Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

explorer.exe keeps respawning


  • This topic is locked This topic is locked
12 replies to this topic

#1 magnet0

magnet0

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Local time:02:53 AM

Posted 21 March 2014 - 07:03 PM

Friends computer.  He kept complaining that his machine was really slow.  He got some advice from someone who thought he knew what he was doing.  After the problem started, my friend installed MBAM.  He said that MBAM didn't find anything.  He tried running MBAR and it said that it found a couple of malware but the problem persisted.  Then someone told him to run ComboFix but the problem is still there. 

 

So, finally he came to me. I told him that I would present the case to some people 'in the know' and maybe get his machine cleared up.  I am noticing that there are multiple copies of explorer.exe running.  The thing is, though, that I can tell which ones are not the 'real' explorer because the command line in task manager is in quotes.  MBAM is blocking some of the activity as access to potentially malicious websites.

 

I tried running DDS but it is only generating the attach.txt log and no dds.txt log.

 

Attached File  attach.txt   2.31KB   3 downloads



BC AdBot (Login to Remove)

 


#2 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Bulgaria
  • Local time:10:53 AM

Posted 24 March 2014 - 04:25 AM

Hello! Welcome to BleepingComputer Forums! :welcome:
My name is Georgi and and I will be helping you with your computer problems.

Before we begin, please note the following:

  • I will working be on your Malware issues, this may or may not, solve other issues you have with your machine.
  • The logs can take some time to research, so please be patient with me.
  • Stay with the topic until I tell you that your system is clean. Missing symptoms does not mean that everything is okay.
  • Instructions that I give are for your system only!
  • Please do not run any tools until requested ! The reason for this is so I know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.
  • Please perform all steps in the order received. If you can't understand something don't hesitate to ask.
  • Again I would like to remind you to make no further changes to your computer unless I direct you to do so. I will not help you if you do not follow my instructions.

 

 

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatibale with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.

 

 

Regards,

Georgi


cXfZ4wS.png


#3 magnet0

magnet0
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Local time:02:53 AM

Posted 24 March 2014 - 06:58 AM

Thanks so much, Georgi!

 

Here's the FRST log.  Addition is attached to this post.

--------------------------------------------------------------------

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 13-03-2014
Ran by Layne Donovan (administrator) on LAYNEDONOVAN-PC on 24-03-2014 07:54:28
Running from C:\Users\Layne Donovan\Desktop
Windows 7 Home Premium (X64) OS Language: English(US)
Internet Explorer Version 8
Boot Mode: Normal

The only official download link for FRST:
Download link for 32-Bit version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/81/
Download link for 64-Bit Version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/82/
Download link from any site other than Bleeping Computer is unpermitted or outdated.
See tutorial for FRST: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(Microsoft Corporation) c:\Program Files\Microsoft Security Client\MsMpEng.exe
(Microsoft Corporation.) C:\Program Files (x86)\Microsoft\BingBar\7.2.241.0\BBSvc.exe
(Acer Incorporated) C:\Program Files (x86)\Gateway\Registration\GREGsvc.exe
(Microsoft Corporation) C:\Windows\SysWOW64\svchost.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
(Nitro PDF Software) C:\Program Files\Common Files\Nitro PDF\Reader\2.0\NitroPDFReaderDriverService2x64.exe
(Symantec Corporation) C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe
(Acer Group) C:\Program Files\Gateway\Gateway Updater\UpdaterService.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
(Intel Corporation) C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
(Microsoft Corporation) C:\Windows\system32\msiexec.exe
(Microsoft Corporation) C:\Windows\SysWOW64\DllHost.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
(Intel Corporation) C:\Windows\System32\igfxtray.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Hewlett-Packard Co.) C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe
(Adobe Systems Incorporated) C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe
() C:\Program Files (x86)\Gateway\Hotkey Utility\HotkeyUtility.exe
(Hewlett-Packard) C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe
(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
(Hewlett-Packard Co.) C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe
(Hewlett-Packard Co.) C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe
(Hewlett-Packard) C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe


==================== Registry (Whitelisted) ==================

HKLM\...\Run: [IAAnotif] - C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\iaanotif.exe [186904 2009-06-04] (Intel Corporation)
HKLM\...\Run: [RtHDVCpl] - C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [7981088 2009-07-20] (Realtek Semiconductor)
HKLM-x32\...\Run: [Adobe Reader Speed Launcher] - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe [41056 2013-05-08] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Hotkey Utility] - C:\Program Files (x86)\Gateway\Hotkey Utility\HotkeyUtility.exe [611872 2010-08-04] ()
HKLM-x32\...\Run: [HP Software Update] - C:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe [49208 2011-10-28] (Hewlett-Packard)
HKLM-x32\...\Run: [] - [X]
HKLM-x32\...\Run: [SunJavaUpdateSched] - C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [254336 2013-07-02] (Oracle Corporation)
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)

==================== Internet (Whitelisted) ====================

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://rein.mlxchange.com/
HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bing.com/?pc=MAGW
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.bing.com/?pc=MAGW
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = http://www.bing.com/?pc=MAGW
StartMenuInternet: IEXPLORE.EXE - C:\Program Files (x86)\Internet Explorer\iexplore.exe
SearchScopes: HKCU - DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKCU - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.9012.1008\swg64.dll (Google Inc.)
BHO-x32: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll (Hewlett-Packard Co.)
BHO-x32: Adobe PDF Link Helper - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
BHO-x32: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
BHO-x32: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO-x32: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO-x32: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
BHO-x32: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.7.9012.1008\swg.dll (Google Inc.)
BHO-x32: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
BHO-x32: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll (Hewlett-Packard Co.)
Toolbar: HKLM - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
Toolbar: HKLM-x32 - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
Toolbar: HKCU - Google Toolbar - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
DPF: HKLM-x32 {61BB6943-A0FF-4637-AA85-47290BDE178E} https://www.trueformsonline.com/Downloads/TFLauncher_2/tflauncher.dll
DPF: HKLM-x32 {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab
DPF: HKLM-x32 {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.adobe.com/pub/shockwave/cabs/flash/swflash.cab
Tcpip\Parameters: [DhcpNameServer] 192.168.2.1

Chrome:
=======
CHR HomePage: hxxp://rein.fusionmls.com/
CHR Extension: (Google Drive) - C:\Users\Layne Donovan\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2012-11-26]
CHR Extension: (YouTube) - C:\Users\Layne Donovan\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2012-11-26]
CHR Extension: (Google Search) - C:\Users\Layne Donovan\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2012-11-26]
CHR Extension: (Google Wallet) - C:\Users\Layne Donovan\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2013-11-15]
CHR Extension: (Gmail) - C:\Users\Layne Donovan\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2012-11-26]

==================== Services (Whitelisted) =================

R2 MBAMScheduler; C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [418376 2013-04-04] (Malwarebytes Corporation)
R2 MBAMService; C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [701512 2013-04-04] (Malwarebytes Corporation)
R2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [23808 2013-10-23] (Microsoft Corporation)
S3 NisSrv; c:\Program Files\Microsoft Security Client\NisSrv.exe [348376 2013-10-23] (Microsoft Corporation)
R2 NitroReaderDriverReadSpool2; C:\Program Files\Common Files\Nitro PDF\Reader\2.0\NitroPDFReaderDriverService2x64.exe [341800 2011-12-20] (Nitro PDF Software)
R2 NOBU; C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe [2804568 2010-06-01] (Symantec Corporation)

==================== Drivers (Whitelisted) ====================

U5 AppMgmt; C:\Windows\system32\svchost.exe [27136 2009-07-13] (Microsoft Corporation)
R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25928 2013-04-04] (Malwarebytes Corporation)
R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [248240 2013-09-27] (Microsoft Corporation)
S3 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [134944 2013-09-27] (Microsoft Corporation)
S3 catchme; \??\C:\ComboFix\catchme.sys [X]
S1 MpKsld9f7c82b; \??\c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{09A0134F-BEDA-4B4E-A6E0-9AC151B1CAC9}\MpKsld9f7c82b.sys [X]

