Computer affected by malware


  • This topic is locked
11 replies to this topic

#1 cpotter

cpotter

  • Members
  • 148 posts
  • OFFLINE
  • Local time:07:39 AM

Posted 27 March 2014 - 12:08 PM

Computer was infected by a virus about 1 month ago (Rogue:Win32/FakePAV).

Ran MSE and think I removed the above virus.

Just ran MBAM and found multiple problems.

Have included DDS logs. Also attached MBAM log.

Thanks in advance for all the great help.

Chad

DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 11.0.9600.16521
Run by Chad at 11:53:26 on 2014-03-27
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.6014.4587 [GMT -5:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {641105E6-77ED-3F35-A304-765193BCB75F}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Microsoft Security Essentials *Enabled/Updated* {DF70E402-51D7-30BB-99B4-4D23E83BFDE2}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\WLANExt.exe
C:\Windows\system32\taskhost.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\Dell DataSafe Local Backup\sftservice.EXE
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files (x86)\Dell Wireless\Ath_WlanAgent.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\explorer.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files (x86)\Dell DataSafe Local Backup\TOASTER.EXE
C:\Windows\System32\WUDFHost.exe
C:\Program Files (x86)\Dell DataSafe Local Backup\COMPONENTS\SCHEDULER\STSERVICE.EXE
C:\Windows\System32\igfxtray.exe
C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpd.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files (x86)\WinPatrol\WinPatrol.exe
C:\Program Files (x86)\CyberLink\PowerDVD9\PDVD9Serv.exe
C:\Program Files (x86)\CyberLink\Shared files\brs.exe
C:\Program Files (x86)\ScanSoft\PaperPort\pptd40nt.exe
C:\Users\Chad\AppData\Roaming\Dropbox\bin\Dropbox.exe
C:\Program Files (x86)\Brother\Brmfcmon\BrMfcWnd.exe
C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe
C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe
C:\Program Files (x86)\Brother\Brmfcmon\BrMfimon.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
c:\Program Files\Microsoft Security Client\NisSrv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
C:\Windows\system32\Macromed\Flash\FlashUtil64_12_0_0_77_ActiveX.exe
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uDefault_Page_URL = www.dell.com
mStart Page = hxxp://start.mysearchdial.com/?f=1&a=dsites1202&cd=2XzuyEtN2Y1L1Qzu0EtBtCzzzzyDyCzyyB0C0BtCtA0ByC0EtN0D0Tzu0SyBtCyBtN1L2XzutBtFtBtFtCyEtFtCtAyBzytN1L1CzutCyD1B1P1R&cr=997218542&ir=
mWinlogon: Userinit = userinit.exe
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
uRun: [WinPatrol] C:\Program Files (x86)\WinPatrol\winpatrol.exe -expressboot
mRun: [RemoteControl9] "C:\Program Files (x86)\CyberLink\PowerDVD9\PDVD9Serv.exe"
mRun: [PDVD9LanguageShortcut] "C:\Program Files (x86)\CyberLink\PowerDVD9\Language\Language.exe"
mRun: [BDRegion] C:\Program Files (x86)\Cyberlink\Shared Files\brs.exe
mRun: [SSBkgdUpdate] "C:\Program Files (x86)\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [PaperPort PTD] "C:\Program Files (x86)\ScanSoft\PaperPort\pptd40nt.exe"
mRun: [IndexSearch] "C:\Program Files (x86)\ScanSoft\PaperPort\IndexSearch.exe"
mRun: [PPort11reminder] "C:\Program Files (x86)\ScanSoft\PaperPort\Ereg\Ereg.exe" -r "C:\ProgramData\ScanSoft\PaperPort\11\Config\Ereg\Ereg.ini"
mRun: [BrMfcWnd] C:\Program Files (x86)\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
mRun: [ControlCenter3] C:\Program Files (x86)\Brother\ControlCenter3\brctrcen.exe /autorun
mRun: [DivXMediaServer] C:\Program Files (x86)\DivX\DivX Media Server\DivXMediaServer.exe
