
Gen- Ponmocup


10 replies to this topic

#1 coralys

coralys

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Local time:06:45 AM

Posted 29 December 2013 - 11:14 AM

Hi Everyone,

I have a problem with a trojan. I must tell you that I am not really computer literate. But I realised that my computer was working with difficulty, I started having pop ups when I tried to access a window in different internet sites, etc. Ran CCleaner with no luck. A friend suggested to download SUPERAntiSpyware and do a scan. It showed a trojan Gen - Ponmocup. But neither the antispyware nor the Malwarebytes which I have run have done anything.

Can you help me get rid of it?

Thank you and please be patient.

Coralys





#2 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,220 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:05:45 AM

Posted 29 December 2013 - 02:32 PM

Hello coralys

What did SAS say it did with it?


Please download MiniToolBox, save it to your desktop and run it.
Checkmark the following checkboxes:
  • Flush DNS
  • Report IE Proxy Settings
  • Reset IE Proxy Settings
  • Report FF Proxy Settings
  • Reset FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List Winsock Entries
  • List last 10 Event Viewer log
  • List Installed Programs
  • List Users, Partitions and Memory size.
Click Go and post the result (Result.txt). A copy of Result.txt will be saved in the same directory the tool is run.
Note: When using "Reset FF Proxy Settings" option Firefox should be closed.



Download TDSSKiller and save it to your desktop.
  • Extract (unzip) its contents to your desktop.
  • Open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory (usually C:\ folder) in the form of TDSSKiller_xxxx_log.txt. Please copy and paste the contents of that file here.
ADW Cleaner

Please download AdwCleaner by Xplode and save to your Desktop.
  • Double click on AdwCleaner.exe to run the tool
  • Click on the Scan button.
  • AdwCleaner will begin to scan your computer like it did before.
  • After the scan has finished...
  • This time click on the Clean button.
  • Press OK when asked to close all programs and follow the onscreen prompts.
  • Press OK again to allow AdwCleaner to restart the computer and complete the removal process.
  • After rebooting, a logfile report (AdwCleaner[S#].txt) will open automatically (where the largest value of # represents the most recent report).
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of that logfile will also be saved in the C:\AdwCleaner folder.

Please download Junkware Removal Tool to your desktop.
  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.

Last, run ESET.
  • Hold down Control and click on this link to open ESET OnlineScan in a new window.
  • Click the ESET Online Scanner button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the esetsmartinstaller_enu.exe icon on your desktop.
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives" and "Remove found threats"
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats
  • Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.
  • NOTE: Sometimes if ESET finds no infections it will not create a log.

How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook
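The MiniToolBox checkboxes boopme asks for (proxy settings, hosts file, Winsock entries) are the places a browser hijacker or redirecting infection usually leaves a trace, which is why a helper reads those sections of Result.txt first. The script below is an added example, not part of MiniToolBox or of the reply above: it splits a Result.txt into its banner-delimited sections and lists the entries a helper would want explained. The section-banner and Winsock line formats are assumed from the Result.txt pasted later in this thread; the sample input is constructed, and the enabled proxy, extra hosts line and Temp-folder Winsock provider in it are made up so the checks have something to report.

```python
"""Triage helper for a MiniToolBox Result.txt (added example, not the tool's own code)."""
import re

# Constructed sample in the MiniToolBox format seen in this thread. The enabled
# proxy, the second hosts entry and the Temp-folder Winsock provider are made up
# so the flagging logic fires; they are not from the thread's real log.
SAMPLE_RESULT = r"""MiniToolBox by Farbar  Version: 18-12-2013
Ran by exampleuser (administrator) on 29-12-2013 at 20:25:16
Microsoft Windows 7 Ultimate  Service Pack 1 (X86)
Boot Mode: Normal
***************************************************************************

========================= IE Proxy Settings: ==============================

Proxy is enabled.
Proxy Server: 127.0.0.1:8080

========================= FF Proxy Settings: ==============================

"network.proxy.type", 1

========================= Hosts content: =================================

127.0.0.1       localhost
203.0.113.10    www.example-bank.test

========================= Winsock entries =====================================

Catalog5 01 C:\Windows\system32\NLAapi.dll [52224] (Microsoft Corporation)
Catalog5 05 C:\Program Files\Bonjour\mdnsNSP.dll [121704] (Apple Inc.)
Catalog9 01 C:\Windows\system32\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 02 C:\Users\exampleuser\AppData\Local\Temp\lsphook.dll [40960] ()

========================= Event log errors: ===============================
"""

# "===== Name: =====" banners open a section. The all-'=' rules inside the IP
# configuration dump contain no spaces, so they do not match and stay as lines.
SECTION_RE = re.compile(r"^=+\s+(.+?):?\s+=+$")
# Assumed Winsock line shape: "Catalog5 01 <path> [<size>] (<vendor>)"
WINSOCK_RE = re.compile(r"^(Catalog\d+)\s+(\d+)\s+(.+?)\s+\[(\d+)\]\s+\((.*)\)$")


def split_sections(text):
    """Return {section name: [non-blank lines]} keyed by the banner titles."""
    sections = {"Header": []}
    current = "Header"
    for raw in text.splitlines():
        line = raw.rstrip()
        m = SECTION_RE.match(line.strip())
        if m:
            current = m.group(1).strip()
            sections[current] = []
        elif line.strip():
            sections[current].append(line)
    return sections


def triage(text):
    """Return (kind, line) findings worth a second look, in log order."""
    s = split_sections(text)
    findings = []

    # A proxy the user did not set up is the classic way traffic gets redirected.
    ie = " ".join(s.get("IE Proxy Settings", []))
    if "Proxy is enabled" in ie:
        findings.append(("ie_proxy", ie))

    # Assumed: Firefox proxy prefs are listed as '"network.proxy.*", value' lines.
    for line in s.get("FF Proxy Settings", []):
        if "network.proxy" in line:
            findings.append(("ff_proxy", line))

    # Anything beyond the loopback -> localhost mapping needs an explanation.
    for line in s.get("Hosts content", []):
        if line.lstrip().startswith("#"):
            continue
        parts = line.split()
        if len(parts) >= 2 and not (parts[0] in ("127.0.0.1", "::1") and parts[1] == "localhost"):
            findings.append(("hosts", line))

    # A Winsock provider that is not a Microsoft DLL under C:\Windows is not
    # necessarily bad (Bonjour's mdnsNSP.dll is a common legitimate one), but it
    # is where a hijacking LSP/NSP would appear, so list it for review.
    for line in s.get("Winsock entries", []):
        m = WINSOCK_RE.match(line)
        if not m:
            continue
        path, vendor = m.group(3), m.group(5)
        in_windows = path.lower().startswith("c:\\windows\\")
        if not (in_windows and vendor == "Microsoft Corporation"):
            findings.append(("winsock", line))

    return findings


if __name__ == "__main__":
    for kind, line in triage(SAMPLE_RESULT):
        print(f"{kind:9s} {line}")
```

Run against the real Result.txt in this thread, the only hit this produces is the Bonjour entry in the Winsock list (the proxy sections report nothing enabled and the hosts section is empty), which matches what a helper reading that log by eye would conclude.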

#3 coralys

coralys
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Local time:06:45 AM

Posted 30 December 2013 - 06:17 PM

Hi,

Thank you for your answer. Could not do anything before as we have been having some really bad power cuts. I am in Buenos Aires, Argentina and due to the heat wave the electric supply is suffering. Hell, I am suffering.

Downloaded what you suggested. Can't get the JRT to work, though. It goes until it says "starting ...hit any key to continue" and then it gets stuck. I uninstalled it and reinstalled it but it is no different.

Did run the other programs.

The SAS says: Trojan agent- Gen- Ponmocup, and when I click on it it says (I guess it means where it is housed?) windows\sytem 32\CMDL32.ZDLL

I am not sure I got this right but I understood you wanted me to post the result of the MiniToolbox?

In case, here it goes:


MiniToolBox by Farbar  Version: 18-12-2013
Ran by benditacora (administrator) on 29-12-2013 at 20:25:16
Running from "C:\Users\benditacora\Downloads"
Microsoft Windows 7 Ultimate  Service Pack 1 (X86)
Boot Mode: Normal
***************************************************************************

========================= Flush DNS: ===================================

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.

"Reset IE Proxy Settings": IE Proxy Settings were reset.

========================= FF Proxy Settings: ==============================

"Reset FF Proxy Settings": Firefox Proxy settings were reset.

========================= Hosts content: =================================


========================= IP Configuration: ================================

Realtek PCIe FE Family Controller = Local Area Connection (Connected)

# ----------------------------------
# IPv4 Configuration
# ----------------------------------
pushd interface ipv4

reset
set global icmpredirects=enabled

popd
# End of IPv4 configuration

Windows IP Configuration

   Host Name . . . . . . . . . . . . : Heathcliff
   Primary Dns Suffix  . . . . . . . :
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Realtek PCIe FE Family Controller
   Physical Address. . . . . . . . . : E0-69-95-E4-3A-0F
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::a8de:6cd3:f352:336%10(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.1.3(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : domingo, 29 de diciembre de 2013 08:18:24 p.m.
   Lease Expires . . . . . . . . . . : lunes, 30 de diciembre de 2013 08:18:24 p.m.
   Default Gateway . . . . . . . . . : 192.168.1.1
   DHCP Server . . . . . . . . . . . : 192.168.1.1
   DHCPv6 IAID . . . . . . . . . . . : 249588117
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-18-C9-6A-6D-E0-69-95-E4-3A-0F
   DNS Servers . . . . . . . . . . . : 192.168.1.1
   Primary WINS Server . . . . . . . : 192.168.1.1
   Secondary WINS Server . . . . . . : 192.168.1.1
   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter isatap.{0B2AEF42-A6D4-4E19-B623-C37E29FB68CB}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Teredo Tunneling Pseudo-Interface:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv6 Address. . . . . . . . . . . : 2001:0:9d38:6ab8:187a:142d:4118:85bc(Preferred)
   Link-local IPv6 Address . . . . . : fe80::187a:142d:4118:85bc%12(Preferred)
   Default Gateway . . . . . . . . . : ::
   NetBIOS over Tcpip. . . . . . . . : Disabled
Server:  UnKnown
Address:  192.168.1.1

Name:    google.com
Addresses:  2800:3f0:4002:801::1005
          173.194.42.40
          173.194.42.33
          173.194.42.37
          173.194.42.41
          173.194.42.36
          173.194.42.35
          173.194.42.46
          173.194.42.39
          173.194.42.34
          173.194.42.38
          173.194.42.32


Pinging google.com [173.194.42.32] with 32 bytes of data:
Reply from 173.194.42.32: bytes=32 time=13ms TTL=57
Reply from 173.194.42.32: bytes=32 time=33ms TTL=57

Ping statistics for 173.194.42.32:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 13ms, Maximum = 33ms, Average = 23ms
Server:  UnKnown
Address:  192.168.1.1

Name:    yahoo.com
Addresses:  206.190.36.45
          98.138.253.109
          98.139.183.24


Pinging yahoo.com [98.139.183.24] with 32 bytes of data:
Reply from 98.139.183.24: bytes=32 time=213ms TTL=52
Reply from 98.139.183.24: bytes=32 time=237ms TTL=52

Ping statistics for 98.139.183.24:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 213ms, Maximum = 237ms, Average = 225ms

Pinging 127.0.0.1 with 32 bytes of data:
Reply from 127.0.0.1: bytes=32 time=16ms TTL=128
Reply from 127.0.0.1: bytes=32 time=6ms TTL=128

Ping statistics for 127.0.0.1:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 6ms, Maximum = 16ms, Average = 11ms
===========================================================================
Interface List
 10...e0 69 95 e4 3a 0f ......Realtek PCIe FE Family Controller
  1...........................Software Loopback Interface 1
 11...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
 12...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1      192.168.1.3     20
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
      192.168.1.0    255.255.255.0         On-link       192.168.1.3    276
      192.168.1.3  255.255.255.255         On-link       192.168.1.3    276
    192.168.1.255  255.255.255.255         On-link       192.168.1.3    276
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link       192.168.1.3    276
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link       192.168.1.3    276
===========================================================================
Persistent Routes:
  None

IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
 12     58 ::/0                     On-link
  1    306 ::1/128                  On-link
 12     58 2001::/32                On-link
 12    306 2001:0:9d38:6ab8:187a:142d:4118:85bc/128
                                    On-link
 10    276 fe80::/64                On-link
 12    306 fe80::/64                On-link
 12    306 fe80::187a:142d:4118:85bc/128
                                    On-link
 10    276 fe80::a8de:6cd3:f352:336/128
                                    On-link
  1    306 ff00::/8                 On-link
 12    306 ff00::/8                 On-link
 10    276 ff00::/8                 On-link
===========================================================================
Persistent Routes:
  None

========================= Winsock entries =====================================

Catalog5 01 C:\Windows\system32\NLAapi.dll [52224] (Microsoft Corporation)
Catalog5 02 C:\Windows\system32\napinsp.dll [52224] (Microsoft Corporation)
Catalog5 03 C:\Windows\system32\pnrpnsp.dll [65024] (Microsoft Corporation)
Catalog5 04 C:\Windows\system32\pnrpnsp.dll [65024] (Microsoft Corporation)
Catalog5 05 C:\Program Files\Bonjour\mdnsNSP.dll [121704] (Apple Inc.)
Catalog5 06 C:\Windows\system32\mswsock.dll [231424] (Microsoft Corporation)
Catalog5 07 C:\Windows\system32\winrnr.dll [20992] (Microsoft Corporation)
Catalog9 01 C:\Windows\system32\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 02 C:\Windows\system32\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 03 C:\Windows\system32\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 04 C:\Windows\system32\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 05 C:\Windows\system32\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 06 C:\Windows\system32\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 07 C:\Windows\system32\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 08 C:\Windows\system32\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 09 C:\Windows\system32\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 10 C:\Windows\system32\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 11 C:\Windows\system32\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 12 C:\Windows\system32\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 13 C:\Windows\system32\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 14 C:\Windows\system32\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 15 C:\Windows\system32\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 16 C:\Windows\system32\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 17 C:\Windows\system32\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 18 C:\Windows\system32\mswsock.dll [231424] (Microsoft Corporation)


========================= Event log errors: ===============================

Application errors:
==================
Error: (12/29/2013 06:52:18 PM) (Source: Bonjour Service) (User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 4087

Error: (12/29/2013 06:52:18 PM) (Source: Bonjour Service) (User: )
Description: Task Scheduling Error: m->NextScheduledEvent 4087

Error: (12/29/2013 06:52:18 PM) (Source: Bonjour Service) (User: )
Description: Task Scheduling Error: Continuously busy for more than a second

Error: (12/29/2013 06:52:17 PM) (Source: Bonjour Service) (User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 3073

Error: (12/29/2013 06:52:17 PM) (Source: Bonjour Service) (User: )
Description: Task Scheduling Error: m->NextScheduledEvent 3073

Error: (12/29/2013 06:52:17 PM) (Source: Bonjour Service) (User: )
Description: Task Scheduling Error: Continuously busy for more than a second

Error: (12/29/2013 06:52:16 PM) (Source: Bonjour Service) (User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 2044

Error: (12/29/2013 06:52:16 PM) (Source: Bonjour Service) (User: )
Description: Task Scheduling Error: m->NextScheduledEvent 2044

Error: (12/29/2013 06:52:16 PM) (Source: Bonjour Service) (User: )
Description: Task Scheduling Error: Continuously busy for more than a second

Error: (12/29/2013 06:52:15 PM) (Source: Bonjour Service) (User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 1045


System errors:
=============
Error: (12/29/2013 08:18:28 PM) (Source: Service Control Manager) (User: )
Description: The Spybot-S&D 2 Security Center Service service depends on the Security Center service which failed to start because of the following error:
%%1058

Error: (12/29/2013 08:18:22 PM) (Source: atikmdag) (User: )
Description: Display is not active

Error: (12/29/2013 08:18:22 PM) (Source: atikmdag) (User: )
Description: CPLIB :: General - Invalid Parameter

Error: (12/29/2013 08:17:29 PM) (Source: DCOM) (User: )
Description: {F9717507-6651-4EDB-BFF7-AE615179BCCF}

Error: (12/29/2013 06:57:37 PM) (Source: bowser) (User: )
Description: The master browser has received a server announcement from the computer ITZAK-PC
that believes that it is the master browser for the domain on transport NetBT_Tcpip_{0B2AEF42-A6D4-4E19-B623-C37E29FB6.
The master browser is stopping or an election is being forced.

Error: (12/29/2013 06:52:36 PM) (Source: atikmdag) (User: )
Description: Display is not active

Error: (12/29/2013 06:33:33 PM) (Source: bowser) (User: )
Description: The master browser has received a server announcement from the computer ITZAK-PC
that believes that it is the master browser for the domain on transport NetBT_Tcpip_{0B2AEF42-A6D4-4E19-B623-C37E29FB6.
The master browser is stopping or an election is being forced.

Error: (12/29/2013 06:22:19 PM) (Source: atikmdag) (User: )
Description: Display is not active

Error: (12/29/2013 05:21:32 PM) (Source: bowser) (User: )
Description: The master browser has received a server announcement from the computer ITZAK-PC
that believes that it is the master browser for the domain on transport NetBT_Tcpip_{0B2AEF42-A6D4-4E19-B623-C37E29FB6.
The master browser is stopping or an election is being forced.

Error: (12/29/2013 05:17:41 PM) (Source: Service Control Manager) (User: )
Description: The Spybot-S&D 2 Security Center Service service depends on the Security Center service which failed to start because of the following error:
%%1058


Microsoft Office Sessions:
=========================
Error: (12/24/2013 02:50:36 PM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 0, Application Name: Microsoft Office Word, Application Version: 12.0.4518.1014, Microsoft Office Version: 12.0.4518.1014. This session lasted 8099 seconds with 60 seconds of active time.  This session ended with a crash.

Error: (12/01/2013 06:34:42 PM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 0, Application Name: Microsoft Office Word, Application Version: 12.0.4518.1014, Microsoft Office Version: 12.0.4518.1014. This session lasted 41670 seconds with 5160 seconds of active time.  This session ended with a crash.


CodeIntegrity Errors:
===================================
  Date: 2013-12-29 18:55:09.062
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files\Spybot - Search & Destroy 2\SDHook32.dll because the set of per-page image hashes could not be found on the system.

  Date: 2013-12-29 17:16:28.002
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files\Spybot - Search & Destroy 2\SDHook32.dll because the set of per-page image hashes could not be found on the system.

  Date: 2013-12-29 16:47:40.659
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files\Spybot - Search & Destroy 2\SDHook32.dll because the set of per-page image hashes could not be found on the system.

  Date: 2013-12-29 15:53:11.983
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files\Spybot - Search & Destroy 2\SDHook32.dll because the set of per-page image hashes could not be found on the system.

  Date: 2013-12-29 15:08:28.036
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files\Spybot - Search & Destroy 2\SDHook32.dll because the set of per-page image hashes could not be found on the system.

  Date: 2013-12-29 14:20:25.148
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files\Spybot - Search & Destroy 2\SDHook32.dll because the set of per-page image hashes could not be found on the system.

  Date: 2013-12-29 14:01:17.044
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files\Spybot - Search & Destroy 2\SDHook32.dll because the set of per-page image hashes could not be found on the system.

  Date: 2013-12-29 13:02:21.012
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files\Spybot - Search & Destroy 2\SDHook32.dll because the set of per-page image hashes could not be found on the system.

  Date: 2013-12-29 12:39:37.079
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files\Spybot - Search & Destroy 2\SDHook32.dll because the set of per-page image hashes could not be found on the system.

  Date: 2013-12-29 12:19:58.503
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files\Spybot - Search & Destroy 2\SDHook32.dll because the set of per-page image hashes could not be found on the system.


=========================== Installed Programs ============================

ABBYY FineReader 6.0 Sprint (Version: 6.00.1395.4512)
Adobe Flash Player 11 ActiveX (Version: 11.9.900.170)
Adobe Flash Player 11 Plugin (Version: 11.9.900.170)
Adobe Reader XI (11.0.05) - Français (Version: 11.0.05)
Adobe Shockwave Player 12.0 (Version: 12.0.5.146)
Apple Mobile Device Support (Version: 6.1.0.13)
Apple Software Update (Version: 2.1.3.127)
Ares 2.2.5 (Version: 2.2.5-Build#3049)
aTube Catcher (Version: 2.9.1448)
avast! Free Antivirus (Version: 9.0.2011)
BCL easyConverter Desktop 3 (Word Version) (Version: 3.0.18)
Bonjour (Version: 3.0.0.10)
CCleaner (Version: 4.09)
Compatibilidad con Aplicaciones de Apple (Version: 2.3.3)
Corel MediaOne (Version: 2.00.0000)
eMule Plus 1.2e
Epson Event Manager (Version: 2.30.01)
EPSON Scan
EPSON TX210 Series Printer Uninstall
Google Chrome (Version: 31.0.1650.63)
Google Earth Plug-in (Version: 7.1.2.2041)
Google Update Helper (Version: 1.3.22.3)
iTunes (Version: 11.0.2.26)
Java 7 Update 45 (Version: 7.0.450)
Java Auto Updater (Version: 2.1.9.8)
Malwarebytes Anti-Malware version 1.75.0.1300 (Version: 1.75.0.1300)
Microsoft .NET Framework 4 Client Profile (Version: 4.0.30319)
Microsoft Office Access MUI (English) 2007 (Version: 12.0.4518.1014)
Microsoft Office Access Setup Metadata MUI (English) 2007 (Version: 12.0.4518.1014)
Microsoft Office Enterprise 2007 (Version: 12.0.4518.1014)
Microsoft Office Excel MUI (English) 2007 (Version: 12.0.4518.1014)
Microsoft Office Groove MUI (English) 2007 (Version: 12.0.4518.1014)
Microsoft Office Groove Setup Metadata MUI (English) 2007 (Version: 12.0.4518.1014)
Microsoft Office InfoPath MUI (English) 2007 (Version: 12.0.4518.1014)
Microsoft Office OneNote MUI (English) 2007 (Version: 12.0.4518.1014)
Microsoft Office Outlook MUI (English) 2007 (Version: 12.0.4518.1014)
Microsoft Office PowerPoint MUI (English) 2007 (Version: 12.0.4518.1014)
Microsoft Office Proof (English) 2007 (Version: 12.0.4518.1014)
Microsoft Office Proof (French) 2007 (Version: 12.0.4518.1014)
Microsoft Office Proof (Spanish) 2007 (Version: 12.0.4518.1014)
Microsoft Office Proofing (English) 2007 (Version: 12.0.4518.1014)
Microsoft Office Publisher MUI (English) 2007 (Version: 12.0.4518.1014)
Microsoft Office Shared MUI (English) 2007 (Version: 12.0.4518.1014)
Microsoft Office Shared Setup Metadata MUI (English) 2007 (Version: 12.0.4518.1014)
Microsoft Office Word MUI (English) 2007 (Version: 12.0.4518.1014)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (Version: 9.0.30729)
Mozilla Firefox 26.0 (x86 es-ES) (Version: 26.0)
Mozilla Maintenance Service (Version: 26.0)
MSXML 4.0 SP2 (KB954430) (Version: 4.20.9870.0)
MSXML 4.0 SP2 (KB973688) (Version: 4.20.9876.0)
QuickTime (Version: 7.73.80.64)
QuickTime Converter 2.1
Skype Click to Call (Version: 6.12.13601)
Skype™ 6.10 (Version: 6.10.104)
Spybot - Search & Destroy (Version: 2.1.21)
SUPERAntiSpyware (Version: 5.7.1016)
swMSM (Version: 12.0.0.1)
VLC media player 2.0.6 (Version: 2.0.6)
WinRAR 4.20 (32-bit) (Version: 4.20.0)
XMind 2012 (v3.3.1) (Version: 3.3.1.201212250029)
Zona Creativa


========================= Memory info: ===================================

Percentage of memory in use: 65%
Total physical RAM: 1791.3 MB
Available physical RAM: 621.32 MB
Total Pagefile: 3582.61 MB
Available Pagefile: 1970.04 MB
Total Virtual: 2047.88 MB
Available Virtual: 1934.88 MB

========================= Partitions: =====================================

1 Drive c: () (Fixed) (Total:107.62 GB) (Free:11.11 GB) NTFS
2 Drive d: () (Fixed) (Total:346.68 GB) (Free:346.55 GB) NTFS
3 Drive e: (HP_RECOVERY) (Fixed) (Total:11.37 GB) (Free:1.36 GB) NTFS

========================= Users: ========================================

User accounts for \\HEATHCLIFF

Administrator            benditacora              Guest

**** End of l



#4 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,220 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:05:45 AM

Posted 30 December 2013 - 07:14 PM

Wow, we are at opposite ends of the world; it's -6.66 C here.

I meant did SAS remove the infection or leave it?

Please post ALL logs.

#5 coralys

coralys
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Local time:06:45 AM

Posted 30 December 2013 - 08:07 PM

Hi,

God how I envy you. We just hit 40.3 C this afternoon with 60% humidity.

SAS sees it but leaves it.

I ran it again after all you told me to do and it is still there. I do not know how much it can mess up my computer but I keep having problems: gmail won't open correctly, or if I open 3 or 4 sites with Chrome or Mozilla the whole thing crashes.

I think I will spend the new year inside and just reinstall Windows. Unless you have a better idea.

Thank you so much and happy holidays



#6 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,220 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:05:45 AM

Posted 30 December 2013 - 08:13 PM

Run the ADWcleaner and ESET and post those logs.



#7 coralys

coralys
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Local time:06:45 AM

Posted 05 January 2014 - 03:07 PM

Hi,

Here is the Adw3 report. It found nothing, neither did the ESET. But it is still going slow and keeps crashing. I am really fed up. I am thinking that the simplest will be to format the disk and reinstall Windows and the other programs. I have several doubts.

Is it possible that in what I save of my PDF, Word docs and pictures the trojan will be there and then recopy itself into my new installation?

This computer was given to me and it has no partition. When I reinstall Windows I am thinking of partitioning the disk and creating a partition for my documents, another for Windows and another for other programs; will that mean that if one partition gets infected the other partitions will be protected? And I will not have to reinstall everything?

Here goes the adw3 log:


# AdwCleaner v3.016 - Report created 05/01/2014 at 13:47:35
# Updated 23/12/2013 by Xplode
# Operating System : Windows 7 Ultimate Service Pack 1 (32 bits)
# Username : benditacora - HEATHCLIFF
# Running from : C:\Users\benditacora\Downloads\AdwCleaner.exe
# Option : Clean

***** [ Services ] *****


***** [ Files / Folders ] *****


***** [ Shortcuts ] *****


***** [ Registry ] *****


***** [ Browsers ] *****

-\\ Internet Explorer v11.0.9600.16428


-\\ Mozilla Firefox v26.0 (es-ES)

[ File : C:\Users\benditacora\AppData\Roaming\Mozilla\Firefox\Profiles\jx3fl810.default\prefs.js ]


-\\ Google Chrome v31.0.1650.63

[ File : C:\Users\benditacora\AppData\Local\Google\Chrome\User Data\Default\preferences ]


*************************

AdwCleaner[R0].txt - [13427 octets] - [29/12/2013 21:05:42]
AdwCleaner[R1].txt - [1169 octets] - [29/12/2013 21:12:50]
AdwCleaner[R2].txt - [1230 octets] - [30/12/2013 22:54:53]
AdwCleaner[R3].txt - [1222 octets] - [01/01/2014 10:31:36]
AdwCleaner[R4].txt - [1343 octets] - [02/01/2014 00:00:04]
AdwCleaner[R5].txt - [750 octets] - [05/01/2014 13:29:30]
AdwCleaner[R6].txt - [1522 octets] - [05/01/2014 13:31:59]
AdwCleaner[S0].txt - [13429 octets] - [29/12/2013 21:06:55]
AdwCleaner[S1].txt - [1293 octets] - [30/12/2013 22:57:40]
AdwCleaner[S2].txt - [1284 octets] - [01/01/2014 10:37:12]
AdwCleaner[S3].txt - [1404 octets] - [02/01/2014 00:07:07]
AdwCleaner[S4].txt - [1443 octets] - [05/01/2014 13:47:35]

########## EOF - C:\AdwCleaner\AdwCleaner[S4].txt - [1503 octets] ##########

 

 

 

 

 

 


thank you again, 

 

Cora



#8 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,220 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:05:45 AM

Posted 05 January 2014 - 09:36 PM

Pictures, text files, .doc files and music are usually safe.

If you're not sure how to reformat and reinstall Windows, please review:
  • How to format a computer and Reinstall Windows 7
  • These links include specific step-by-step instructions with screenshots:

    Windows 7 users
  • How to Do a Clean Installation with Windows 7
  • Windows 7 Clean Install Screens



  • Note: If you're using an IBM, Sony, HP, Compaq, Toshiba, Gateway, Dell or other manufacturer built computer, you may not have an original CD Disk. By policy Microsoft no longer allows OEM manufacturers to include the original Windows CD-ROM on computers sold with Windows preinstalled. Instead, most computers manufactured and sold by OEM vendors come with a vendor-specific Recovery Disk or Recovery Partition for performing a clean "factory restore" that will reformat your hard drive, remove all data and restore the computer to the state it was in when you first purchased it. Please read Technology Advisory Recovery Media.

    If the recovery partition has become infected, you will need to contact the manufacturer, explain what happened and ask them to send full recovery disks to use instead. If you lost or misplaced your recovery disks, again you can contact and advise the manufacturer. In many cases they will send replacements as part of their support.

    If you have made a disk image with an imaging tool (i.e. Acronis True Image, Drive Image, Ghost, Macrium Reflect, etc.) before your system was infected, then using it is another option. Disk Imaging allows you to take a complete snapshot (image) of your hard disk which can be used for system recovery in case of a hard disk disaster or malware resistant to disinfection. The image is an exact, byte-by-byte copy of an entire hard drive (partition or logical disk) which can be used to restore your system at a later time to the exact same state the system was when you imaged the disk or partition. Essentially, it will restore the computer to the state it was in when the image was made. You will then have to reinstall all programs that you added afterwards. This includes all security updates and patches from Microsoft.

    Reformatting a hard disk deletes all data. You can back up all your important documents, personal data files, photos, music, videos to a CD or DVD drive, not a flash drive or external hard drive as they may become compromised in the process. The safest practice is not to backup any executable files (*.exe), screensavers (*.scr), dynamic link library (*.dll), autorun (.ini) or script files (.php, .asp, .htm, .html, .xml) files because they may be infected by malware. Avoid backing up compressed files (.zip, .cab, .rar) that have executables inside them as some types of malware can penetrate compressed files and infect the .exe files within them. Other types of malware may even disguise themselves by hiding a file extension or by adding double file extensions and/or space(s) in the file's name to hide the real extension as shown here (click Figure 1 to enlarge) so be sure you look closely at the full file name. If you cannot see the file extension, you may need to reconfigure Windows to show file name extensions. Then make sure you scan the backed up data with your anti-virus prior to copying it back to your hard drive.
  • How to back up or transfer your data on a Windows-based computer
  • How to Backup and Restore in Windows 7
  • How and Where to backup your files in XP or Vista
  • How to Backup in Windows Vista
  • If your computer will not boot properly, please refer to:
  • How to use Ubuntu Live CD to Backup Files from your dead Windows Computer
  • Using Ultimate Boot CD for Windows to Rescue Files from a Computer that will not Boot Correctly
  • If you need additional assistance with reformatting, partitioning or reinstalling the OS, you can start a new topic in the Operating Systems Subforums.
You're welcome Cora!!

Edited by boopme, 05 January 2014 - 09:36 PM.

How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook
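The backup advice in this post, turned into a small triage script that sorts the files in a folder before they are copied. This is an added example, not code from the thread or from BleepingComputer; it uses the extension lists the post names, plus an assumed set of common picture, document and music types, and the file names it prints are constructed.

```python
import os
import re

# Extension lists from the post above. Anything not listed is reported as
# "unknown" so the user looks at it before copying it anywhere.
SAFE_DATA = {".jpg", ".jpeg", ".png", ".gif", ".bmp", ".pdf", ".doc", ".docx",
             ".txt", ".mp3", ".wav"}   # assumed common picture/document/music types
DO_NOT_BACK_UP = {".exe", ".scr", ".dll", ".ini", ".php", ".asp", ".htm", ".html", ".xml"}
ARCHIVES = {".zip", ".cab", ".rar"}    # may carry infected executables inside

# A safe-looking extension followed by padding spaces and/or a second extension,
# e.g. "holiday.jpg          .exe" or "invoice.pdf.scr" (the trick the post describes).
DISGUISE = re.compile(r"\.(jpe?g|png|gif|bmp|pdf|docx?|txt|mp3|wav)\s*\.[A-Za-z0-9]{1,4}$",
                      re.IGNORECASE)

def classify(filename):
    """Return (verdict, reason); verdict is 'safe', 'archive', 'skip' or 'unknown'."""
    name = os.path.basename(filename)
    real_ext = os.path.splitext(name.rstrip())[1].lower()   # only the last extension counts
    if DISGUISE.search(name):
        return "skip", "double or space-padded extension; real type is %s" % (real_ext or "none")
    if real_ext in DO_NOT_BACK_UP:
        return "skip", "executable/script type %s" % real_ext
    if real_ext in ARCHIVES:
        return "archive", "check the contents for executables before copying"
    if real_ext in SAFE_DATA:
        return "safe", "data file %s" % real_ext
    if not real_ext:
        return "unknown", "no visible extension; turn on 'show file name extensions'"
    return "unknown", "unlisted type %s" % real_ext

def triage_folder(root):
    """Walk the folder the user wants to back up and group its files by verdict."""
    groups = {"safe": [], "archive": [], "skip": [], "unknown": []}
    for dirpath, _dirs, files in os.walk(root):
        for f in files:
            verdict, reason = classify(f)
            groups[verdict].append((os.path.join(dirpath, f), reason))
    return groups

# Constructed file names for the demonstration; no real files are read.
SAMPLE_NAMES = ["holiday.jpg", "thesis.docx", "song.mp3", "setup.exe", "screensaver.scr",
                "old_photos.zip", "invoice.pdf.scr", "vacation.jpg          .exe", "README"]

if __name__ == "__main__":
    for n in SAMPLE_NAMES:
        verdict, why = classify(n)
        print("%-32r %-8s %s" % (n, verdict, why))
```

Run `triage_folder` on the folder you plan to burn to CD/DVD; everything in the "skip" group stays behind and the "archive" group gets opened and checked before it is copied.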

#9 coralys

coralys
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Local time:06:45 AM

Posted 06 January 2014 - 03:41 PM

Thank you for all your time and effort.

 

I will follow the instructions and format my hard disk. And while I am at it I will partition the disk and do a cleaner installation. Some idiot who calls himself a tech did this one and never thought of putting the OS in a different partition than my docs. OS, programs and docs are all together in one huge partition. This is why I was asking you about the danger of having infected docs or pictures.

 

Hope the cold eases up on you,

 

Cora



#10 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,220 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:05:45 AM

Posted 07 January 2014 - 11:27 AM

You can copy them to a folder and scan them first.



#11 coralys

coralys
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Local time:06:45 AM

Posted 07 January 2014 - 11:50 AM

will do, thanks





