Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

PUP not really removed by MBAM, now Windows Security disabled


  • Please log in to reply
3 replies to this topic

#1 dnereid

dnereid

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:12:13 AM

Posted 07 December 2013 - 01:24 AM

Please help.
 
I stupidly downloaded something that installed PUPs using Chrome last week. I realized browser hijack, ran MBAM pro, got 80+ infections and quarantined them. Some of them pasted below. I deleted them afterwards and then I ran the gamut of antimalware, from Adwcleaner, Hitman Pro, MBAM, Windows security essentials, Roguekiller, chameleon etc etc to be sure, and deleted some more things here and there. Although nothing is being detected anymore I am convinced I am still badly infected. For instance, I had uninstalled Chrome, but reinstalling is immediately launching the mysearchdial toolbar and taking me to a French page. Also, many fake download buttons are popping up. I had rebooted the PC after running these antimalware programs.
 
And I just noticed I have Antivirus Security Pro as well.
 
For a while MS Security essentials wouldnt update or run, same with defender. I was able to uninstall and reinstall and then definitions updated. But still MSE and MBAM are not detecting issues. Internet explorer is not working at all in Admin user. This is all on the back of a trojan attack two weeks ago. Not sure if related. Please help!! Thank you
 
MBAM logs Episode 1: 11/14/13
C:\ProgramData\sa3pa333\sa3pa333.exe (Trojan.Ransom.ED) -> No action taken.
C:\Users\dalia\AppData\Local\fhodvlwf.exe (Trojan.Ransom.ED) -> No action taken.
C:\Users\dalia\AppData\Local\Temp\msimg32.dll (Trojan.Agent.UKN) -> No action taken.
 
 
MBAM logs Episode 2: Dec 1
 
Files Detected: 25
C:\Program Files (x86)\Mysearchdial\1.8.21.0\mysearchdialTlbr.dll (PUP.Optional.MySearchDial.A) -> No action taken.
C:\Program Files (x86)\Mysearchdial\1.8.21.0\mysearchdialsrv.exe (PUP.Optional.MySearchDial.A) -> No action taken.
C:\Users\dalia\AppData\Local\Temp\is1590112554\367598287_stp\BuzzSearchSetup.exe (PUP.Optional.BuzzSearch.A) -> No action taken.
C:\Users\dalia\Downloads\ZipExtractorSetup (1).exe (PUP.Optional.JumpyApps.A) -> No action taken.
C:\Users\dalia\Downloads\ZipExtractorSetup.exe (PUP.Optional.JumpyApps.A) -> No action taken.
C:\Users\dalia\Local Settings\Temporary Internet Files\Content.IE5\I5A8FA0S\Setup[1].exe (PUP.Optional.BuzzSearch.A) -> No action taken.
C:\Users\dalia\AppData\Local\Google\Chrome\User Data\Default\Local Storage\chrome-extension_pflphaooapbgpeakohlggbpidpppgdff_0.localstorage (PUP.Optional.FunMoods.A) -> No action taken.
C:\Program Files (x86)\BuzzSearch\BuzzSearch.ico (PUP.Optional.BuzzSearch.A) -> No action taken.
C:\Program Files (x86)\BuzzSearch\BuzzSearchUninstall.exe (PUP.Optional.BuzzSearch.A) -> No action taken.
C:\Program Files (x86)\BuzzSearch\jhjjdgbhohaallcimgcmakfiobacimkm.crx (PUP.Optional.BuzzSearch.A) -> No action taken.
C:\Program Files (x86)\BuzzSearch\sqlite3.exe (PUP.Optional.BuzzSearch.A) -> No action taken.
C:\Program Files (x86)\BuzzSearch\updateBuzzSearch.exe (PUP.Optional.BuzzSearch.A) -> No action taken.
C:\Program Files (x86)\BuzzSearch\updateBuzzSearch.InstallState (PUP.Optional.BuzzSearch.A) -> No action taken.
C:\Users\dalia\AppData\Roaming\mysearchdial\icons_2.2.14.1379\62.ico (PUP.Optional.MySearchDial.A) -> No action taken.
C:\Users\dalia\AppData\Roaming\mysearchdial\icons_2.2.14.1379\80.ico (PUP.Optional.MySearchDial.A) -> No action taken.
C:\Users\dalia\AppData\Roaming\mysearchdial\UpdateProc\config.dat (PUP.Optional.MySearchDial.A) -> No action taken.
C:\Users\dalia\AppData\Roaming\mysearchdial\UpdateProc\UpdateTask.exe (PUP.Optional.MySearchDial.A) -> No action taken.
C:\Program Files (x86)\Mysearchdial\1.8.21.0\FavIcon.ico (PUP.Optional.MySearchDial.A) -> No action taken.
C:\Program Files (x86)\Mysearchdial\1.8.21.0\mysearchdialApp.dll (PUP.Optional.MySearchDial.A) -> No action taken.
C:\Program Files (x86)\Mysearchdial\1.8.21.0\mysearchdialEng.dll (PUP.Optional.MySearchDial.A) -> No action taken.
C:\Program Files (x86)\Mysearchdial\1.8.21.0\Sqlite3.dll (PUP.Optional.MySearchDial.A) -> No action taken.
C:\Program Files (x86)\Mysearchdial\1.8.21.0\uninst.dat (PUP.Optional.MySearchDial.A) -> No action taken.
C:\Program Files (x86)\Mysearchdial\1.8.21.0\uninstall.exe (PUP.Optional.MySearchDial.A) -> No action taken.
C:\Program Files (x86)\TipRanks\TipRanks-bho.dll (PUP.Optional.CrossRider.M) -> No action taken.
C:\Program Files (x86)\TipRanks\TipRanks-bho64.dll (PUP.Optional.CrossRider.M) -> No action taken.
 