mRun: [DivXUpdate] "C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
StartupFolder: C:\Users\Chad\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Dropbox.lnk - C:\Users\Chad\AppData\Roaming\Dropbox\bin\Dropbox.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
uPolicies-System: Shell = %windir%\lock.exe
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-Explorer: NoActiveDesktopChanges = dword:1
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE/3000
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
TCP: NameServer = 208.67.220.220 208.67.222.222
TCP: Interfaces\{522CC9A3-8913-4390-9A52-FEB63846953C} : DHCPNameServer = 208.67.220.220 208.67.222.222
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
SSODL: WebCheck - <orphaned>
x64-mStart Page = hxxp://start.mysearchdial.com/?f=1&a=dsites1202&cd=2XzuyEtN2Y1L1Qzu0EtBtCzzzzyDyCzyyB0C0BtCtA0ByC0EtN0D0Tzu0SyBtCyBtN1L2XzutBtFtBtFtCyEtFtCtAyBzytN1L1CzutCyD1B1P1R&cr=997218542&ir=
x64-BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
x64-Run: [IgfxTray] C:\Windows\System32\igfxtray.exe
x64-Run: [HotKeysCmds] C:\Windows\System32\hkcmd.exe
x64-Run: [Persistence] C:\Windows\System32\igfxpers.exe
x64-Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
x64-Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - <orphaned>
x64-Notify: igfxcui - igfxdev.dll
x64-SSODL: WebCheck - <orphaned>
.
============= SERVICES / DRIVERS ===============
.
R0 iusb3hcs;Intel® USB 3.0 Host Controller Switch Driver;C:\Windows\System32\drivers\iusb3hcs.sys [2013-1-24 16152]
R0 MpFilter;Microsoft Malware Protection Driver;C:\Windows\System32\drivers\MpFilter.sys [2013-9-27 248240]
R0 PxHlpa64;PxHlpa64;C:\Windows\System32\drivers\PxHlpa64.sys [2013-1-24 55856]
R2 NisDrv;Microsoft Network Inspection System;C:\Windows\System32\drivers\NisDrvWFP.sys [2013-9-27 134944]
R2 SftService;SoftThinks Agent Service;C:\Program Files (x86)\Dell DataSafe Local Backup\SftService.exe [2013-1-24 1695040]
R2 ZAtheros Wlan Agent;ZAtheros Wlan Agent;C:\Program Files (x86)\Dell Wireless\Ath_WlanAgent.exe [2013-1-24 73728]
R3 IntcDAud;Intel® Display Audio;C:\Windows\System32\drivers\IntcDAud.sys [2013-1-24 331264]
R3 iusb3hub;Intel® USB 3.0 Hub Driver;C:\Windows\System32\drivers\iusb3hub.sys [2013-1-24 356120]
R3 iusb3xhc;Intel® USB 3.0 eXtensible Host Controller Driver;C:\Windows\System32\drivers\iusb3xhc.sys [2013-1-24 788760]
R3 NisSrv;Microsoft Network Inspection;C:\Program Files\Microsoft Security Client\NisSrv.exe [2013-10-23 348376]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\System32\drivers\Rt64win7.sys [2013-1-24 565352]
S2 CLKMSVC10_9EC60124;CyberLink Product - 2013/01/23 23:35:13;C:\Program Files (x86)\CyberLink\PowerDVD9\NavFilter\kmsvc.exe [2011-8-11 248304]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2013-9-11 105144]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2013-9-11 124088]
S3 IEEtwCollectorService;Internet Explorer ETW Collector Service;C:\Windows\System32\ieetwcollector.exe [2014-3-12 111616]
S3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;C:\Windows\System32\drivers\nusb3hub.sys [2012-2-27 80384]
S3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;C:\Windows\System32\drivers\nusb3xhc.sys [2012-2-27 180736]
S3 NvStUSB;NVIDIA Stereoscopic 3D USB driver;C:\Windows\System32\drivers\nvstusb.sys [2013-1-24 398144]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2010-11-20 59392]
S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\System32\drivers\TsUsbGD.sys [2010-11-20 31232]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2013-1-31 1255736]
.
=============== Created Last 30 ================
.