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2014-03-24 07:54 - 2014-03-24 07:54 - 00010171 _____ () C:\Users\Layne Donovan\Desktop\FRST.txt
2014-03-24 07:53 - 2014-03-24 07:54 - 00000000 ____D () C:\FRST
2014-03-24 07:53 - 2014-03-24 07:45 - 02157056 _____ (Farbar) C:\Users\Layne Donovan\Desktop\FRST64.exe
2014-03-23 12:01 - 2014-03-23 12:01 - 00007583 _____ () C:\Users\Layne Donovan\AppData\Local\Resmon.ResmonCfg
2014-03-23 11:21 - 2014-03-23 11:21 - 00000000 ____D () C:\Program Files (x86)\ESET
2014-03-21 19:43 - 2014-03-23 12:13 - 00002371 _____ () C:\Users\Layne Donovan\Desktop\attach.txt
2014-03-21 19:29 - 2014-03-21 19:29 - 00688992 ____R (Swearware) C:\Users\Layne Donovan\Desktop\dds.com
2014-03-21 19:15 - 2014-03-21 19:15 - 01950720 _____ () C:\Users\Layne Donovan\Desktop\AdwCleaner.exe
2014-03-21 19:15 - 2014-03-21 19:15 - 00000000 ____D () C:\AdwCleaner
2014-03-21 18:30 - 2014-03-21 18:30 - 00015939 _____ () C:\ComboFix.txt
2014-03-21 18:04 - 2011-06-26 02:45 - 00256000 _____ () C:\Windows\PEV.exe
2014-03-21 18:04 - 2010-11-07 13:20 - 00208896 _____ () C:\Windows\MBR.exe
2014-03-21 18:04 - 2009-04-20 00:56 - 00060416 _____ (NirSoft) C:\Windows\NIRCMD.exe
2014-03-21 18:04 - 2000-08-30 20:00 - 00518144 _____ (SteelWerX) C:\Windows\SWREG.exe
2014-03-21 18:04 - 2000-08-30 20:00 - 00406528 _____ (SteelWerX) C:\Windows\SWSC.exe
2014-03-21 18:04 - 2000-08-30 20:00 - 00098816 _____ () C:\Windows\sed.exe
2014-03-21 18:04 - 2000-08-30 20:00 - 00080412 _____ () C:\Windows\grep.exe
2014-03-21 18:04 - 2000-08-30 20:00 - 00068096 _____ () C:\Windows\zip.exe
2014-03-21 18:02 - 2014-03-21 18:31 - 00000000 ____D () C:\Qoobox
2014-03-21 18:01 - 2014-03-21 18:27 - 00000000 ____D () C:\Windows\erdnt
2014-03-21 17:54 - 2014-03-21 17:54 - 05190052 ____R (Swearware) C:\Users\Layne Donovan\Desktop\ComboFix.exe
2014-03-14 17:48 - 2014-03-14 17:48 - 05128584 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerInstaller.exe
2014-03-14 17:37 - 2013-12-18 21:04 - 00264616 _____ (Oracle Corporation) C:\Windows\SysWOW64\javaws.exe
2014-03-14 17:36 - 2014-03-14 17:36 - 00005250 _____ () C:\Windows\SysWOW64\jupdate-1.7.0_51-b13.log
2014-03-14 17:36 - 2013-12-18 21:09 - 00096168 _____ (Oracle Corporation) C:\Windows\SysWOW64\WindowsAccessBridge-32.dll
2014-03-14 17:36 - 2013-12-18 21:04 - 00175016 _____ (Oracle Corporation) C:\Windows\SysWOW64\javaw.exe
2014-03-14 17:36 - 2013-12-18 21:03 - 00174504 _____ (Oracle Corporation) C:\Windows\SysWOW64\java.exe
2014-03-14 16:00 - 2014-03-14 16:07 - 00000000 ____D () C:\Users\Layne Donovan\AppData\Local\Microsoft Games
2014-03-14 15:06 - 2014-03-21 18:01 - 00000000 ____D () C:\Users\Layne Donovan\Desktop\mbar
2014-03-14 15:06 - 2014-03-21 17:57 - 00091352 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
2014-03-14 15:04 - 2013-04-04 14:50 - 00025928 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys
2014-03-14 14:46 - 2014-03-14 14:46 - 10285040 _____ (Malwarebytes Corporation ) C:\Users\Layne Donovan\Desktop\mbam-setup-1.75.0.1300.exe
2014-03-14 14:37 - 2014-03-14 14:37 - 12589848 _____ (Malwarebytes Corp.) C:\Users\Layne Donovan\Desktop\mbar-1.07.0.1009.exe
2014-03-14 14:06 - 2014-03-14 14:06 - 00000000 ____D () C:\Windows\Microsoft Antimalware
2014-03-14 13:59 - 2014-03-14 13:59 - 00000000 ____D () C:\Windows\pss
2014-03-13 17:04 - 2014-03-13 17:06 - 00860176 _____ (Microsoft Corporation) C:\Users\Layne Donovan\Desktop\mssstool64.exe
2014-03-13 02:09 - 2014-03-13 02:09 - 00000000 ____D () C:\Users\Layne Donovan\AppData\Roaming\Malwarebytes
2014-03-13 02:08 - 2014-03-14 15:04 - 00000000 ____D () C:\Program Files (x86)\Malwarebytes' Anti-Malware
2014-03-13 02:08 - 2014-03-13 02:08 - 00000000 ____D () C:\ProgramData\Malwarebytes
2014-03-13 01:35 - 2014-03-13 01:35 - 00952904 _____ () C:\Users\Layne Donovan\Downloads\810E.tmp
2014-03-13 01:23 - 2014-03-13 01:23 - 00953161 _____ () C:\Users\Layne Donovan\Downloads\Document Set is Complete 102 A 51st Resale new construction condos.zip
2014-03-13 01:23 - 2014-03-13 01:23 - 00000000 ____D () C:\Users\Layne Donovan\Downloads\Document Set is Complete 102 A 51st Resale new construction condos
2014-03-13 00:54 - 2014-03-13 00:54 - 00000000 ____D () C:\Users\Layne Donovan\Downloads\Document Set is Complete Spigel - Chick - House
2014-03-13 00:53 - 2014-03-13 00:54 - 00934985 _____ () C:\Users\Layne Donovan\Downloads\Document Set is Complete Spigel - Chick - House.zip
2014-03-12 12:27 - 2014-03-12 12:27 - 00839976 _____ () C:\Users\Layne Donovan\Downloads\51stStreet_FrontElevation-Color (2).tif
2014-03-11 11:56 - 2014-03-11 11:56 - 00839976 _____ () C:\Users\Layne Donovan\Downloads\51stStreet_FrontElevation-Color (1).tif
2014-03-10 11:59 - 2014-03-11 10:33 - 00000000 ____D () C:\Users\Layne Donovan\AppData\Roaming\Buciazci
2014-03-10 11:59 - 2014-03-10 11:59 - 00003878 _____ () C:\Windows\System32\Tasks\Security Center Update - 3604282723
2014-03-07 16:46 - 2014-03-07 16:46 - 00839976 _____ () C:\Users\Layne Donovan\Downloads\51stStreet_FrontElevation-Color.tif
2014-03-06 17:29 - 2014-03-12 11:49 - 00000000 ____D () C:\Users\Layne Donovan\AppData\Roaming\Hifuox
2014-03-05 14:24 - 2014-03-05 14:24 - 00012326 _____ () C:\Users\Layne Donovan\AppData\Local\bmsiapbk
2014-03-05 14:22 - 2014-03-05 14:22 - 00068161 _____ () C:\Users\Layne Donovan\AppData\Local\kpwjlkvs
2014-03-05 14:21 - 2014-03-05 14:21 - 00000000 _____ () C:\Users\Layne Donovan\AppData\Roaming\SharedSettings.ccs