 
DDS log
 
DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 9.0.8112.16520 BrowserJavaVersion: 10.45.2
Run by dalia at 23:54:48 on 2013-12-07
Microsoft® Windows Vista Home Premium 6.0.6002.2.1252.1.1033.18.6108.3563 [GMT -5:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {641105E6-77ED-3F35-A304-765193BCB75F}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Microsoft Security Essentials *Enabled/Updated* {DF70E402-51D7-30BB-99B4-4D23E83BFDE2}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\WLTRYSVC.EXE
C:\Windows\System32\bcmwltry.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Windows\SysWOW64\svchost.exe -k Akamai
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files (x86)\Microsoft\BingBar\7.3.107.0\BBSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\SysWOW64\svchost.exe -k hpdevmgmt
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files (x86)\Common Files\LogiShrd\LVMVFM\LVPrS64H.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Program Files\Citrix\Secure Access Client\nsverctl.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\System32\WUDFHost.exe
C:\Windows\system32\svchost.exe -k HPService
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\rstrui.exe
C:\Windows\RAVCpl64.exe
C:\Windows\System32\WLTRAY.EXE
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files (x86)\AllerCalc\AllerCalc.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files (x86)\Skype\Phone\Skype.exe
C:\Program Files\Citrix\Secure Access Client\nsload.exe
C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\McAfee Security Scan\3.8.130\SSScheduler.exe
C:\Windows\ehome\ehsched.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files (x86)\Belkin Storage Manager\StorageManager.exe
C:\Windows\OEM05Mon.exe
C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\System32\mobsync.exe
C:\Program Files (x86)\Windows Media Player\wmplayer.exe
C:\Program Files\Windows Media Player\wmpshare.exe
C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Windows\System32\wsqmcons.exe
C:\Windows\System32\wsqmcons.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\Program Files\Microsoft Security Client\MpCmdRun.exe
C:\Program Files (x86)\Microsoft\BingBar\7.3.107.0\SeaPort.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxps://www.google.com/
uSearch Bar = Preserve
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
mWinlogon: Userinit = userinit.exe,
BHO: HP Print Enhancer: {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
BHO: MSS+ Identifier: {0E8A89AD-95D7-40EB-8D9D-083EF7066A01} - C:\Program Files\McAfee Security Scan\3.8.130\McAfeeMSS_IE.dll
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Bing Bar Helper: {1dad3af3-ef2f-4f64-ac4b-11789189fcb6} - C:\Program Files (x86)\Microsoft\BingBar\7.3.107.0\BingExt.dll
BHO: McAfee Phishing Filter: {27B4851A-3207-45A2-B947-BE8AFE6163AB} -
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
BHO: HP Smart BHO Class: {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
TB: Bing Bar: {eec0f710-38b5-4aba-99bf-ec87564a4e13} - C:\Program Files (x86)\Microsoft\BingBar\7.3.107.0\BingExt.dll
EB: HP Smart Web Printing: {555D4D79-4BD2-4094-A395-CFC534424A05} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_bho.dll
EB: HP Smart Web Printing: {555D4D79-4BD2-4094-A395-CFC534424A05} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_bho.dll
uRun: [AllerCalc] "C:\Program Files (x86)\AllerCalc\AllerCalc.exe" /i
uRun: [ehTray.exe] C:\Windows\ehome\ehTray.exe
uRun: [Skype] "C:\Program Files (x86)\Skype\Phone\Skype.exe" /minimized /regrun
mRun: [Belkin Storage Manager] "C:\Program Files (x86)\Belkin Storage Manager\StorageManager.exe"
mRun: [OEM05Mon.exe] C:\Windows\OEM05Mon.exe
mRun: [ArcSoft Connection Service] "C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe"
mRun: [HP Software Update] C:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe
mRun: [SwitchBoard] "C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe"