2014-03-27 14:31:53 10521840 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{27AD74A4-601C-4ECE-917C-59F227E85FDF}\mpengine.dll
2014-03-25 13:38:32 1031560 ------w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{525EACDF-8894-49ED-89EA-406187D3EACD}\gapaengine.dll
2014-03-25 13:37:56 10521840 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2014-03-25 13:27:19 -------- d-----w- C:\Users\Chad\AppData\Roaming\DropboxMaster
2014-03-12 05:36:07 624128 ----a-w- C:\Windows\System32\qedit.dll
2014-03-12 05:36:07 509440 ----a-w- C:\Windows\SysWow64\qedit.dll
2014-03-12 05:36:06 1424384 ----a-w- C:\Windows\System32\WindowsCodecs.dll
2014-03-12 05:36:06 1230336 ----a-w- C:\Windows\SysWow64\WindowsCodecs.dll
2014-03-07 11:31:54 -------- d-----w- C:\Users\Chad\AppData\Roaming\Malwarebytes
2014-03-07 11:31:44 -------- d-----w- C:\ProgramData\Malwarebytes
2014-03-07 11:31:43 25928 ----a-w- C:\Windows\System32\drivers\mbam.sys
2014-03-07 11:31:43 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2014-03-07 11:31:01 -------- d-----w- C:\Users\Chad\AppData\Roaming\WinPatrol
2014-03-07 11:30:57 -------- d-----w- C:\ProgramData\InstallMate
2014-03-07 11:30:57 -------- d-----w- C:\Program Files (x86)\WinPatrol
2014-03-06 17:19:05 1031560 ------w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\NISBackup\gapaengine.dll
2014-03-04 17:44:34 -------- d-----w- C:\Program Files (x86)\Microsoft Security Client
2014-03-04 17:44:28 -------- d-----w- C:\Program Files\Microsoft Security Client
2014-03-04 17:32:08 -------- d-----w- C:\Program Files (x86)\Revo Uninstaller
2014-03-04 16:38:39 -------- d-----w- C:\ProgramData\SaveSenseLive
2014-02-26 09:01:32 -------- d-----w- C:\Windows\Migration
.
==================== Find3M  ====================
.
2014-03-12 05:22:34 71048 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2014-03-12 05:22:34 692616 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2014-03-01 05:17:02 2724864 ----a-w- C:\Windows\System32\mshtml.tlb
2014-03-01 05:16:26 4096 ----a-w- C:\Windows\System32\ieetwcollectorres.dll
2014-03-01 04:52:55 66048 ----a-w- C:\Windows\System32\iesetup.dll
2014-03-01 04:51:59 48640 ----a-w- C:\Windows\System32\ieetwproxystub.dll
2014-03-01 04:33:52 139264 ----a-w- C:\Windows\System32\ieUnatt.exe
2014-03-01 04:33:34 111616 ----a-w- C:\Windows\System32\ieetwcollector.exe
2014-03-01 04:32:59 708608 ----a-w- C:\Windows\System32\jscript9diag.dll
2014-03-01 04:23:49 940032 ----a-w- C:\Windows\System32\MsSpellCheckingFacility.exe
2014-03-01 04:11:20 2724864 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2014-03-01 03:54:33 5768704 ----a-w- C:\Windows\System32\jscript9.dll
2014-03-01 03:52:43 61952 ----a-w- C:\Windows\SysWow64\iesetup.dll
2014-03-01 03:51:53 51200 ----a-w- C:\Windows\SysWow64\ieetwproxystub.dll
2014-03-01 03:38:26 112128 ----a-w- C:\Windows\SysWow64\ieUnatt.exe
2014-03-01 03:37:35 553472 ----a-w- C:\Windows\SysWow64\jscript9diag.dll
2014-03-01 03:35:11 2041856 ----a-w- C:\Windows\System32\inetcpl.cpl
2014-03-01 03:14:15 4244480 ----a-w- C:\Windows\SysWow64\jscript9.dll
2014-03-01 03:10:28 2334208 ----a-w- C:\Windows\System32\wininet.dll
2014-03-01 03:00:08 1964032 ----a-w- C:\Windows\SysWow64\inetcpl.cpl
2014-03-01 02:32:16 1820160 ----a-w- C:\Windows\SysWow64\wininet.dll
2014-02-07 01:23:30 3156480 ----a-w- C:\Windows\System32\win32k.sys
2014-01-29 02:32:18 484864 ----a-w- C:\Windows\System32\wer.dll
2014-01-29 02:06:47 381440 ----a-w- C:\Windows\SysWow64\wer.dll
2014-01-28 02:32:46 228864 ----a-w- C:\Windows\System32\wwansvc.dll
2014-01-19 07:33:29 270496 ------w- C:\Windows\System32\MpSigStub.exe
.
============= FINISH: 11:53:37.11 ===============