==================== One Month Modified Files and Folders =======

2014-03-24 07:54 - 2014-03-24 07:54 - 00010171 _____ () C:\Users\Layne Donovan\Desktop\FRST.txt
2014-03-24 07:54 - 2014-03-24 07:53 - 00000000 ____D () C:\FRST
2014-03-24 07:53 - 2012-07-11 14:29 - 00000908 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2014-03-24 07:52 - 2009-07-14 00:45 - 00009920 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-03-24 07:52 - 2009-07-14 00:45 - 00009920 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-03-24 07:48 - 2012-06-14 14:14 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2014-03-24 07:48 - 2011-02-27 14:36 - 01863581 _____ () C:\Windows\WindowsUpdate.log
2014-03-24 07:45 - 2014-03-24 07:53 - 02157056 _____ (Farbar) C:\Users\Layne Donovan\Desktop\FRST64.exe
2014-03-24 07:45 - 2009-07-14 01:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-03-24 07:45 - 2009-07-14 00:51 - 00062674 _____ () C:\Windows\setupact.log
2014-03-23 12:13 - 2014-03-21 19:43 - 00002371 _____ () C:\Users\Layne Donovan\Desktop\attach.txt
2014-03-23 12:01 - 2014-03-23 12:01 - 00007583 _____ () C:\Users\Layne Donovan\AppData\Local\Resmon.ResmonCfg
2014-03-23 12:01 - 2012-07-11 14:29 - 00000912 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2014-03-23 12:00 - 2013-11-15 10:16 - 00002190 _____ () C:\Users\Public\Desktop\Google Chrome.lnk
2014-03-23 11:21 - 2014-03-23 11:21 - 00000000 ____D () C:\Program Files (x86)\ESET
2014-03-21 19:29 - 2014-03-21 19:29 - 00688992 ____R (Swearware) C:\Users\Layne Donovan\Desktop\dds.com
2014-03-21 19:15 - 2014-03-21 19:15 - 01950720 _____ () C:\Users\Layne Donovan\Desktop\AdwCleaner.exe
2014-03-21 19:15 - 2014-03-21 19:15 - 00000000 ____D () C:\AdwCleaner
2014-03-21 18:39 - 2009-07-14 01:13 - 00726444 _____ () C:\Windows\system32\PerfStringBackup.INI
2014-03-21 18:35 - 2011-02-27 14:37 - 00269550 _____ () C:\Windows\PFRO.log
2014-03-21 18:31 - 2014-03-21 18:02 - 00000000 ____D () C:\Qoobox
2014-03-21 18:31 - 2009-07-13 23:20 - 00000000 __RHD () C:\Users\Default
2014-03-21 18:30 - 2014-03-21 18:30 - 00015939 _____ () C:\ComboFix.txt
2014-03-21 18:27 - 2014-03-21 18:01 - 00000000 ____D () C:\Windows\erdnt
2014-03-21 18:27 - 2009-07-13 22:34 - 00000215 _____ () C:\Windows\system.ini
2014-03-21 18:15 - 2011-12-12 14:14 - 00000000 ____D () C:\Users\Layne Donovan\AppData\Roaming\Microsoft Corporation
2014-03-21 18:01 - 2014-03-14 15:06 - 00000000 ____D () C:\Users\Layne Donovan\Desktop\mbar
2014-03-21 17:57 - 2014-03-14 15:06 - 00091352 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
2014-03-21 17:54 - 2014-03-21 17:54 - 05190052 ____R (Swearware) C:\Users\Layne Donovan\Desktop\ComboFix.exe
2014-03-21 17:36 - 2009-07-13 23:20 - 00000000 __RHD () C:\Users\Public\Libraries
2014-03-14 17:48 - 2014-03-14 17:48 - 05128584 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerInstaller.exe
2014-03-14 17:48 - 2012-06-14 14:14 - 00692616 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2014-03-14 17:48 - 2012-06-14 14:14 - 00071048 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2014-03-14 17:48 - 2012-06-14 14:14 - 00003768 _____ () C:\Windows\System32\Tasks\Adobe Flash Player Updater
2014-03-14 17:47 - 2013-08-15 03:01 - 00000000 ____D () C:\Windows\system32\MRT
2014-03-14 17:43 - 2011-09-13 14:41 - 90015360 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe
2014-03-14 17:42 - 2011-12-09 09:59 - 00000000 ____D () C:\ProgramData\Microsoft Help
2014-03-14 17:37 - 2013-10-23 09:56 - 00000000 ____D () C:\ProgramData\Oracle
2014-03-14 17:36 - 2014-03-14 17:36 - 00005250 _____ () C:\Windows\SysWOW64\jupdate-1.7.0_51-b13.log
2014-03-14 17:36 - 2012-08-07 15:39 - 00000000 ____D () C:\Program Files (x86)\Java
2014-03-14 17:31 - 2013-04-04 13:12 - 00000000 ___RD () C:\Users\Layne Donovan\Dropbox
2014-03-14 17:29 - 2011-09-07 14:37 - 00000000 ____D () C:\Users\Layne Donovan
2014-03-14 16:27 - 2012-01-06 10:57 - 00000000 ____D () C:\Users\Layne Donovan\AppData\Roaming\OpenCandy
2014-03-14 16:27 - 2011-09-28 17:25 - 00000000 ____D () C:\ProgramData\HP
2014-03-14 16:27 - 2010-10-07 15:54 - 00000000 ____D () C:\Windows\SysWOW64\Macromed
2014-03-14 16:27 - 2009-07-13 23:20 - 00000000 ____D () C:\Windows\AppCompat
2014-03-14 16:26 - 2012-06-14 14:14 - 00000000 ____D () C:\Windows\system32\Macromed
2014-03-14 16:26 - 2009-07-13 23:20 - 00000000 ____D () C:\Windows\registration
2014-03-14 16:07 - 2014-03-14 16:00 - 00000000 ____D () C:\Users\Layne Donovan\AppData\Local\Microsoft Games
2014-03-14 15:04 - 2014-03-13 02:08 - 00000000 ____D () C:\Program Files (x86)\Malwarebytes' Anti-Malware
2014-03-14 14:46 - 2014-03-14 14:46 - 10285040 _____ (Malwarebytes Corporation ) C:\Users\Layne Donovan\Desktop\mbam-setup-1.75.0.1300.exe
2014-03-14 14:42 - 2010-10-07 15:52 - 00000000 ____D () C:\Program Files (x86)\Adobe
2014-03-14 14:37 - 2014-03-14 14:37 - 12589848 _____ (Malwarebytes Corp.) C:\Users\Layne Donovan\Desktop\mbar-1.07.0.1009.exe
2014-03-14 14:06 - 2014-03-14 14:06 - 00000000 ____D () C:\Windows\Microsoft Antimalware
2014-03-14 13:59 - 2014-03-14 13:59 - 00000000 ____D () C:\Windows\pss
2014-03-14 09:59 - 2013-03-14 03:01 - 00000000 ____D () C:\Program Files\Microsoft Silverlight
2014-03-14 09:59 - 2013-03-14 03:01 - 00000000 ____D () C:\Program Files (x86)\Microsoft Silverlight
2014-03-13 17:06 - 2014-03-13 17:04 - 00860176 _____ (Microsoft Corporation) C:\Users\Layne Donovan\Desktop\mssstool64.exe
2014-03-13 16:50 - 2013-04-04 13:11 - 00001221 _____ () C:\Windows\wininit.ini
2014-03-13 16:49 - 2013-04-04 13:11 - 00000000 ____D () C:\Users\Layne Donovan\AppData\Roaming\Dropbox
2014-03-13 16:49 - 2011-09-07 14:39 - 00000000 ___RD () C:\Users\Layne Donovan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
2014-03-13 02:09 - 2014-03-13 02:09 - 00000000 ____D () C:\Users\Layne Donovan\AppData\Roaming\Malwarebytes
2014-03-13 02:08 - 2014-03-13 02:08 - 00000000 ____D () C:\ProgramData\Malwarebytes
2014-03-13 01:35 - 2014-03-13 01:35 - 00952904 _____ () C:\Users\Layne Donovan\Downloads\810E.tmp
2014-03-13 01:23 - 2014-03-13 01:23 - 00953161 _____ () C:\Users\Layne Donovan\Downloads\Document Set is Complete 102 A 51st Resale new construction condos.zip
2014-03-13 01:23 - 2014-03-13 01:23 - 00000000 ____D () C:\Users\Layne Donovan\Downloads\Document Set is Complete 102 A 51st Resale new construction condos
2014-03-13 00:54 - 2014-03-13 00:54 - 00000000 ____D () C:\Users\Layne Donovan\Downloads\Document Set is Complete Spigel - Chick - House
2014-03-13 00:54 - 2014-03-13 00:53 - 00934985 _____ () C:\Users\Layne Donovan\Downloads\Document Set is Complete Spigel - Chick - House.zip
2014-03-12 12:27 - 2014-03-12 12:27 - 00839976 _____ () C:\Users\Layne Donovan\Downloads\51stStreet_FrontElevation-Color (2).tif
2014-03-12 11:49 - 2014-03-06 17:29 - 00000000 ____D () C:\Users\Layne Donovan\AppData\Roaming\Hifuox
2014-03-11 11:56 - 2014-03-11 11:56 - 00839976 _____ () C:\Users\Layne Donovan\Downloads\51stStreet_FrontElevation-Color (1).tif
2014-03-11 10:33 - 2014-03-10 11:59 - 00000000 ____D () C:\Users\Layne Donovan\AppData\Roaming\Buciazci
2014-03-10 11:59 - 2014-03-10 11:59 - 00003878 _____ () C:\Windows\System32\Tasks\Security Center Update - 3604282723
2014-03-07 16:46 - 2014-03-07 16:46 - 00839976 _____ () C:\Users\Layne Donovan\Downloads\51stStreet_FrontElevation-Color.tif
2014-03-05 14:24 - 2014-03-05 14:24 - 00012326 _____ () C:\Users\Layne Donovan\AppData\Local\bmsiapbk
2014-03-05 14:22 - 2014-03-05 14:22 - 00068161 _____ () C:\Users\Layne Donovan\AppData\Local\kpwjlkvs
2014-03-05 14:21 - 2014-03-05 14:21 - 00000000 _____ () C:\Users\Layne Donovan\AppData\Roaming\SharedSettings.ccs

