
Fake Java Update Redirect



#1 Sunsilver

Posted 20 December 2013 - 02:41 PM

Hi, I registered here on the advice of a tech-savvy administrator on the site where I am having this problem.

 

Recently, I began to get a fake Java update hijacking the webpage on a site where I frequently post. I found info on mitechmate.com that identifies it as a rootkit that can avoid detection:

 

get-new-java.com/index.php?dv1=Ybrant was created with advanced rootkit technology which helps its codes bypass firewall and antispyware, and it is able to change its codes’ name and path on the compromised PC constantly, thus your antispyware could hardly keep up to detect and remove all the malicious codes.

 

I have no reason to doubt this info, as I ran the malwarebytes rootkit detection program, and my computer came up CLEAN!

 

I know there is something there, because I am blocked from accessing the malwarebytes website (I get redirected.)

 

The warning I get looks exactly like the one on the mitechmate website.

 

Help, please? I'm fairly good with tech stuff for an amateur (know how to do a system restore) but the instructions given on mitechmate for removal are totally beyond my ability.

 

This redirect ONLY occurs on the one website. Since I installed Malwarebytes, the redirect is blocked, and I get a warning instead. There is also another slightly different redirect with the address http://cldlr.com/?a=11453&c=56567&s1=&s2=rmx 


Edited by Sunsilver, 20 December 2013 - 02:50 PM.




#2 InadequateInfirmity

Posted 20 December 2013 - 02:48 PM

Please download MiniToolBox and run it.

Check the following boxes:

Flush DNS
Reset FF Proxy Settings
Reset IE Proxy Settings
Report IE Proxy Settings
Report FF Proxy Settings
List content of Hosts
List IP configuration
List Winsock Entries
List last 10 Event Viewer log
List Installed Programs
List Users, Partitions and Memory size
List Devices (problems only)

Click Go and post the result.

 

____________________________________________________________________

Please download the Norton Power Eraser.

https://security.symantec.com/nbrt/npe.aspx

Right-click NPE and run as Admin.

Go to Advanced Options and perform a system scan.

Remove all it finds and post the log here.

 

____________________________________________________________________
Update and do a quick scan with Malwarebytes; remove all that it finds and reboot.
http://www.malwarebytes.org/mbam/program/mbam-setup.exe

Post the log here.

 

____________________________________________________________________

Download TDSSKiller.

http://support.kaspersky.com/downloads/utils/tdsskiller.exe

Right-click it and Run As Admin (XP users: double-click). Click on Change parameters and select TDLFS file system.

Hit the Scan button and post the log in your next reply.

Do not change the default options on scan results.

____________________________________________________________________

 

  • Please download AdwCleaner from the link below.
  • http://general-changelog-team.fr/fr/downloads/finish/20-outils-de-xplode/2-adwcleaner
  • Save it to your desktop.
  • Right-click and run as admin.
  • Hit the Scan button.
  • Allow completion.
  • Make sure all items are ticked.
  • Hit the Clean button.
  • Even if no items are displayed to be ticked, hit the Clean button anyway.
  • The machine will reboot; this is normal.
  • Post the log in your next reply.

____________________________________________________________________

 

Please download JRT from here & double-click to start the program.

  1. Hit any key when prompted and allow it to run through its process.
  2. Post the log when it's finished.
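
As an added example (not part of this thread and not the MiniToolBox author's code), a small Python triage script that reads the hosts, DNS and proxy sections of a MiniToolBox-style report, the three things the checklist above asks for, and flags what would explain a redirect like the one described: a hosts entry that blocks or redirects a security vendor's site, a proxy that has been switched on, or a resolver the user does not recognise. The report text is constructed; the banner layout follows MiniToolBox output, while the wording for an enabled proxy and the expected-resolver address are assumptions.

```python
import re
from typing import Dict, List, Tuple

# Constructed MiniToolBox-style report (not the log posted in this thread): a
# hosts entry that blocks a vendor name and one that redirects it, a proxy that
# is switched on, and a DNS server the user does not recognise.
SAMPLE_REPORT = """\
========================= IE Proxy Settings: ==============================

Proxy is enabled.

========================= Hosts content: =================================

127.0.0.1       localhost
::1             localhost
127.0.0.1       www.malwarebytes.org
203.0.113.7     malwarebytes.org

========================= IP Configuration: ================================

Wireless LAN adapter Wireless Network Connection:

   DNS Servers . . . . . . . . . . . : 198.51.100.53
                                       192.0.2.10
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

SECTION_RE = re.compile(r"^=+ (.+?): =+\s*$", re.MULTILINE)
DNS_LINE_RE = re.compile(r"DNS Servers[ .]*: (\S+)")
CONTINUATION_RE = re.compile(r"^\s+(\S+)\s*$")  # indented bare value under a label
LOOPBACK = {"127.0.0.1", "::1", "0.0.0.0"}


def split_sections(report: str) -> Dict[str, str]:
    """Map each '=== Name: ===' banner to the text beneath it."""
    banners = list(SECTION_RE.finditer(report))
    sections = {}
    for i, m in enumerate(banners):
        end = banners[i + 1].start() if i + 1 < len(banners) else len(report)
        sections[m.group(1).strip()] = report[m.end():end]
    return sections


def parse_hosts(body: str) -> List[Tuple[str, str]]:
    """One (ip, name) pair per hostname in the hosts file, comments dropped."""
    entries = []
    for raw in body.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            ip, *names = line.split()
            entries.extend((ip, n.lower()) for n in names)
    return entries


def classify_hosts(entries):
    """Stock localhost lines are benign. A loopback/0.0.0.0 mapping for any other
    name makes that site unreachable (how ad-blocking hosts files work, and how
    malware keeps a victim off a vendor's site); any other address redirects it."""
    blocked, redirected = [], []
    for ip, name in entries:
        if name in ("localhost", "localhost.localdomain") and ip in LOOPBACK:
            continue
        (blocked if ip in LOOPBACK else redirected).append((ip, name))
    return blocked, redirected


def parse_dns_servers(body: str) -> List[str]:
    """Every DNS server in ipconfig output, including the indented continuation
    lines that follow the 'DNS Servers' label."""
    servers, lines, i = [], body.splitlines(), 0
    while i < len(lines):
        m = DNS_LINE_RE.search(lines[i])
        i += 1
        if not m:
            continue
        servers.append(m.group(1))
        while i < len(lines) and CONTINUATION_RE.match(lines[i]):
            servers.append(CONTINUATION_RE.match(lines[i]).group(1))
            i += 1
    return servers


def proxy_enabled(body: str) -> bool:
    """MiniToolBox prints 'Proxy is not enabled.' for the clean state; any other
    section content is taken to mean a proxy is configured (assumed wording)."""
    return "Proxy is not enabled." not in body


def triage(report: str, known_dns: set) -> Dict[str, object]:
    """Run the hosts, DNS and proxy checks and return the findings together."""
    sections = split_sections(report)
    blocked, redirected = classify_hosts(parse_hosts(sections.get("Hosts content", "")))
    dns = parse_dns_servers(sections.get("IP Configuration", ""))
    return {
        "hosts_blocked": blocked,
        "hosts_redirected": redirected,
        "dns_servers": dns,
        "dns_unexpected": [s for s in dns if s not in known_dns],
        "proxy_enabled": proxy_enabled(sections.get("IE Proxy Settings", "")),
    }
```

Run `triage(report_text, {"<your ISP or router resolver>"})` over a pasted report; an empty hosts finding list, an empty `dns_unexpected` list and `proxy_enabled == False` is the clean result.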


#3 Sunsilver

Posted 20 December 2013 - 03:04 PM

Here's the log from the Toolbox scan:

 

MiniToolBox by Farbar  Version: 18-12-2013
Ran by Jane (administrator) on 20-12-2013 at 14:52:29
Running from "C:\Users\Jane\Downloads"
Microsoft Windows 7 Home Premium  Service Pack 1 (X64)
Boot Mode: Normal
***************************************************************************

========================= Flush DNS: ===================================

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.

"Reset IE Proxy Settings": IE Proxy Settings were reset.

========================= FF Proxy Settings: ==============================

========================= Hosts content: =================================

 

========================= IP Configuration: ================================

Sierra Wireless HSPA Network Adapter = Mobile Broadband Connection (Connected)
Realtek PCIe GBE Family Controller = Local Area Connection (Media disconnected)

# ----------------------------------
# IPv4 Configuration
# ----------------------------------
pushd interface ipv4

reset
set global icmpredirects=enabled

popd
# End of IPv4 configuration

 

Windows IP Configuration

   Host Name . . . . . . . . . . . . : Janes-PC
   Primary Dns Suffix  . . . . . . . :
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No

Mobile Broadband adapter Mobile Broadband Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Sierra Wireless HSPA Network Adapter
   Physical Address. . . . . . . . . : 00-A0-D5-FF-FF-AE
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::e558:cc6b:d6de:838b%16(Preferred)
   IPv4 Address. . . . . . . . . . . : 25.111.248.192(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.255
   Default Gateway . . . . . . . . . : 64.71.255.205
   DHCPv6 IAID . . . . . . . . . . . : 234922197
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1A-2B-B3-4D-40-61-86-96-1D-8B
   DNS Servers . . . . . . . . . . . : 64.71.255.205
                                       64.71.255.253
   NetBIOS over Tcpip. . . . . . . . : Disabled

Ethernet adapter Local Area Connection:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Realtek PCIe GBE Family Controller
   Physical Address. . . . . . . . . : 40-61-86-96-1D-8B
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Teredo Tunneling Pseudo-Interface:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv6 Address. . . . . . . . . . . : 2001:0:9d38:6abd:1495:4d3:e690:73f(Preferred)
   Link-local IPv6 Address . . . . . : fe80::1495:4d3:e690:73f%11(Preferred)
   Default Gateway . . . . . . . . . :
   NetBIOS over Tcpip. . . . . . . . : Disabled

Tunnel adapter isatap.{2C3AD644-AFA5-4D5C-A3B8-03FFD29B2050}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter 6TO4 Adapter:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft 6to4 Adapter #43
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv6 Address. . . . . . . . . . . : 2002:196f:f8c0::196f:f8c0(Preferred)
   Default Gateway . . . . . . . . . :
   DNS Servers . . . . . . . . . . . : 64.71.255.205
                                       64.71.255.253
   NetBIOS over Tcpip. . . . . . . . : Disabled

Tunnel adapter isatap.{7A97B044-27D0-42CA-BEB0-78B2B1B0E78A}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
Server:  dns.wp1.net.rogers.com
Address:  64.71.255.205

Name:    google.com

Pinging google.com [24.156.153.29] with 32 bytes of data:
Reply from 24.156.153.29: bytes=32 time=535ms TTL=51
Reply from 24.156.153.29: bytes=32 time=413ms TTL=51

Ping statistics for 24.156.153.29:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 413ms, Maximum = 535ms, Average = 474ms
Server:  dns.wp1.net.rogers.com
Address:  64.71.255.205

Name:    yahoo.com
Addresses:  98.138.253.109
   206.190.36.45
   98.139.183.24

Pinging yahoo.com [206.190.36.45] with 32 bytes of data:
Reply from 206.190.36.45: bytes=32 time=646ms TTL=42
Reply from 206.190.36.45: bytes=32 time=655ms TTL=42

Ping statistics for 206.190.36.45:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 646ms, Maximum = 655ms, Average = 650ms

Pinging 127.0.0.1 with 32 bytes of data:
Reply from 127.0.0.1: bytes=32 time=10ms TTL=128
Reply from 127.0.0.1: bytes=32 time=4ms TTL=128

Ping statistics for 127.0.0.1:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 4ms, Maximum = 10ms, Average = 7ms
========================= Winsock entries =====================================


========================= Event log errors: ===============================

Application errors:
==================
Error: (12/20/2013 09:32:30 AM) (Source: SideBySide) (User: )
Description: Activation context generation failed for "assemblyIdentity1".Error in manifest or policy file "assemblyIdentity2" on line assemblyIdentity3.
The value "*" of attribute "language" in element "assemblyIdentity" is invalid.

Error: (12/20/2013 09:31:59 AM) (Source: SideBySide) (User: )
Description: Activation context generation failed for "WLMFDS,processorArchitecture="AMD64",type="win32",version="1.0.0.1"1".Error in manifest or policy file "WLMFDS,processorArchitecture="AMD64",type="win32",version="1.0.0.1"2" on line WLMFDS,processorArchitecture="AMD64",type="win32",version="1.0.0.1"3.
Component identity found in manifest does not match the identity of the component requested.
Reference is WLMFDS,processorArchitecture="AMD64",type="win32",version="1.0.0.1".
Definition is WLMFDS,processorArchitecture="x86",type="win32",version="1.0.0.1".
Please use sxstrace.exe for detailed diagnosis.

Error: (12/20/2013 09:30:45 AM) (Source: SideBySide) (User: )
Description: Activation context generation failed for "assemblyIdentity1".Error in manifest or policy file "assemblyIdentity2" on line assemblyIdentity3.
The value "MAJOR_VERSION.MINOR_VERSION.BUILD_NUMBER_MAJOR.BUILD_NUMBER_MINOR" of attribute "version" in element "assemblyIdentity" is invalid.

Error: (12/20/2013 09:28:50 AM) (Source: SideBySide) (User: )
Description: Activation context generation failed for "1".Error in manifest or policy file "2" on line 3.
The manifest file root element must be assembly.

Error: (12/20/2013 08:24:05 AM) (Source: HP Advisor) (User: )
Description: Timestamp: 12/20/2013 08:24:05.526;
Category: FATAL;
Priority:(4);
Win32 Thread Id: [2432];
Message: Application::OnStartup() failed !!!, shutdown application... ;
EventId: 400;
Severity: Critical;
Machine: JANES-PC;
Application Domain: HPAdvisor.exe;
Process Id: 2412;
Process Name: C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe;
Extended Properties:

Error: (12/20/2013 08:24:05 AM) (Source: HP Advisor) (User: )
Description: Timestamp: 12/20/2013 08:24:05.526;
Category: FATAL;
Priority:(4);
Win32 Thread Id: [2432];
Message: InitPillarManager() failed !!!;
EventId: 400;
Severity: Critical;
Machine: JANES-PC;
Application Domain: HPAdvisor.exe;
Process Id: 2412;
Process Name: C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe;
Extended Properties:

Error: (12/20/2013 00:21:57 AM) (Source: HP Advisor) (User: )
Description: Timestamp: 12/20/2013 00:21:57.888;
Category: FATAL;
Priority:(4);
Win32 Thread Id: [4032];
Message: Application::OnStartup() failed !!!, shutdown application... ;
EventId: 400;
Severity: Critical;
Machine: JANES-PC;
Application Domain: HPAdvisor.exe;
Process Id: 4036;
Process Name: C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe;
Extended Properties:

Error: (12/20/2013 00:21:57 AM) (Source: HP Advisor) (User: )
Description: Timestamp: 12/20/2013 00:21:57.878;
Category: FATAL;
Priority:(4);
Win32 Thread Id: [4032];
Message: InitPillarManager() failed !!!;
EventId: 400;
Severity: Critical;
Machine: JANES-PC;
Application Domain: HPAdvisor.exe;
Process Id: 4036;
Process Name: C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe;
Extended Properties:

Error: (12/19/2013 10:47:23 AM) (Source: SideBySide) (User: )
Description: Activation context generation failed for "assemblyIdentity1".Error in manifest or policy file "assemblyIdentity2" on line assemblyIdentity3.
The value "*" of attribute "language" in element "assemblyIdentity" is invalid.

Error: (12/19/2013 10:46:44 AM) (Source: SideBySide) (User: )
Description: Activation context generation failed for "WLMFDS,processorArchitecture="AMD64",type="win32",version="1.0.0.1"1".Error in manifest or policy file "WLMFDS,processorArchitecture="AMD64",type="win32",version="1.0.0.1"2" on line WLMFDS,processorArchitecture="AMD64",type="win32",version="1.0.0.1"3.
Component identity found in manifest does not match the identity of the component requested.
Reference is WLMFDS,processorArchitecture="AMD64",type="win32",version="1.0.0.1".
Definition is WLMFDS,processorArchitecture="x86",type="win32",version="1.0.0.1".
Please use sxstrace.exe for detailed diagnosis.

System errors:
=============
Error: (12/20/2013 08:24:36 AM) (Source: Service Control Manager) (User: )
Description: The SwiProcMonitorDrv process creation. service failed to start due to the following error:
%%577

Error: (12/20/2013 00:41:40 AM) (Source: DCOM) (User: )
Description: {E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E}

Error: (12/20/2013 00:22:38 AM) (Source: Service Control Manager) (User: )
Description: The SwiProcMonitorDrv process creation. service failed to start due to the following error:
%%577

Error: (12/20/2013 00:20:05 AM) (Source: DCOM) (User: )
Description: {E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E}

Error: (12/19/2013 07:58:19 AM) (Source: Service Control Manager) (User: )
Description: The SwiProcMonitorDrv process creation. service failed to start due to the following error:
%%577

Error: (12/19/2013 02:43:04 AM) (Source: DCOM) (User: )
Description: {E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E}

Error: (12/19/2013 02:42:39 AM) (Source: DCOM) (User: )
Description: {F9717507-6651-4EDB-BFF7-AE615179BCCF}

Error: (12/19/2013 01:03:06 AM) (Source: Service Control Manager) (User: )
Description: The SwiProcMonitorDrv process creation. service failed to start due to the following error:
%%577

Error: (12/19/2013 00:16:49 AM) (Source: DCOM) (User: )
Description: {E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E}

Error: (12/18/2013 08:50:41 PM) (Source: Service Control Manager) (User: )
Description: The SwiProcMonitorDrv process creation. service failed to start due to the following error:
%%577


CodeIntegrity Errors:
===================================
  Date: 2013-12-20 08:24:36.921
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files (x86)\Sierra Wireless Inc\Common\SwiProcMonitorDrv64.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.


=========================== Installed Programs ============================

Microsoft SQL Server 2005 Compact Edition [ENU] (Version: 3.1.0000)
Microsoft Visual C++ 2005 ATL Update kb973923 - x64 8.0.50727.4053 (Version: 8.0.50727.4053)
Microsoft Visual C++ 2005 Redistributable (x64) (Version: 8.0.56336)
Microsoft Visual C++ 2005 Redistributable (x64) (Version: 8.0.61000)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17 (Version: 9.0.30729)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148 (Version: 9.0.30729.4148)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (Version: 9.0.30729.6161)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (Version: 9.0.30729)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (Version: 9.0.30729.4148)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (Version: 9.0.30729.6161)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (Version: 10.0.40219)
Microsoft Visual Studio 2005 Tools for Office Runtime (Version: 8.0.60940.0)
Microsoft Works (Version: 9.7.0621)
Microsoft Works 6-9 Converter (Version: 14.0.6120.5002)
mIRC (Version: 7.25)
Movie Theme Pack for HP MediaSmart Video (Version: 3.1.3310)
MSVCRT (Version: 14.0.1468.721)
MSXML 4.0 SP2 (KB954430) (Version: 4.20.9870.0)
MSXML 4.0 SP2 (KB973688) (Version: 4.20.9876.0)
MSXML 4.0 SP2 Parser and SDK (Version: 4.20.9818.0)
MySQL Connector/ODBC 3.51 (Version: 3.51.19)
Palm Desktop by ACCESS (Version: 6.4.0.0)
PlayReady PC Runtime amd64 (Version: 1.3.0)
QuickBooks (Version: 20.0.4004.2001)
QuickBooks Pro 2011 (Version: 20.0.4004.2001)
Realtek High Definition Audio Driver (Version: 6.0.1.6196)
Recovery Manager (Version: 5.5.2216)
Rogers Connection Manager (Version: 6.0.3321.5603)
Second Nature - Second Nature - Natural Beauty by Kevin McNeal (Version: 4.47)
Simply Accounting by Sage 2010 (Version: 17.13.0002)
Small Business Forms (Version: 09-1)
Spybot - Search & Destroy (Version: 1.6.0)
SupportSoft Assisted Service (Version: 15)
Update Installer for WildTangent Games App
Visual C++ 8.0 Runtime Setup Package (x64) (Version: 9.0.0.623)
Visual Studio 2005 Tools for Office Second Edition Runtime
Visual Studio 2008 x64 Redistributables (Version: 10.0.0.2)
Visual Studio 2010 x64 Redistributables (Version: 13.0.0.1)
Visual Studio 2012 x64 Redistributables (Version: 14.0.0.1)
Visual Studio 2012 x86 Redistributables (Version: 14.0.0.1)
WildTangent Games App (HP Games) (Version: 4.0.10.17)
Windows Live Call (Version: 14.0.8064.0206)
Windows Live Communications Platform (Version: 14.0.8098.930)
Windows Live Essentials (Version: 14.0.8089.0726)
Windows Live Essentials (Version: 14.0.8089.726)
Windows Live ID Sign-in Assistant (Version: 6.500.3146.0)
Windows Live Mail (Version: 14.0.8089.0726)
Windows Live Messenger (Version: 14.0.8089.0726)
Windows Live Movie Maker (Version: 14.0.8091.0730)
Windows Live Photo Gallery (Version: 14.0.8081.709)
Windows Live Sync (Version: 14.0.8089.726)
Windows Live Upload Tool (Version: 14.0.8014.1029)
Windows Live Writer (Version: 14.0.8089.0726)
WinZip 17.5 (Version: 17.5.10480)
Yahoo! Messenger

========================= Devices: ================================

Name: I:\
Description: MS/MS-Pro      
Class Guid: {eec5ad98-8080-425f-922a-dabf3de3f69a}
Manufacturer: Generic-
Service: WUDFRd
Problem: : Windows has stopped this device because it has reported problems. (Code 43)
Resolution: One of the drivers controlling the device notified the operating system that the device failed in some manner. For more information about how to diagnose the problem, see the hardware documentation.

Name: F:\
Description: SD/MMC         
Class Guid: {eec5ad98-8080-425f-922a-dabf3de3f69a}
Manufacturer: Generic-
Service: WUDFRd
Problem: : Windows has stopped this device because it has reported problems. (Code 43)
Resolution: One of the drivers controlling the device notified the operating system that the device failed in some manner. For more information about how to diagnose the problem, see the hardware documentation.

Name: H:\
Description: SM/xD-Picture  
Class Guid: {eec5ad98-8080-425f-922a-dabf3de3f69a}
Manufacturer: Generic-
Service: WUDFRd
Problem: : Windows has stopped this device because it has reported problems. (Code 43)
Resolution: One of the drivers controlling the device notified the operating system that the device failed in some manner. For more information about how to diagnose the problem, see the hardware documentation.

Name: J:\
Description: SD Card        
Class Guid: {eec5ad98-8080-425f-922a-dabf3de3f69a}
Manufacturer: SWI    
Service: WUDFRd
Problem: : Windows has stopped this device because it has reported problems. (Code 43)
Resolution: One of the drivers controlling the device notified the operating system that the device failed in some manner. For more information about how to diagnose the problem, see the hardware documentation.

========================= Memory info: ===================================

Percentage of memory in use: 71%
Total physical RAM: 3959.08 MB
Available physical RAM: 1127.38 MB
Total Pagefile: 7916.34 MB
Available Pagefile: 4780.57 MB
Total Virtual: 4095.88 MB
Available Virtual: 3968.53 MB

========================= Partitions: =====================================

1 Drive c: (HP) (Fixed) (Total:584.82 GB) (Free:531.5 GB) NTFS
2 Drive d: (FACTORY_IMAGE) (Fixed) (Total:11.25 GB) (Free:1.61 GB) NTFS
3 Drive e: (SC_FORMS_KIT_091) (CDROM) (Total:0.01 GB) (Free:0 GB) CDFS

========================= Users: ========================================

User accounts for \\JANES-PC

Administrator            Guest                    Jane                    

**** End of log ****



#4 Sunsilver

Posted 20 December 2013 - 03:10 PM

Geez, I sure don't like the sound of some of the above: fatal, critical does NOT sound good!

I forgot to add that AFTER this problem popped up, I went to a music download site, tried to download a file and got hit with a boatload of malware. I have now filed that action under the list of things to NEVER EVER do again! :nono:

I did a sysrestore, which SEEMED to cure most of the problems, but from what I've read today, it would not surprise me to find there's still a few lurking.


Edited by Sunsilver, 20 December 2013 - 03:18 PM.


#5 Sunsilver

Posted 20 December 2013 - 03:21 PM

Norton scan came up clean. Running a full scan with Malwarebytes.



#6 Sunsilver

Posted 20 December 2013 - 06:39 PM

Okay, my computer hung up on rebooting, and I had to do a hard shutdown by holding down the power button. Will this affect the deletion of any of the malware?

It happened because I didn't manually close my internet connection. It sometimes hangs up like this if I forget.

Malwarebytes Anti-Malware (Trial) 1.75.0.1300
www.malwarebytes.org

Database version: v2013.12.20.06

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 10.0.9200.16721
Jane :: JANES-PC [administrator]

Protection: Enabled

20/12/2013 5:21:04 PM
mbam-log-2013-12-20 (17-21-04).txt

Scan type: Full scan (C:\|D:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 395749
Time elapsed: 1 hour(s), 3 minute(s), 29 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 1
C:\Users\Jane\AppData\Local\TBHostSupport\TBHostSupport.dll (PUP.Optional.Conduit) -> Delete on reboot.

Registry Keys Detected: 2
HKCR\CLSID\{3c471948-f874-49f5-b338-4f214a2ee0b1} (PUP.Optional.Conduit) -> Quarantined and deleted successfully.
HKCU\Software\Conduit\ValueApps (PUP.Optional.ValueApps.A) -> Quarantined and deleted successfully.

Registry Values Detected: 1
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|TBHostSupport (PUP.Optional.Conduit) -> Data: "C:\Windows\SysWOW64\Rundll32.exe" "C:\Users\Jane\AppData\Local\TBHostSupport\TBHostSupport.dll",DLLRunTBHostSupportPlugin -> Quarantined and deleted successfully.

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 3
C:\Users\Jane\AppData\Local\Temp\CT3319612 (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\Users\Jane\AppData\Local\TBHostSupport (PUP.Optional.Conduit) -> Delete on reboot.
C:\Users\Jane\AppData\Local\VisualBeeExe (PUP.Optional.Visualbee) -> Quarantined and deleted successfully.

Files Detected: 11
C:\Program Files (x86)\Conduit\Community Alerts\Alert.dll (PUP.Optional.Conduit) -> Quarantined and deleted successfully.
C:\ProgramData\VisualBee\VisualBeeSoftware.exe (PUP.Optional.Babylon.A) -> Quarantined and deleted successfully.
C:\Users\Jane\AppData\Local\Temp\awhFF1.tmp (PUP.Optional.Amonetize) -> Quarantined and deleted successfully.
C:\Users\Jane\AppData\Local\Temp\mMamStub.exe (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\Users\Jane\AppData\Local\Temp\nsc3383.exe (PUP.Optional.SearchProtect.A) -> Quarantined and deleted successfully.
C:\Users\Jane\AppData\Local\Temp\nsc541F.exe (PUP.Optional.SearchProtect.A) -> Quarantined and deleted successfully.
C:\Users\Jane\AppData\Local\Temp\nsm2FCA.exe (PUP.Optional.SearchProtect.A) -> Quarantined and deleted successfully.
C:\Users\Jane\AppData\Local\Temp\nsnF6B1.exe (PUP.Optional.SearchProtect.A) -> Quarantined and deleted successfully.
C:\Users\Jane\AppData\Local\Temp\nss5086.exe (PUP.Optional.SearchProtect.A) -> Quarantined and deleted successfully.
C:\Users\Jane\AppData\Local\Temp\CT3319612\ddt.csf (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\Users\Jane\AppData\Local\TBHostSupport\TBHostSupport.dll (PUP.Optional.Conduit) -> Delete on reboot.

(end)


Edited by Sunsilver, 20 December 2013 - 06:41 PM.


#7 Sunsilver

Posted 20 December 2013 - 06:45 PM

TDSS killer found nothing.



#8 Sunsilver

Posted 21 December 2013 - 12:08 AM

Here's the log for AdwCleaner. I did uncheck a few items from trusted sources.

# AdwCleaner v3.015 - Report created 21/12/2013 at 00:03:05
# Updated 10/12/2013 by Xplode
# Operating System : Windows 7 Home Premium Service Pack 1 (64 bits)
# Username : Jane - JANES-PC
# Running from : C:\Users\Jane\Downloads\adwcleaner.exe
# Option : Clean

***** [ Services ] *****

Service Deleted : vToolbarUpdater17.0.12

***** [ Files / Folders ] *****

Folder Deleted : C:\ProgramData\AVG Nation toolbar
Folder Deleted : C:\ProgramData\ParetoLogic
Folder Deleted : C:\ProgramData\VisualBee
Folder Deleted : C:\Program Files (x86)\AVG Nation toolbar
Folder Deleted : C:\Program Files (x86)\Conduit
[x] Not Deleted : C:\Program Files (x86)\Common Files\AVG Secure Search
Folder Deleted : C:\Users\Jane\AppData\Local\AVG Nation toolbar
[x] Not Deleted : C:\Users\Jane\AppData\Local\AVG Secure Search
Folder Deleted : C:\Users\Jane\AppData\Local\Conduit
Folder Deleted : C:\Users\Jane\AppData\Local\NativeMessaging
Folder Deleted : C:\Users\Jane\AppData\Local\SwvUpdater
Folder Deleted : C:\Users\Jane\AppData\Local\WhiteListing
Folder Deleted : C:\Users\Jane\AppData\LocalLow\Conduit
Folder Deleted : C:\Users\Jane\AppData\LocalLow\PriceGong
Folder Deleted : C:\Users\Jane\AppData\Roaming\DriverCure
Folder Deleted : C:\Users\Jane\AppData\Roaming\goforfiles
Folder Deleted : C:\Users\Jane\AppData\Roaming\ParetoLogic
Folder Deleted : C:\Users\Jane\AppData\Roaming\Mozilla\Firefox\Profiles\uy0md3br.default\Extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
Folder Deleted : C:\Users\Jane\AppData\Local\Google\Chrome\User Data\Default\Extensions\hllhlhdmmmpbclddmhffaghecjaklneo
[!] Folder Deleted : C:\Users\Jane\AppData\Local\Google\Chrome\User Data\Default\Extensions\hllhlhdmmmpbclddmhffaghecjaklneo
File Deleted : C:\END
File Deleted : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\eBay.lnk
File Deleted : C:\Windows\SysWOW64\p5PSSavr.scr
File Deleted : C:\Users\Jane\AppData\Local\Temp\Uninstall.exe
File Deleted : C:\Users\Jane\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_app.mam.conduit.com_0.localstorage
File Deleted : C:\Users\Jane\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_app.mam.conduit.com_0.localstorage-journal

***** [ Shortcuts ] *****

***** [ Registry ] *****

Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\ndibdjnfmopecpmkdieinmbadjfpblof
Key Deleted : HKCU\Software\Google\Chrome\Extensions\hllhlhdmmmpbclddmhffaghecjaklneo
Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\hllhlhdmmmpbclddmhffaghecjaklneo
Key Deleted : HKLM\SOFTWARE\Classes\AppID\ScriptHelper.EXE
Key Deleted : HKLM\SOFTWARE\Classes\AppID\ViProtocol.DLL
Key Deleted : HKLM\SOFTWARE\Classes\AppID\WLXQuickTimeShellExt.DLL
Key Deleted : HKLM\SOFTWARE\Classes\protocols\handler\viprotocol
Key Deleted : HKLM\SOFTWARE\Classes\ScriptHelper.ScriptHelperApi
Key Deleted : HKLM\SOFTWARE\Classes\ScriptHelper.ScriptHelperApi.1
Key Deleted : HKLM\SOFTWARE\Classes\ViProtocol.ViProtocolOLE
Key Deleted : HKLM\SOFTWARE\Classes\ViProtocol.ViProtocolOLE.1
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\au__rasapi32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\au__rasmancs
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\HPSF_Tasks_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\HPSF_Tasks_RASMANCS
Value Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [vProt]
[x] Not Deleted : HKLM\SOFTWARE\MozillaPlugins\@avg.com/AVG SiteSafety plugin,version=11.0.0.1,application/x-avg-sitesafety-plugin
Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.CT3287803
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{0A18A436-2A7A-49F3-A488-30538A2F6323}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{1FDFF5A2-7BB1-48E1-8081-7236812B12B2}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{BB711CB0-C70B-482E-9852-EC05EBD71DBB}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{007EFBDF-8A5D-4930-97CC-A4B437CBA777}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{408CFAD9-8F13-4747-8EC7-770A339C7237}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{4E92DB5F-AAD9-49D3-8EAB-B40CBE5B1FF7}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{933B95E2-E7B7-4AD9-B952-7AC336682AE3}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{B658800C-F66E-4EF3-AB85-6C0C227862A9}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{DE9028D0-5FFA-4E69-94E3-89EE8741F468}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{F25AF245-4A81-40DC-92F9-E9021F207706}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{4E92DB5F-AAD9-49D3-8EAB-B40CBE5B1FF7}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{C401D2CE-DC27-45C7-BC0C-8E6EA7F085D6}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{07CAC314-E962-4F78-89AB-DD002F2490EE}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{74FB6AFD-DD77-4CEB-83BD-AB2B63E63C93}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{9C049BA6-EA47-4AC3-AED6-A66D8DC9E1D8}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{C2AC8A0E-E48E-484B-A71C-C7A937FAAB94}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{F25AF245-4A81-40DC-92F9-E9021F207706}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F25AF245-4A81-40DC-92F9-E9021F207706}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\CLSID\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{17B10E59-09E1-4C39-A738-6774D7AB7778}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{1AD2049E-E483-4425-8555-8E0775ACB631}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{23119123-0854-469D-807A-171568457991}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{2D73F2D0-2FAB-458E-977D-2F9050E0ED60}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{2D9083CE-8758-4704-BA57-3C891D7452BD}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{3E9469AF-E866-4476-B767-810630F1F6E7}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{47700C35-9E3E-4DAD-934C-0CE28A87237C}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{4E92DB5F-AAD9-49D3-8EAB-B40CBE5B1FF7}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{716E443D-7CAA-44F1-866B-F45D00E712CC}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{72063D77-7590-4DA9-A7F8-F5ECAF3632C4}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{7FC87AC5-FA93-476E-A32C-A941229DED0B}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{A73204A3-4E2A-4924-95DA-D5DF58717368}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{B5DB5A94-1E55-4E2E-AA50-49C8C8215D56}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{C39937A7-C59D-4506-A9FC-0A0138192287}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{C401D2CE-DC27-45C7-BC0C-8E6EA7F085D6}
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F25AF245-4A81-40DC-92F9-E9021F207706}
Key Deleted : HKCU\Software\AVG Nation toolbar
Key Deleted : HKCU\Software\Conduit
Key Deleted : HKCU\Software\ParetoLogic
Key Deleted : HKCU\Software\visualbee
Key Deleted : HKCU\Software\YahooPartnerToolbar
Key Deleted : HKCU\Software\AppDataLow\Software\Conduit
Key Deleted : HKCU\Software\AppDataLow\Software\ConduitSearchScopes
Key Deleted : HKCU\Software\AppDataLow\Software\PriceGong
Key Deleted : HKCU\Software\AppDataLow\Software\SmartBar
Key Deleted : HKLM\Software\AVG Nation toolbar
[x] Not Deleted : HKLM\Software\AVG Secure Search
Key Deleted : HKLM\Software\AVG Security Toolbar
Key Deleted : HKLM\Software\Conduit
Key Deleted : HKLM\Software\ParetoLogic
Key Deleted : HKLM\Software\visualbee

***** [ Browsers ] *****

-\\ Internet Explorer v10.0.9200.16720

-\\ Mozilla Firefox v

[ File : C:\Users\Jane\AppData\Roaming\Mozilla\Firefox\Profiles\uy0md3br.default\prefs.js ]

-\\ Google Chrome v31.0.1650.63

[ File : C:\Users\Jane\AppData\Local\Google\Chrome\User Data\Default\preferences ]

Deleted : homepage
Deleted : icon_url
Deleted : urls_to_restore_on_startup

*************************

AdwCleaner[R0].txt - [9503 octets] - [20/12/2013 23:29:41]
AdwCleaner[S0].txt - [8886 octets] - [21/12/2013 00:03:05]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [8946 octets] ##########
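
The two reports above (the Malwarebytes log in post #6 and the AdwCleaner log in post #8) between them contain the list of what still has to be checked after the reboot that hung. MBAM marks entries it could not remove while they were in use as `Delete on reboot`, which defers the deletion to the next boot, so a hard power-off before that boot completed is exactly the case where the DLL may still be on disk. AdwCleaner prefixes items that were unchecked before cleaning with `[x] Not Deleted` (here the AVG Secure Search pieces that were deliberately kept) and some lines with `[!]`, whose meaning the thread does not explain. The script below is an added example, not a tool from either vendor or from the thread: it parses a few lines copied from the two reports into one re-check list, pulls the command line out of the removed `Run` value (rundll32 loading TBHostSupport.dll at logon is how the toolbar was started) and extracts the Chrome extension ID from the deleted extension folder. The sample strings are constructed from lines quoted in the thread; the status names and the `Finding` record are this example's own.

```python
"""Post-reboot re-check list built from the Malwarebytes and AdwCleaner reports.
Added example for this thread; not a tool from either vendor."""
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the Malwarebytes report posted above.
MBAM_SAMPLE = r"""
C:\Users\Jane\AppData\Local\TBHostSupport\TBHostSupport.dll (PUP.Optional.Conduit) -> Delete on reboot.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|TBHostSupport (PUP.Optional.Conduit) -> Data: "C:\Windows\SysWOW64\Rundll32.exe" "C:\Users\Jane\AppData\Local\TBHostSupport\TBHostSupport.dll",DLLRunTBHostSupportPlugin -> Quarantined and deleted successfully.
C:\Program Files (x86)\Conduit\Community Alerts\Alert.dll (PUP.Optional.Conduit) -> Quarantined and deleted successfully.
C:\Users\Jane\AppData\Local\TBHostSupport (PUP.Optional.Conduit) -> Delete on reboot.
"""

# Constructed sample: lines copied from the AdwCleaner report posted above.
ADW_SAMPLE = r"""
Service Deleted : vToolbarUpdater17.0.12
Folder Deleted : C:\Program Files (x86)\Conduit
[x] Not Deleted : C:\Program Files (x86)\Common Files\AVG Secure Search
[!] Folder Deleted : C:\Users\Jane\AppData\Local\Google\Chrome\User Data\Default\Extensions\hllhlhdmmmpbclddmhffaghecjaklneo
Value Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [vProt]
[x] Not Deleted : HKLM\Software\AVG Secure Search
"""

@dataclass
class Finding:
    tool: str          # "mbam" or "adwcleaner"
    target: str        # file, folder, service or registry location
    status: str        # "removed", "pending_reboot", "skipped_by_user", "flagged"
    detail: str = ""   # signature name, or the autostart command line for Run values

# "<item> (<Sig.Name>) [-> Data: <cmd>] -> <action>."  The signature must contain
# a dot, so "(x86)" inside a path is not mistaken for it.
MBAM_RE = re.compile(
    r"^(?P<item>.+?) \((?P<sig>[A-Z][A-Za-z0-9]*(?:\.[A-Za-z0-9]+)+)\)"
    r"(?: -> Data: (?P<data>.+?))? -> (?P<action>[^>]+?)\.?$"
)
# "[x] Not Deleted : <t>" / "[!] Folder Deleted : <t>" / "Key Deleted : <t>"
ADW_RE = re.compile(
    r"^(?:\[(?P<flag>[x!])\] )?(?:(?:Service|Folder|File|Key|Value) )?"
    r"(?P<verb>Deleted|Not Deleted) : (?P<target>.+)$"
)
# Chrome extension IDs are 32 characters from the range a-p.
CHROME_EXT_RE = re.compile(r"\\Extensions\\([a-p]{32})(?:\\|$)")

def parse_mbam(text: str) -> list[Finding]:
    out = []
    for line in text.splitlines():
        m = MBAM_RE.match(line.strip())
        if not m:
            continue
        pending = m["action"].lower().startswith("delete on reboot")
        out.append(Finding("mbam", m["item"], "pending_reboot" if pending else "removed",
                           m["data"] or m["sig"]))
    return out

def parse_adwcleaner(text: str) -> list[Finding]:
    out = []
    for line in text.splitlines():
        m = ADW_RE.match(line.strip())
        if not m:
            continue
        if m["verb"] == "Not Deleted":
            status = "skipped_by_user"   # unchecked before cleaning
        elif m["flag"] == "!":
            status = "flagged"           # meaning not documented in the thread; re-check it
        else:
            status = "removed"
        out.append(Finding("adwcleaner", m["target"], status))
    return out

def recheck_list(findings: list[Finding]) -> list[str]:
    """Locations to confirm gone (or knowingly kept) once the machine has rebooted."""
    return [f.target for f in findings if f.status != "removed"]

def autostart_commands(findings: list[Finding]) -> dict[str, str]:
    """Run-key values MBAM removed, mapped to the command line each one launched."""
    return {f.target: f.detail for f in findings
            if f.tool == "mbam" and "\\Run|" in f.target and f.detail.startswith('"')}

def chrome_extension_ids(findings: list[Finding]) -> set[str]:
    """IDs of removed extension folders; confirm they are gone from chrome://extensions."""
    return {m.group(1) for f in findings for m in [CHROME_EXT_RE.search(f.target)] if m}

if __name__ == "__main__":
    found = parse_mbam(MBAM_SAMPLE) + parse_adwcleaner(ADW_SAMPLE)
    for target in recheck_list(found):
        print("re-check:", target)
    for key, cmd in autostart_commands(found).items():
        print("autostart removed:", key, "->", cmd)
    print("chrome extensions removed:", sorted(chrome_extension_ids(found)))
```

After the reboot every path in the re-check list should be absent, or, for the AVG Secure Search entries, present only because it was deliberately kept. A `Delete on reboot` DLL still on disk after the hard power-off is the first thing to look for: the Run value that loaded it is already gone, so a second MBAM scan is the only thing that would report it again.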



#9 Sunsilver

Posted 21 December 2013 - 12:27 AM

JRT log:

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.0.8 (11.05.2013:1)
OS: Windows 7 Home Premium x64
Ran by Jane on 21/12/2013 at  0:09:44.31
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

~~~ Services

 

~~~ Registry Values

 

~~~ Registry Keys

Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\msntask_RASAPI32
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\msntask_RASMANCS
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\mconduitinstaller_RASAPI32
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\mconduitinstaller_RASMANCS
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Tracing\msntask_RASAPI32
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Tracing\msntask_RASMANCS
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Tracing\mconduitinstaller_RASAPI32
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Tracing\mconduitinstaller_RASMANCS
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{cf6e4b1c-dbde-457e-9cef-ab8ecac8a5e8}

 

~~~ Files

 

~~~ Folders

Successfully deleted: [Folder] "C:\Users\Jane\appdata\local\cre"

 

~~~ Event Viewer Logs were cleared

 

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on 21/12/2013 at  0:25:47.43
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



#10 Sunsilver

Posted 21 December 2013 - 10:00 AM

And the little perisher is still there. When I clicked on http://www.pedigreedatabase.com/forum.html, the webpage came up as usual, then as soon as I clicked on a thread, I got the redirect.

So, so far the only things this virus has done (that I'm aware of; God only knows what it's doing to my computer behind the screen) are:

1) cause the Java redirect,

2) cause a redirect when I tried to go from http://shilohshepherds.infopop.cc/eve/forums/a/frm/f/299608064 (a members-only forum) to their home page, http://www.shilohshepherds.org/. The home page popped up for a second, then I was redirected to another dog related site.

3) It has blocked me from visiting the malwarebytes website. This morning when I tried it, I was redirected to a site selling cell phones. When I tried the Shiloh site, I was not redirected (not THIS time, anyway!)

Um, anyone get the idea I'm very fond of dogs? :whistle:

Seems it is only able to exploit websites with specific vulnerabilities.


Edited by Sunsilver, 21 December 2013 - 10:05 AM.


#11 InadequateInfirmity

Posted 22 December 2013 - 03:26 AM

I would like you to run a full scan with Norman Malware Cleaner. A log will be produced on your desktop when done; please post it here.

http://normanasa.vo.llnwd.net/o29/public/Norman_Malware_Cleaner.exe

Download Security Check by screen317 from here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Download Autoruns and Autorunsc. Unzip it to your desktop and then double click autoruns.exe. After the scan is finished, click on File > Save. The default name will be autoruns.arn; make sure to save it as Autoruns.txt under the file type option. In other words, make sure it is a .txt file instead of .arn. Attach the text in your next reply.

Download, save and then run the MS Safety Scanner.
Run a Full Scan.
http://www.microsoft.com/security/scanner/en-us/default.aspx
Post the result.

The Safety Scanner log should be called msert.txt.
It should be located in the same folder as where you had msert.exe.
If not there, then look for it under c:\windows.

____________________________________________

Run a scan with ESET. You will need to disable your antivirus during this scan.
http://www.eset.com/us/online-scanner/
Make sure "Remove found threats" and "Scan archives" are checked.
When the scan finishes, click "List found threats", save to clipboard, copy into Notepad and post the log here.



#12 InadequateInfirmity

Posted 22 December 2013 - 04:45 AM

Also, I would uninstall the items below.

Spybot - Search & Destroy (Version: 1.6.0)

Ad-Aware (Version: 8.0.0)

Install Firefox.

https://www.mozilla.org/en-US/firefox/all/

Import the bookmarks and settings from Chrome.

Uninstall Chrome.

Reboot the machine.

Reinstall Chrome.

https://www.google.com/intl/en/chrome/browser

Import the settings back from Firefox.

Reset your hosts file.

http://support.microsoft.com/kb/972034

Reset Internet Explorer.

http://support.microsoft.com/kb/923737


Edited by InadequateInfirmity, 22 December 2013 - 04:45 AM.
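
The hosts-file reset in the post above (KB972034) replaces the file with Microsoft's default, which on Windows 7 has every entry commented out. Before doing that it is worth seeing what is in the file, because a `127.0.0.1 malwarebytes.org` line is the classic way adware keeps a vendor's site unreachable, and a site name beside any other address is a redirect. The script below is an added example, not Microsoft's procedure and not a tool from the thread: it parses hosts text, labels each active entry `blocks` (name pinned to loopback or 0.0.0.0), `redirects` (any other address) or `ok` (localhost on loopback), and returns a copy with the suspicious lines commented out so they stay visible for review. The sample file contents, the 203.0.113.7 address (from a documentation range), the `LOOPBACK_NAMES` allow-list and the `HOSTS_PATH` constant are this example's own assumptions.

```python
"""Hosts-file audit for the redirect and blocked-site symptoms in this thread.
Added example; not Microsoft's KB972034 reset, which replaces the file wholesale."""
import ipaddress

# Names legitimately mapped to a loopback address (assumption; a stock
# Windows 7 hosts file has even these commented out).
LOOPBACK_NAMES = {"localhost", "localhost.localdomain"}
# Where Windows keeps the file; editing it needs an elevated prompt (assumption: default install path).
HOSTS_PATH = r"C:\Windows\System32\drivers\etc\hosts"

# Constructed sample of a tampered Windows 7 hosts file, not the poster's real file.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
# localhost name resolution is handled within DNS itself.
#    127.0.0.1       localhost
#    ::1             localhost
127.0.0.1   www.malwarebytes.org   # sinkholed: the request never leaves the PC
127.0.0.1   malwarebytes.org
203.0.113.7 www.shilohshepherds.org
127.0.0.1   localhost
"""

def parse_hosts(text):
    """Return [(line_no, ip, [names])] for every active (non-comment) entry."""
    entries = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        ip, *names = line.split()
        if names:
            entries.append((no, ip, names))
    return entries

def classify(ip, name):
    """'blocks' when a name is pinned to loopback/unspecified, 'redirects' otherwise."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return "malformed"
    if addr.is_loopback or addr.is_unspecified:
        return "ok" if name.lower() in LOOPBACK_NAMES else "blocks"
    return "redirects"

def audit_hosts(text):
    """Return [(line_no, ip, name, verdict)] for every entry that is not 'ok'."""
    findings = []
    for no, ip, names in parse_hosts(text):
        for name in names:
            verdict = classify(ip, name)
            if verdict != "ok":
                findings.append((no, ip, name, verdict))
    return findings

def neutralize(text):
    """Comment out every suspicious line instead of deleting it, so it can be reviewed."""
    bad = {no for no, *_ in audit_hosts(text)}
    out = []
    for no, raw in enumerate(text.splitlines(), 1):
        out.append(("# disabled by audit: " + raw) if no in bad else raw)
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    for no, ip, name, verdict in audit_hosts(SAMPLE_HOSTS):
        print(f"line {no}: {ip} {name} -> {verdict}")
    print(neutralize(SAMPLE_HOSTS))
    # Against the real file (elevated prompt): utf-8-sig tolerates a BOM Notepad may have added.
    # hosts_text = open(HOSTS_PATH, encoding="utf-8-sig").read()
```

A clean hosts file does not rule the redirect out: a browser extension, a proxy setting or a changed DNS server produces the same symptom, which is why the Chrome reinstall and the Internet Explorer reset in the same post are still worth doing even if the audit finds nothing.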