mRun: [AdobeCS5ServiceManager] "C:\Program Files (x86)\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" -launchedbylogin
mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun: [hpqSRMon] C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSRMon.exe
mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\CITRIX~1.LNK - C:\Program Files\Citrix\Secure Access Client\nsload.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\HPDIGI~1.LNK - C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\MCAFEE~1.LNK - C:\Program Files\McAfee Security Scan\3.8.130\SSScheduler.exe
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-Explorer: BindDirectlyToPropertySetStorage = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: Add to Google Photos Screensa&ver - C:\Windows\System32\GPhotos.scr/200
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} - hxxp://www.anandabazar.com/wfplayer/tdserver.cab
DPF: {1ABA5FAC-1417-422B-BA82-45C35E2C908B} - hxxp://kitchenplanner.ikea.com/US/Core/Player/2020PlayerAX_IKEA_Win32.cab
DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} - hxxps://www.linkworkspace.com/CitrixSessionInit/ICAWEB/icaweb.cab
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.6.2.cab
DPF: {49312E18-AA92-4CC2-BB97-55DEA7BCADD6} - hxxp://support.dell.com/systemprofiler/SysProExe.CAB
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_38-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0038-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_38-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_38-windows-i586.cab
TCP: NameServer = 192.168.1.1
TCP: Interfaces\{B641F22C-C1B1-445F-B2F5-AA71A3E4A0E4} : DHCPNameServer = 192.168.1.1
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
LSA: Security Packages = kerberos msv1_0 schannel wdigest tspkg
x64-BHO: Bing Bar Helper: {1dad3af3-ef2f-4f64-ac4b-11789189fcb6} - C:\Program Files (x86)\Microsoft\BingBar\7.3.107.0\amd64\BingExt.dll
x64-BHO: McAfee Phishing Filter: {27B4851A-3207-45A2-B947-BE8AFE6163AB} -
x64-BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll
x64-BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
x64-BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll
x64-TB: Bing Bar: {eec0f710-38b5-4aba-99bf-ec87564a4e13} -
x64-Run: [Windows Defender] C:\Program Files (x86)\Windows Defender\MSASCui.exe -hide
x64-Run: [RtHDVCpl] RAVCpl64.exe
x64-Run: [Broadcom Wireless Manager UI] C:\Windows\System32\WLTRAY.exe
x64-Run: [MSC] "C:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
x64-Run: [IgfxTray] C:\Windows\System32\igfxtray.exe
x64-Run: [HotKeysCmds] C:\Windows\System32\hkcmd.exe
x64-Run: [Persistence] C:\Windows\System32\igfxpers.exe
x64-mPolicies-Explorer: NoActiveDesktop = dword:1
x64-mPolicies-Explorer: BindDirectlyToPropertySetStorage = dword:0
x64-mPolicies-System: EnableUIADesktopToggle = dword:0
x64-IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll
x64-Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll
x64-Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - <orphaned>
x64-Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - <orphaned>
x64-Notify: igfxcui - igfxdev.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\dalia\AppData\Roaming\Mozilla\Firefox\Profiles\74hed760.default\
FF - prefs.js: browser.search.selectedEngine - Bing
FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com/?pc=UP97&ocid=UP97DHP&dt=072013
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?FORM=UP97DF&PC=UP97&dt=072013&q=
.
============= SERVICES / DRIVERS ===============
.
R2 cag;Citrix cag plugin for Access Gateway;C:\Program Files\Common Files\Deterministic Networks\Common Files\cag.sys [2011-10-18 100952]
S3 ctxva51;Citrix Virtual Adapter;C:\Windows\System32\drivers\ctxva51.sys [2012-10-26 46192]
.
=============== File Associations ===============
.
FileExt: .reg: Applications\notepad.exe=C:\Windows\System32\NOTEPAD.EXE %1 [UserChoice]