Some content of TEMP:
====================
C:\Users\Layne Donovan\AppData\Local\Temp\Quarantine.exe


==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit


LastRegBack: 2014-02-18 01:15

==================== End Of Log ============================

Attached Files



#4 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Bulgaria
  • Local time:10:53 AM

Posted 24 March 2014 - 03:28 PM

Hello,

 

Please download the latest version of TDSSKiller from here and save it to your Desktop.

  • Doubleclick on TDSSKiller.exe to run the application, then click on Change parameters.
    image000q.png
  • Put a checkmark beside loaded modules.
    Sbf88.png
  • A reboot will be needed to apply the changes. Do it.
  • TDSSKiller will launch automatically after the reboot. Also your computer may seem very slow and unusable. This is normal. Give it enough time to load your background programs.
  • Then click on Change parameters in TDSSKiller.
  • Check all boxes then click OK.
    JtwHB.png
  • Click the Start Scan button.
    19695967.jpg
  • The scan should take no longer than 2 minutes.
  • If a suspicious object is detected, the default action will be Skip, click on Continue.
    67776163.jpg
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
    Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
    62117367.jpg
    Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.
  • A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and past the results at pastebin.com and post the link to the log in your next reply.

 

Regards,

Georgi


cXfZ4wS.png


#5 magnet0

magnet0
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Local time:02:53 AM

Posted 24 March 2014 - 08:26 PM

Awesome, Georgi.  TDSSKiller found a version of Cidox.b.  I haven't seen MBAM try to block any suspicious activity for a while so I am assuming that at least the damage has stopped for now.  Should I run some sort of clean up to prevent this from happening again?

 

http://pastebin.com/euaSWXKE



#6 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Bulgaria
  • Local time:10:53 AM

Posted 25 March 2014 - 12:29 PM

Hello,

 

Nice work...TDSSkiller has found what I expected - \Device\Harddisk0\DR0\Partition1 ( Rootkit.Boot.Cidox.b ) - will be cured on reboot.

 

 
Now please download the following file => and save it to the Desktop.
NOTE. It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work.

Run FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt). Please post it to your reply.

 

 

 

Also I want to make sure there is nothing lurking on the system so just in case I want you to go through these steps:

 

First please create a new restore point just in case:

 

How to Create a System Restore Point in Windows 7

 

 

 

STEP 1

 

 

  • Please download RogueKillerX64.exe and save to the desktop.
  • Close all windows and browsers
  • Right-click the program and select 'Run as Administrator'
  • Press the scan button.
  • A report opens on the desktop named - RKreport.txt
  • Please copy and past the results at pastebin.com and post the link to the log in your next reply.

 

 

STEP 2
 

 

Please download the latest version of TDSSKiller from here and save it to your Desktop.

  • Double-click on TDSSKiller.exe to run the application, then click on Change parameters.
    image000q.png
  • Put a checkmark beside loaded modules.
    Sbf88.png
  • A reboot will be needed to apply the changes. Do it.
  • TDSSKiller will launch automatically after the reboot. Also your computer may seem very slow and unusable. This is normal. Give it enough time to load your background programs.
  • Then click on Change parameters in TDSSKiller.
  • Check all boxes then click OK.
    JtwHB.png
  • Click the Start Scan button.
    19695967.jpg
  • The scan should take no longer than 2 minutes.
  • If a suspicious object is detected, the default action will be Skip, click on Continue.
    67776163.jpg
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
    Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
    62117367.jpg
    Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.
  • A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and past the results at pastebin.com and post the link to the log in your next reply.

 

 

STEP 3

 

 

Please download Malwarebytes Anti-Malware to your desktop.
 

  • Double-click mb3-setup-1878.1878-3.5.1.2522.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to the following:
    • Launch Malwarebytes Anti-Malware
    • A 14 day trial of the Premium features is pre-selected. You may deselect this if you wish, and it will not diminish the scanning and removal capabilities of the program.
  • Click Finish.
  • On the Settings tab > Detection and Protection subtab, Detection Options, tick the box 'Scan for rootkits'.
  • Click on the Scan tab, then click on Scan Now >> . If an update is available, click the Update Now button.
  • A Threat Scan will begin.
  • With some infections, you may see this message box.
    • 'Could not load DDA driver'
  • Click 'Yes' to this message, to allow the driver to load after a restart.
  • Allow the computer to restart. Continue with the rest of these instructions.
  • When the scan is complete, click Apply Actions.
  • Wait for the prompt to restart the computer to appear, then click on Yes.
  • After the restart once you are back at your desktop, open MBAM once more.
  • Click on the History tab > Application Logs.
  • Double click on the scan log which shows the Date and time of the scan just performed.
  • Click 'Copy to Clipboard'
  • Paste the contents of the clipboard into your reply.

 

 

 

 

STEP 4

 

 

1.Please download HitmanPro

  • For 32-bit Operating System - dEMD6.gif.
  • For 64-bit Operating System - dEMD6.gif

2.Launch the program by double clicking on the 5vo5F.jpg icon.

Note: If the program won't run please then open the program while holding down the left CTRL key until the program is loaded.

3.Click on the next button. You must agree with the terms of EULA. (if asked)

4.Check the box beside "No, I only want to perform a one-time scan to check this computer".

5.Click on the next button.

6.The program will start to scan the computer. The scan will typically take no more than 5-10 minutes.

7.When the scan is done click on drop-down menu of the found entries (if any) and choose - Apply to all => Ignore <= IMPORTANT!!!

8.Click on the next button.

9.Click on the "Save Log" button.

10.Save that file to your desktop and post the content of that file in your next reply.

Note: if there isn't a dropdown menu when the scan is done then please don't delete anything and close HitmanPro

6-scanfin-choose.jpg

Navigate to C:\Documents and Settings\All Users\Application Data\HitmanPro\Logs (for Windows XP) or to C:\ProgramData\HitmanPro\Logs (for Windows Vista/7) open the report and copy and paste it to your next reply.

 

 

 

Regards,

Georgi


cXfZ4wS.png


#7 magnet0

magnet0
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Local time:02:53 AM

Posted 25 March 2014 - 09:01 PM

Dang.  That's a lot of scans.  I didn't know MBAM was in version 2 so I updated it on my personal machine.  Thanks for that.

 

No real malware to report from the scans.  But here's everything that you requested...

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 13-03-2014
Ran by Layne Donovan at 2014-03-25 20:31:13 Run:1
Running from C:\Users\Layne Donovan\Desktop
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
start
HKLM-x32\...\Run: [] - [X]
S3 catchme; \??\C:\ComboFix\catchme.sys [X]
2014-03-13 01:35 - 2014-03-13 01:35 - 00952904 _____ () C:\Users\Layne Donovan\Downloads\810E.tmp
Folder: C:\Users\Layne Donovan\AppData\Roaming\Hifuox
Folder: C:\Users\Layne Donovan\AppData\Local\bmsiapbk
Folder: C:\Users\Layne Donovan\AppData\Local\kpwjlkvs
Folder: C:\Users\Layne Donovan\AppData\Roaming\Buciazci
end
*****************

HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\ => Value deleted successfully.
catchme => Service deleted successfully.
C:\Users\Layne Donovan\Downloads\810E.tmp => Moved successfully.

