
Special Request for mOLe....


  • This topic is locked
35 replies to this topic

#1 Bobbinet

Bobbinet

  • Members
  • 164 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Tennessee
  • Local time:07:38 AM

Posted 30 November 2013 - 05:35 PM

This laptop is a Dell Mini 1012 with Windows 7 Starter. It has 3 USB ports, a 15-prong printer(?) port and an Ethernet port. It has no CD/DVD drive, but she has one that can be plugged in by USB if needed.

 

Not sure where to begin. I have run several tests on my laptop. I know for starters we need to remove all traces of Java; there are hundreds of entries in the Registry, but it is not showing up to uninstall. Adobe also needs to be removed. I removed Malwarebytes as it was broken: it only took about 3 minutes to run a full scan. I want to re-download it when safe. This computer (and the others) are not really shutting down, not until you pull the battery. I know this because when I turn the laptop on in the morning after removing the battery, it comes up with the screen "Windows did not shut down correctly". When you look at this computer there are 3 big dates, 3/23/13, 9/22/13 (AT&T), and 11/7&8/13. The latest one was a 4-hour Microsoft Essentials run that, when finished, showed OS:X in the lower left corner in black. It replaced the Recovery option in Restore with a Q drive. I have tried to Restore to an early date but the recovery box is grayed out and only the C drive is available. All three of these dates made huge changes to the registry. It has completely changed this computer.

I think Microsoft Security Essentials needs to be removed so Windows Defender can function again. I have disabled some network drivers. One other thing is that iTunes got partially uninstalled because I hit the wrong area on this mouse pad; I quickly cancelled it, but she is missing many of them. That's why I wanted to try to restore to an earlier date, but it won't let me check the recovery drive.

6/2011 Malwarebytes found these things...

Files Infected:
c:\Users\Guest\AppData\Local\Temp\adobe_flash_player.exe (Trojan.FakeAlert.Gen) -> Quarantined and deleted successfully.
c:\Users\Guest\AppData\Local\Temp\install_flash_player.exe (Trojan.FakeAlert.Gen) -> Quarantined and deleted successfully.
c:\Users\Guest\AppData\Local\Temp\tmp97EC.tmp (Trojan.FakeHDD) -> Quarantined and deleted successfully.
c:\Users\Guest\AppData\Local\Temp\tmp9ABA.tmp (Trojan.FakeHDD) -> Quarantined and deleted successfully.
c:\Users\Guest\AppData\Local\Temp\tmpB896.tmp (Trojan.FakeHDD) -> Quarantined and deleted successfully.
c:\Users\Guest\AppData\Local\Temp\tmpB932.tmp (Trojan.FakeHDD) -> Quarantined and deleted successfully.
c:\programdata\28565240.exe (Trojan.Agent.PF) -> Quarantined and deleted successfully.
c:\programdata\29613816.exe (Trojan.Agent.PF) -> Quarantined and deleted successfully.
c:\programdata\deawlbdhkjxiool.exe (Trojan.FakeHDD) -> Quarantined and deleted successfully.
c:\Users\Guest\AppData\Local\Temp\0.12632213927835223.exe (Exploit.Drop.2) -> Quarantined and deleted successfully.
c:\Users\Guest\AppData\Local\Temp\0.46081545469668705.exe (Exploit.Drop.2) -> Quarantined and deleted successfully.
 
There were several Backdoor infections as well in 2012. Hope this makes a little sense to you. I am not good at writing my ideas out...
 
DDS Log
DDS (Ver_2012-11-20.01) - NTFS_x86 
Internet Explorer: 10.0.9200.16720
Run by Aubrey at 23:42:13 on 2013-11-29
Microsoft Windows 7 Starter   6.1.7601.1.1252.1.1033.18.1013.403 [GMT -6:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {641105E6-77ED-3F35-A304-765193BCB75F}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Microsoft Security Essentials *Enabled/Updated* {DF70E402-51D7-30BB-99B4-4D23E83BFDE2}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
c:\Program Files\Microsoft Security Client\NisSrv.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\hkcmd.exe
C:\Program Files\Battery Meter\BTMeter.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uProxyOverride = 192.168.*.*
BHO: AutorunsDisabled - <orphaned>
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [BTMeter] c:\program files\battery meter\BTMeter.exe
dRunOnce: [SPReview] "c:\windows\system32\spreview\SPReview.exe" /sp:1 /errorfwlink:"http://go.microsoft.com/fwlink/?LinkID=122915" /build:7601
mPolicies-Explorer: NoDrives = dword:65536
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0017-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {E0FEE963-BB53-4215-81AD-B28C77384644} - hxxps://pattcw.att.motive.com/wizlet/DSLActivation/static/installer/ATTInternetInstaller.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: NameServer = 192.168.1.254
TCP: Interfaces\{8C6473A8-DD04-45EC-AEF7-28E812809651} : DHCPNameServer = 192.168.1.254
Handler: AutorunsDisabled - <Clsid value has no data>
Handler: cozi - {5356518D-FE9C-4E08-9C1F-1E872ECD367F} - c:\program files\cozi express\CoziProtocolHandler.dll
Notify: igfxcui - igfxdev.dll
SSODL: WebCheck - <orphaned>
.
============= SERVICES / DRIVERS ===============
.
R0 EMSC;COMPAL Embedded System Control;c:\windows\system32\drivers\EMSC.sys [2009-6-26 13680]
R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2013-6-18 211560]
R1 MpKsle5282198;MpKsle5282198;c:\programdata\microsoft\microsoft antimalware\definition updates\{9e6efa60-b558-41d4-ab34-9cb6bcf7961f}\MpKsle5282198.sys [2013-11-29 40392]
R2 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2013-1-20 107392]
R3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\system32\drivers\CtClsFlt.sys [2010-5-20 143840]
R3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\NisSrv.exe [2013-8-12 295376]
R3 Sftfs;Sftfs;c:\windows\system32\drivers\Sftfslh.sys [2013-6-26 583848]
R3 Sftplay;Sftplay;c:\windows\system32\drivers\Sftplaylh.sys [2013-6-26 197800]
R3 Sftvol;Sftvol;c:\windows\system32\drivers\Sftvollh.sys [2013-6-26 20136]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 cvhsvc;Client Virtualization Handler;c:\program files\common files\microsoft shared\virtualization handler\CVHSVC.EXE [2013-4-22 822504]
S2 sftlist;Application Virtualization Client;c:\program files\microsoft application virtualization client\sftlist.exe [2013-6-26 523944]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 fssfltr;fssfltr;c:\windows\system32\drivers\fssfltr.sys [2012-4-13 39272]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RtsUStor.sys [2010-3-25 174592]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2011-1-21 328808]
S3 Sftredir;Sftredir;c:\windows\system32\drivers\Sftredirlh.sys [2013-6-26 24232]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2013-3-23 52224]
S4 DockLoginService;Dock Login Service;c:\program files\dell\delldock\DockLogin.exe [2009-6-9 155648]
S4 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2012-3-8 1492840]
S4 lxdu_device;lxdu_device;c:\windows\system32\lxducoms.exe -service --> c:\windows\system32\lxducoms.exe -service [?]
S4 SftService;SoftThinks Agent Service;c:\program files\dell datasafe local backup\SftService.exe [2010-5-20 660800]
S4 sftvsa;Application Virtualization Service Agent;c:\program files\microsoft application virtualization client\sftvsa.exe [2013-6-26 207528]
S4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\windows live\mesh\wlcrasvc.exe [2010-9-22 51040]
.
=============== Created Last 30 ================
.
2013-11-30 05:31:33 40392 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{9e6efa60-b558-41d4-ab34-9cb6bcf7961f}\MpKsle5282198.sys
2013-11-29 20:17:56 7772552 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{9e6efa60-b558-41d4-ab34-9cb6bcf7961f}\mpengine.dll
2013-11-29 05:03:50 -------- d-----w- C:\FRST
2013-11-28 06:07:24 7772552 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2013-11-27 19:30:48 -------- d-----w- c:\program files\ESET
2013-11-15 08:18:05 -------- d-----w- c:\windows\ERUNT
2013-11-08 05:25:17 -------- d-----w- c:\windows\system32\MRT
2013-11-08 04:39:38 729024 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
2013-11-08 04:39:37 133056 ----a-w- c:\windows\system32\drivers\ataport.sys
2013-11-08 04:39:30 175104 ----a-w- c:\windows\system32\wintrust.dll
2013-11-08 04:39:30 1166848 ----a-w- c:\windows\system32\crypt32.dll
2013-11-08 04:39:29 140288 ----a-w- c:\windows\system32\cryptsvc.dll
2013-11-08 04:39:29 103936 ----a-w- c:\windows\system32\cryptnet.dll
2013-11-08 04:39:02 530432 ----a-w- c:\windows\system32\comctl32.dll
2013-11-08 04:38:59 509440 ----a-w- c:\windows\system32\qedit.dll
2013-11-08 04:38:56 1505280 ----a-w- c:\windows\system32\d3d11.dll
2013-11-08 04:38:52 1247744 ----a-w- c:\windows\system32\DWrite.dll
2013-11-08 04:38:47 652800 ----a-w- c:\windows\system32\rpcrt4.dll
2013-11-08 04:38:44 70656 ----a-w- c:\windows\system32\fontsub.dll
2013-11-08 04:38:44 295424 ----a-w- c:\windows\system32\atmfd.dll
2013-11-08 04:38:44 26112 ----a-w- c:\windows\system32\lpk.dll
2013-11-08 04:38:44 10240 ----a-w- c:\windows\system32\dciman32.dll
2013-11-08 04:38:43 34304 ----a-w- c:\windows\system32\atmlib.dll
2013-11-08 04:38:40 2348544 ----a-w- c:\windows\system32\win32k.sys
2013-11-08 04:38:33 936448 ----a-w- c:\program files\common files\microsoft shared\ink\journal.dll
2013-11-08 04:38:19 434688 ----a-w- c:\windows\system32\scavengeui.dll
2013-11-08 04:37:56 205824 ----a-w- c:\windows\system32\WebClnt.dll
2013-11-08 04:37:55 81920 ----a-w- c:\windows\system32\davclnt.dll
2013-11-08 04:37:55 115712 ----a-w- c:\windows\system32\drivers\mrxdav.sys
2013-11-08 04:37:48 3969472 ----a-w- c:\windows\system32\ntkrnlpa.exe
2013-11-08 04:37:47 3914176 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-11-08 04:37:46 619520 ----a-w- c:\windows\system32\tdh.dll
2013-11-08 04:37:46 1289096 ----a-w- c:\windows\system32\ntdll.dll
2013-11-08 04:37:44 640512 ----a-w- c:\windows\system32\advapi32.dll
2013-11-08 04:36:51 36352 ----a-w- c:\windows\system32\drivers\usbscan.sys
2013-11-08 04:36:50 55808 ----a-w- c:\windows\system32\drivers\hidclass.sys
2013-11-08 04:36:50 25728 ----a-w- c:\windows\system32\drivers\hidparse.sys
2013-11-08 04:36:47 146816 ----a-w- c:\windows\system32\drivers\usbvideo.sys
2013-11-08 04:36:46 86016 ----a-w- c:\windows\system32\drivers\usbcir.sys
2013-11-08 04:36:40 1294272 ----a-w- c:\windows\system32\drivers\tcpip.sys
2013-11-08 04:36:39 338944 ----a-w- c:\windows\system32\drivers\afd.sys
2013-11-08 04:36:39 231424 ----a-w- c:\windows\system32\mswsock.dll
2013-11-08 04:36:35 1620992 ----a-w- c:\windows\system32\WMVDECOD.DLL
2013-11-08 04:36:27 2048 ----a-w- c:\windows\system32\tzres.dll
2013-11-08 04:34:36 527064 ----a-w- c:\windows\system32\drivers\Wdf01000.sys
2013-11-08 04:34:31 680960 ----a-w- c:\program files\windows defender\MpSvc.dll
2013-11-08 04:34:31 392704 ----a-w- c:\program files\windows defender\MpClient.dll
2013-11-08 04:34:29 224768 ----a-w- c:\program files\windows defender\MpCommu.dll
2013-11-08 04:28:27 31232 ----a-w- c:\windows\system32\drivers\tssecsrv.sys
2013-11-06 17:27:37 719224 ------w- c:\programdata\microsoft\microsoft antimalware\definition updates\{a4271140-7433-4e52-ab34-43549fdc1a56}\gapaengine.dll
2013-11-06 08:38:03 -------- d-----w- C:\AdwCleaner
.
==================== Find3M  ====================
.
2013-11-19 10:21:30 230048 ------w- c:\windows\system32\MpSigStub.exe
2013-10-03 19:28:36 4188160 ----a-w- c:\program files\GUTE273.tmp
2013-09-22 23:28:06 1767936 ----a-w- c:\windows\system32\wininet.dll
2013-09-22 23:27:49 2876928 ----a-w- c:\windows\system32\jscript9.dll
2013-09-22 23:27:48 61440 ----a-w- c:\windows\system32\iesetup.dll
2013-09-22 23:27:48 109056 ----a-w- c:\windows\system32\iesysprep.dll
2013-09-21 03:30:24 2706432 ----a-w- c:\windows\system32\mshtml.tlb
2013-09-21 02:39:47 71680 ----a-w- c:\windows\system32\RegisterIEPKEYs.exe
.
============= FINISH: 23:42:44.89 ===============
 

 

Attached Files





#2 Bobbinet

Bobbinet
  • Topic Starter

  • Members
  • 164 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Tennessee
  • Local time:07:38 AM

Posted 02 December 2013 - 06:02 PM

When I went to power up the laptop today it was alternating between a blue screen and the Windows screen. Had to restore. Every restore I tried failed, including the one I am on. I will have to run a new DDS but will wait in case the next boot changes things. I tried several times and I took a picture of the last one. I said no to the restore option and this is what I am on now. I know this sounds crazy, but I looked at the Vista laptop today and it has the exact same things running in Services. I know it is not Vista services running, but I am not familiar with W7 so I can't say. The clock is off by 3 hours now.


Edited by Bobbinet, 02 December 2013 - 06:21 PM.


#3 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:01:38 PM

Posted 02 December 2013 - 08:38 PM

Do you have the new DDS log, Doris?
m0le is a proud member of UNITE

#4 Bobbinet

Bobbinet
  • Topic Starter

  • Members
  • 164 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Tennessee
  • Local time:07:38 AM

Posted 04 December 2013 - 03:55 AM

I will post it tomorrow. I didn't know you replied; I may go ahead and do it now. Either way, by tomorrow at the latest.



#5 Bobbinet

Bobbinet
  • Topic Starter

  • Members
  • 164 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Tennessee
  • Local time:07:38 AM

Posted 04 December 2013 - 04:21 AM

DDS (Ver_2012-11-20.01) - NTFS_x86 
Internet Explorer: 10.0.9200.16720
Run by Aubrey at 3:01:13 on 2013-12-04
#Option Extended Search is enabled.
Microsoft Windows 7 Starter   6.1.7601.1.1252.1.1033.18.1013.431 [GMT -6:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {641105E6-77ED-3F35-A304-765193BCB75F}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Microsoft Security Essentials *Enabled/Updated* {DF70E402-51D7-30BB-99B4-4D23E83BFDE2}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Windows\system32\wbengine.exe
c:\Program Files\Microsoft Security Client\NisSrv.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\hkcmd.exe
C:\Program Files\Battery Meter\BTMeter.exe
C:\Windows\system32\sppsvc.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uProxyOverride = 192.168.*.*
BHO: AutorunsDisabled - <orphaned>
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [BTMeter] c:\program files\battery meter\BTMeter.exe
dRunOnce: [SPReview] "c:\windows\system32\spreview\SPReview.exe" /sp:1 /errorfwlink:"http://go.microsoft.com/fwlink/?LinkID=122915" /build:7601
mPolicies-Explorer: NoDrives = dword:65536
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0017-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {E0FEE963-BB53-4215-81AD-B28C77384644} - hxxps://pattcw.att.motive.com/wizlet/DSLActivation/static/installer/ATTInternetInstaller.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: NameServer = 192.168.1.254
TCP: Interfaces\{8C6473A8-DD04-45EC-AEF7-28E812809651} : DHCPNameServer = 192.168.1.254
Handler: AutorunsDisabled - <Clsid value has no data>
Handler: cozi - {5356518D-FE9C-4E08-9C1F-1E872ECD367F} - c:\program files\cozi express\CoziProtocolHandler.dll
Notify: igfxcui - igfxdev.dll
SSODL: WebCheck - <orphaned>
.
============= SERVICES / DRIVERS ===============
.
R0 EMSC;COMPAL Embedded System Control;c:\windows\system32\drivers\EMSC.sys [2009-6-26 13680]
R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2013-6-18 211560]
R2 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2013-1-20 107392]
R3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\system32\drivers\CtClsFlt.sys [2010-5-20 143840]
R3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\NisSrv.exe [2013-8-12 295376]
R3 Sftfs;Sftfs;c:\windows\system32\drivers\Sftfslh.sys [2013-6-26 583848]
R3 Sftplay;Sftplay;c:\windows\system32\drivers\Sftplaylh.sys [2013-6-26 197800]
R3 Sftvol;Sftvol;c:\windows\system32\drivers\Sftvollh.sys [2013-6-26 20136]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 cvhsvc;Client Virtualization Handler;c:\program files\common files\microsoft shared\virtualization handler\CVHSVC.EXE [2013-4-22 822504]
S2 sftlist;Application Virtualization Client;c:\program files\microsoft application virtualization client\sftlist.exe [2013-6-26 523944]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 fssfltr;fssfltr;c:\windows\system32\drivers\fssfltr.sys [2012-4-13 39272]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RtsUStor.sys [2010-3-25 174592]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2011-1-21 328808]
S3 Sftredir;Sftredir;c:\windows\system32\drivers\Sftredirlh.sys [2013-6-26 24232]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2013-3-23 52224]
S4 DockLoginService;Dock Login Service;c:\program files\dell\delldock\DockLogin.exe [2009-6-9 155648]
S4 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2012-3-8 1492840]
S4 lxdu_device;lxdu_device;c:\windows\system32\lxducoms.exe -service --> c:\windows\system32\lxducoms.exe -service [?]
S4 SftService;SoftThinks Agent Service;c:\program files\dell datasafe local backup\SftService.exe [2010-5-20 660800]
S4 sftvsa;Application Virtualization Service Agent;c:\program files\microsoft application virtualization client\sftvsa.exe [2013-6-26 207528]
S4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\windows live\mesh\wlcrasvc.exe [2010-9-22 51040]
.
=============== Created Last 60 ================
.
2013-12-02 19:35:31 7772552 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{c662c6bb-0678-45da-a126-9812ad0be8b2}\mpengine.dll
2013-12-02 19:22:40 7772552 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2013-11-29 05:03:50 -------- d-----w- C:\FRST
2013-11-27 19:30:48 -------- d-----w- c:\program files\ESET
2013-11-15 08:18:05 -------- d-----w- c:\windows\ERUNT
2013-11-08 05:25:17 -------- d-----w- c:\windows\system32\MRT
2013-11-08 04:39:38 729024 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
2013-11-08 04:39:37 133056 ----a-w- c:\windows\system32\drivers\ataport.sys
2013-11-08 04:39:30 175104 ----a-w- c:\windows\system32\wintrust.dll
2013-11-08 04:39:30 1166848 ----a-w- c:\windows\system32\crypt32.dll
2013-11-08 04:39:29 140288 ----a-w- c:\windows\system32\cryptsvc.dll
2013-11-08 04:39:29 103936 ----a-w- c:\windows\system32\cryptnet.dll
2013-11-08 04:39:02 530432 ----a-w- c:\windows\system32\comctl32.dll
2013-11-08 04:38:59 509440 ----a-w- c:\windows\system32\qedit.dll
2013-11-08 04:38:56 1505280 ----a-w- c:\windows\system32\d3d11.dll
2013-11-08 04:38:52 1247744 ----a-w- c:\windows\system32\DWrite.dll
2013-11-08 04:38:47 652800 ----a-w- c:\windows\system32\rpcrt4.dll
2013-11-08 04:38:44 70656 ----a-w- c:\windows\system32\fontsub.dll
2013-11-08 04:38:44 295424 ----a-w- c:\windows\system32\atmfd.dll
2013-11-08 04:38:44 26112 ----a-w- c:\windows\system32\lpk.dll
2013-11-08 04:38:44 10240 ----a-w- c:\windows\system32\dciman32.dll
2013-11-08 04:38:43 34304 ----a-w- c:\windows\system32\atmlib.dll
2013-11-08 04:38:40 2348544 ----a-w- c:\windows\system32\win32k.sys
2013-11-08 04:38:33 936448 ----a-w- c:\program files\common files\microsoft shared\ink\journal.dll
2013-11-08 04:38:19 434688 ----a-w- c:\windows\system32\scavengeui.dll
2013-11-08 04:37:56 205824 ----a-w- c:\windows\system32\WebClnt.dll
2013-11-08 04:37:55 81920 ----a-w- c:\windows\system32\davclnt.dll
2013-11-08 04:37:55 115712 ----a-w- c:\windows\system32\drivers\mrxdav.sys
2013-11-08 04:37:48 3969472 ----a-w- c:\windows\system32\ntkrnlpa.exe
2013-11-08 04:37:47 3914176 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-11-08 04:37:46 619520 ----a-w- c:\windows\system32\tdh.dll
2013-11-08 04:37:46 1289096 ------w- c:\windows\system32\ntdll.dll.0
2013-11-08 04:37:46 1289096 ------w- c:\windows\system32\ntdll.dll
2013-11-08 04:37:44 640512 ----a-w- c:\windows\system32\advapi32.dll
2013-11-08 04:36:51 36352 ----a-w- c:\windows\system32\drivers\usbscan.sys
2013-11-08 04:36:50 55808 ----a-w- c:\windows\system32\drivers\hidclass.sys
2013-11-08 04:36:50 25728 ----a-w- c:\windows\system32\drivers\hidparse.sys
2013-11-08 04:36:47 146816 ----a-w- c:\windows\system32\drivers\usbvideo.sys
2013-11-08 04:36:46 86016 ----a-w- c:\windows\system32\drivers\usbcir.sys
2013-11-08 04:36:40 1294272 ----a-w- c:\windows\system32\drivers\tcpip.sys
2013-11-08 04:36:39 338944 ----a-w- c:\windows\system32\drivers\afd.sys
2013-11-08 04:36:39 231424 ----a-w- c:\windows\system32\mswsock.dll
2013-11-08 04:36:35 1620992 ----a-w- c:\windows\system32\WMVDECOD.DLL
2013-11-08 04:36:27 2048 ----a-w- c:\windows\system32\tzres.dll
2013-11-08 04:34:36 527064 ----a-w- c:\windows\system32\drivers\Wdf01000.sys
2013-11-08 04:34:31 680960 ----a-w- c:\program files\windows defender\MpSvc.dll
2013-11-08 04:34:31 392704 ----a-w- c:\program files\windows defender\MpClient.dll
2013-11-08 04:34:29 224768 ----a-w- c:\program files\windows defender\MpCommu.dll
2013-11-08 04:28:27 31232 ----a-w- c:\windows\system32\drivers\tssecsrv.sys
2013-11-06 17:27:37 719224 ------w- c:\programdata\microsoft\microsoft antimalware\definition updates\{a4271140-7433-4e52-ab34-43549fdc1a56}\gapaengine.dll
.
==================== Find6M  ====================
.
2013-11-19 10:21:30 230048 ------w- c:\windows\system32\MpSigStub.exe
2013-10-03 19:28:36 4188160 ----a-w- c:\program files\GUTE273.tmp
2013-09-22 23:28:06 1767936 ----a-w- c:\windows\system32\wininet.dll
2013-09-22 23:27:49 2876928 ----a-w- c:\windows\system32\jscript9.dll
2013-09-22 23:27:48 61440 ----a-w- c:\windows\system32\iesetup.dll
2013-09-22 23:27:48 109056 ----a-w- c:\windows\system32\iesysprep.dll
2013-09-21 03:30:24 2706432 ----a-w- c:\windows\system32\mshtml.tlb
2013-09-21 02:39:47 71680 ----a-w- c:\windows\system32\RegisterIEPKEYs.exe
2013-08-02 01:50:36 169984 ----a-w- c:\windows\system32\winsrv.dll
2013-08-02 01:49:19 293376 ----a-w- c:\windows\system32\KernelBase.dll
2013-08-02 00:52:57 271360 ----a-w- c:\windows\system32\conhost.exe
2013-08-02 00:43:05 6144 ---ha-w- c:\windows\system32\api-ms-win-security-base-l1-1-0.dll
2013-08-02 00:43:05 4608 ---ha-w- c:\windows\system32\api-ms-win-core-threadpool-l1-1-0.dll
2013-08-02 00:43:05 3584 ---ha-w- c:\windows\system32\api-ms-win-core-xstate-l1-1-0.dll
2013-08-02 00:43:05 3072 ---ha-w- c:\windows\system32\api-ms-win-core-util-l1-1-0.dll
2013-06-27 01:23:04 20136 ----a-w- c:\windows\system32\drivers\Sftvollh.sys
2013-06-27 01:23:00 24232 ----a-w- c:\windows\system32\drivers\Sftredirlh.sys
2013-06-27 01:23:00 197800 ----a-w- c:\windows\system32\drivers\Sftplaylh.sys
2013-06-27 01:23:00 1084072 ----a-w- c:\windows\system32\sftldr.dll
2013-06-27 01:22:58 583848 ----a-w- c:\windows\system32\drivers\Sftfslh.sys
2013-06-20 23:03:57 692104 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-06-20 23:03:56 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-06-19 03:50:08 211560 ----a-w- c:\windows\system32\drivers\MpFilter.sys
2013-06-19 03:50:08 107392 ----a-w- c:\windows\system32\drivers\NisDrvWFP.sys
2013-06-09 23:58:29 866720 ----a-w- c:\windows\system32\npDeployJava1.dll
2013-06-09 23:58:28 788896 ----a-w- c:\windows\system32\deployJava1.dll
2013-06-09 23:57:15 0 ----a-w- c:\windows\system32\REND937.tmp
2013-06-09 23:57:15 0 ----a-w- c:\windows\system32\REND926.tmp
.
============= FINISH:  3:04:03.08 ===============
 

Thank you!

Attached Files
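The two DDS logs above (29 November and 4 December) are compared by eye in this thread. The following Python is an added example, not part of the thread and not code from the DDS tool: it splits a DDS log into its banner-delimited sections, parses the SERVICES / DRIVERS and "Created Last N" entries, and reports which processes, services and files appeared or vanished between the two captures. The two log excerpts embedded below are constructed by trimming the logs posted in this thread to a handful of lines each; everything else (function names, the `[?]` check) is this example's own design, based on the DDS output format as it appears on this page.

```python
import re

# Constructed excerpts, trimmed from the two DDS logs posted in this thread
# (29 Nov and 4 Dec) so the example runs offline; not the complete logs.
DDS_NOV29 = r"""
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
c:\Program Files\Microsoft Security Client\MsMpEng.exe
============= SERVICES / DRIVERS ===============
R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2013-6-18 211560]
R1 MpKsle5282198;MpKsle5282198;c:\programdata\microsoft\microsoft antimalware\definition updates\{9e6efa60-b558-41d4-ab34-9cb6bcf7961f}\MpKsle5282198.sys [2013-11-29 40392]
R2 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2013-1-20 107392]
S4 lxdu_device;lxdu_device;c:\windows\system32\lxducoms.exe -service --> c:\windows\system32\lxducoms.exe -service [?]
=============== Created Last 30 ================
2013-11-29 05:03:50 -------- d-----w- C:\FRST
2013-11-08 04:37:46 1289096 ----a-w- c:\windows\system32\ntdll.dll
"""

DDS_DEC04 = r"""
============== Running Processes ================
C:\Windows\system32\wininit.exe
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Windows\system32\wbengine.exe
C:\Windows\system32\sppsvc.exe
============= SERVICES / DRIVERS ===============
R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2013-6-18 211560]
R2 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2013-1-20 107392]
S4 lxdu_device;lxdu_device;c:\windows\system32\lxducoms.exe -service --> c:\windows\system32\lxducoms.exe -service [?]
=============== Created Last 60 ================
2013-12-02 19:35:31 7772552 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{c662c6bb-0678-45da-a126-9812ad0be8b2}\mpengine.dll
2013-11-29 05:03:50 -------- d-----w- C:\FRST
2013-11-08 04:37:46 1289096 ------w- c:\windows\system32\ntdll.dll.0
2013-11-08 04:37:46 1289096 ------w- c:\windows\system32\ntdll.dll
"""

SECTION_RE = re.compile(r"^=+\s*(.*?)\s*=+$")  # '=== Name ===' banner lines
CREATED_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\S+) (\S+) (.+)$")


def split_sections(text):
    """Group non-empty lines under the banner above them; DDS pads sections with lone '.' lines."""
    sections, current = {"header": []}, "header"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        banner = SECTION_RE.match(line)
        if banner:
            current = banner.group(1)
            sections.setdefault(current, [])
        else:
            sections[current].append(line)
    return sections


def section(sections, prefix):
    """Look a section up by banner prefix, so 'Created Last' matches both '30' and '60'."""
    return next((lines for name, lines in sections.items() if name.startswith(prefix)), [])


def parse_services(lines):
    """name (lower-cased) -> (start type, display name, image path, verified).
    DDS appends '[date size]' when it could stat the image and '[?]' when it could not."""
    out = {}
    for line in lines:
        parts = line.split(";", 2)
        if len(parts) != 3 or " " not in parts[0]:
            continue
        start, name = parts[0].split(" ", 1)
        rest = parts[2].rstrip()
        path = re.sub(r"\s*\[[^\]]*\]$", "", rest)  # drop the trailing bracket
        out[name.lower()] = (start, parts[1], path, not rest.endswith("[?]"))
    return out


def parse_created(lines):
    """path (lower-cased) -> (timestamp, size or '--------' for directories, attributes)."""
    out = {}
    for line in lines:
        m = CREATED_RE.match(line)
        if m:
            ts, size, attrs, path = m.groups()
            out[path.lower()] = (ts, size, attrs)
    return out


def diff_dds(old, new):
    """What appeared or vanished between two DDS captures of the same machine."""
    a, b = split_sections(old), split_sections(new)
    procs_a = {p.lower() for p in section(a, "Running Processes")}
    procs_b = {p.lower() for p in section(b, "Running Processes")}
    svc_a, svc_b = parse_services(section(a, "SERVICES")), parse_services(section(b, "SERVICES"))
    files_a, files_b = parse_created(section(a, "Created Last")), parse_created(section(b, "Created Last"))
    return {
        "new_processes": sorted(procs_b - procs_a),
        "gone_processes": sorted(procs_a - procs_b),
        "new_services": sorted(svc_b.keys() - svc_a.keys()),
        "gone_services": sorted(svc_a.keys() - svc_b.keys()),
        "new_files": sorted(files_b.keys() - files_a.keys()),
        # images DDS could not verify on disk deserve a manual look
        "unverified_services": sorted(n for n, rec in svc_b.items() if not rec[3]),
    }


if __name__ == "__main__":
    for key, items in diff_dds(DDS_NOV29, DDS_DEC04).items():
        print(key, items)
```

Run on the two excerpts, the diff reports `wbengine.exe` and `sppsvc.exe` as newly running, the definition-update driver `MpKsle5282198` as gone (those drivers are regenerated with each signature update, so its disappearance is expected), `ntdll.dll.0` and the new `mpengine.dll` as newly created, and `lxdu_device` as a service whose image DDS could not verify. The point is to turn a long text log into a short list of changes that a helper can check, not to decide what is malicious; that judgement still belongs to the person reading the log.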



#6 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:01:38 PM

Posted 05 December 2013 - 08:44 PM

There's nothing nasty showing up there. Please run GMER for me.


Please download GMER from one of the following locations and save it to your desktop:

  • Main Mirror, which will download a randomly named file
  • Zipped Mirror - unzip the file to its own folder such as C:\gmer

  • Disconnect from the Internet and close all running programs
  • Temporarily disable any real-time active protection
  • It is very important you do not use your computer while GMER is running
  • Double-click on the randomly named GMER icon
  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan
  • If you receive a warning about rootkit activity and are asked to fully scan your system, click NO
  • Please check the Quick scan box
  • Please uncheck the following:
      IAT/EAT
      Show All <<< Important
  • Click Scan
  • If you see a rootkit warning window, click OK
  • When the scan is finished, save the results to your desktop as gmer.log
  • Click Copy, then paste the results in your reply
  • Exit GMER and be sure to re-enable your Antivirus, Firewall and any other security programs you had disabled

Note:

  • If you encounter any problems, try running GMER in Safe Mode
  • If GMER crashes or keeps resulting in a Blue Screen of Death, uncheck Devices on the right side before scanning
m0le is a proud member of UNITE

#7 Bobbinet

Bobbinet
  • Topic Starter

  • Members
  • 164 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Tennessee
  • Local time:07:38 AM

Posted 07 December 2013 - 12:05 AM

I just tried to run GMER. It stopped working. I am going to restart the PC and try again.

No luck. Took a picture of the screen if that helps.


Edited by Bobbinet, 07 December 2013 - 12:14 AM.


#8 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:01:38 PM

Posted 09 December 2013 - 08:10 PM

Doris, please run TDSSKiller
  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
  • Go to Start > Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks) Then press OK.

    "%userprofile%\Desktop\TDSSKiller.exe" -l report.txt
  • Now click Start Scan.
  • If Malicious objects are found, ensure Cure is selected then click Continue > Reboot now.
  • Click Close
  • Finally press Report and copy and paste the contents into your next reply. If you've rebooted then the log will be found at C:\

m0le is a proud member of UNITE

#9 Bobbinet

Bobbinet
  • Topic Starter

  • Members
  • 164 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Tennessee
  • Local time:07:38 AM

Posted 09 December 2013 - 10:43 PM

I am not used to W7 so I am not sure if this is the norm, but nothing is ever on the desktop. I have to go to Users, then Aubrey, then the Desktop folder. I ran it this way and am posting the results as a zip.

Attached Files



#10 Bobbinet

Bobbinet
  • Topic Starter

  • Members
  • 164 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Tennessee
  • Local time:07:38 AM

Posted 10 December 2013 - 11:51 PM

I was looking at the volume controls today because something is up with the sound. Can barely hear anything. When I had finished I had a vintage-looking brown volume horn on the taskbar. I could not delete it and under properties for the taskbar it did not show, but even if it did, everything is grayed out and unable to change settings. Later I opened SystemLook and it then vanished?

I went to computer and the OS says C:, but hovering over it said empty, when I expand it showed several folders. Under computer management (I R clicked & hit manage) then storage, then disk management, it said virtual disk... and is online. There are 3 partitions on the top one first is simple, basic, ??, Healthy (Oem Partition), Capacity 39MB, Free 39MB. The second is OS (C:), Simple, Basic, NTFS, Healthy (Boot, Page File, Crash Dump, Primary Partition) Capacity 218.20, Free Space 143.70. The third is Recovery, Simple, Basic, NTFS, Healthy (System, Active, Primary Partition) Capacity 14.65, Free Space 8.03. On the bottom it shows Disk 0, Basic 232.80GB, Online. Then the other 3 as above.

When I hit properties for computer, the title shows a highlighted OS, local disk, NTFS. The hardware shows Hitachi, Location 0 (Channel 0, Target 0, Lun 0). Is all this normal? On the 7th of Nov. when I ran MSE it ran for over 4 hours and changed so many things. I did a restore to try to undo it but it would stall, and then restore to what it wanted to. When I chose to restore it had a D: drive for Recovery with 10+ MB/GB?; it was gone and a Q drive in its place.

Is it normal for hundreds of google entries in the Registry? Java is even more. Everything is Virtual, sharing, etc...  I paused the MSE and was able to get the Windows Defender to run but it must be a mini version as there is no software explorer and again any settings are grayed out. So much more but will wait for you.

Also I had run a GMER for rootkits a while back but I did get a report of it. It is enclosed. Never mind, too big. It is 2.06 MB.


Edited by Bobbinet, 11 December 2013 - 12:05 AM.


#11 Bobbinet

Bobbinet
  • Topic Starter

  • Members
  • 164 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Tennessee
  • Local time:07:38 AM

Posted 14 December 2013 - 06:54 PM

When I shut down the computer it shows a warning screen but it only shows for a split second. I noticed the word "Desktop" in it. Last night it did not want to shut down so I held the power button down to force it closed and I saw an "OTHER USER" logon screen for just a second; it was right in the middle of the screen.



#12 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:01:38 PM

Posted 15 December 2013 - 11:25 AM

Sorry Doris, I'm not able to unzip a file as I'm currently using a tablet. I will be back with you later today :)
m0le is a proud member of UNITE

#13 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:01:38 PM

Posted 15 December 2013 - 08:50 PM

The TDSSKiller log is clean.

Nothing in your two posts says anything untoward. Just normal stuff and maybe signs of a hard drive starting to fail, but it could just be nothing.

We're going to test the system next

Use the Windows Error Checking utility (Check Disk), with the options to fix file system errors and scan the disk surface for errors, attempt recovery of data and repair the disk:
  • Click the "Windows Orb" Start button, then click Computer.
  • Right-click on the drive that you wish to check > Properties > Tools tab
  • In the "Error checking" section, click on Check now.
  • Place a checkmark in both boxes > Start.
  • If the disk you have chosen is the Windows system disk:
  • A message will notify you that a restart is necessary and ask "Do you want to check for hard disk errors the next time you start your computer?".
  • Click Schedule disk check > OK and close all windows.
  • Re-start the computer. The disk will be checked when the system boots.
  • This will take some time to run and at times may appear stalled but just let it run.
  • When the disk check is complete, the system will re-start automatically and load Windows.
A log of the disk check is recorded only if the scheduled re-start is used, and only for drives on the same HDD as the Operating System.
To open Event Viewer and view the log:
  • Click the "Windows Orb" Start button -> type "eventvwr" without the quotes -> press the <ENTER> key.
  • The Event Viewer window will open.
  • In the left pane, expand "Windows Logs" and then click on Application.
  • In the right pane, at the top, click on the column heading Source to sort the list alphabetically.
  • Look in the Source column for "Wininit", with an entry corresponding to the date and time of the disk check.
  • Click on that Wininit entry to select it.
  • On the top main menu, click Action > Copy > Copy Details as Text.
  • Paste the contents into your next reply.

m0le is a proud member of UNITE
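The Event Viewer steps above can be done from a PowerShell prompt as well, which saves scrolling through the Application log by hand. The script below is an added example for this thread, not a tool m0le or BleepingComputer supplies: it assumes Windows 7 with PowerShell 2.0 or later, an elevated prompt, and that the scheduled disk check has already run at boot (the report only exists in that case, as the post notes). It pulls the Wininit entries, keeps the ones that are chkdsk reports, prints the summary lines a helper looks at (bad sectors, corrections, "found no problems") and writes the full text to the user's real Desktop folder via `$env:USERPROFILE`, which matters on this machine where the Desktop lives under Users\Aubrey.

```powershell
# Added example (not from the thread): read the Wininit disk-check result
# from the Application log instead of browsing Event Viewer.
# Assumes Windows 7, PowerShell 2.0+, elevated prompt, and that the
# scheduled check has completed and the machine has rebooted since.

# "Wininit" is the Source name the post tells you to look for.
$events = Get-EventLog -LogName Application -Source Wininit -Newest 20

# Keep only entries whose message is a chkdsk report; every report
# contains the line "Checking file system on <drive>".
$chkdskReports = $events | Where-Object { $_.Message -match 'Checking file system on' }

if (-not $chkdskReports) {
    Write-Host "No Wininit disk-check entries found. The report is only written when chkdsk runs at boot."
    return
}

# Most recent report first.
$latest = $chkdskReports | Sort-Object TimeGenerated -Descending | Select-Object -First 1
Write-Host ("Disk check recorded at {0} (Event ID {1})" -f $latest.TimeGenerated, $latest.EventID)

# Summary lines a helper actually reads: surface errors, corrections made,
# or the clean-bill-of-health line.
$lines = $latest.Message -split "`r?`n"
$summary = $lines | Where-Object {
    $_ -match 'bad sectors|found no problems|made corrections|errors found|replaced bad clusters|free space'
}
$summary

# Save the whole report where it is easy to find and attach to a reply.
# $env:USERPROFILE resolves to C:\Users\<name>, so this lands in the real
# Desktop folder even when the shell shortcut for it is missing.
$out = Join-Path $env:USERPROFILE 'Desktop\chkdsk-log.txt'
$latest.Message | Out-File -FilePath $out -Encoding ascii
Write-Host "Full report saved to $out"
```

A non-zero "KB in bad sectors" figure in the summary is the line that backs up the "hard drive starting to fail" suspicion mentioned above; "found no problems" with zero bad sectors points the other way.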

#14 Bobbinet

Bobbinet
  • Topic Starter

  • Members
  • 164 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Tennessee
  • Local time:07:38 AM

Posted 17 December 2013 - 04:05 PM

will post this in a bit, thanks



#15 Bobbinet

Bobbinet
  • Topic Starter

  • Members
  • 164 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Tennessee
  • Local time:07:38 AM

Posted 17 December 2013 - 08:38 PM

I have not run the above yet. I want to know if we can remove the Java on this machine. I feel that it is infected; there is no uninstall as it is not present anywhere but the registry. I found a way to show the desktop on the desktop. I ran a GMER and it completed. The next time I booted the pc it would not boot and again had to restore to whatever it chose. I can still click show desktop but it does nothing. Here is the GMER...

GMER 2.1.19163 - http://www.gmer.net
Rootkit scan 2013-12-14 21:27:15
Windows 6.1.7601 Service Pack 1 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 Hitachi_HTS545025B9A300 rev.PB2OC60S 232.89GB
Running: qf5l6st5.exe; Driver: C:\Users\Aubrey\AppData\Local\Temp\uwldqpob.sys
 
 
---- Kernel code sections - GMER 2.1 ----
 
.text  ntkrnlpa.exe!ZwRollbackEnlistment + 142D                                            81C54A15 1 Byte  [06]
.text  ntkrnlpa.exe!KiDispatchInterrupt + 5A2                                              81C8E212 19 Bytes  [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
 
---- Registry - GMER 2.1 ----
 
Reg    HKLM\SYSTEM\CurrentControlSet\services\Dnscache\Parameters\DnsCache@ShutdownOnIdle  0
 
I can't open most sites, I get "HTTP Error 503. The service is unavailable."