FileExt: .txt: Applications\WordPad.exe="C:\Program Files (x86)\Windows NT\Accessories\WORDPAD.EXE" "%1" [UserChoice]
FileExt: .js: Applications\notepad.exe=C:\Windows\System32\NOTEPAD.EXE %1 [UserChoice]
FileExt: .jse: JSEFile=C:\Windows\SysWOW64\WScript.exe "%1" %*
.
=============== Created Last 30 ================
.
.
==================== Find3M ====================
.
2013-11-19 10:21:41 267936 ------w- C:\Windows\System32\MpSigStub.exe
2013-11-14 00:31:51 82896128 ----a-w- C:\Windows\System32\mrt.exe
2013-11-13 19:12:28 12872 ----a-w- C:\Windows\System32\bootdelete.exe
2013-11-12 19:34:34 111408 ----a-w- C:\Windows\System32\drivers\93628916.sys
2013-10-13 15:58:41 17847296 ----a-w- C:\Windows\System32\mshtml.dll
2013-10-13 15:09:57 10926080 ----a-w- C:\Windows\System32\ieframe.dll
2013-10-13 14:55:42 2334720 ----a-w- C:\Windows\System32\jscript9.dll
2013-10-13 14:48:43 1346560 ----a-w- C:\Windows\System32\urlmon.dll
2013-10-13 14:47:43 1392128 ----a-w- C:\Windows\System32\wininet.dll
2013-10-13 14:46:53 1494528 ----a-w- C:\Windows\System32\inetcpl.cpl
2013-10-13 14:46:27 237056 ----a-w- C:\Windows\System32\url.dll
2013-10-13 14:44:28 85504 ----a-w- C:\Windows\System32\jsproxy.dll
2013-10-13 14:42:38 816640 ----a-w- C:\Windows\System32\jscript.dll
2013-10-13 14:42:36 173056 ----a-w- C:\Windows\System32\ieUnatt.exe
2013-10-13 14:42:11 599040 ----a-w- C:\Windows\System32\vbscript.dll
2013-10-13 14:39:50 2147840 ----a-w- C:\Windows\System32\iertutil.dll
2013-10-13 14:38:57 729088 ----a-w- C:\Windows\System32\msfeeds.dll
2013-10-13 14:36:11 96768 ----a-w- C:\Windows\System32\mshtmled.dll
2013-10-13 14:35:12 2382848 ----a-w- C:\Windows\System32\mshtml.tlb
2013-10-13 14:29:31 248320 ----a-w- C:\Windows\System32\ieui.dll
2013-10-13 10:42:12 12344832 ----a-w- C:\Windows\SysWow64\mshtml.dll
2013-10-13 10:08:04 9739264 ----a-w- C:\Windows\SysWow64\ieframe.dll
2013-10-13 09:48:06 1806848 ----a-w- C:\Windows\SysWow64\jscript9.dll
2013-10-13 09:37:03 1104896 ----a-w- C:\Windows\SysWow64\urlmon.dll
2013-10-13 09:35:52 1427968 ----a-w- C:\Windows\SysWow64\inetcpl.cpl
2013-10-13 09:35:38 1129472 ----a-w- C:\Windows\SysWow64\wininet.dll
2013-10-13 09:33:57 231936 ----a-w- C:\Windows\SysWow64\url.dll
2013-10-13 09:32:00 65024 ----a-w- C:\Windows\SysWow64\jsproxy.dll
2013-10-13 09:30:20 717824 ----a-w- C:\Windows\SysWow64\jscript.dll
2013-10-13 09:30:14 142848 ----a-w- C:\Windows\SysWow64\ieUnatt.exe
2013-10-13 09:29:02 420864 ----a-w- C:\Windows\SysWow64\vbscript.dll
2013-10-13 09:27:43 607744 ----a-w- C:\Windows\SysWow64\msfeeds.dll
2013-10-13 09:27:40 1796096 ----a-w- C:\Windows\SysWow64\iertutil.dll
2013-10-13 09:26:08 73216 ----a-w- C:\Windows\SysWow64\mshtmled.dll
2013-10-13 09:25:39 2382848 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2013-10-13 09:20:51 176640 ----a-w- C:\Windows\SysWow64\ieui.dll
2013-10-11 04:23:42 462848 ----a-w- C:\Windows\System32\IKEEXT.DLL
2013-10-11 04:23:21 781824 ----a-w- C:\Windows\System32\FWPUCLNT.DLL
2013-10-11 02:07:57 596480 ----a-w- C:\Windows\SysWow64\FWPUCLNT.DLL
2013-10-10 21:55:59 692616 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2013-10-10 21:55:58 71048 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2013-10-08 12:50:37 96168 ----a-w- C:\Windows\SysWow64\WindowsAccessBridge-32.dll
2013-10-08 12:46:52 264616 ----a-w- C:\Windows\SysWow64\javaws.exe
2013-10-08 12:46:47 175016 ----a-w- C:\Windows\SysWow64\javaw.exe
2013-10-08 12:46:23 174504 ----a-w- C:\Windows\SysWow64\java.exe
2013-10-03 15:03:41 389632 ----a-w- C:\Windows\System32\gdi32.dll
2013-10-03 15:02:58 1278976 ----a-w- C:\Windows\System32\crypt32.dll
2013-10-03 12:46:36 304128 ----a-w- C:\Windows\SysWow64\gdi32.dll
2013-10-03 12:45:45 993792 ----a-w- C:\Windows\SysWow64\crypt32.dll
2013-09-27 14:53:06 248240 ----a-w- C:\Windows\System32\drivers\MpFilter.sys
2013-09-27 14:53:06 134944 ----a-w- C:\Windows\System32\drivers\NisDrvWFP.sys
.
============= FINISH: 0:02:12.21 ===============