========================= Folder: C:\Users\Layne Donovan\AppData\Roaming\Hifuox ========================

====== End of Folder: ======

========================= Folder: C:\Users\Layne Donovan\AppData\Local\bmsiapbk ========================

The path is not a directory.

========================= Folder: C:\Users\Layne Donovan\AppData\Local\kpwjlkvs ========================

The path is not a directory.

========================= Folder: C:\Users\Layne Donovan\AppData\Roaming\Buciazci ========================

====== End of Folder: ======

==== End of Fixlog ====

 

 

Roguekiller----http://pastebin.com/2A4cJzSL

 

TDSSKiller----http://pastebin.com/bwYhxsai

 

 

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 3/25/2014
Scan Time: 9:33:29 PM
Logfile:
Administrator: Yes

Version: 2.00.0.1000
Malware Database: v2014.03.26.01
Rootkit Database: v2014.03.18.01
License: Trial
Malware Protection: Enabled
Malicious Website Protection: Enabled
Chameleon: Disabled

OS: Windows 7
CPU: x64
File System: NTFS
User: Layne Donovan

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 255450
Time Elapsed: 16 min, 56 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Shuriken: Enabled
PUP: Warn
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 2
PUP.Optional.OpenCandy, C:\Users\Layne Donovan\AppData\Roaming\OpenCandy, Quarantined, [b96418ed6b10dc5a2ff6470507fb06fa],
PUP.Optional.OpenCandy, C:\Users\Layne Donovan\AppData\Roaming\OpenCandy\CF99C0A3BDD242FAA56CDA11CD979EFE, Quarantined, [b96418ed6b10dc5a2ff6470507fb06fa],

Files: 1
PUP.Optional.OpenCandy, C:\Users\Layne Donovan\AppData\Roaming\OpenCandy\CF99C0A3BDD242FAA56CDA11CD979EFE\nitro_pdf_reader2_x64.msi, Quarantined, [b96418ed6b10dc5a2ff6470507fb06fa],

Physical Sectors: 0
(No malicious items detected)

(end)

 

 

