16 PM Untreated: HEUR:Exploit.Java.Generic C:/Users/Josh/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/0/539c0e00-5441c465 Postponed
11/11/13 4:16 PM Detected: Exploit.Java.CVE-2013-0422.al C:/Users/Josh/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/17/7546dad1-3ecc5505/Popa/NKonko20.class
11/11/13 4:16 PM Untreated: Exploit.Java.CVE-2013-0422.al C:/Users/Josh/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/17/7546dad1-3ecc5505/Popa/NKonko20.class Postponed
11/11/13 4:16 PM Detected: Exploit.Java.CVE-2013-0422.al C:/Users/Josh/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/17/7546dad1-3ecc5505/Popa/Temp2.class
11/11/13 4:16 PM Untreated: Exploit.Java.CVE-2013-0422.al C:/Users/Josh/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/17/7546dad1-3ecc5505/Popa/Temp2.class Postponed
11/11/13 4:16 PM Detected: HEUR:Exploit.Java.CVE-2012-1723.gen C:/Users/Josh/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/17/7546dad1-3ecc5505
11/11/13 4:16 PM Untreated: HEUR:Exploit.Java.CVE-2012-1723.gen C:/Users/Josh/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/17/7546dad1-3ecc5505 Postponed
11/11/13 4:16 PM Detected: HEUR:Exploit.Java.Generic C:/Users/Josh/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/17/7546dad1-3ecc5505
11/11/13 4:16 PM Detected: HEUR:Exploit.Java.Generic C:/Users/Josh/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/17/7546dad1-3ecc5505
11/11/13 4:16 PM Detected: HEUR:Exploit.Java.Generic C:/Users/Josh/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/17/7546dad1-3ecc5505
11/11/13 4:16 PM Detected: HEUR:Exploit.Java.Generic C:/Users/Josh/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/21/489e6b95-6155bd7e
11/11/13 4:16 PM Untreated: HEUR:Exploit.Java.Generic C:/Users/Josh/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/21/489e6b95-6155bd7e Postponed
11/11/13 4:16 PM Detected: HEUR:Exploit.Java.Generic C:/Users/Josh/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/21/489e6b95-6155bd7e
11/11/13 4:16 PM Detected: HEUR:Exploit.Java.Generic C:/Users/Josh/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/21/489e6b95-6155bd7e
11/11/13 4:16 PM Detected: HEUR:Exploit.Script.Generic C:/Users/Josh/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/24/5ae556d8-15bdd6ed
11/11/13 4:16 PM Untreated: HEUR:Exploit.Script.Generic C:/Users/Josh/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/24/5ae556d8-15bdd6ed Postponed
11/11/13 4:16 PM Detected: HEUR:Exploit.Script.Generic C:/Users/Josh/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/32/3bae27e0-2949528f
11/11/13 4:16 PM Untreated: HEUR:Exploit.Script.Generic C:/Users/Josh/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/32/3bae27e0-2949528f Postponed
11/11/13 4:16 PM Detected: HEUR:Exploit.Java.CVE-2013-0431.gen C:/Users/Josh/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/34/6159eda2-5d644e70
11/11/13 4:16 PM Untreated: HEUR:Exploit.Java.CVE-2013-0431.gen C:/Users/Josh/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/34/6159eda2-5d644e70 Postponed
11/11/13 4:16 PM Detected: HEUR:Exploit.Java.CVE-2013-0431.gen C:/Users/Josh/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/44/a6ebd6c-3c9a8613
11/11/13 4:16 PM Untreated: HEUR:Exploit.Java.CVE-2013-0431.gen C:/Users/Josh/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/44/a6ebd6c-3c9a8613 Postponed
11/11/13 4:16 PM Detected: HEUR:Exploit.Java.Generic C:/Users/Josh/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/44/a6ebd6c-3c9a8613
11/11/13 4:16 PM Detected: HEUR:Exploit.Java.Generic C:/Users/Josh/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/44/a6ebd6c-3c9a8613
11/11/13 4:16 PM Detected: HEUR:Exploit.Java.Generic C:/Users/Josh/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/44/a6ebd6c-3c9a8613
11/11/13 4:16 PM Detected: HEUR:Exploit.Java.Generic C:/Users/Josh/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/44/a6ebd6c-3c9a8613
11/11/13 4:16 PM Detected: HEUR:Exploit.Java.CVE-2013-0431.gen C:/Users/Josh/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/44/a6ebd6c-3c9a8613
11/11/13 4:16 PM Detected: HEUR:Exploit.Java.CVE-2013-0431.gen C:/Users/Josh/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/45/37be2d6d-7d01dc1a
11/11/13 4:16 PM Untreated: HEUR:Exploit.Java.CVE-2013-0431.gen C:/Users/Josh/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/45/37be2d6d-7d01dc1a Postponed
11/11/13 4:31 PM Detected: Backdoor.Win32.ZAccess.eowc C:/Users/Josh/AppData/Local/Temp/18C2.tmp
11/11/13 4:31 PM Untreated: Backdoor.Win32.ZAccess.eowc C:/Users/Josh/AppData/Local/Temp/18C2.tmp Postponed
11/11/13 4:31 PM Detected: Backdoor.Win32.ZAccess.eowc C:/Users/Josh/AppData/Local/Temp/2000.tmp
11/11/13 4:31 PM Untreated: Backdoor.Win32.ZAccess.eowc C:/Users/Josh/AppData/Local/Temp/2000.tmp Postponed
11/11/13 4:31 PM Detected: Trojan.Java.Agent.cr C:/Users/Josh/AppData/Local/Temp/V.class
11/11/13 4:31 PM Untreated: Trojan.Java.Agent.cr C:/Users/Josh/AppData/Local/Temp/V.class Postponed
11/11/13 5:38 PM Detected: Trojan.Win64.TDSS.e C:/ProgramData/Microsoft/Microsoft Antimalware/LocalCopy/{1ADD8D79-EF2E-53A2-535B-A414D7B3CB64}-1873.tmp/PE-Crypt.XorPE
11/11/13 7:23 PM Deleted: Trojan.Win64.TDSS.e C:/ProgramData/Microsoft/Microsoft Antimalware/LocalCopy/{1ADD8D79-EF2E-53A2-535B-A414D7B3CB64}-1873.tmp
11/11/13 7:23 PM Detected: Trojan.Win64.TDSS.e C:/ProgramData/Microsoft/Microsoft Antimalware/LocalCopy/{FD367B3D-E76C-E22A-43D1-8FAC84A49BFD}-1873.tmp/PE-Crypt.XorPE
11/11/13 7:24 PM Deleted: Trojan.Win64.TDSS.e C:/ProgramData/Microsoft/Microsoft Antimalware/LocalCopy/{FD367B3D-E76C-E22A-43D1-8FAC84A49BFD}-1873.tmp
11/11/13 7:24 PM Detected: HEUR:Exploit.Script.Generic C:/Users/Heather/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/46/46feb3ee-6e0dcc87
11/11/13 7:24 PM Deleted: HEUR:Exploit.Script.Generic C:/Users/Heather/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/46/46feb3ee-6e0dcc87
11/11/13 7:24 PM Detected: Backdoor.Win32.ZAccess.eowc C:/Users/Josh/AppData/Local/Temp/18C2.tmp
11/11/13 7:24 PM Deleted: Backdoor.Win32.ZAccess.eowc C:/Users/Josh/AppData/Local/Temp/18C2.tmp
11/11/13 7:24 PM Detected: Backdoor.Win32.ZAccess.eowc C:/Users/Josh/AppData/Local/Temp/2000.tmp
11/11/13 7:25 PM Deleted: Backdoor.Win32.ZAccess.eowc C:/Users/Josh/AppData/Local/Temp/2000.tmp
11/11/13 7:25 PM Detected: Trojan.Java.Agent.cr C:/Users/Josh/AppData/Local/Temp/V.class
11/11/13 7:25 PM Deleted: Trojan.Java.Agent.cr C:/Users/Josh/AppData/Local/Temp/V.class
11/11/13 7:25 PM Detected: Trojan.Win64.TDSS.e C:/Users/Josh/AppData/LocalLow/1872.tmp
11/11/13 7:25 PM Deleted: Trojan.Win64.TDSS.e C:/Users/Josh/AppData/LocalLow/1872.tmp
11/11/13 7:25 PM Detected: Trojan.Win64.TDSS.e C:/Users/Josh/AppData/LocalLow/1873.tmp
11/11/13 7:25 PM Deleted: Trojan.Win64.TDSS.e C:/Users/Josh/AppData/LocalLow/1873.tmp
11/11/13 7:25 PM Detected: HEUR:Exploit.Java.Generic C:/Users/Josh/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/0/539c0e00-5441c465
11/11/13 7:25 PM Deleted: HEUR:Exploit.Java.Generic C:/Users/Josh/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/0/539c0e00-5441c465
11/11/13 7:25 PM Detected: Exploit.Java.CVE-2013-0422.al C:/Users/Josh/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/17/7546dad1-3ecc5505/Popa/NKonko20.class
11/11/13 7:26 PM Detected: Exploit.Java.CVE-2013-0422.al C:/Users/Josh/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/17/7546dad1-3ecc5505/Popa/Temp2.class
11/11/13 7:26 PM Detected: HEUR:Exploit.Java.CVE-2012-1723.gen C:/Users/Josh/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/17/7546dad1-3ecc5505
11/11/13 7:26 PM Detected: HEUR:Exploit.Java.Generic C:/Users/Josh/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/17/7546dad1-3ecc5505
11/11/13 7:26 PM Detected: HEUR:Exploit.Java.Generic C:/Users/Josh/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/17/7546dad1-3ecc5505
11/11/13 7:26 PM Detected: HEUR:Exploit.Java.Generic C:/Users/Josh/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/17/7546dad1-3ecc5505
11/11/13 7:26 PM Deleted: HEUR:Exploit.Java.Generic C:/Users/Josh/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/17/7546dad1-3ecc5505
11/11/13 7:26 PM Detected: HEUR:Exploit.Java.Generic C:/Users/Josh/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/21/489e6b95-6155bd7e
11/11/13 7:26 PM Detected: HEUR:Exploit.Java.Generic C:/Users/Josh/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/21/489e6b95-6155bd7e
11/11/13 7:26 PM Detected: HEUR:Exploit.Java.Generic C:/Users/Josh/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/21/489e6b95-6155bd7e
11/11/13 7:26 PM Deleted: HEUR:Exploit.Java.Generic C:/Users/Josh/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/21/489e6b95-6155bd7e
11/11/13 7:26 PM Detected: HEUR:Exploit.Script.Generic C:/Users/Josh/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/24/5ae556d8-15bdd6ed
11/11/13 7:26 PM Deleted: HEUR:Exploit.Script.Generic C:/Users/Josh/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/24/5ae556d8-15bdd6ed
11/11/13 7:26 PM Detected: HEUR:Exploit.Java.CVE-2013-0431.gen C:/Users/Josh/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/29/595acb1d-41c0ad50
11/11/13 7:26 PM Deleted: HEUR:Exploit.Java.CVE-2013-0431.gen C:/Users/Josh/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/29/595acb1d-41c0ad50
11/11/13 7:26 PM Detected: HEUR:Exploit.Script.Generic C:/Users/Josh/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/32/3bae27e0-2949528f
11/11/13 7:27 PM Detected: HEUR:Exploit.Java.CVE-2013-0431.gen C:/Users/Josh/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/34/6159eda2-5d644e70
11/11/13 7:27 PM Deleted: HEUR:Exploit.Java.CVE-2013-0431.gen C:/Users/Josh/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/34/6159eda2-5d644e70
11/11/13 7:27 PM Detected: HEUR:Exploit.Java.CVE-2013-0431.gen C:/Users/Josh/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/44/a6ebd6c-3c9a8613
11/11/13 7:27 PM Detected: HEUR:Exploit.Java.Generic C:/Users/Josh/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/44/a6ebd6c-3c9a8613
11/11/13 7:27 PM Detected: HEUR:Exploit.Java.Generic C:/Users/Josh/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/44/a6ebd6c-3c9a8613
11/11/13 7:27 PM Detected: HEUR:Exploit.Java.Generic C:/Users/Josh/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/44/a6ebd6c-3c9a8613
11/11/13 7:27 PM Detected: HEUR:Exploit.Java.Generic C:/Users/Josh/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/44/a6ebd6c-3c9a8613
11/11/13 7:27 PM Detected: HEUR:Exploit.Java.CVE-2013-0431.gen C:/Users/Josh/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/44/a6ebd6c-3c9a8613
11/11/13 7:27 PM Deleted: HEUR:Exploit.Java.CVE-2013-0431.gen C:/Users/Josh/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/44/a6ebd6c-3c9a8613
11/11/13 7:27 PM Detected: HEUR:Exploit.Java.CVE-2013-0431.gen C:/Users/Josh/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/45/37be2d6d-7d01dc1a
11/11/13 7:27 PM Deleted: HEUR:Exploit.Java.CVE-2013-0431.gen C:/Users/Josh/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/45/37be2d6d-7d01dc1a
11/11/13 7:27 PM Detected: HEUR:Exploit.Java.Generic C:/Users/Josh/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/5/430670c5-4a649f02
11/11/13 7:27 PM Detected: HEUR:Exploit.Java.Generic C:/Users/Josh/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/5/430670c5-4a649f02
11/11/13 7:27 PM Detected: HEUR:Exploit.Java.Generic C:/Users/Josh/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/5/430670c5-4a649f02
11/11/13 7:27 PM Detected: HEUR:Exploit.Java.Generic C:/Users/Josh/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/5/430670c5-4a649f02
11/11/13 7:27 PM Detected: HEUR:Exploit.Java.Generic C:/Users/Josh/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/5/430670c5-4a649f02
11/11/13 7:27 PM Deleted: HEUR:Exploit.Java.Generic C:/Users/Josh/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/5/430670c5-4a649f02
11/11/13 7:27 PM Detected: Rootkit.Boot.Harbinger.a /dev/sda
11/11/13 7:28 PM Disinfected: Rootkit.Boot.Harbinger.a /dev/sda
11/11/13 7:28 PM Disinfected: Rootkit.Boot.Harbinger.a /dev/sda
11/11/13 7:28 PM Task completed
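The log above is a stream of Detected / Untreated ... Postponed / Deleted / Disinfected events, and the question of what "Postponed" left behind is easier to answer per object than by eye. The Python below is an added example, not code from this thread or from Kaspersky: it parses lines in the format shown and reports, for each object, whether a later Deleted or Disinfected event covered it (directly, or via a parent container such as a Java cache archive) or whether it only ever reached "Untreated ... Postponed". SAMPLE_LOG is a handful of lines copied from the log above; the "Quarantined" action label is an assumption, since the posted log contains only Deleted and Disinfected.

```python
"""Triage a Kaspersky Rescue Disk "Objects Scan" log: which detected objects
were actually removed and which only ever reached "Untreated ... Postponed".

Added example, not code from the forum thread or from Kaspersky. SAMPLE_LOG is
a handful of lines copied from the log posted above (the full log has the same
format); parse_log() accepts any text in that format.
"""
import re
from collections import OrderedDict

# "<m/d/yy> <h:mm> <AM|PM> <Action>: <verdict> <object>[ Postponed]"
LINE_RE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{2} \d{1,2}:\d{2} [AP]M) "
    r"(?P<action>Detected|Untreated|Deleted|Disinfected|Quarantined): "
    r"(?P<verdict>\S+) (?P<obj>.+?)(?: (?P<status>Postponed))?$"
)
# Actions that remove the threat. "Quarantined" is an assumed label; the posted
# log only ever shows Deleted and Disinfected.
TERMINAL = {"Deleted", "Disinfected", "Quarantined"}

# Lines copied from the log above (a subset; same format as the full log).
SAMPLE_LOG = """\
11/11/13 2:03 PM Task started
11/11/13 2:04 PM Detected: Rootkit.Boot.Harbinger.a /dev/sda
11/11/13 2:04 PM Untreated: Rootkit.Boot.Harbinger.a /dev/sda Postponed
11/11/13 2:05 PM Detected: Trojan.Win64.TDSS.e C:/ProgramData/Microsoft/Microsoft Antimalware/LocalCopy/{1ADD8D79-EF2E-53A2-535B-A414D7B3CB64}-1873.tmp/PE-Crypt.XorPE
11/11/13 2:05 PM Untreated: Trojan.Win64.TDSS.e C:/ProgramData/Microsoft/Microsoft Antimalware/LocalCopy/{1ADD8D79-EF2E-53A2-535B-A414D7B3CB64}-1873.tmp/PE-Crypt.XorPE Postponed
11/11/13 2:51 PM Detected: Exploit.Java.CVE-2013-0422.al C:/Users/Josh/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/17/7546dad1-3ecc5505/Popa/NKonko20.class
11/11/13 2:51 PM Untreated: Exploit.Java.CVE-2013-0422.al C:/Users/Josh/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/17/7546dad1-3ecc5505/Popa/NKonko20.class Postponed
11/11/13 2:51 PM Detected: HEUR:Exploit.Script.Generic C:/Users/Josh/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/32/3bae27e0-2949528f
11/11/13 2:51 PM Untreated: HEUR:Exploit.Script.Generic C:/Users/Josh/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/32/3bae27e0-2949528f Postponed
11/11/13 7:23 PM Deleted: Trojan.Win64.TDSS.e C:/ProgramData/Microsoft/Microsoft Antimalware/LocalCopy/{1ADD8D79-EF2E-53A2-535B-A414D7B3CB64}-1873.tmp
11/11/13 7:25 PM Detected: Exploit.Java.CVE-2013-0422.al C:/Users/Josh/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/17/7546dad1-3ecc5505/Popa/NKonko20.class
11/11/13 7:26 PM Deleted: HEUR:Exploit.Java.Generic C:/Users/Josh/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/17/7546dad1-3ecc5505
11/11/13 7:26 PM Detected: HEUR:Exploit.Script.Generic C:/Users/Josh/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/32/3bae27e0-2949528f
11/11/13 7:27 PM Detected: Rootkit.Boot.Harbinger.a /dev/sda
11/11/13 7:28 PM Disinfected: Rootkit.Boot.Harbinger.a /dev/sda
11/11/13 7:28 PM Task completed
"""


def parse_log(text: str) -> list:
    """Return one dict per recognised event, in log order; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def summarize(events: list) -> "OrderedDict[str, dict]":
    """Fold events into a per-object record: verdicts seen, last action, outcome."""
    per_obj = OrderedDict()
    for ev in events:
        rec = per_obj.setdefault(ev["obj"], {"verdicts": set(), "last_action": None})
        rec["verdicts"].add(ev["verdict"])
        rec["last_action"] = ev["action"] + (" Postponed" if ev["status"] else "")
    removed = [o for o, r in per_obj.items() if r["last_action"] in TERMINAL]
    for obj, rec in per_obj.items():
        if rec["last_action"] in TERMINAL:
            rec["outcome"] = "remediated"
        elif any(obj.startswith(parent + "/") for parent in removed):
            # e.g. a .class inside a Java cache archive whose archive was deleted
            rec["outcome"] = "remediated (parent container removed)"
        elif rec["last_action"] == "Untreated Postponed":
            rec["outcome"] = "postponed, no later action logged"
        else:
            rec["outcome"] = "detected, no remediation logged"
    return per_obj


def outstanding(summary) -> list:
    """Objects that still need attention after the scan."""
    return [o for o, r in summary.items() if not r["outcome"].startswith("remediated")]


if __name__ == "__main__":
    summary = summarize(parse_log(SAMPLE_LOG))
    for obj, rec in summary.items():
        print(f"{rec['outcome']:40} {obj}  [{', '.join(sorted(rec['verdicts']))}]")
    print("outstanding:", outstanding(summary))
```

Run over the full log above, the same logic singles out one object: the Java cache entry under cache/6.0/32/3bae27e0-2949528f is detected again at 7:26 PM but never gets a Deleted line, while every other path is either deleted, disinfected, or sits inside a container that was deleted. That is the kind of leftover worth re-checking once the machine boots again.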
 


#12 TB-Psychotic (Malware Response Team, 6,349 posts)

Posted 12 November 2013 - 08:23 AM

Create/Use Boot-Repair-Disk

  • DOWNLOAD BOOT-REPAIR-DISK
    Note: Select the right version depending on which Windows is installed on your system.
  • Then burn it on CD or put it on USB key via Unetbootin
  • Insert the Boot-Repair-Disk and reboot the PC,
  • Choose your language,
  • Connect internet if possible
  • Click "Recommended repair"
  • When finished, you are provided a link to paste.ubuntu.com - write it down somewhere
  • Reboot the PC --> solves the majority of bootsector/GRUB/MBR problems
  • Post up the link you wrote down at step 7.

Edited by TB-Psychotic, 12 November 2013 - 08:24 AM.
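The scan earlier in this thread flagged a boot-sector rootkit on /dev/sda, the machine then reported "Missing operating system", and the Boot-Repair-Disk step above targets exactly the MBR/bootsector area. When triaging an image of such a disk before or after a repair, a structural check of the first sectors tells you whether the partition table and the active partition's boot sector (VBR) are at least well-formed. The Python below is an added example, not code from this thread, from Kaspersky or from Boot-Repair-Disk; the disk image it inspects is constructed in memory by build_image(), and the error-message mapping in the comments refers to the stock Windows MBR code.

```python
"""Structural check of an MBR disk image: partition table plus the active
partition's boot sector (VBR).

Added example, not code from the forum thread, Kaspersky or Boot-Repair-Disk.
The image it inspects is constructed in memory by build_image(); real use would
read the first sectors of an image taken from the affected disk.
"""
import struct

SECTOR = 512
BOOT_SIG = 0xAA55          # stored little-endian as bytes 55 AA at offset 510
PT_OFFSET = 446            # partition table: four 16-byte entries
ENTRY = "<B3xB3xII"        # status, (CHS start), type, (CHS end), LBA start, sector count


def parse_partition_table(mbr: bytes) -> list:
    """Return the non-empty partition entries as dicts."""
    entries = []
    for i in range(4):
        status, ptype, start, count = struct.unpack_from(ENTRY, mbr, PT_OFFSET + 16 * i)
        if ptype == 0:
            continue                      # unused slot
        entries.append({"index": i, "status": status, "type": ptype,
                        "start": start, "count": count})
    return entries


def check_disk(image: bytes) -> list:
    """Return a list of findings; an empty list means the layout looks sane."""
    findings = []
    if len(image) < SECTOR:
        return ["image shorter than one sector"]
    mbr = image[:SECTOR]
    total = len(image) // SECTOR
    if struct.unpack_from("<H", mbr, 510)[0] != BOOT_SIG:
        findings.append("MBR lacks the 55 AA boot signature")
    entries = parse_partition_table(mbr)
    for e in entries:
        if e["status"] not in (0x00, 0x80):
            findings.append(f"entry {e['index']}: invalid status byte 0x{e['status']:02x}")
        if e["start"] + e["count"] > total:
            findings.append(f"entry {e['index']}: extends past end of image")
    # Partitions must not overlap each other.
    spans = sorted((e["start"], e["start"] + e["count"], e["index"]) for e in entries)
    for (s1, e1, i1), (s2, e2, i2) in zip(spans, spans[1:]):
        if s2 < e1:
            findings.append(f"entries {i1} and {i2} overlap")
    active = [e for e in entries if e["status"] == 0x80]
    if len(active) != 1:
        # The stock Windows MBR reports "Invalid partition table" for more than one.
        findings.append(f"expected exactly one active partition, found {len(active)}")
        return findings
    vbr_off = active[0]["start"] * SECTOR
    vbr = image[vbr_off:vbr_off + SECTOR]
    if len(vbr) < SECTOR:
        findings.append("active partition's boot sector lies outside the image")
    elif struct.unpack_from("<H", vbr, 510)[0] != BOOT_SIG:
        # This is the condition under which the stock Windows MBR code prints
        # "Missing operating system": the VBR it loaded carries no boot signature.
        findings.append("active partition's boot sector lacks the 55 AA signature "
                        "(Windows MBR would report 'Missing operating system')")
    elif active[0]["type"] == 0x07 and vbr[3:11] != b"NTFS    ":
        findings.append("type 0x07 partition but VBR OEM ID is not 'NTFS'")
    return findings


def build_image(vbr_signed: bool = True, second_active: bool = False) -> bytes:
    """Constructed 64-sector test image: one active NTFS partition at LBA 8
    (32 sectors) and one inactive partition at LBA 40 (16 sectors)."""
    img = bytearray(64 * SECTOR)
    struct.pack_into(ENTRY, img, PT_OFFSET, 0x80, 0x07, 8, 32)
    struct.pack_into(ENTRY, img, PT_OFFSET + 16,
                     0x80 if second_active else 0x00, 0x07, 40, 16)
    struct.pack_into("<H", img, 510, BOOT_SIG)
    vbr = 8 * SECTOR
    img[vbr:vbr + 3] = b"\xeb\x52\x90"            # NTFS boot sector jump
    img[vbr + 3:vbr + 11] = b"NTFS    "           # OEM ID
    if vbr_signed:
        struct.pack_into("<H", img, vbr + 510, BOOT_SIG)
    return bytes(img)


if __name__ == "__main__":
    for label, img in [("clean", build_image()),
                       ("unsigned VBR", build_image(vbr_signed=False)),
                       ("two active", build_image(second_active=True))]:
        print(label, "->", check_disk(img) or ["no findings"])
```

These checks are structural only: a bootkit that keeps the table valid and chains to the original boot code passes all of them, so a clean result means "the layout is repairable", not "nothing is hiding in the boot sectors". Comparing the MBR's code bytes against a known-good copy, or simply rewriting them as Boot-Repair-Disk does, is the complementary step.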


#13 jmiller07 (Topic Starter, Members, 12 posts)

Posted 12 November 2013 - 12:54 PM

Attached File: attach.txt (7.94KB)

Success!  Boot Repair Disk ran successfully and I am now able to boot into Windows.  Paste.ubuntu URL is below:

http://paste.ubuntu.com/6406415/

 

Windows Memory Diagnostic tool started on boot.  I think that was because I had tried to run this from the Windows Repair disk when this whole adventure started.  Anyway, no memory problems and now I'm on my desktop.

 

I plan to do nothing yet until I hear from you on determining what infections may still be on the computer.  The only thing I did (anticipating you might request it) is download and run DDS.  The results are pasted below and attached.

 

DDS (Ver_2012-11-20.01) - NTFS_AMD64 
Internet Explorer: 10.0.9200.16720  BrowserJavaVersion: 10.9.2
Run by Josh at 12:41:41 on 2013-11-12
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.8174.6161 [GMT -5:00]
.
AV: Microsoft Security Essentials *Disabled/Updated* {641105E6-77ED-3F35-A304-765193BCB75F}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Microsoft Security Essentials *Disabled/Updated* {DF70E402-51D7-30BB-99B4-4D23E83BFDE2}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
C:\Windows\system32\svchost.exe -k RPCSS
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Program Files (x86)\Common Files\logishrd\LVMVFM\UMVPFSrv.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files (x86)\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\Gateway\Registration\GREGsvc.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Microsoft LifeCam\MSCamS64.exe
C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Gateway\Gateway Updater\UpdaterService.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\System32\WUDFHost.exe
C:\Windows\system32\taskhost.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Windows\System32\svchost.exe -k swprv
C:\Program Files\HP\HP Officejet Pro 8600\Bin\ScanToPCActivationApp.exe
C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
C:\Windows\system32\RunDll32.exe
C:\Program Files (x86)\Gateway\Hotkey Utility\HotkeyUtility.exe
C:\Program Files (x86)\CyberLink\PowerDVD10\PDVD10Serv.exe
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe
C:\Windows\system32\sppsvc.exe
C:\Windows\system32\taskeng.exe
C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
C:\Program Files\HP\HP Officejet Pro 8600\bin\HPNetworkCommunicator.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\HP\HP Officejet Pro 8600\Bin\HPNetworkCommunicator.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\consent.exe
C:\Windows\system32\SearchFilterHost.exe
c:\Program Files\Microsoft Security Client\MpCmdRun.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://my.yahoo.com/
uDefault_Page_URL = hxxp://www.bing.com/?pc=MAGW
mWinlogon: Userinit = userinit.exe
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
uRun: [HP Officejet Pro 8600 (NET)] "C:\Program Files\HP\HP Officejet Pro 8600\Bin\ScanToPCActivationApp.exe" -deviceID "CN29EBWJD905KD:NW" -scfn "HP Officejet Pro 8600 (NET)" -AutoStart 1
mRun: [IAStorIcon] C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun: [Hotkey Utility] C:\Program Files (x86)\Gateway\Hotkey Utility\HotkeyUtility.exe
mRun: [RemoteControl10] "C:\Program Files (x86)\CyberLink\PowerDVD10\PDVD10Serv.exe"
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun: [LifeCam] "C:\Program Files (x86)\Microsoft LifeCam\LifeExp.exe"
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun: [HP Software Update] C:\Program Files (x86)\Hp\HP Software Update\HPWuSchd2.exe
StartupFolder: C:\Users\Josh\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\MONITO~1.LNK - C:\Windows\System32\RunDll32.exe
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-Explorer: NoActiveDesktopChanges = dword:1
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
TCP: NameServer = 75.75.75.75 75.75.76.76 192.168.1.1
TCP: Interfaces\{1AB2C676-39FE-476B-83BE-E04A94B97768} : DHCPNameServer = 75.75.75.75 75.75.76.76 192.168.1.1
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
SSODL: WebCheck - <orphaned>
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "C:\Program Files (x86)\Google\Chrome\Application\30.0.1599.101\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
x64-BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
x64-Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s
x64-Run: [itype] "c:\Program Files\Microsoft IntelliType Pro\itype.exe"
x64-Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
x64-Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - <orphaned>
x64-Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - <orphaned>
x64-SSODL: WebCheck - <orphaned>
.
============= SERVICES / DRIVERS ===============
.
R0 MpFilter;Microsoft Malware Protection Driver;C:\Windows\System32\drivers\MpFilter.sys [2013-6-18 247216]
R2 cvhsvc;Client Virtualization Handler;C:\Program Files (x86)\Common Files\microsoft shared\Virtualization Handler\CVHSVC.EXE [2013-4-22 822504]
R2 GREGService;GREGService;C:\Program Files (x86)\Gateway\Registration\GREGsvc.exe [2010-1-8 23584]
R2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2010-11-1 13336]
R2 MBAMScheduler;MBAMScheduler;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [2012-11-28 418376]
R2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-11-28 701512]
R2 sftlist;Application Virtualization Client;C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2013-6-26 523944]
R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2013-1-18 383264]
R2 UMVPFSrv;UMVPFSrv;C:\Program Files (x86)\Common Files\logishrd\LVMVFM\UMVPFSrv.exe [2012-1-18 450848]
R2 UNS;Intel® Management and Security Application User Notification Service;C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2010-11-1 2655768]
R2 Updater Service;Updater Service;C:\Program Files\Gateway\Gateway Updater\UpdaterService.exe [2010-11-1 243232]
R3 MBAMProtector;MBAMProtector;C:\Windows\System32\drivers\mbam.sys [2012-11-28 25928]
R3 netr28x;Ralink 802.11n Extensible Wireless Driver;C:\Windows\System32\drivers\netr28x.sys [2010-11-1 1014624]
R3 Sftfs;Sftfs;C:\Windows\System32\drivers\Sftfslh.sys [2013-6-26 767144]
R3 Sftplay;Sftplay;C:\Windows\System32\drivers\Sftplaylh.sys [2013-6-26 273576]
R3 Sftredir;Sftredir;C:\Windows\System32\drivers\Sftredirlh.sys [2013-6-26 28840]
R3 Sftvol;Sftvol;C:\Windows\System32\drivers\Sftvollh.sys [2013-6-26 23208]
R3 sftvsa;Application Virtualization Service Agent;C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2013-6-26 207528]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 SkypeUpdate;Skype Updater;C:\Program Files (x86)\Skype\Updater\Updater.exe [2013-2-28 161384]
S3 LVRS64;Logitech RightSound Filter Driver;C:\Windows\System32\drivers\lvrs64.sys [2012-1-18 351136]
S3 LVUVC64;QuickCam Orbit/Sphere AF(UVC);C:\Windows\System32\drivers\lvuvc64.sys [2012-1-18 4865568]
S3 MSHUSBVideo;NX6000/NX3000/VX2000/VX5000/VX5500/VX7000/Cinema Filter Driver;C:\Windows\System32\drivers\nx6000.sys [2010-12-13 36720]
S3 NisDrv;Microsoft Network Inspection System;C:\Windows\System32\drivers\NisDrvWFP.sys [2010-10-24 139616]
S3 NisSrv;Microsoft Network Inspection;C:\Program Files\Microsoft Security Client\NisSrv.exe [2013-8-12 366600]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2011-5-30 59392]
S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\System32\drivers\usbaapl64.sys [2011-5-10 51712]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2011-4-22 1255736]
S4 wlcrasvc;Windows Live Mesh remote connections service;C:\Program Files\Windows Live\Mesh\wlcrasvc.exe [2010-9-22 57184]
.
=============== Created Last 30 ================
.
2013-11-12 17:38:35 965000 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{E2A6B351-4C7A-4D56-B5BF-0C1C429FFB4D}\gapaengine.dll
2013-11-12 17:37:55 10280728 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{3401AD55-61B7-4E6B-8D6A-7BFED3850D49}\mpengine.dll
2013-11-12 17:34:03 10280728 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2013-11-07 17:44:55 -------- d-----w- C:\FRST
2013-10-23 15:59:08 -------- d-----w- C:\Program Files (x86)\directx
2013-10-23 15:59:00 745984 ----a-w- C:\Windows\SysWow64\ir507953.rra
2013-10-23 15:59:00 40448 ----a-w- C:\Windows\SysWow64\regobj.dll
2013-10-23 15:59:00 198640 ----a-w- C:\Windows\SysWow64\Mci32.ocx
2013-10-23 15:59:00 192000 ----a-w- C:\Windows\SysWow64\iac278c7.rra
2013-10-23 15:59:00 1062704 ----a-w- C:\Windows\SysWow64\Mscomctl.ocx
2013-10-23 15:58:56 -------- d-----w- C:\Program Files (x86)\THQ
2013-10-23 15:58:24 225280 ------w- C:\Program Files (x86)\Common Files\InstallShield\IScript\iscript.dll
2013-10-23 15:58:23 77824 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\ctor.dll
2013-10-23 15:58:23 32768 ------w- C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\objectps.dll
2013-10-23 15:58:23 176128 ------w- C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\iuser.dll
2013-10-18 07:11:53 965000 ------w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{ED11E594-EE0D-4E02-B34E-391F7BD854BB}\gapaengine.dll
2013-10-16 14:43:11 69632 ----a-w- C:\Windows\SysWow64\Clifford Uninstall.exe
2013-10-16 14:42:50 -------- d-----w- C:\Program Files\Scholastic's Clifford
2013-10-14 02:43:51 -------- d-----w- C:\Users\Josh\AppData\Local\{1AF3432E-6724-4DA8-824F-57DE10236D3A}
.
==================== Find3M  ====================
.
2013-09-22 23:28:06 1767936 ----a-w- C:\Windows\SysWow64\wininet.dll
2013-09-22 23:27:49 2876928 ----a-w- C:\Windows\SysWow64\jscript9.dll
2013-09-22 23:27:48 61440 ----a-w- C:\Windows\SysWow64\iesetup.dll
2013-09-22 23:27:48 109056 ----a-w- C:\Windows\SysWow64\iesysprep.dll
2013-09-22 22:55:10 2241024 ----a-w- C:\Windows\System32\wininet.dll
2013-09-22 22:54:51 3959296 ----a-w- C:\Windows\System32\jscript9.dll
2013-09-22 22:54:50 67072 ----a-w- C:\Windows\System32\iesetup.dll
2013-09-22 22:54:50 136704 ----a-w- C:\Windows\System32\iesysprep.dll
2013-09-21 03:38:39 2706432 ----a-w- C:\Windows\System32\mshtml.tlb
2013-09-21 03:30:24 2706432 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2013-09-21 02:48:36 89600 ----a-w- C:\Windows\System32\RegisterIEPKEYs.exe
2013-09-21 02:39:47 71680 ----a-w- C:\Windows\SysWow64\RegisterIEPKEYs.exe
2013-09-14 01:10:19 497152 ----a-w- C:\Windows\System32\drivers\afd.sys
2013-09-08 02:30:37 1903552 ----a-w- C:\Windows\System32\drivers\tcpip.sys
2013-09-08 02:27:14 327168 ----a-w- C:\Windows\System32\mswsock.dll
2013-09-08 02:03:58 231424 ----a-w- C:\Windows\SysWow64\mswsock.dll
2013-08-29 02:17:48 5549504 ----a-w- C:\Windows\System32\ntoskrnl.exe
2013-08-29 02:16:35 1732032 ----a-w- C:\Windows\System32\ntdll.dll
2013-08-29 02:16:28 243712 ----a-w- C:\Windows\System32\wow64.dll
2013-08-29 02:16:14 859648 ----a-w- C:\Windows\System32\tdh.dll
2013-08-29 02:13:28 878080 ----a-w- C:\Windows\System32\advapi32.dll
2013-08-29 01:51:45 3969472 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe
2013-08-29 01:51:45 3914176 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe
2013-08-29 01:50:31 5120 ----a-w- C:\Windows\SysWow64\wow32.dll
2013-08-29 01:50:30 1292192 ----a-w- C:\Windows\SysWow64\ntdll.dll
2013-08-29 01:50:16 619520 ----a-w- C:\Windows\SysWow64\tdh.dll
2013-08-29 01:48:17 640512 ----a-w- C:\Windows\SysWow64\advapi32.dll
2013-08-29 01:48:15 44032 ----a-w- C:\Windows\apppatch\acwow64.dll
2013-08-29 00:49:53 25600 ----a-w- C:\Windows\SysWow64\setup16.exe
2013-08-29 00:49:52 7680 ----a-w- C:\Windows\SysWow64\instnm.exe
2013-08-29 00:49:52 14336 ----a-w- C:\Windows\SysWow64\ntvdm64.dll
2013-08-29 00:49:49 2048 ----a-w- C:\Windows\SysWow64\user.exe
2013-08-28 01:21:06 3155968 ----a-w- C:\Windows\System32\win32k.sys
2013-08-28 01:12:33 461312 ----a-w- C:\Windows\System32\scavengeui.dll
.
============= FINISH: 12:42:29.45 ===============
 


#14 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:04:08 AM

Posted 13 November 2013 - 03:44 AM

Scan with aswMBR

Please download aswMBR ( 4.5MB ) to your desktop.

  • Double click the aswMBR.exe icon, and click Run.
  • There will be a short delay before the next dialog box comes up. Please just wait a minute or two.
  • When asked if you'd like to "download the latest Avast! virus definitions", click Yes.
  • Typically this is about a 100MB download so depending on your connection speed it can take a short while to download and become ready.
  • Click the Scan button to start the scan once the update has finished downloading.
  • On completion of the scan, click the save log button, save it to your desktop, then copy and paste it in your next reply.

Note: There will also be a file on your desktop named MBR.dat; do not delete this for now. It is an actual backup of the MBR (master boot record).

 

 

 

Scan with TDSS-Killer

Please read and follow these instructions carefully. We do not want it to fix anything yet (if found), we need to see a report first.

Download TDSSKiller.exe and save it to your desktop

  • Execute TDSSKiller.exe by double-clicking on it.
  • Press Start Scan
  • If Malicious objects are found, do NOT select Copy to quarantine. Change the action to Skip, and save the log.
  • Once complete, a log will be produced at the root of the drive, which is typically C:\, for example C:\TDSSKiller.<version_date_time>log.txt


Please post the contents of that log in your next reply.


Proud Member of UNITE & TB
 

#15 jmiller07

jmiller07
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:10:08 PM

Posted 13 November 2013 - 08:34 AM

When I execute TDSSKiller.exe it says there's an update and asks if I want to load it.  When I say yes, instead of a virus database type of update, it downloads a zip file with another version of TDSSKiller.exe.  Should I run this other version of the executable instead of the one you linked to?

 

Edited to add:

New version of TDSSKiller.exe is 3.0.0.17

Old version of TDSSKiller.exe is 2.8.16.0 (this is the version in your link).

 

While I wait for a confirmation on which one to run, here are the results from aswMBR:

 

aswMBR version 0.9.9.1771 Copyright© 2011 AVAST Software
Run date: 2013-11-13 08:13:40
-----------------------------
08:13:40.971    OS Version: Windows x64 6.1.7601 Service Pack 1
08:13:40.971    Number of processors: 8 586 0x2A07
08:13:40.972    ComputerName: MILLER_I7  UserName: Josh
08:13:43.858    Initialize success
08:15:38.646    AVAST engine defs: 13111200
08:15:58.160    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
08:15:58.163    Disk 0 Vendor: WDC_WD15 51.0 Size: 1430799MB BusType: 3
08:15:58.310    Disk 0 MBR read successfully
08:15:58.313    Disk 0 MBR scan
08:15:58.317    Disk 0 unknown MBR code
08:15:58.320    Disk 0 Partition 1 00     27 Hidden NTFS WinRE NTFS        17408 MB offset 2048
08:15:58.334    Disk 0 Partition 2 80 (A) 07    HPFS/NTFS NTFS          100 MB offset 35653632
08:15:58.340    Disk 0 Partition 3 00     07    HPFS/NTFS NTFS      1413289 MB offset 35858432
08:15:58.365    Disk 0 scanning C:\Windows\system32\drivers
08:16:06.325    Service scanning
08:16:22.079    Modules scanning
08:16:22.087    Disk 0 trace - called modules:
08:16:22.106    ntoskrnl.exe CLASSPNP.SYS disk.sys iaStor.sys hal.dll 
08:16:22.438    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa800960f790]
08:16:22.444    3 CLASSPNP.SYS[fffff88001afd43f] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0xfffffa8007798050]
08:16:24.630    AVAST engine scan C:\Windows
08:16:27.701    AVAST engine scan C:\Windows\system32
08:18:23.355    AVAST engine scan C:\Windows\system32\drivers
08:18:33.507    AVAST engine scan C:\Users\Josh
08:22:14.360    File: C:\Users\Josh\AppData\Local\Temp\autnfjds.dll  **INFECTED** Win32:Dropper-MNB [Drp]
08:22:18.424    File: C:\Users\Josh\AppData\Local\Temp\jar_cache6106768478864658548.tmp  **INFECTED** Win32:Malware-gen
08:22:23.623    File: C:\Users\Josh\AppData\Local\Temp\ppc9hnnt.dll  **INFECTED** Win32:Dropper-MNB [Drp]
08:27:01.053    AVAST engine scan C:\ProgramData
08:28:12.985    Scan finished successfully
08:28:35.064    Disk 0 MBR has been saved successfully to "C:\Users\Josh\Desktop\MBR.dat"
08:28:35.067    The log file has been saved successfully to "C:\Users\Josh\Desktop\aswMBR.txt"

Edited by jmiller07, 13 November 2013 - 08:41 AM.
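A small triage parser for the aswMBR log format pasted above, added here as an example; it is not code from aswMBR or from either poster, and the sample lines inside it are constructed in the same shape as the posted log. It pulls out the MBR status lines, the partition table and the **INFECTED** hits, and lists the reasons a helper would want to look closer before deciding on any fix.

```python
"""Triage helper for the aswMBR text log format (added example)."""
import re
from dataclasses import dataclass, field

# Every scan line starts with an HH:MM:SS.mmm timestamp, then the message.
LINE_RE = re.compile(r"^(\d{2}:\d{2}:\d{2}\.\d{3})\s+(.*)$")
INFECTED_RE = re.compile(r"^File:\s+(.+?)\s+\*\*INFECTED\*\*\s+(.+)$")
PARTITION_RE = re.compile(
    r"^Disk (\d+) Partition (\d+) ([0-9A-Fa-f]{2})\s+(?:\(A\)\s+)?"
    r"([0-9A-Fa-f]{2})\s+(.+?)\s+(\d+) MB offset (\d+)$")
MBR_RE = re.compile(r"^Disk (\d+) (.*MBR.*)$")

# Constructed sample in the shape of the posted log; not the real file.
SAMPLE_LOG = r"""
aswMBR version 0.9.9.1771 Copyright(c) 2011 AVAST Software
08:15:58.317    Disk 0 unknown MBR code
08:15:58.320    Disk 0 Partition 1 00     27 Hidden NTFS WinRE NTFS        17408 MB offset 2048
08:15:58.334    Disk 0 Partition 2 80 (A) 07    HPFS/NTFS NTFS          100 MB offset 35653632
08:15:58.340    Disk 0 Partition 3 00     07    HPFS/NTFS NTFS      1413289 MB offset 35858432
08:22:14.360    File: C:\Users\Josh\AppData\Local\Temp\autnfjds.dll  **INFECTED** Win32:Dropper-MNB [Drp]
08:22:18.424    File: C:\Users\Josh\AppData\Local\Temp\jar_cache6106768478864658548.tmp  **INFECTED** Win32:Malware-gen
08:28:12.985    Scan finished successfully
"""

@dataclass
class Partition:
    disk: int
    index: int
    active: bool   # boot indicator byte is 0x80
    type_id: str   # partition type byte, e.g. "07" = NTFS, "27" = hidden WinRE
    size_mb: int
    offset: int    # first sector (LBA)

@dataclass
class Triage:
    mbr_status: list = field(default_factory=list)   # (disk, message)
    partitions: list = field(default_factory=list)
    infected: list = field(default_factory=list)     # (path, detection name)

    def needs_review(self) -> list:
        """Reasons a helper should look closer before deciding on a fix."""
        reasons = []
        if any("unknown MBR code" in msg for _, msg in self.mbr_status):
            reasons.append("MBR code not recognised: compare MBR.dat with known-good boot code")
        active = [p for p in self.partitions if p.active]
        if len(active) != 1:
            reasons.append(f"{len(active)} active partitions, expected exactly 1")
        reasons += [f"infected file: {path} ({name})" for path, name in self.infected]
        return reasons

def parse_aswmbr(text: str) -> Triage:
    t = Triage()
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue   # banner and separator lines carry no timestamp
        msg = m.group(2).strip()
        if p := PARTITION_RE.match(msg):
            t.partitions.append(Partition(int(p[1]), int(p[2]), p[3] == "80",
                                          p[4].upper(), int(p[6]), int(p[7])))
        elif i := INFECTED_RE.match(msg):
            t.infected.append((i[1], i[2].strip()))
        elif d := MBR_RE.match(msg):
            t.mbr_status.append((int(d[1]), d[2]))
    return t
```

Running `parse_aswmbr(SAMPLE_LOG).needs_review()` on the sample yields three items: the unrecognised MBR code and the two infected temp files; the partition layout (one active 100 MB system partition) raises nothing.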