Attached Files


Edited by dnereid, 08 December 2013 - 12:07 AM.


BC AdBot (Login to Remove)

 


#2 Starbuck

Starbuck

    'r Brudiwr


  • Malware Response Team
  • 4,150 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Midlands, UK
  • Local time:05:13 AM

Posted 10 December 2013 - 05:04 PM

Hi dnereid and welcome to BC.

Please take note of the following:

1. Please do not run any other tools unless instructed.
2. The cleaning process is not instant. Please continue to review my answers until I tell you that your computer is clean.
3. If there's anything that you don't understand, please ask your question(s) before proceeding with the fixes.
4. Please reply to this thread. Do not start a new topic.


Step 1
For x64 bit systems download Farbar Recovery Scan Tool x64 and save it to your Desktop.
  • Double-click the downloaded icon to run the tool.

    frsticon_zpsdc3cbdc3.png
  • When the tool opens click Yes to disclaimer.

    frstdis_zps7f598f12.png
  • Press Scan button.

    frst_zps6548371f.png
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please copy and paste it to your reply also.
In your next reply, please submit:
Both reports from FRST


Thanks.

BBPP6nz.png


#3 dnereid

dnereid
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:12:13 AM

Posted 10 December 2013 - 05:46 PM

Hi this very helpful exe seems to be generating a report with a lot of personal data I am not comfortable putting up on a forum. Can I post the data without personal files names/docs? Thank you.


Edited by dnereid, 10 December 2013 - 06:15 PM.


#4 Starbuck

Starbuck

    'r Brudiwr


  • Malware Response Team
  • 4,150 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Midlands, UK
  • Local time:05:13 AM

Posted 10 December 2013 - 07:21 PM

Hi dnereid
 

Can I post the data without personal files names/docs? Thank you.

The reports are designed to show us information relevant to what we need to know.
No actual personal information is shown.
File names/docs ... are just names.
No information contained in the files/docs are shown.
By removing information from the reports you may hinder the cleaning process.
 

HKLM\...\Run: [Windows Defender] - C:\Program Files\Windows Defender\MSASCui.exe [1584184 2008-01-20] (Microsoft Corporation)
HKLM\...\Run: [MSC] - C:\Program Files\Microsoft Security Client\msseces.exe [1266912 2013-10-23] (Microsoft Corporation)

I see that both Windows Defender and MSSE are running at startup.
MSSE should have disabled Windows Defender when it was installed as the two can conflict.
  • Click Start >> Programs >> Windows Defender or launch from the system tray icon.
  • Click on Tools & Settings >> Options.
  • Under Real-time protection options, uncheck the "Real-time protection" check box.
  • Click Save.
  • Go to Start >> Control Panel >> Security >> Windows Defender, at the bottom of the Window Defenders page uncheck under Administrator Options "use Windows Defender" and then Save.
Step 1
Please remove the following Java versions.
These should have been removed when Java was updated:
Java 7 Update 25 (64-bit) (Version: 7.0.250)
Java 6 Update 38 (x32 Version: 6.0.380)
Java 6 Update 7 (x32 Version: 1.6.0.70)


Do not remove:
Java 7 Update 45

Reboot the system when completed.



Step 2
Please download the attached fixlist.txt file and save it to the Desktop.
NOTE.
It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine.
Running this on another machine may cause damage to your operating system


Re-run FRST/FRST64 and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt). Please post this in your next reply.


Step 3
Download TFC by OldTimer to your desktop
  • Please double-click TFC.exe to run it. (Note: If you are running on Vista/Win7, right-click on the file and choose Run As Administrator).
  • It will close all programs when run, so make sure you have saved all your work before you begin.
  • Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
  • Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.
In your next reply, please submit:
Fixlog.txt
and please give me an update on how the system is running before we continue.


Thanks.

Attached Files


BBPP6nz.png





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users