HitmanPro 3.7.9.212
www.hitmanpro.com
   Computer name . . . . : LAYNEDONOVAN-PC
   Windows . . . . . . . : 6.1.0.7600.X64/2
   User name . . . . . . : LayneDonovan-PC\Layne Donovan
   UAC . . . . . . . . . : Enabled
   License . . . . . . . : Free
   Scan date . . . . . . : 2014-03-25 21:35:06
   Scan mode . . . . . . : Normal
   Scan duration . . . . : 2m 57s
   Disk access mode  . . : Direct disk access (SRB)
   Cloud . . . . . . . . : Internet
   Reboot  . . . . . . . : No
   Threats . . . . . . . : 0
   Traces  . . . . . . . : 120
   Objects scanned . . . : 1,705,053
   Files scanned . . . . : 38,370
   Remnants scanned  . . : 580,149 files / 1,086,534 keys
Cookies _____________________________________________________________________
   C:\Users\Layne Donovan\AppData\Local\Google\Chrome\User Data\Default\Cookies:ad.360yield.com
   C:\Users\Layne Donovan\AppData\Local\Google\Chrome\User Data\Default\Cookies:ads.pointroll.com
   C:\Users\Layne Donovan\AppData\Local\Google\Chrome\User Data\Default\Cookies:ads.pubmatic.com
   C:\Users\Layne Donovan\AppData\Local\Google\Chrome\User Data\Default\Cookies:ads.undertone.com
   C:\Users\Layne Donovan\AppData\Local\Google\Chrome\User Data\Default\Cookies:ads.yahoo.com
   C:\Users\Layne Donovan\AppData\Local\Google\Chrome\User Data\Default\Cookies:adtechus.com
   C:\Users\Layne Donovan\AppData\Local\Google\Chrome\User Data\Default\Cookies:advertising.com
   C:\Users\Layne Donovan\AppData\Local\Google\Chrome\User Data\Default\Cookies:ar.atwola.com
   C:\Users\Layne Donovan\AppData\Local\Google\Chrome\User Data\Default\Cookies:at.atwola.com
   C:\Users\Layne Donovan\AppData\Local\Google\Chrome\User Data\Default\Cookies:atdmt.com
   C:\Users\Layne Donovan\AppData\Local\Google\Chrome\User Data\Default\Cookies:atwola.com
   C:\Users\Layne Donovan\AppData\Local\Google\Chrome\User Data\Default\Cookies:burstnet.com
   C:\Users\Layne Donovan\AppData\Local\Google\Chrome\User Data\Default\Cookies:c.atdmt.com
   C:\Users\Layne Donovan\AppData\Local\Google\Chrome\User Data\Default\Cookies:casalemedia.com
   C:\Users\Layne Donovan\AppData\Local\Google\Chrome\User Data\Default\Cookies:collective-media.net
   C:\Users\Layne Donovan\AppData\Local\Google\Chrome\User Data\Default\Cookies:doubleclick.net
   C:\Users\Layne Donovan\AppData\Local\Google\Chrome\User Data\Default\Cookies:fastclick.net
   C:\Users\Layne Donovan\AppData\Local\Google\Chrome\User Data\Default\Cookies:h.atdmt.com
   C:\Users\Layne Donovan\AppData\Local\Google\Chrome\User Data\Default\Cookies:interclick.com
   C:\Users\Layne Donovan\AppData\Local\Google\Chrome\User Data\Default\Cookies:media6degrees.com
   C:\Users\Layne Donovan\AppData\Local\Google\Chrome\User Data\Default\Cookies:msnbc.112.2o7.net
   C:\Users\Layne Donovan\AppData\Local\Google\Chrome\User Data\Default\Cookies:pointroll.com
   C:\Users\Layne Donovan\AppData\Local\Google\Chrome\User Data\Default\Cookies:questionmarket.com
   C:\Users\Layne Donovan\AppData\Local\Google\Chrome\User Data\Default\Cookies:realmedia.com
   C:\Users\Layne Donovan\AppData\Local\Google\Chrome\User Data\Default\Cookies:revsci.net
   C:\Users\Layne Donovan\AppData\Local\Google\Chrome\User Data\Default\Cookies:ru4.com
   C:\Users\Layne Donovan\AppData\Local\Google\Chrome\User Data\Default\Cookies:serving-sys.com
   C:\Users\Layne Donovan\AppData\Local\Google\Chrome\User Data\Default\Cookies:smartadserver.com
   C:\Users\Layne Donovan\AppData\Local\Google\Chrome\User Data\Default\Cookies:specificclick.net
   C:\Users\Layne Donovan\AppData\Local\Google\Chrome\User Data\Default\Cookies:statcounter.com
   C:\Users\Layne Donovan\AppData\Local\Google\Chrome\User Data\Default\Cookies:statse.webtrendslive.com
   C:\Users\Layne Donovan\AppData\Local\Google\Chrome\User Data\Default\Cookies:tacoda.at.atwola.com
   C:\Users\Layne Donovan\AppData\Local\Google\Chrome\User Data\Default\Cookies:tribalfusion.com
   C:\Users\Layne Donovan\AppData\Roaming\Microsoft\Windows\Cookies\0G93C4WE.txt
   C:\Users\Layne Donovan\AppData\Roaming\Microsoft\Windows\Cookies\0JDAVEBU.txt
   C:\Users\Layne Donovan\AppData\Roaming\Microsoft\Windows\Cookies\0Q01G0JN.txt
   C:\Users\Layne Donovan\AppData\Roaming\Microsoft\Windows\Cookies\1W8VTSZZ.txt
   C:\Users\Layne Donovan\AppData\Roaming\Microsoft\Windows\Cookies\27XEWXBM.txt
   C:\Users\Layne Donovan\AppData\Roaming\Microsoft\Windows\Cookies\2B2K8P5V.txt
   C:\Users\Layne Donovan\AppData\Roaming\Microsoft\Windows\Cookies\2CSFG97P.txt
   C:\Users\Layne Donovan\AppData\Roaming\Microsoft\Windows\Cookies\2OXPMI34.txt
   C:\Users\Layne Donovan\AppData\Roaming\Microsoft\Windows\Cookies\2QZHPXGP.txt
   C:\Users\Layne Donovan\AppData\Roaming\Microsoft\Windows\Cookies\30A9QOZ1.txt
   C:\Users\Layne Donovan\AppData\Roaming\Microsoft\Windows\Cookies\3DF4S901.txt
   C:\Users\Layne Donovan\AppData\Roaming\Microsoft\Windows\Cookies\47ILTNR8.txt
   C:\Users\Layne Donovan\AppData\Roaming\Microsoft\Windows\Cookies\4DG8CJO8.txt
   C:\Users\Layne Donovan\AppData\Roaming\Microsoft\Windows\Cookies\5QLYUN43.txt
   C:\Users\Layne Donovan\AppData\Roaming\Microsoft\Windows\Cookies\5SLGXGYZ.txt
   C:\Users\Layne Donovan\AppData\Roaming\Microsoft\Windows\Cookies\6578BQLU.txt
   C:\Users\Layne Donovan\AppData\Roaming\Microsoft\Windows\Cookies\6BGGH1R1.txt
   C:\Users\Layne Donovan\AppData\Roaming\Microsoft\Windows\Cookies\6DZ8JE03.txt
   C:\Users\Layne Donovan\AppData\Roaming\Microsoft\Windows\Cookies\6JK52U2B.txt
   C:\Users\Layne Donovan\AppData\Roaming\Microsoft\Windows\Cookies\6XVBIR0I.txt
   C:\Users\Layne Donovan\AppData\Roaming\Microsoft\Windows\Cookies\72Z81ANI.txt
   C:\Users\Layne Donovan\AppData\Roaming\Microsoft\Windows\Cookies\82OR4STJ.txt
   C:\Users\Layne Donovan\AppData\Roaming\Microsoft\Windows\Cookies\9IE1WOO9.txt
   C:\Users\Layne Donovan\AppData\Roaming\Microsoft\Windows\Cookies\A0C6OYW2.txt
   C:\Users\Layne Donovan\AppData\Roaming\Microsoft\Windows\Cookies\AD73EZC1.txt
   C:\Users\Layne Donovan\AppData\Roaming\Microsoft\Windows\Cookies\AZBCOPBB.txt
   C:\Users\Layne Donovan\AppData\Roaming\Microsoft\Windows\Cookies\B0ORQOSW.txt
   C:\Users\Layne Donovan\AppData\Roaming\Microsoft\Windows\Cookies\B1V3NELW.txt
   C:\Users\Layne Donovan\AppData\Roaming\Microsoft\Windows\Cookies\B54K75E9.txt
   C:\Users\Layne Donovan\AppData\Roaming\Microsoft\Windows\Cookies\BOPUJRPM.txt
   C:\Users\Layne Donovan\AppData\Roaming\Microsoft\Windows\Cookies\BT4DJDR7.txt
   C:\Users\Layne Donovan\AppData\Roaming\Microsoft\Windows\Cookies\BTS9X446.txt
   C:\Users\Layne Donovan\AppData\Roaming\Microsoft\Windows\Cookies\BZ7P1G61.txt
   C:\Users\Layne Donovan\AppData\Roaming\Microsoft\Windows\Cookies\C15Q4IAT.txt
   C:\Users\Layne Donovan\AppData\Roaming\Microsoft\Windows\Cookies\C2HGI1R9.txt
   C:\Users\Layne Donovan\AppData\Roaming\Microsoft\Windows\Cookies\C57NA9VU.txt
   C:\Users\Layne Donovan\AppData\Roaming\Microsoft\Windows\Cookies\D6NJYX2Z.txt
   C:\Users\Layne Donovan\AppData\Roaming\Microsoft\Windows\Cookies\DQOJMYOC.txt
   C:\Users\Layne Donovan\AppData\Roaming\Microsoft\Windows\Cookies\EHEYPX1B.txt
   C:\Users\Layne Donovan\AppData\Roaming\Microsoft\Windows\Cookies\FJPHAVFX.txt
   C:\Users\Layne Donovan\AppData\Roaming\Microsoft\Windows\Cookies\GAKGDNI0.txt
   C:\Users\Layne Donovan\AppData\Roaming\Microsoft\Windows\Cookies\H9NGJJ2V.txt
   C:\Users\Layne Donovan\AppData\Roaming\Microsoft\Windows\Cookies\HRB4A0AH.txt
   C:\Users\Layne Donovan\AppData\Roaming\Microsoft\Windows\Cookies\I4IMQMWW.txt
   C:\Users\Layne Donovan\AppData\Roaming\Microsoft\Windows\Cookies\IEJBA3Y1.txt
   C:\Users\Layne Donovan\AppData\Roaming\Microsoft\Windows\Cookies\J5RALH82.txt
   C:\Users\Layne Donovan\AppData\Roaming\Microsoft\Windows\Cookies\JLXGR8MZ.txt
   C:\Users\Layne Donovan\AppData\Roaming\Microsoft\Windows\Cookies\K60MI3Q2.txt
   C:\Users\Layne Donovan\AppData\Roaming\Microsoft\Windows\Cookies\KKDZ53HN.txt
   C:\Users\Layne Donovan\AppData\Roaming\Microsoft\Windows\Cookies\KXQ96W5L.txt
   C:\Users\Layne Donovan\AppData\Roaming\Microsoft\Windows\Cookies\LB01DK0N.txt
   C:\Users\Layne Donovan\AppData\Roaming\Microsoft\Windows\Cookies\LPE1GO4G.txt
   C:\Users\Layne Donovan\AppData\Roaming\Microsoft\Windows\Cookies\LSAB1VCL.txt
   C:\Users\Layne Donovan\AppData\Roaming\Microsoft\Windows\Cookies\MBRCLJ0M.txt
   C:\Users\Layne Donovan\AppData\Roaming\Microsoft\Windows\Cookies\MLK9NKCQ.txt
   C:\Users\Layne Donovan\AppData\Roaming\Microsoft\Windows\Cookies\MZLZW3QM.txt
   C:\Users\Layne Donovan\AppData\Roaming\Microsoft\Windows\Cookies\NJ7718RW.txt
   C:\Users\Layne Donovan\AppData\Roaming\Microsoft\Windows\Cookies\NN8ZRDWC.txt
   C:\Users\Layne Donovan\AppData\Roaming\Microsoft\Windows\Cookies\NYXYRZ25.txt
   C:\Users\Layne Donovan\AppData\Roaming\Microsoft\Windows\Cookies\O6I9MMKC.txt
   C:\Users\Layne Donovan\AppData\Roaming\Microsoft\Windows\Cookies\O805IIGS.txt
   C:\Users\Layne Donovan\AppData\Roaming\Microsoft\Windows\Cookies\P7BVLCYR.txt
   C:\Users\Layne Donovan\AppData\Roaming\Microsoft\Windows\Cookies\PKEVIU78.txt
   C:\Users\Layne Donovan\AppData\Roaming\Microsoft\Windows\Cookies\PVF4ID3T.txt
   C:\Users\Layne Donovan\AppData\Roaming\Microsoft\Windows\Cookies\QZW5BA3U.txt
   C:\Users\Layne Donovan\AppData\Roaming\Microsoft\Windows\Cookies\R7ZT7PLA.txt
   C:\Users\Layne Donovan\AppData\Roaming\Microsoft\Windows\Cookies\RFYQCS4N.txt
   C:\Users\Layne Donovan\AppData\Roaming\Microsoft\Windows\Cookies\RHST5UCB.txt
   C:\Users\Layne Donovan\AppData\Roaming\Microsoft\Windows\Cookies\RSXLBVIW.txt
   C:\Users\Layne Donovan\AppData\Roaming\Microsoft\Windows\Cookies\SG4DCAR4.txt
   C:\Users\Layne Donovan\AppData\Roaming\Microsoft\Windows\Cookies\SLLBV3IF.txt
   C:\Users\Layne Donovan\AppData\Roaming\Microsoft\Windows\Cookies\T0QSRVNK.txt
   C:\Users\Layne Donovan\AppData\Roaming\Microsoft\Windows\Cookies\TZ1OWKAR.txt
   C:\Users\Layne Donovan\AppData\Roaming\Microsoft\Windows\Cookies\TZDP6TFR.txt
   C:\Users\Layne Donovan\AppData\Roaming\Microsoft\Windows\Cookies\U20MC1MH.txt
   C:\Users\Layne Donovan\AppData\Roaming\Microsoft\Windows\Cookies\U3QWRVI6.txt
   C:\Users\Layne Donovan\AppData\Roaming\Microsoft\Windows\Cookies\U8EUL841.txt
   C:\Users\Layne Donovan\AppData\Roaming\Microsoft\Windows\Cookies\UFM8Y4I1.txt
   C:\Users\Layne Donovan\AppData\Roaming\Microsoft\Windows\Cookies\VD4JNYVW.txt
   C:\Users\Layne Donovan\AppData\Roaming\Microsoft\Windows\Cookies\VZ0PXOK8.txt
   C:\Users\Layne Donovan\AppData\Roaming\Microsoft\Windows\Cookies\WUP5Y15E.txt
   C:\Users\Layne Donovan\AppData\Roaming\Microsoft\Windows\Cookies\WW8H1YVY.txt
   C:\Users\Layne Donovan\AppData\Roaming\Microsoft\Windows\Cookies\X7UWFRRE.txt
   C:\Users\Layne Donovan\AppData\Roaming\Microsoft\Windows\Cookies\X8M1KUQX.txt
   C:\Users\Layne Donovan\AppData\Roaming\Microsoft\Windows\Cookies\XLO8GMZ9.txt
   C:\Users\Layne Donovan\AppData\Roaming\Microsoft\Windows\Cookies\YR8NAX5P.txt
   C:\Users\Layne Donovan\AppData\Roaming\Microsoft\Windows\Cookies\ZPE1LT0C.txt