#2 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  • Gender:Male
  • Location:Numpty HQ
  • Local time:12:39 PM

Posted 27 March 2014 - 02:51 PM

Good evening. :)

Did you instruct MBAM to remove the detections after you ran the initial scan?


So long, and thanks for all the fish.

 

 


#3 cpotter

cpotter
  • Topic Starter

  • Members
  • 148 posts
  • OFFLINE
  • Local time:07:39 AM

Posted 27 March 2014 - 03:00 PM

I did not. Given the volume of problems, some of them in the registry, I didn't know if I should delete ALL of these?

Should I run MBAM again and remove all detections?

Thanks.



#4 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  • Gender:Male
  • Location:Numpty HQ
  • Local time:12:39 PM

Posted 27 March 2014 - 05:10 PM

Yes, then let me have the log that MBAM produces.


So long, and thanks for all the fish.

 

 


#5 cpotter

cpotter
  • Topic Starter

  • Members
  • 148 posts
  • OFFLINE
  • Local time:07:39 AM

Posted 27 March 2014 - 09:19 PM

Done.  MBAM log:

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2014.03.27.07

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 11.0.9600.16521
Chad :: KIDS-DESKTOP [administrator]

3/27/2014 6:20:11 PM
mbam-log-2014-03-27 (18-20-11).txt

Scan type: Full scan (C:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 597562
Time elapsed: 42 minute(s), 11 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 4
HKCR\CLSID\{D40753C7-8A59-4C1F-BE88-C300F4624D5B} (PUP.Optional.MySearchDial.A) -> Quarantined and deleted successfully.
HKCR\TypeLib\{C292AD0A-C11F-479B-B8DB-743E72D283B0} (PUP.Optional.MySearchDial.A) -> Quarantined and deleted successfully.
HKCU\Software\InstallCore\1I1T1Q1S (PUP.Optional.InstallCore.A) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\INSTALLCORE (PUP.Optional.InstallCore.A) -> Quarantined and deleted successfully.

Registry Values Detected: 1
HKCU\Software\InstallCore|tb (PUP.Optional.InstallCore.A) -> Data: 0A2O0R1R1H2Z1S1G0H1F -> Quarantined and deleted successfully.

Registry Data Items Detected: 2
HKLM\SOFTWARE\Microsoft\Internet Explorer\AboutURLs|Tabs (PUP.Optional.MySearchDial.A) -> Bad: (http://start.mysearchdial.com/?f=2&a=dsites1202&cd=2XzuyEtN2Y1L1Qzu0EtBtCzzzzyDyCzyyB0C0BtCtA0ByC0EtN0D0Tzu0SyBtCyBtN1L2XzutBtFtBtFtCyEtFtCtAyBzytN1L1CzutCyD1B1P1R&cr=997218542&ir=) Good: (www.google.com) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main|Start Page (PUP.Optional.MySearchDial.A) -> Bad: (http://start.mysearchdial.com/?f=1&a=dsites1202&cd=2XzuyEtN2Y1L1Qzu0EtBtCzzzzyDyCzyyB0C0BtCtA0ByC0EtN0D0Tzu0SyBtCyBtN1L2XzutBtFtBtFtCyEtFtCtAyBzytN1L1CzutCyD1B1P1R&cr=997218542&ir=) Good: (http://www.google.com) -> Quarantined and repaired successfully.

