
Java update whitescreen virus.


  • This topic is locked
10 replies to this topic

#1 Chemenger

Chemenger

  • Members
  • 6 posts
  • OFFLINE
  • Local time:04:44 AM

Posted 03 January 2014 - 10:55 AM

Hi all,

 

I recently picked up (stupidly) a whitescreen virus that came from some bogus Java update screen online. Anyway, a USB recovery tool (Anvi) was unable to properly remove the virus, so I followed the procedure on this site and ran the FRST scan tool.

 

Here is the resulting log:

 

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 03-01-2014
Ran by SYSTEM on MINWINPC on 03-01-2014 10:41:30
Running from G:\
Windows Vista ™ Home Premium Service Pack 1 (X64) OS Language: English(US)
Internet Explorer Version 9
Boot Mode: Recovery
 
The current controlset is ControlSet001
ATTENTION!:=====> If the system is bootable FRST could be run from normal or Safe mode to create a complete log.
 
 
==================== Registry (Whitelisted) ==================
 
HKLM\...\Run: [SynTPEnh] - C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [1573160 2008-08-14] (Synaptics, Inc.)
HKLM\...\Run: [RtHDVCpl] - C:\Windows\RAVCpl64.exe [5682688 2008-01-29] (Realtek Semiconductor)
HKLM\...\Run: [Skytel] - C:\Windows\SkyTel.exe [1826816 2007-11-20] (Realtek Semiconductor Corp.)
HKLM\...\Run: [LtMoh] - C:\Program Files\ltmoh\ltmoh.exe [191552 2007-01-08] (Agere Systems)
HKLM\...\Run: [TPwrMain] - C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe [431968 2008-01-17] (TOSHIBA Corporation)
HKLM\...\Run: [HSON] - C:\Program Files\TOSHIBA\TBS\HSON.exe [52560 2007-12-06] (TOSHIBA Corporation)
HKLM\...\Run: [SmoothView] - C:\Program Files\TOSHIBA\SmoothView\SmoothView.exe [519544 2007-12-11] (TOSHIBA Corporation)
HKLM\...\Run: [00TCrdMain] - C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe [865792 2008-01-22] (TOSHIBA Corporation)
HKLM\...\Run: [HDMICtrlMan] - C:\Program Files\TOSHIBA\HDMICtrlMan\HDMICtrlMan.exe [900096 2008-03-27] (TOSHIBA Corporation.)
HKLM\...\Run: [MSC] - "c:\Program Files\Microsoft Security Client\mssecex.exe" -hide -runkey <===== ATTENTION (File name is altered)
HKLM-x32\...\Run: [StartCCC] - C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [90112 2006-11-10] ()
HKLM-x32\...\Run: [Adobe Reader Speed Launcher] - C:\Program Files (x86)\Adobe\Reader 8.0\Reader\reader_sl.exe [39792 2008-10-14] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [APSDaemon] - C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [59720 2013-09-13] (Apple Inc.)
HKLM-x32\...\Run: [QuickTime Task] - C:\Program Files (x86)\QuickTime\QTTask.exe [421888 2012-10-25] (Apple Inc.)
HKLM-x32\...\Run: [iTunesHelper] - C:\Program Files (x86)\iTunes\iTunesHelper.exe [152392 2013-09-30] (Apple Inc.)
HKLM\...\Policies\Explorer: [NoShellSearchButton] 0
HKLM\...\Policies\Explorer: [NoFolderOptions] 0x00000000
HKLM\...\Policies\Explorer: [NoTrayContextMenu] 0x00000000
HKLM\...\Policies\Explorer: [NoSetTaskBar] 0
HKLM\...\Policies\Explorer: [NoFileMenu] 0
HKLM\...\Policies\Explorer: [NoNetworkConnections] 0
HKLM\...\Policies\Explorer: [NoChangeStartMenu] 0x00000000
HKLM\...\Policies\Explorer: [NoDesktop] 0x00000000
HKLM\...\Policies\Explorer: [MaxRecentDocs] 0
HKLM\...\Policies\Explorer: [NoNetConnectDisconnect] 0
HKLM\...\Policies\Explorer: [NoRemoteRecursiveEvents] 0
HKLM\...\Policies\Explorer: [NoRecentDocsHistory] 0x00000000
HKLM\...\Policies\Explorer: [NoFind] 0
HKLM\...\Policies\Explorer: [ClearRecentDocsOnExit] 0x00000000
HKLM\...\Policies\Explorer: [NoInternetIcon] 0
HKLM\...\Policies\Explorer: [NoStartBanner] 0x00000000
HKLM\...\Policies\Explorer: [NoNetHood] 0
HKLM\...\Policies\Explorer: [NoViewContextMenu] 0x00000000
HKLM\...\Policies\Explorer: [NoWinKey] 0
HKLM\...\Policies\Explorer: [NoControlPanel] 0
HKLM\...\Policies\Explorer: [NoNetConnextDisconnect] 0
HKLM\...\Policies\Explorer: [NoFavoritesMenu] 0
HKLM\...\Policies\Explorer: [NoWindowsUpdate] 0
HKLM\...\Policies\Explorer: [NoSMConfigurePrograms] 0
HKLM\...\Policies\Explorer: [NoControlPanle] 0
HKU\Default\...\Run: [WindowsWelcomeCenter] - rundll32.exe oobefldr.dll,ShowWelcomeCenter
HKU\Default\...\Run: [TOSCDSPD] - C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe [432640 2008-01-29] (TOSHIBA)
HKU\Default User\...\Run: [WindowsWelcomeCenter] - rundll32.exe oobefldr.dll,ShowWelcomeCenter
HKU\Default User\...\Run: [TOSCDSPD] - C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe [432640 2008-01-29] (TOSHIBA)
HKU\Nick\...\Run: [TOSCDSPD] - C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe [432640 2008-01-29] (TOSHIBA)
HKU\Nick\...\Run: [MsnMsgr] - C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe [4240760 2010-09-22] (Microsoft Corporation)
HKU\Nick\...\Run: [Google Update] - C:\Users\Nick\AppData\Local\Google\Update\GoogleUpdate.exe [133104 2008-09-02] (Google Inc.)
HKU\Nick\...\Run: [Google Update*] - [x] <===== ATTENTION (ZeroAccess rootkit hidden path)
HKU\Nick\...\Winlogon: [Userinit] C:\Windows\system32\userinit.exe [28160 2008-01-20] (Microsoft Corporation)
HKU\Nick\...\Winlogon: [Shell] explorer.exe,C:\Users\Nick\AppData\Roaming\cache.dat [114176 2011-11-18] () <==== ATTENTION 
Startup: C:\Users\Nick\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\81wl7bzj.lnk
ShortcutTarget: 81wl7bzj.lnk -> C:\ProgramData\jzb7lw18.dss ()
 
==================== Services (Whitelisted) =================
 
S2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [22056 2013-01-27] ()
S3 NisSrv; c:\Program Files\Microsoft Security Client\NisSrv.exe [379360 2013-01-27] ()
S2 PnkBstrB; C:\Windows\SysWow64\PnkBstrB.exe [183112 2009-04-03] ()
S2 TNaviSrv; C:\Program Files (x86)\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe [83312 2008-01-21] (TOSHIBA Corporation)
S2 Winmgmt; C:\ProgramData\81wl7bzj.pss [61544 2013-10-21] (Microsoft Corporation)
S2 CLTNetCnService; "C:\Program Files (x86)\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon [x]
S2 *etadpug; "C:\Program Files (x86)\Google\Desktop\Install\{b1dd5f87-b266-79e0-3267-b5a724f60a09}\   \...\???\{b1dd5f87-b266-79e0-3267-b5a724f60a09}\GoogleUpdate.exe" < <==== ATTENTION (ZeroAccess)
 
==================== Drivers (Whitelisted) ====================
 
S0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [230320 2013-01-20] (Microsoft Corporation)
S3 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [130008 2013-01-20] (Microsoft Corporation)
S0 sptd; C:\Windows\System32\Drivers\sptd.sys [868848 2008-08-26] (Duplex Secure Ltd.)
S3 IpInIp; system32\DRIVERS\ipinip.sys [x]
S3 NwlnkFlt; system32\DRIVERS\nwlnkflt.sys [x]
S3 NwlnkFwd; system32\DRIVERS\nwlnkfwd.sys [x]
S1 qsqhvpgi; \??\C:\Windows\system32\drivers\qsqhvpgi.sys [x]
 
==================== NetSvcs (Whitelisted) ===================
 
 
==================== One Month Created Files and Folders ========
 
2014-01-03 10:40 - 2014-01-03 10:40 - 00000000 ____D C:\FRST
2014-01-02 22:08 - 2014-01-02 22:08 - 49940480 _____ C:\Program Files (x86)\GUT142C.tmp
2014-01-02 22:08 - 2014-01-02 22:08 - 00000000 ____D C:\Program Files (x86)\GUM142B.tmp
2014-01-02 19:09 - 2014-01-02 19:10 - 26548024 _____ C:\asdsetup.exe
2014-01-02 19:07 - 2014-01-02 19:07 - 83623936 _____ C:\Windows\System32\config\software.bhv
2014-01-02 19:07 - 2014-01-02 19:07 - 23592960 _____ C:\Windows\System32\config\system.bhv
2014-01-02 19:07 - 2014-01-02 19:07 - 00262144 _____ C:\Windows\System32\config\security.bhv
2014-01-02 19:07 - 2014-01-02 19:07 - 00262144 _____ C:\Windows\System32\config\sam.bhv
2014-01-02 19:07 - 2014-01-02 19:07 - 00262144 _____ C:\Windows\System32\config\default.bhv
2014-01-02 17:08 - 2014-01-02 17:08 - 00000000 ____D C:\$Anvi Rescue Disk$
 
==================== One Month Modified Files and Folders =======
 
2014-01-03 10:40 - 2014-01-03 10:40 - 00000000 ____D C:\FRST
2014-01-03 00:01 - 2006-11-02 05:33 - 00000000 ____D C:\Windows\PolicyDefinitions
2014-01-02 22:09 - 2013-10-21 19:02 - 00000004 _____ C:\Users\Nick\AppData\Roaming\cache.ini
2014-01-02 22:09 - 2006-11-02 07:42 - 00032630 _____ C:\Windows\Tasks\SCHEDLGU.TXT
2014-01-02 22:09 - 2006-11-02 07:42 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2014-01-02 22:08 - 2014-01-02 22:08 - 49940480 _____ C:\Program Files (x86)\GUT142C.tmp
2014-01-02 22:08 - 2014-01-02 22:08 - 00000000 ____D C:\Program Files (x86)\GUM142B.tmp
2014-01-02 22:08 - 2013-02-28 04:36 - 00003682 _____ C:\Windows\System32\Tasks\Adobe Flash Player Updater
2014-01-02 22:08 - 2013-02-28 04:36 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2014-01-02 22:08 - 2012-09-25 13:58 - 00692616 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2014-01-02 22:08 - 2011-05-16 13:54 - 00071048 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2014-01-02 22:08 - 2009-06-29 20:19 - 00000904 _____ C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-508846183-1127017395-3120944167-1003UA.job
2014-01-02 21:06 - 2006-11-02 07:22 - 00003216 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2014-01-02 21:06 - 2006-11-02 07:22 - 00003216 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2014-01-02 19:10 - 2014-01-02 19:09 - 26548024 _____ C:\asdsetup.exe
2014-01-02 19:07 - 2014-01-02 19:07 - 83623936 _____ C:\Windows\System32\config\software.bhv
2014-01-02 19:07 - 2014-01-02 19:07 - 23592960 _____ C:\Windows\System32\config\system.bhv
2014-01-02 19:07 - 2014-01-02 19:07 - 00262144 _____ C:\Windows\System32\config\security.bhv
2014-01-02 19:07 - 2014-01-02 19:07 - 00262144 _____ C:\Windows\System32\config\sam.bhv
2014-01-02 19:07 - 2014-01-02 19:07 - 00262144 _____ C:\Windows\System32\config\default.bhv
2014-01-02 19:07 - 2008-08-23 11:50 - 00000000 ____D C:\users\Nick
2014-01-02 19:06 - 2012-08-20 07:48 - 00000000 ____D C:\ProgramData\AMMYY
2014-01-02 19:06 - 2008-08-29 03:56 - 00000000 ____D C:\Program Files (x86)\WinAce
2014-01-02 17:08 - 2014-01-02 17:08 - 00000000 ____D C:\$Anvi Rescue Disk$
2013-12-21 06:09 - 2013-10-21 19:10 - 95025368 ____T C:\ProgramData\81wl7bzj.bxx
2013-12-21 06:09 - 2013-10-21 19:02 - 00000000 _____ C:\ProgramData\81wl7bzj.fvv
2013-12-21 06:09 - 2009-11-15 06:46 - 00000000 ____D C:\Users\Nick\Tracing
ZeroAccess:
C:\Users\Nick\AppData\Local\Google\Desktop\Install
ZeroAccess:
C:\Program Files (x86)\Google\Desktop\Install
 
ZeroAccess:
C:\Windows\assembly\GAC_32\Desktop.ini
 
ZeroAccess:
C:\Windows\assembly\GAC_64\Desktop.ini
 
Files to move or delete:
====================
C:\Users\Nick\AppData\Roaming\cache.dat
C:\Users\Nick\AppData\Roaming\cache.ini
C:\ProgramData\81wl7bzj.bxx
C:\ProgramData\81wl7bzj.fvv
C:\ProgramData\81wl7bzj.pss
C:\ProgramData\jzb7lw18.dss
 
 
Some content of TEMP:
====================
C:\Users\Nick\AppData\Local\Temp\h1187579479.tmp.exe
C:\Users\Nick\AppData\Local\Temp\h132904577.tmp.exe
C:\Users\Nick\AppData\Local\Temp\h624889507.tmp.dll
 
 
==================== Known DLLs (Whitelisted) ================
 
 
==================== Bamital & volsnap Check =================
 
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
ATTENTION: ====> ZeroAccess. Use DeleteJunctionsIndirectory: C:\Program Files\Microsoft Security Client
 
==================== EXE ASSOCIATION =====================
 
HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK
 
==================== Restore Points  =========================
 
Restore point made on: 2013-10-09 05:47:47
Restore point made on: 2013-10-09 20:00:24
Restore point made on: 2013-10-10 20:00:26
Restore point made on: 2013-10-11 20:00:22
Restore point made on: 2013-10-12 20:00:23
Restore point made on: 2013-10-12 21:42:42
Restore point made on: 2013-10-15 20:19:29
Restore point made on: 2013-10-16 19:16:13
Restore point made on: 2013-10-17 20:00:19
Restore point made on: 2013-10-18 20:00:24
Restore point made on: 2013-10-19 20:00:23
Restore point made on: 2013-10-19 21:59:39
 
==================== Memory info =========================== 
 
Percentage of memory in use: 16%
Total physical RAM: 3069.15 MB
Available physical RAM: 2549.99 MB
Total Pagefile: 2847.71 MB
Available Pagefile: 2521.84 MB
Total Virtual: 8192 MB
Available Virtual: 8191.89 MB
 
==================== Drives ================================
 
Drive c: (S3A6688D007) (Fixed) (Total:217.26 GB) (Free:71.47 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
Drive d: () (Fixed) (Total:7.24 GB) (Free:0.62 GB) NTFS
Drive f: (TOSHIBA SYSTEM VOLUME) (Fixed) (Total:1.46 GB) (Free:1.31 GB) NTFS
Drive g: (USB DISK) (Removable) (Total:1.86 GB) (Free:1.86 GB) FAT32
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (MBR Code: Windows 7 or Vista) (Size: 233 GB) (Disk ID: 1048EBC4)
Partition 1: (Not Active) - (Size=1 GB) - (Type=27)
Partition 2: (Active) - (Size=217 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=7 GB) - (Type=07 NTFS)
Partition 4: (Not Active) - (Size=7 GB) - (Type=17)
 
========================================================
Disk: 1 (Size: 2 GB) (Disk ID: 00000000)
Partition 1: (Active) - (Size=2 GB) - (Type=0B)
 
 
LastRegBack: 2013-10-21 19:36
 
==================== End Of Log ============================
 
Thank you for any help you can give me, and I really appreciate this service that you provide!



 


#2 nasdaq

nasdaq

  • Malware Response Team
  • 40,190 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:05:44 AM

Posted 08 January 2014 - 08:26 AM

Open Notepad (Start => All Programs => Accessories => Notepad). Please copy the entire contents of the code box below.
 
start

HKU\Nick\...\Run: [Google Update*] - [x] <===== ATTENTION (ZeroAccess rootkit hidden path)
HKU\Nick\...\Winlogon: [Shell] explorer.exe,C:\Users\Nick\AppData\Roaming\cache.dat [114176 2011-11-18] () <==== ATTENTION
ShortcutTarget: 81wl7bzj.lnk -> C:\ProgramData\jzb7lw18.dss ()
S2 *etadpug; "C:\Program Files (x86)\Google\Desktop\Install\{b1dd5f87-b266-79e0-3267-b5a724f60a09}\   \...\???\{b1dd5f87-b266-79e0-3267-b5a724f60a09}\GoogleUpdate.exe" < <==== ATTENTION (ZeroAccess)
S1 qsqhvpgi; \??\C:\Windows\system32\drivers\qsqhvpgi.sys [x]

C:\Users\Nick\AppData\Roaming\cache.dat
C:\Users\Nick\AppData\Roaming\cache.ini
C:\ProgramData\81wl7bzj.bxx
C:\ProgramData\81wl7bzj.fvv
C:\ProgramData\81wl7bzj.pss
C:\ProgramData\jzb7lw18.dss
C:\Users\Nick\AppData\Local\Temp\h1187579479.tmp.exe
C:\Users\Nick\AppData\Local\Temp\h132904577.tmp.exe
C:\Users\Nick\AppData\Local\Temp\h624889507.tmp.dll

end

Save the file as fixlist.txt into the same folder as FRST.
Run FRST and click Fix only once and wait.
The tool will create a log (Fixlog.txt); please post it in your reply.

Restart the Computer normally if you can.
===

--RogueKiller--
  • Download & SAVE to your Desktop RogueKiller for 32bit or Roguekiller for 64bit
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or Windows 7, right-click and select "Run as Administrator" to start.
  • For Windows XP, double-click to start.
  • Wait until Prescan has finished ...
  • Then Click on "Scan" button
  • Wait until the Status box shows "Scan Finished"
  • Click on "Delete"
  • Wait until the Status box shows "Deleting Finished"
  • Click on "Report" and copy/paste the content of the Notepad into your next reply.
  • The log should be found in RKreport[1].txt on your Desktop
  • Exit/Close RogueKiller
===


    Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.

    1: DDS.scr (Not recommended if you use Chrome to download this .scr file. Use the other options.)
    2: DDS.pif
    3: DDS.COM

    Double click on the DDS icon, allow it to run.
    A small box will open, with an explanation about the tool. No input is needed, the scan is running.
    Notepad will open with the results.
    Follow the instructions that pop up for posting the results. Please note: You may have to disable any script protection running if the scan fails to run.


    Please just paste the contents of the DDS.txt log in your next post. DO NOT attach the log.

    Please let me know what problem persists.
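The FRST log in the opening post and the fixlist built from it in the reply above both follow a fixed line shape, which makes the first triage pass mechanical. The script below is an added example (it is not part of this thread and not a Farbar or BleepingComputer tool) that applies the checks a responder makes by eye to a constructed sample of lines copied in the shape of the log above: FRST's own ATTENTION markers, a Winlogon Shell value that is not plain explorer.exe, a Start Menu shortcut whose target sits in ProgramData, a service whose image lives in a user-writable directory or whose name starts with a non-alphanumeric character, a built-in service such as Winmgmt whose ServiceDll resolves outside %SystemRoot%, and a boot- or system-start driver whose file FRST reports as missing. It then emits a fixlist.txt skeleton in the start/end format used in the reply. The function names, the small set of built-in service names and the sample lines are the example's own assumptions.

```python
"""Heuristic triage of an FRST.txt log for the ZeroAccess-style persistence seen in
this thread, plus generation of a fixlist.txt skeleton.  Added example: not a Farbar
tool; helper names and the service-name set are assumptions of this example."""
import re
from dataclasses import dataclass, field

# Constructed sample: a subset of lines in the shape FRST printed in this thread.
SAMPLE_FRST = r"""
HKLM\...\Run: [SynTPEnh] - C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [1573160 2008-08-14] (Synaptics, Inc.)
HKU\Nick\...\Run: [Google Update*] - [x] <===== ATTENTION (ZeroAccess rootkit hidden path)
HKU\Nick\...\Winlogon: [Userinit] C:\Windows\system32\userinit.exe [28160 2008-01-20] (Microsoft Corporation)
HKU\Nick\...\Winlogon: [Shell] explorer.exe,C:\Users\Nick\AppData\Roaming\cache.dat [114176 2011-11-18] () <==== ATTENTION
Startup: C:\Users\Nick\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\81wl7bzj.lnk
ShortcutTarget: 81wl7bzj.lnk -> C:\ProgramData\jzb7lw18.dss ()
S2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [22056 2013-01-27] ()
S2 Winmgmt; C:\ProgramData\81wl7bzj.pss [61544 2013-10-21] (Microsoft Corporation)
S2 *etadpug; "C:\Program Files (x86)\Google\Desktop\Install\{b1dd5f87-b266-79e0-3267-b5a724f60a09}\   \...\???\{b1dd5f87-b266-79e0-3267-b5a724f60a09}\GoogleUpdate.exe" < <==== ATTENTION (ZeroAccess)
S0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [230320 2013-01-20] (Microsoft Corporation)
S3 IpInIp; system32\DRIVERS\ipinip.sys [x]
S1 qsqhvpgi; \??\C:\Windows\system32\drivers\qsqhvpgi.sys [x]
"""

# "S2 Name; <image path> [size date] (Company)"  or  "... [x]" when the file is missing.
SERVICE_RE = re.compile(r'^([SR])(\d) (\S+); (.*)$')
SHELL_RE = re.compile(r'\\Winlogon: \[Shell\] (.*?)(?: \[| <=|$)')
SHORTCUT_RE = re.compile(r'^ShortcutTarget: \S+ -> (.*?) \(')
USER_WRITABLE_RE = re.compile(r'\\(ProgramData|Users\\[^\\]+\\AppData|Temp)\\', re.IGNORECASE)
# svchost-hosted Windows services whose DLL must resolve under \Windows\.  Winmgmt is the
# one hijacked in this thread; the rest are well-known additions (assumption of the example).
SYSTEM_SERVICES = {'winmgmt', 'wuauserv', 'bits', 'schedule', 'eventlog'}


@dataclass
class Finding:
    line: str                                   # the FRST line, verbatim
    reasons: list = field(default_factory=list)
    file_path: str = ''                         # file the fixlist should also move, if any


def image_path(rest: str) -> str:
    """Strip FRST's trailing '[size date] (Company)' / '[x]' and surrounding quotes."""
    rest = rest.strip()
    if rest.startswith('"'):
        return rest[1:rest.find('"', 1)]
    return rest.split(' [', 1)[0]


def triage(log_text: str) -> list:
    """Return one Finding per suspicious line, with every reason that fired."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        f = Finding(line)
        if 'ATTENTION' in line:                 # FRST already flagged it
            f.reasons.append("FRST's own ATTENTION marker")
        m = SHELL_RE.search(line)               # Shell must be exactly explorer.exe
        if m and m.group(1).strip().lower() != 'explorer.exe':
            f.reasons.append('Winlogon Shell loads something besides explorer.exe')
            for part in m.group(1).split(','):
                if part.strip().lower() != 'explorer.exe':
                    f.file_path = part.strip()
        m = SHORTCUT_RE.match(line)             # Startup .lnk pointing into ProgramData etc.
        if m and USER_WRITABLE_RE.search(m.group(1)):
            f.reasons.append('Startup shortcut targets a file in a user-writable location')
            f.file_path = m.group(1)
        m = SERVICE_RE.match(line)
        if m:
            start, name, rest = m.group(2), m.group(3), m.group(4)
            path = image_path(rest)
            if not name[0].isalnum():
                f.reasons.append('service name begins with a non-alphanumeric character')
            if USER_WRITABLE_RE.search(path):
                f.reasons.append('service/driver image lives in a user-writable location')
                f.file_path = path
            if name.lower() in SYSTEM_SERVICES and not re.search(r'\\Windows\\', path, re.IGNORECASE):
                f.reasons.append('built-in Windows service redirected outside %SystemRoot%')
            if rest.rstrip().endswith('[x]') and start in ('0', '1'):
                f.reasons.append('boot/system-start driver whose file is missing or hidden')
        if f.reasons:
            findings.append(f)
    return findings


def files_to_move(findings: list) -> list:
    """Unique file paths, in log order, that the fixlist should list as bare lines."""
    paths = []
    for f in findings:
        if f.file_path and f.file_path not in paths:
            paths.append(f.file_path)
    return paths


def build_fixlist(findings: list) -> str:
    """FRST fixlist: flagged log lines verbatim, then bare file paths, between start/end."""
    entries = [f.line for f in findings]
    return '\n'.join(['start', ''] + entries + [''] + files_to_move(findings) + ['', 'end']) + '\n'


if __name__ == '__main__':
    found = triage(SAMPLE_FRST)
    for f in found:
        print(f.line + '\n    -> ' + '; '.join(f.reasons))
    print(build_fixlist(found))
```

Two caveats a practitioner would want. First, each fixlist entry must stay on one line exactly as FRST printed it: later in this thread the ShortcutTarget entry was wrapped across two lines and the Fixlog reported it as "not found", and only the bare path entry below it actually moved the file. Second, these heuristics produce candidates for a human to confirm, not an automatic fix; the script deliberately leaves an orphaned S3 driver such as IpInIp alone, because missing legacy drivers are common on clean machines.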


#3 Chemenger

Chemenger
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:04:44 AM

Posted 08 January 2014 - 06:42 PM

Thanks for the help!

 

The fix allowed me to start Windows normally. Here are the contents of the Fixlog:

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 03-01-2014
Ran by SYSTEM at 2014-01-08 18:36:06 Run:1
Running from G:\
Boot Mode: Recovery
==============================================
 
Content of fixlist:
*****************
start
 
HKU\Nick\...\Run: [Google Update*] - [x] <===== ATTENTION (ZeroAccess rootkit hidden path)
HKU\Nick\...\Winlogon: [Shell] explorer.exe,C:\Users\Nick\AppData\Roaming\cache.dat [114176 2011-11-18] () <==== ATTENTION
ShortcutTarget: 81wl7bzj.lnk ->
C:\ProgramData\jzb7lw18.dss ()
S2 *etadpug; "C:\Program Files (x86)\Google\Desktop\Install\{b1dd5f87-b266-79e0-3267-b5a724f60a09}\   \...\???\{b1dd5f87-b266-79e0-3267-b5a724f60a09}\GoogleUpdate.exe" < <==== ATTENTION (ZeroAccess)
S1 qsqhvpgi; \??\C:\Windows\system32\drivers\qsqhvpgi.sys [x]
 
C:\Users\Nick\AppData\Roaming\cache.dat
C:\Users\Nick\AppData\Roaming\cache.ini
C:\ProgramData\81wl7bzj.bxx
C:\ProgramData\81wl7bzj.fvv
C:\ProgramData\81wl7bzj.pss
C:\ProgramData\jzb7lw18.dss
C:\Users\Nick\AppData\Local\Temp\h1187579479.tmp.exe
C:\Users\Nick\AppData\Local\Temp\h132904577.tmp.exe
C:\Users\Nick\AppData\Local\Temp\h624889507.tmp.dll
 
end
*****************
 
HKU\Nick\Software\Microsoft\Windows\CurrentVersion\Run\\Google Update* => Value deleted successfully.
HKU\Nick\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell => Value deleted successfully.
ShortcutTarget: 81wl7bzj.lnk -> not found.
"C:\ProgramData\jzb7lw18.dss ()" => File/Directory not found.
*etadpug => Service deleted successfully.
qsqhvpgi => Service deleted successfully.
C:\Users\Nick\AppData\Roaming\cache.dat => Moved successfully.
C:\Users\Nick\AppData\Roaming\cache.ini => Moved successfully.
C:\ProgramData\81wl7bzj.bxx => Moved successfully.
C:\ProgramData\81wl7bzj.fvv => Moved successfully.
C:\ProgramData\81wl7bzj.pss => Moved successfully.
C:\ProgramData\jzb7lw18.dss => Moved successfully.
C:\Users\Nick\AppData\Local\Temp\h1187579479.tmp.exe => Moved successfully.
C:\Users\Nick\AppData\Local\Temp\h132904577.tmp.exe => Moved successfully.
C:\Users\Nick\AppData\Local\Temp\h624889507.tmp.dll => Moved successfully.
 
==== End of Fixlog ====
 
I will run the other recommended steps and post the results as they come.


#4 Chemenger

Chemenger
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:04:44 AM

Posted 08 January 2014 - 06:58 PM

Here are the contents of the RogueKiller report:

 

RogueKiller V8.8.0 _x64_ [Dec 27 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
 
Operating System : Windows Vista (6.0.6002 Service Pack 2) 64 bits version
Started in : Normal mode
User : Nick [Admin rights]
Mode : Remove -- Date : 01/08/2014 18:55:56
| ARK || FAK || MBR |
 
¤¤¤ Bad processes : 0 ¤¤¤
 
¤¤¤ Registry Entries : 5 ¤¤¤
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)
[HJ DLL][SUSP PATH] HKLM\[...]\CCSet\[...]\Parameters : ServiceDll (C:\PROGRA~3\81wl7bzj.pss [x]) -> REPLACED (%SystemRoot%\system32\wbem\WMIsvc.dll)
[HJ DLL][SUSP PATH] HKLM\[...]\CS001\[...]\Parameters : ServiceDll (C:\PROGRA~3\81wl7bzj.pss [x]) -> REPLACED (%SystemRoot%\system32\wbem\WMIsvc.dll)
[HJ DLL][SUSP PATH] HKLM\[...]\CS002\[...]\Parameters : ServiceDll (C:\PROGRA~3\81wl7bzj.pss [x]) -> REPLACED (%SystemRoot%\system32\wbem\WMIsvc.dll)
 
¤¤¤ Scheduled tasks : 0 ¤¤¤
 
¤¤¤ Startup Entries : 0 ¤¤¤
 
¤¤¤ Web browsers : 0 ¤¤¤
 
¤¤¤ Browser Addons : 0 ¤¤¤
 
¤¤¤ Particular Files / Folders: ¤¤¤
[ZeroAccess][File] Desktop.ini : C:\Windows\assembly\GAC_32\Desktop.ini [-] --> DELETED
[ZeroAccess][File] Desktop.ini : C:\Windows\assembly\GAC_64\Desktop.ini [-] --> DELETED
[ZeroAccess][Junction] MpAsDesc.dll : C:\Program Files\Microsoft Security Client\MpAsDesc.dll >> \systemroot\system32\config [-] --> Junction DELETED
[ZeroAccess][Junction] MpClient.dll : C:\Program Files\Microsoft Security Client\MpClient.dll >> \systemroot\system32\config [-] --> Junction DELETED
[ZeroAccess][Junction] MpRTP.dll : C:\Program Files\Microsoft Security Client\MpRTP.dll >> \systemroot\system32\config [-] --> Junction DELETED
[ZeroAccess][Junction] MpSvc.dll : C:\Program Files\Microsoft Security Client\MpSvc.dll >> \systemroot\system32\config [-] --> Junction DELETED
[ZeroAccess][Junction] MsMpEng.exe : C:\Program Files\Microsoft Security Client\MsMpEng.exe >> \systemroot\system32\config [-] --> Junction DELETED
[ZeroAccess][Junction] NisIpsPlugin.dll : C:\Program Files\Microsoft Security Client\NisIpsPlugin.dll >> \systemroot\system32\config [-] --> Junction DELETED
[ZeroAccess][Junction] NisLog.dll : C:\Program Files\Microsoft Security Client\NisLog.dll >> \systemroot\system32\config [-] --> Junction DELETED
[ZeroAccess][Junction] NisSrv.exe : C:\Program Files\Microsoft Security Client\NisSrv.exe >> \systemroot\system32\config [-] --> Junction DELETED
[ZeroAccess][Folder] Install : C:\Users\Nick\AppData\Local\Google\Desktop\Install [-] --> DELETED
[ZeroAccess][Folder] Install : C:\Program Files (x86)\Google\Desktop\Install [-] --> DELETED
[ZeroAccess][File] GOOGLE~1.EXE : C:\Users\Nick\AppData\Local\Google\Desktop\Install\{B1DD5~1\C3C1~1\01C8~1\CFFE~1\{B1DD5~1\GOOGLE~1.EXE [-] --> DELETED
[ZeroAccess][Folder] L : C:\Users\Nick\AppData\Local\Google\Desktop\Install\{B1DD5~1\C3C1~1\01C8~1\CFFE~1\{B1DD5~1\L [-] --> DELETED
[ZeroAccess][Folder] U : C:\Users\Nick\AppData\Local\Google\Desktop\Install\{B1DD5~1\C3C1~1\01C8~1\CFFE~1\{B1DD5~1\U [-] --> DELETED
[ZeroAccess][Folder] {B1DD5~1 : C:\Users\Nick\AppData\Local\Google\Desktop\Install\{B1DD5~1\C3C1~1\01C8~1\CFFE~1\{B1DD5~1 [-] --> DELETED
[ZeroAccess][Folder] CFFE~1 : C:\Users\Nick\AppData\Local\Google\Desktop\Install\{B1DD5~1\C3C1~1\01C8~1\CFFE~1 [-] --> DELETED
[ZeroAccess][Folder] 01C8~1 : C:\Users\Nick\AppData\Local\Google\Desktop\Install\{B1DD5~1\C3C1~1\01C8~1 [-] --> DELETED
[ZeroAccess][Folder] C3C1~1 : C:\Users\Nick\AppData\Local\Google\Desktop\Install\{B1DD5~1\C3C1~1 [-] --> DELETED
[ZeroAccess][Folder] {B1DD5~1 : C:\Users\Nick\AppData\Local\Google\Desktop\Install\{B1DD5~1 [-] --> DELETED
[ZeroAccess][File] GOOGLE~1.EXE : C:\PROGRA~2\Google\Desktop\Install\{B1DD5~1\0103~1\7154~1\CFFE~1\{B1DD5~1\GOOGLE~1.EXE [-] --> DELETED
[ZeroAccess][Folder] L : C:\PROGRA~2\Google\Desktop\Install\{B1DD5~1\0103~1\7154~1\CFFE~1\{B1DD5~1\L [-] --> DELETED
[ZeroAccess][Folder] U : C:\PROGRA~2\Google\Desktop\Install\{B1DD5~1\0103~1\7154~1\CFFE~1\{B1DD5~1\U [-] --> DELETED
[ZeroAccess][Folder] {B1DD5~1 : C:\PROGRA~2\Google\Desktop\Install\{B1DD5~1\0103~1\7154~1\CFFE~1\{B1DD5~1 [-] --> DELETED
[ZeroAccess][Folder] CFFE~1 : C:\PROGRA~2\Google\Desktop\Install\{B1DD5~1\0103~1\7154~1\CFFE~1 [-] --> DELETED
[ZeroAccess][Folder] 7154~1 : C:\PROGRA~2\Google\Desktop\Install\{B1DD5~1\0103~1\7154~1 [-] --> DELETED
[ZeroAccess][Folder] 0103~1 : C:\PROGRA~2\Google\Desktop\Install\{B1DD5~1\0103~1 [-] --> DELETED
[ZeroAccess][Folder] {B1DD5~1 : C:\PROGRA~2\Google\Desktop\Install\{B1DD5~1 [-] --> DELETED
 
¤¤¤ Driver : [NOT LOADED 0x0] ¤¤¤
 
¤¤¤ External Hives: ¤¤¤
 
¤¤¤ Infection : ZeroAccess ¤¤¤
 
¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts
 
 
127.0.0.1       localhost
::1             localhost
 
 
¤¤¤ MBR Check: ¤¤¤
 
+++++ PhysicalDrive0: ( @ )  +++++
--- User ---
[MBR] f7a8463d071566bd972003f24663f2d6
[BSP] 1461193b3e2bbaaf6e84b4bf85add7be : Windows Vista MBR Code
Partition table:
0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 1500 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 3074048 | Size: 222472 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 458696704 | Size: 7410 Mo
3 - [XXXXXX] NTFS (0x17) [HIDDEN!] Offset (sectors): 473872384 | Size: 7084 Mo
User = LL1 ... OK!
User = LL2 ... OK!
 
Finished : << RKreport[0]_D_01082014_185556.txt >>
RKreport[0]_S_01082014_185457.txt


#5 Chemenger

Chemenger
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:04:44 AM

Posted 08 January 2014 - 07:12 PM

Here are the contents of the DDS log:

 

DDS (Ver_2012-11-20.01) - NTFS_AMD64 
Internet Explorer: 9.0.8112.16476
Run by Nick at 19:00:54 on 2014-01-08
.
============== Running Processes ================
.
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files (x86)\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Windows\SysWOW64\PnkBstrB.exe
C:\Program Files (x86)\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe
C:\Program Files\ltmoh\ltmoh.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files\TOSHIBA\HDMICtrlMan\HCMSoundChanger.exe
C:\Windows\SysWOW64\svchost.exe -k hpdevmgmt
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.ca/
uSearch Bar = hxxp://www.google.com/ie
uSearch Page = hxxp://www.google.com
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
uWinlogon: Userinit = C:\Windows\System32\userinit.exe
mWinlogon: Userinit = C:\Windows\System32\userinit.exe
BHO: Adobe PDF Reader Link Helper: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
BHO: SSVHelper Class: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
BHO: HP Smart BHO Class: {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
uRun: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe
uRun: [MsnMsgr] "C:\Program Files (x86)\Windows Live\Messenger\MsnMsgr.Exe" /background
uRun: [Google Update] "C:\Users\Nick\AppData\Local\Google\Update\GoogleUpdate.exe" /c
mRun: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 8.0\Reader\Reader_sl.exe"
mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-Explorer: BindDirectlyToPropertySetStorage = dword:0
mPolicies-Explorer: MaxRecentDocs = dword:0
mPolicies-Explorer: NoDriveTypeAutoRun = dword:255
mPolicies-Explorer: NoWinKey = dword:0
mPolicies-Explorer: NoNetConnextDisconnect = dword:0
mPolicies-Explorer: NoWindowsUpdate = dword:0
mPolicies-Explorer: NoDriveAutoRun = dword:-1
mPolicies-Explorer: NoSMConfigurePrograms = dword:0
mPolicies-Explorer: NoControlPanle = dword:0
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
mPolicies-System: NoAdminPage = dword:0
IE: Add to Google Photos Screensa&ver - C:\Windows\System32\GPhotos.scr/200
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE/3000
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
IE: {FB858B22-55E2-413f-87F5-30ADC5552151} - C:\Program Files (x86)\PlotSoft\PDFill\DownloadPDF.exe
LSP: mswsock.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
TCP: NameServer = 192.168.0.1
TCP: Interfaces\{12C2AE21-929E-4174-9227-D3BB7C46A15F} : DHCPNameServer = 64.71.255.205 64.71.255.253
TCP: Interfaces\{3EAD3B9A-4CC1-443B-848F-81306AD4CB68} : DHCPNameServer = 24.48.19.13 24.202.72.13 24.53.0.2
TCP: Interfaces\{AE95CBF2-EF58-46D5-BC40-D881CED4E61F} : DHCPNameServer = 192.168.0.1
Handler: intu-ir2009 - {E4616804-F2F8-4839-B728-5305004DA6A7} - <orphaned>
Handler: intu-qt2008 - {05E53CE9-66C8-4a9e-A99F-FDB7A8E7B596} - <orphaned>
Handler: intu-tt2011 - {B3B5DAD9-E96D-45b4-B636-B6CF2F773DE1} - C:\Program Files (x86)\TurboTax 2011\ic2011pp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll
LSA: Security Packages =  kerberos msv1_0 schannel wdigest tspkg
x64-mStart Page = hxxp://www.shoptoshiba.ca/welcome
x64-mDefault_Page_URL = hxxp://www.shoptoshiba.ca/welcome
x64-mWinlogon: Userinit = C:\Windows\System32\userinit.exe
x64-BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
x64-Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
x64-Run: [RtHDVCpl] RAVCpl64.exe
x64-Run: [Skytel] Skytel.exe
x64-Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
x64-Run: [TPwrMain] C:\Program Files (x86)\TOSHIBA\Power Saver\TPwrMain.EXE
x64-Run: [HSON] C:\Program Files (x86)\TOSHIBA\TBS\HSON.exe
x64-Run: [SmoothView] C:\Program Files (x86)\Toshiba\SmoothView\SmoothView.exe
x64-Run: [00TCrdMain] C:\Program Files (x86)\TOSHIBA\FlashCards\TCrdMain.exe
x64-Run: [HDMICtrlMan] C:\Program Files (x86)\TOSHIBA\HDMICtrlMan\HDMICtrlMan.exe
x64-Run: [MSC] "c:\Program Files\Microsoft Security Client\mssecex.exe" -hide -runkey
x64-mPolicies-Explorer: BindDirectlyToPropertySetStorage = dword:0
x64-mPolicies-Explorer: MaxRecentDocs = dword:0
x64-mPolicies-Explorer: NoDriveTypeAutoRun = dword:255
x64-mPolicies-Explorer: NoWinKey = dword:0
x64-mPolicies-Explorer: NoNetConnextDisconnect = dword:0
x64-mPolicies-Explorer: NoWindowsUpdate = dword:0
x64-mPolicies-Explorer: NoDriveAutoRun = dword:-1
x64-mPolicies-Explorer: NoSMConfigurePrograms = dword:0
x64-mPolicies-Explorer: NoControlPanle = dword:0
x64-mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
x64-mPolicies-System: ConsentPromptBehaviorUser = dword:3
x64-mPolicies-System: EnableUIADesktopToggle = dword:0
x64-IE: {ED93D107-B43A-490e-AA5C-C5578BAAF479} - C:\Program Files (x86)\PlotSoft\PDFill\DownloadPDF.exe
x64-Handler: intu-ir2009 - {E4616804-F2F8-4839-B728-5305004DA6A7} - <orphaned>
x64-Handler: intu-qt2008 - {05E53CE9-66C8-4a9e-A99F-FDB7A8E7B596} - <orphaned>
x64-Handler: intu-tt2011 - {B3B5DAD9-E96D-45b4-B636-B6CF2F773DE1} - <orphaned>
x64-Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - <orphaned>
.
============= SERVICES / DRIVERS ===============
.
R? clr_optimization_v2.0.50727_64;Microsoft .NET Framework NGEN v2.0.50727_X64
R? clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86
R? clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64
R? Netaapl;Apple Mobile Device Ethernet Service
R? NETw4v64;Intel® Wireless WiFi Link Adapter Driver for Windows Vista 64 Bit
R? NisDrv;Microsoft Network Inspection System
R? NisSrv;NisSrv
R? PerfHost;Performance Counter DLL Host
R? SkypeUpdate;Skype Updater
R? TOSHIBA SMART Log Service;TOSHIBA SMART Log Service
R? USBAAPL64;Apple Mobile USB Driver
R? WDC_SAM;WD SCSI Pass Thru driver
R? WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0
S? ConfigFree Service;ConfigFree Service
S? FontCache;Windows Font Cache Service
S? FwLnk;FwLnk Driver
S? MpFilter;Microsoft Malware Protection Driver
S? NETw5v64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit
S? tos_sps64;TOSHIBA tos_sps64 Service
.
=============== File Associations ===============
.
FileExt: .js: JSFile=C:\Windows\SysWOW64\WScript.exe "%1" %*
FileExt: .jse: JSEFile=C:\Windows\SysWOW64\WScript.exe "%1" %*
.
=============== Created Last 30 ================
.
.
==================== Find3M  ====================
.
2014-01-09 00:01:43 71048 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2014-01-09 00:01:43 692616 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2014-01-06 19:23:36 4558848 ----a-w- C:\Windows\SysWow64\GPhotos.scr
2014-01-03 06:08:58 49940480 ----a-w- C:\Program Files (x86)\GUT142C.tmp
2014-01-03 03:10:32 26548024 ----a-w- C:\asdsetup.exe
.
============= FINISH: 19:02:45.63 ===============
 
The scan also produced a file called Attach.txt which contains a list of the programs installed on my machine, and told me I should attach it to my post.


#6 nasdaq

nasdaq

  • Malware Response Team
  • 40,190 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:05:44 AM

Posted 09 January 2014 - 08:33 AM

Looking better but still some work to do.

Please download ComboFix from any of the links below, and save it to your desktop. For information regarding this download, please visit this web page: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop

IMPORTANT....

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Do not install any other programs until this is fixed.


How to : Disable Anti-virus and Firewall...
http://www.bleepingcomputer.com/forums/topic114351.html

Double click on ComboFix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt
Note:
Do not mouse click ComboFix's window while it's running. That may cause it to stall


Note: If you have difficulty properly disabling your protective programs, refer to this link --> http://www.bleepingcomputer.com/forums/topic114351.html

Note: If after running ComboFix you get this error message "Illegal operation attempted on a registry key that has been marked for deletion." when attempting to run a program all you need to do is restart the computer to reset the registry.
==============

#7 Chemenger

Chemenger
  • Topic Starter

  • Members
  • 6 posts
  • Local time:04:44 AM

Posted 10 January 2014 - 07:17 PM

ComboFix 14-01-08.03 - Nick 10/01/2014  19:06:10.1.2 - x64
Microsoft® Windows Vista™ Home Premium   6.0.6002.2.1252.2.1033.18.3069.1839 [GMT -5:00]
Running from: c:\users\Nick\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {3F839487-C7A2-C958-E30C-E2825BA31FB5}
SP: Microsoft Security Essentials *Disabled/Updated* {84E27563-E198-C6D6-D9BC-D9F020245508}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\AMMYY
c:\programdata\AMMYY\BATCH-INSTALL.bat
c:\programdata\AMMYY\hr
c:\programdata\AMMYY\hr3
c:\programdata\AMMYY\settings3.bin
.
.
(((((((((((((((((((((((((   Files Created from 2013-12-11 to 2014-01-11  )))))))))))))))))))))))))))))))
.
.
2014-01-11 00:13 . 2014-01-11 00:13 -------- d-----w- c:\users\Nick\AppData\Local\temp
2014-01-11 00:13 . 2014-01-11 00:13 -------- d-----w- c:\users\Default\AppData\Local\temp
2014-01-10 23:54 . 2014-01-10 23:54 56616 ----a-w- c:\windows\system32\drivers\iscxoegb.sys
2014-01-10 23:54 . 2014-01-10 23:54 75888 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{CFD10772-9716-464B-8CDA-73C84765E6BC}\offreg.dll
2014-01-10 23:42 . 2013-10-18 03:11 965000 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{E4C5763F-493D-434D-9A1F-382787F5FD06}\gapaengine.dll
2014-01-10 23:32 . 2013-12-04 00:28 10315576 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{CFD10772-9716-464B-8CDA-73C84765E6BC}\mpengine.dll
2014-01-10 23:16 . 2014-01-11 00:13 -------- d-----w- C:\32788R22FWJFW
2014-01-08 23:51 . 2014-01-08 23:51 72448 ----a-w- c:\windows\system32\drivers\ohci1394.sys.bak
2014-01-06 19:23 . 2014-01-06 19:23 4558848 ----a-w- c:\windows\SysWow64\GPhotos.scr
2014-01-03 18:40 . 2014-01-03 18:40 -------- d-----w- C:\FRST
2014-01-03 06:08 . 2014-01-03 06:08 49940480 ----a-w- c:\program files (x86)\GUT142C.tmp
2014-01-03 06:08 . 2014-01-03 06:08 -------- d-----w- c:\program files (x86)\GUM142B.tmp
2014-01-03 03:09 . 2014-01-03 03:10 26548024 ----a-w- C:\asdsetup.exe
2014-01-03 01:08 . 2014-01-03 01:08 -------- d---a-w- C:\$Anvi Rescue Disk$
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-01-09 00:01 . 2012-09-25 21:58 692616 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2014-01-09 00:01 . 2011-05-16 21:54 71048 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2013-11-19 10:21 . 2009-10-02 21:35 267936 ------w- c:\windows\system32\MpSigStub.exe
2013-10-18 03:11 . 2011-09-09 01:02 965000 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\NISBackup\gapaengine.dll
2013-10-14 07:12 . 2013-10-21 09:25 10280728 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe" [2008-01-30 432640]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2013-09-13 59720]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2012-10-25 421888]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2013-10-01 152392]
.
c:\users\Nick\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
81wl7bzj.lnk - c:\windows\System32\rundll32.exe c:\progra~3\jzb7lw18.dss,XL200 [2006-11-2 46592]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"NoAdminPage"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoChangeStartMenu"= 00000000
"MaxRecentDocs"= 0 (0x0)
"NoWinKey"= 0 (0x0)
"NoNetConnextDisconnect"= 0 (0x0)
"NoSMConfigurePrograms"= 0 (0x0)
"NoControlPanle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\system32\userinit.exe"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MSMPSVC
*NewlyCreated* - WS2IFSL
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ   hpqcxs08 hpqddsvc
.
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Svchost  - NetSvcs
Themes
.
Contents of the 'Scheduled Tasks' folder
.
2014-01-11 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-09-25 00:01]
.
2014-01-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-508846183-1127017395-3120944167-1003Core.job
- c:\users\Nick\AppData\Local\Google\Update\GoogleUpdate.exe [2008-09-03 00:13]
.
2014-01-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-508846183-1127017395-3120944167-1003UA.job
- c:\users\Nick\AppData\Local\Google\Update\GoogleUpdate.exe [2008-09-03 00:13]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-08-14 1573160]
"RtHDVCpl"="RAVCpl64.exe" [2008-01-29 5682688]
"Skytel"="Skytel.exe" [2007-11-20 1826816]
"LtMoh"="c:\program files\ltmoh\Ltmoh.exe" [2007-01-09 191552]
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ca/
uLocal Page = c:\windows\system32\blank.htm
uDefault_Search_URL = hxxp://www.google.com/ie
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office12\EXCEL.EXE/3000
Trusted Zone: spaul.ca\remote
TCP: DhcpNameServer = 192.168.0.1
Handler: intu-tt2011 - {B3B5DAD9-E96D-45b4-B636-B6CF2F773DE1} - c:\program files (x86)\TurboTax 2011\ic2011pp.dll
.
- - - - ORPHANS REMOVED - - - -
.
SafeBoot-WudfPf
SafeBoot-WudfRd
HKLM-Run-TPwrMain - c:\program files (x86)\TOSHIBA\Power Saver\TPwrMain.EXE
HKLM-Run-HSON - c:\program files (x86)\TOSHIBA\TBS\HSON.exe
HKLM-Run-SmoothView - c:\program files (x86)\Toshiba\SmoothView\SmoothView.exe
HKLM-Run-00TCrdMain - c:\program files (x86)\TOSHIBA\FlashCards\TCrdMain.exe
HKLM-Run-HDMICtrlMan - c:\program files (x86)\TOSHIBA\HDMICtrlMan\HDMICtrlMan.exe
HKLM-Run-MSC - c:\program files\Microsoft Security Client\mssecex.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_9_900_170_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_9_900_170_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_9_900_170_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_9_900_170_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_9_900_170.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_9_900_170.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_9_900_170.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_9_900_170.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
@Denied: (A 2) (Everyone)
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
@="Shockwave Flash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
@Denied: (A 2) (Everyone)
@=""
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
@="FlashBroker"
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Classes]
"SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
   00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
Completion time: 2014-01-10  19:16:10
ComboFix-quarantined-files.txt  2014-01-11 00:16
.
Pre-Run: 75,466,993,664 bytes free
Post-Run: 75,661,295,616 bytes free
.
- - End Of File - - CD86D5E261CCE44523D6FCAB9B55923A
5B5E648D12FCADC244C1EC30318E1EB9


#8 nasdaq

nasdaq

  • Malware Response Team
  • 40,190 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:05:44 AM

Posted 11 January 2014 - 08:08 AM


Do you know what this does?
It's in your startup folder.

c:\users\Nick\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
81wl7bzj.lnk - c:\windows\System32\rundll32.exe c:\progra~3\jzb7lw18.dss,XL200 [2006-11-2 46592]


===

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
===

Please let me know of any remaining issues with this computer.
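A defender-side check for the kind of entry nasdaq is pointing at (a Startup-folder shortcut that hands a DLL under an 8.3 short path, with a non-.dll extension, to rundll32.exe): this is an added PowerShell example, not code from this thread or from any BleepingComputer tool. It assumes Windows PowerShell with the WScript.Shell COM object available and the Startup folders resolvable through [Environment]::GetFolderPath; the function name Get-StartupShortcutReport, the loader list and the "trusted root" set are my own choices.

```powershell
# Added example (not from the thread): list every .lnk in the per-user and all-users
# Startup folders and explain why a given one deserves a second look.
function Get-StartupShortcutReport {
    [CmdletBinding()]
    param()

    $shell   = New-Object -ComObject WScript.Shell
    $folders = @(
        [Environment]::GetFolderPath('Startup'),       # per-user Startup folder
        [Environment]::GetFolderPath('CommonStartup')  # all-users Startup folder
    ) | Where-Object { $_ -and (Test-Path -LiteralPath $_) }

    # Built-in binaries commonly used to run a DLL or script from a shortcut.
    $loaders = 'rundll32.exe', 'regsvr32.exe', 'mshta.exe', 'wscript.exe', 'cscript.exe'
    # Assumed "expected" locations for a legitimately installed payload.
    $trusted = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:SystemRoot) |
               Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') + '\' }

    foreach ($folder in $folders) {
        Get-ChildItem -LiteralPath $folder -Filter '*.lnk' -File | ForEach-Object {
            $lnk     = $shell.CreateShortcut($_.FullName)
            $target  = $lnk.TargetPath
            $exeName = [IO.Path]::GetFileName($target).ToLowerInvariant()
            $reasons = New-Object System.Collections.Generic.List[string]

            if ($loaders -contains $exeName) {
                $reasons.Add("target is a loader ($exeName); the real payload is in the arguments")

                # rundll32 takes "<dll>,<export>"; the others take the file as first token.
                # A quoted path (spaces) is taken whole; otherwise split at the first space or comma.
                if ($lnk.Arguments -match '^\s*"([^"]+)"') {
                    $payload = $Matches[1]
                } else {
                    $payload = ($lnk.Arguments -split '[ ,]', 2)[0]
                }

                if ($payload) {
                    $full = [Environment]::ExpandEnvironmentVariables($payload)
                    $item = Get-Item -LiteralPath $full -ErrorAction SilentlyContinue
                    if ($item) { $full = $item.FullName }   # normalises 8.3 names such as c:\progra~3 when the file exists

                    if ($payload -match '~\d') {
                        $reasons.Add("payload is referenced by an 8.3 short path ($payload)")
                    }
                    if (-not ($trusted | Where-Object { $full.StartsWith($_, 'OrdinalIgnoreCase') })) {
                        $reasons.Add("payload lives outside Program Files/Windows ($full)")
                    }
                    $ext = [IO.Path]::GetExtension($full).ToLowerInvariant()
                    if (($exeName -in @('rundll32.exe', 'regsvr32.exe')) -and ($ext -ne '.dll')) {
                        $reasons.Add("payload extension '$ext' is not .dll")
                    }
                    if (-not $item) {
                        $reasons.Add("payload file not found (already removed, or not visible to this session)")
                    }
                }
            }

            [pscustomobject]@{
                Shortcut   = $_.FullName
                Target     = $target
                Arguments  = $lnk.Arguments
                Suspicious = ($reasons.Count -gt 0)
                Reasons    = ($reasons -join '; ')
            }
        }
    }
}

# Run it: suspicious entries first, one record per shortcut.
Get-StartupShortcutReport | Sort-Object Suspicious -Descending | Format-List
```

Run this from a normal (non-elevated) prompt for the per-user folder; the all-users folder is readable without elevation too. The entry quoted above would be flagged on three counts at once: a loader target, an 8.3 path under ProgramData, and a .dss extension where rundll32 expects a DLL. Nothing is deleted; the output is meant to support the "do you know what this does?" question, not to answer it automatically.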

#9 Chemenger

Chemenger
  • Topic Starter

  • Members
  • 6 posts
  • Local time:04:44 AM

Posted 11 January 2014 - 02:21 PM

I have no idea what that is. For what it's worth though, the computer seems to be running top shape. Combofix took care of an error message that was appearing when I logged into Windows.

 

Here is the security check log:

 

 Results of screen317's Security Check version 0.99.78  
 Windows Vista Service Pack 2 x64 (UAC is enabled)  
 Internet Explorer 9  
 Internet Explorer 8  
``````````````Antivirus/Firewall Check:`````````````` 
 Windows Firewall Enabled!  
Microsoft Security Essentials   
 Antivirus up to date!  
`````````Anti-malware/Other Utilities Check:````````` 
 Java™ 6 Update 22  
 Java™ SE Runtime Environment 6 
 Java™ 6 Update 3  
 Java version out of Date! 
 Adobe Flash Player 11.9.900.170  
 Adobe Reader 8 Adobe Reader out of Date! 
 Google Chrome 30.0.1599.101  
 Google Chrome 31.0.1650.63  
````````Process Check: objlist.exe by Laurent````````  
 Microsoft Security Essentials MSMpEng.exe 
`````````````````System Health check````````````````` 
 Total Fragmentation on Drive C: 0 % 
````````````````````End of Log`````````````````````` 
 
Thanks again for all the help! I wouldn't have been able to get rid of this thing without you.


#10 nasdaq

nasdaq

  • Malware Response Team
  • 40,190 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:05:44 AM

Posted 12 January 2014 - 09:23 AM


Delete the .lnk file and keep it in your recycle bin.
If a program needs it to run you will be prompted that the file is not available.
c:\users\Nick\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\81wl7bzj.lnk

In a week if all is well you can flush it.
===

Secure your system by updating 3rd party programs.

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.
The latest version, Java JRE 7u45, was released on Oct. 15, 2013.

You can manually check your present version and update as recommended.
https://www.java.com/en/download/installed.jsp

Be careful not to install malware posing as Java update!
Important: read this blog.
http://blog.trendmicro.com/trendlabs-security-intelligence/malware-poses-as-an-update-for-java-0-day-fix/

Quoted from the page.
"In light of the recent events surrounding Java, users must seriously consider their use of Java. Do they really need it? If yes, make sure that users follow the steps we recommended and get the security update directly from the official oracle website." at:
http://www.oracle.com/technetwork/java/javase/downloads/index.html

How to disable Java in your browsers
http://www.infoworld.com/t/web-browsers/how-disable-java-in-your-browsers-210882


If present remove the old version(s) of Java using the Add/Remove Programs applet.

Java™ 6 Update 22
Java™ SE Runtime Environment 6
Java™ 6 Update 3


===

Adobe Reader/Acrobat v11.0.05 was released Oct 8, 2013

Get the latest version of the Adobe Reader.
http://get.adobe.com/reader/
Before you download I suggest you uncheck the box on the top right "Yes, install McAfee Security Scan Plus - optional"; this is not required if you are not a McAfee subscriber. While the installation is in progress you can also deny the installation of any other programs that may be suggested.

When installed remove your old version of the Reader using the Add/Remove Programs applet if present.

p.s.
Adobe is planning to release security updates on Tuesday, January 14, 2014 for Adobe Reader and Acrobat XI (11.0.05) and earlier versions for Windows and Macintosh.
You may wish to wait a day or 2.
<<<>>>



If all is well:

Time for some housekeeping
  • The following will implement some cleanup procedures as well as reset System Restore points:
  • Click Start > Run and copy/paste the following bold text into the Run box and click OK:
  • ComboFix /Uninstall
===


Please consider using these ideas to help secure your computer. While there is no way to guarantee safety when you use a computer, these steps will make it much less likely that you will need to endure another infection. While we really like to help people, we would rather help you protect yourself so that you won't need that help in the future.

Please either enable Automatic Updates under Start -> Control Panel -> Automatic Updates or get into the habit of checking Windows Update regularly. They usually have security updates every month. You can set Windows to notify you of Updates so that you can choose, but only do this if you believe you are able to understand which ones are needed. This is a crucial security measure.

Having an effective antivirus is a must for everyone.
In addition to many excellent commercial products there are plenty of good free antivirus programs available. I can recommend:

If you are satisfied with your current protection programs you can ignore the instructions on Antivirus or Firewall listed below.

In addition to an antivirus I recommend using a firewall. A software firewall is a software program that helps screen out hackers, viruses, and worms that try to reach your computer over the Internet. I can recommend one of the following free products:

Please note: Many installers offer third-party downloads that are installed automatically when you do not uncheck certain checkboxes. While most of the time not malicious, you usually do not want these on your computer. Be careful during the installation process and you will avoid seeing tons of new unwanted toolbars in your favorite web browser.

Please consider installing and running some of the following programs; they are either free or have free versions of commercial programs:

Malwarebytes Anti-Malware (MBAM)
The free version of MBAM can be used to scan the system for traces of malware. Scanning your system regularly will make it harder for malware to reside on your system.
A tutorial on using MBAM can be found here.
Please Note: Only the paid for version has real time capabilities.

SpywareBlaster
A tutorial on using SpywareBlaster to prevent malware from ever installing on your computer may be found here.

Please keep these programs up-to-date and run them whenever you suspect a problem to prevent malware problems. A number of programs have resident protection and it is a good idea to run the resident protection of one of each type of program to maintain protection. However, it is important to run only one resident program of each type since they can conflict and become less effective. That means only one antivirus, firewall and scanning anti-spyware program at a time. Passive protectors, like SpywareBlaster can be run with any of them.

Note that there are a lot of rogue programs out there that want to scare you into giving them your money and some malware actually claims to be security programs. If you get a popup for a security program that you did not install yourself, do NOT click on it and ask for help immediately. It is very important to run an antivirus and firewall, but you can't always rely on reviews and ads for information. Ask in a security forum that you trust if you are not sure. If you are unsure and looking for anti-spyware programs, you can find out if it is a rogue here:

A similar category of programs is now called "scareware." Scareware programs are active infections that will pop-up on your computer and tell you that you are infected. If you look closely, it will usually have a name that looks like it might be legitimate, but it is NOT one of the programs you installed. It tells you to click and install it right away. If you click on any part of it, including the 'X' to close it, you may actually help it infect your computer further. Keeping protection updated and running resident protection can help prevent these infections. If it happens anyway, get offline as quickly as you can. Pull the internet connection cable or shut down the computer if you have to. Contact someone to help by using another computer if possible. These programs are also sometimes called 'rogues', but they are different than the older version of rogues mentioned above.

Please keep your programs up to date. This applies to Java, Adobe Flashplayer, Adobe Reader and your Internet Browsers in particular. Vulnerabilities in these programs are often exploited in order to install malware on your PC. Visiting a prepared web page suffices to infect your system.

In general Firefox, Opera and Google Chrome are considered to be more secure than Internet Explorer. In addition there are many useful add-ons that can protect you from possible risks:
  • WOT will warn you when you try to visit sites with poor reputation. The reputation is based on user ratings and is usually very accurate.
  • Script Blocker can help blocking many attempts to infect your system via malicious websites by only allowing scripts at sites you trust.
  • NoScript is a popular Firefox add-on.
  • ScriptNo is a popular Google Chrome add-on.
For much more useful information, please also read Tony Klein's excellent article: How did I get infected in the first place

Hopefully these steps will help to keep you error free. If you run into more difficulty, we will certainly do what we can to help.
===

#11 nasdaq

nasdaq

  • Malware Response Team
  • 40,190 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:05:44 AM

Posted 18 January 2014 - 11:03 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.