#8 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Bulgaria
  • Local time:10:53 AM

Posted 26 March 2014 - 05:56 AM

Hello,

 

Great work! :)

 

Also let's run a check for out of date programs:

 

Download Security Check by screen317 from here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

 

Regards,

Georgi


cXfZ4wS.png


#9 magnet0

magnet0
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Local time:02:53 AM

Posted 26 March 2014 - 07:47 PM

Georgi, looks like we might be finished here.  Thanks so much for all the help.

 

 Results of screen317's Security Check version 0.99.81 
 Windows 7 Service Pack 1 x64 (UAC is enabled) 
 Internet Explorer 11 
``````````````Antivirus/Firewall Check:``````````````
 Windows Security Center service is not running! This report may not be accurate!
 Windows Firewall Enabled! 
Microsoft Security Essentials  
  (On Access scanning disabled!)
 Error obtaining update status for antivirus! 
`````````Anti-malware/Other Utilities Check:`````````
 Java™ 6 Update 37 
 Java 7 Update 51 
 Adobe Reader 9 Adobe Reader out of Date!
````````Process Check: objlist.exe by Laurent```````` 
 Windows Defender MSMpEng.exe
 Malwarebytes Anti-Malware mbamservice.exe 
 Malwarebytes Anti-Malware mbam.exe 
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C: 
````````````````````End of Log``````````````````````
 



#10 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Bulgaria
  • Local time:10:53 AM

Posted 26 March 2014 - 08:30 PM

Hello,

 

Regarding the last log it seems that Security Center is not running for some reason:

 

Please download Farbar Service Scanner and run it on the computer with the issue.

  • Make sure that all options are checked.
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.

 

Regards,

Georgi


cXfZ4wS.png


#11 magnet0

magnet0
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Local time:02:53 AM

Posted 27 March 2014 - 07:55 PM

Sorry, Georgi.  I already cleaned up the computer and sent it back to my friend.  I turned back on MSE and some other services that I had turned off.  I advised my friend that he should invest in something like BitDefender and pay for the pro version of MBAM.

 

I am going to say again that I appreciate all of your help in locating the culprit.



#12 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Bulgaria
  • Local time:10:53 AM

Posted 28 March 2014 - 03:45 AM

Ok,

 

I can go ahead and close this topic then.

 

Just let him know about these things:

 

Windows Security Center service is not running! This report may not be accurate!

 

It's a good idea to start the security center service via Start => services.msc => Security Center (if you didn't start it).
 

Microsoft Security Essentials  
(On Access scanning disabled!)

 

Ok, you said that you already turned MSE on, so this can be ignored then.

 

Error obtaining update status for antivirus!

 

There could be a problem with the WMI...you can check the article below if you need to reset the WMI:

 

http://blogs.technet.com/b/askperf/archive/2009/04/13/wmi-rebuilding-the-wmi-repository.aspx

 

Java™ 6 Update 37
Adobe Reader 9 Adobe Reader out of Date!

 

Let he know to uninstall Java 6 Update 37 and to update Adobe Reader to the latest version => software.gif Download and install: Adobe Reader 11.0.06.

 

My final recommendations are as follows:

 

I advise you to run the following tool to clean the remnants from Java 6

  • Please download JavaRa 2.5 and unzip it to your desktop.
  • Double-click on JavaRa.exe to start the program.
  • Choose Remove JRE and since you already uninstalled JAVA skip step 1 and click on the next button.
  • Now click on Perform Removal Routine to remove the older versions of Java installed on your computer.
  • When that's successfully done, please click OK to close the message.
  • Click on Next and skip the downloading process. Click Next and now click on Close this wizard and click Finish.
  • From the main menu please choose Additional tasks
  • Place a checkmark beside Remove startup entry, Remove Outdated JRE Firefox Extentions and Clean JRE Temp Files and click Run. The browsers should be closed before running this task.
  • When that's succesfully done you will see a message at the top saying: "Selected tasks completed successfully".
  • A log file should be created in the same directory as JavaRa.
  • Please attach the log to your next reply.
  • Close JavaRa by clicking the red cross button.

 

You can choose between 2 variants:

 

1. If you have applications that require Java to be installed on the computer then uninstall the old version of Java and then run JavaRa to remove all remnants and then go ahead and download & install the latest version of Java (Java 8 JRE).

 

2. If you want to be on the safe side then go ahead and uninstall the old version of Java, then run JavaRa to remove all remnants and then remove all applications that require Java (time to learn to live without Java and find alternatives to the applications that require Java)... Check this article.

 

It's your call. smile.png

 

 

To remove all of the tools we used and the files and folders they created, please do the following:

 

 

Please download OTC.exe by OldTimer and save it to your desktop.
 

  • Right-click the OTC.exe and choose Run as Administrator.
  • Click on CleanUp! button.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes.

 

  • Next please download Delfix.exe by Xplode and save it to your desktop.
  • Please start it and check the box next to "Remove disinfection tools" and click on the run button.
  • The tool will delete itself once it finishes.

 

Note: If any tool, file, log file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.

 

 

 

Here are my final recommendations:

 

Nicely done ! :bananas: This is the end of our journey if you don't have any more questions.
I have some final words for you.
All Clean !
Your machine appears to be clean, please take the time to read below on how to secure the machine and take the necessary steps to keep it Clean.

 

 

Change all your passwords !


Since your computer was infected for peace of mind, I would however advise you that all your passwords be changed immediately including those for bank accounts, credit cards and home loans, PIN codes etc)!! (just in case).

If you're storing password in the browser to access websites than they are non encrypted well (only if you use Firefox with master password protection activated provide better security). So I strongly recommend to change as much password as possible. Many of the modern malware samples have backdoor abilities and can steal confidential information from the compromised computer. Also you should check for any suspicious transactions if such occur. If you find out that you have been victim to fraud contact your bank or the appropriate institution for assistance.

Use different passwords for all your accounts. Also don't use easy passwords such as your favorite teams, bands or pets because this will allow people to guess your password.
You can use PC Tools Password Generator to create random passwords and then install an application like KeePass Password Safe to store them for easy access.If you do Online Banikng please read this article: Online Banking Protection Against Identity Theft

 

 

 

Keep your antivirus software turned on and up-to-date

 

  • Make sure your antivirus software is turned on and up-to-date.
  • New viruses come out every minute, so it is essential that you have the latest signatures for your antivirus program to provide you with the best possible protection from malicious software.
    Note:
  • You should only have one antivirus installed at a time. Having more than one antivirus program installed at once is likely to cause conflicts and may well decrease your overall protection as well as impairing the performance of your PC.
  • You should scan your computer with an AntiSpyware program like Malwarebytes' Anti-Malware on a regular basis just as you would an antivirus software.
  • Be sure to check for and download any definition updates prior to performing a scan.
  • Also keep in mind that MBAM is not a replacement for antivirus software, it is meant to complement the protection provided by a full antivirus product and is designed to detect the threats that are missed by most antivirus software.

 

 

Install HIPS based software if needed (or use Limited Account with UAC enabled)

 

I usually recommend to users to install HIPS based software but this type software is only effective in the right hands since it require from the users to take the right decisions.

 

HIPS based software controls what an application is allowed to do and not allowed to do.
It monitors what each application tries to do, how it use the internet and give you the ability to block any suspicious activity occurring on your computer.
In my opinion the best way to prevent an unknown malware from gaining access is to use some HIPS programs (like COMODO Firewall, PrivateFirewall, Online Armor etc.) to control the access rights of legitimate applications, although this would only be advisable for experienced users. (so if you don't feel comfortable using such software then you can skip this advice)

 

However, you should be aware though that (if you install Comodo Firewall and not the whole package Comodo Internet Security) this is not an replacement for a standard antivirus application. It's a great tool to add another layer of protection to your existent antivirus application. Also note that if you have an antivirus installed then you should install Comodo Firewall (and not Comodo Internet Security to avoid conflicts).

 

It takes some time and knowledge to configure it for individual purposes but once done, you should not have a problems with it.
There are so many reviews on YouTube and blogs about all these programs.
Keep in mind to choose carefully in order to avoid conflicts or instability caused by incompatible security programs.
Also having more than one "real-time" program can be a drain on your PC's efficiency so please refrain doing so.

More information about HIPS can be found here: What is Host Intrusion Prevention System (HIPS) and how does it work?

 
If you like Comodo you should choose for yourself which version of Comodo you will use 5 or 7. Personally I stick to version 5 at least for now.
 

If these kind of programs are difficult for you to use then you can use limited user account (LUA) with UAC enabled. If you need administrative privileges to perform some tasks, then you can use Run As or log on as the administrator account for that specific task.

 

 

Be prepared for CryptoLocker:

 

 

CryptoLocker Ransomware Information Guide and FAQ

Cryptolocker Ransomware: What You Need To Know

New CryptoLocker Ransomware Variant Spread Through Yahoo Messenger

CryptoDefense and How_Decrypt Ransomware Information Guide and FAQ

 

 

Since the prevention is better than cure you can use gpedit built-in Windows or CryptoPrevent (described in the first link) to secure the PC against this locker.

Another way is to use Comodo Firewall and to add all local disks to Protected Files and Folders

You may want to check HitmanPro.Alert.CryptoGuard and add install it to be safe when surfing the net.

 

 

Practice Safe Internet


One of the main reasons people get infected in the first place is that they are not practicing Safe Internet. You practice Safe Internet when you educate yourself on how to properly use the Internet through the use of security tools and good practice. Knowing how you can get infected and what types of files and sites to avoid will be the most crucial step in keeping your computer malware free. The reality is that the majority of people who are infected with malware are ones who click on things they shouldn't be clicking on. Whether these things are files or sites it doesn't really matter. If something is out to get you, and you click on it, it most likely will.  Below are a list of simple precautions to take to keep your computer clean and running securely:
 

  • If you receive an attachment from someone you do not know, DO NOT OPEN IT! Simple as that.  Opening attachments from people you do not know is a very common method for viruses or worms to infect your computer.
  • .exe, .com, .bat, .pif, .scr or .cmd do not open the attachment unless you know for a fact that it is clean.  For the casual computer user, you will almost never receive a valid attachment of this type.
  • If you receive an attachment from someone you know, and it looks suspicious, then it probably is.  The email could be from someone you know infected with a malware that is trying to infect everyone in their address book.
  • If you are browsing the Internet and a popup appears saying that you are infected, ignore it!. These are, as far as I am concerned, scams that are being used to scare you into purchasing a piece of software. For an example of these types of popups, or Foistware, you should read this article:
    Foistware, And how to avoid it. There are also programs that disguise themselves as Anti-Spyware or security products but are instead scams.  For a list of these types of programs we recommend you visit this link: About Malwares, Rogues, Scarewares, SmitfraudFix
  • Another tactic to fool you on the web is when a site displays a popup that looks like a normal Windows message  or alert. When you click on them, though, they instead bring you to another site that is trying to push a product on you.  We suggest that you close these windows by clicking on the X instead of the OK button. Alternatively, you can check to see if it's a real alert by right-clicking on the window.  If there is a menu that comes up saying Add to Favorites... you know it's a fake.
  • Do not go to adult sites. I know this may bother some of you, but the fact is that a large amount of malware is pushed through these types of sites. I am not saying all adult sites do this, but a lot do.
  • When using an Instant Messaging program be cautious about clicking on links people send to you. It is not uncommon for infections to send a message to everyone in the infected person's contact list that contains a link to an infection. Instead when you receive a message that contains a link, message back to the person asking if it is legit before you click on it.
  • Stay away from Warez and Crack sites! In addition to the obvious copyright issues, the downloads from these sites are typically overrun with infections. Avoid using cracks and unknown programs from sources you don't trust. There are MANY alternative open-source applications. Malware writers just love cracks and keygens, and will often attach malicious code into them. By using cracks and/or keygens, you are asking for problems. So my advice is - stay away from them!
  • Be careful of what you download off of web sites and Peer-2-Peer networks. Some sites disguise malware as legitimate software to trick you into installing them and Peer-2-Peer networks are crawling with it. If you want to download a piece of software a from a site, and are not sure if they are legitimate, you can use McAfee Siteadvisor to look up info on the site. Note: skip this advice if your antivirus have a Web Guard.
  • DO NOT INSTALL any software without first reading the End User License Agreement, otherwise known as the EULA. A tactic that some developers use is to offer their software for free, but have spyware and other programs you do not want bundled with it. This is where they make their money. By reading the agreement there is a good chance you can spot this and not install the software.

 

 

Tweak your browsers
 
 
MOZILLA FIREFOX


To prevent further infections be sure to install the following add-ons NoScript and AdBlock Plus

 

Adblock Plus hides all those annoying (and potentially dangerous) advertisements on websites that try and tempt you to buy or download something. AdBlock not only speeds up your browsing and makes it easier on your eyes, but also makes it safer.

 

Adblock Plus can be found here.

 

NoScript is only for advanced users as it blocks all the interactive parts of a webpage, such as login options. Obviously you wouldn’t want to block your ability to log on to your internet banking or your webmail, but thankfully you can tell NoScript to allow certain websites and block others. This is very useful to ensure that the website you’re visiting is not trying to tempt you to interact with another, more dangerous website.

 

NoScript can be found here
 

 

Google Chrome

 
If you like Google Chrome there are many similar extensions for this browser as well. Since I am not a Google Chrome user I can't tell you which of them are good and how they work. You should find out by yourself.

However Google Chrome can block a lot of unknown malware because of his sandbox.Beware of the fact that Google Chrome doesn't provide master password protection for your saved in the browser passwords. Check this out: Google Chrome security flaw offers unrestricted password access

 

 

For Internet Explorer 9/10/11 read the articles below:
 

Security and privacy features in Internet Explorer 9

Enhanced Protected Mode
Use Tracking Protection in Internet Explorer

Security in Internet Explorer 10

 

Immunize your browsers with SpywareBlaster 5 and Spybot Search and Destroy 1.6

Also MBAM acquired the following software Malwarebytes Anti-Exploit and it should work with the most popular browsers. Beware the product is in beta stage.

Changelog can be seen here and known issues here.

 

 
Make the extensions for known file types visible:
 

Be wary of files with a double extension such as jpg.exe. As a default setting, Windows often hides common file extensions, meaning that a program like image.jpg.exe will appear to you as simply image.jpg. Double extensions exploit this by hiding the second, dangerous extension and reassuring you with the first one.Check this out - Show or hide file name extensions.

 

 

 

Create an image of your system (you can use the built-in Windows software as well if you prefere)

 

  • Now when your pc is malware free it is a good idea to do a backup of all important files just in case something happens it.
  • Macrium Reflect is very good choice that enables you to create an image of your system drive which can be restored in case of problems.
  • The download link is here.
  • The tutorial on how to create an system image can be found here.
  • The tutorial on how to restore an system image can be found here.
  • Be sure to read the tutorial first.

 

 

Follow this list and your potential for being infected again will reduce dramatically.

Safe Surfing! :)

 

 

Regards,

Georgi


cXfZ4wS.png


#13 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Bulgaria
  • Local time:10:53 AM

Posted 29 March 2014 - 12:07 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.

cXfZ4wS.png





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users