Folders Detected: 10
C:\Users\Chad\AppData\Local\Temp\ct3306061 (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\ProgramData\SaveSenseLive (PUP.Optional.SaveSense) -> Quarantined and deleted successfully.
C:\ProgramData\SaveSenseLive\Update (PUP.Optional.SaveSense) -> Quarantined and deleted successfully.
C:\ProgramData\SaveSenseLive\Update\Log (PUP.Optional.SaveSense) -> Quarantined and deleted successfully.
C:\Users\Wendy\AppData\Roaming\SaveSense (PUP.Optional.SaveSense) -> Quarantined and deleted successfully.
C:\Users\Wendy\AppData\Roaming\SaveSense\UpdateProc (PUP.Optional.SaveSense) -> Quarantined and deleted successfully.
C:\Users\Wendy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SaveSense (PUP.Optional.SaveSense) -> Quarantined and deleted successfully.
C:\Users\Wendy\AppData\Local\SaveSenseLive (PUP.Optional.SaveSense.A) -> Quarantined and deleted successfully.
C:\Users\Wendy\AppData\Local\SaveSenseLive\CrashReports (PUP.Optional.SaveSense.A) -> Quarantined and deleted successfully.
C:\Users\Wendy\AppData\Local\SaveSense (PUP.Optional.SaveSense.A) -> Quarantined and deleted successfully.

Files Detected: 46
C:\Users\Chad\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0HHZKQVY\UltimateCodec.exe (PUP.Optional.JumpyApps) -> Quarantined and deleted successfully.
C:\Users\Chad\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4GQRFY7A\statisticsstub[1].exe (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\Users\Chad\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\K1HYTQ42\conduitinstaller[1].exe (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\Users\Chad\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\OYZOS17I\checktbexist[1].exe (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\Users\Chad\AppData\Local\Temp\ct3306061\ctbe.exe (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\Users\Chad\AppData\Local\Temp\ct3306061\statisticsStub.exe (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\Users\Chad\AppData\Local\Temp\ct3306061\stub.exe (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\Users\Chad\AppData\Local\Temp\is357113909\8483547_stp\HomePageDLL.dll (PUP.Optional.Installcore) -> Quarantined and deleted successfully.
C:\Users\Courtney\Downloads\FLVPlayerSetup-9KHr61H.exe (PUP.Optional.Somoto) -> Quarantined and deleted successfully.
C:\Users\Ethan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7H7MJEDR\SweetIMSetup_20130903[1].exe (PUP.Optional.SweetIM.A) -> Quarantined and deleted successfully.
C:\Users\Ethan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\IIVLJT4K\OptimizerPro[1].exe (PUP.Optional.OptimizerPro.A) -> Quarantined and deleted successfully.
C:\Users\Ethan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RPOZP8IL\linksicle-setup-1.8.2.0[1].exe (PUP.Optional.Linksicle) -> Quarantined and deleted successfully.
C:\Users\Ethan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TQ4E0KTY\jenkatarcade_d3425290.exe (PUP.Optional.InstallIQ) -> Quarantined and deleted successfully.
C:\Users\Ethan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VSH7SCBW\jenkatarcade.exe (PUP.Optional.InstallIQ) -> Quarantined and deleted successfully.
C:\Users\Ethan\AppData\Local\Temp\ICReinstall_CodecPackage.exe (PUP.Optional.JumpyApps) -> Quarantined and deleted successfully.
C:\Users\Ethan\AppData\Roaming\ShopAtHome\ShopAtHomeAppInstaller_C102824198_D1_R1048080.exe (PUP.Optional.ShopAtHome.A) -> Quarantined and deleted successfully.
C:\Users\Ethan\Downloads\ArcadeFrontierGames.exe (PUP.Optional.ArcadeFrontier.A) -> Quarantined and deleted successfully.
C:\Users\Ethan\Downloads\RollerCoaster Tycoon 3.exe (PUP.Optional.Firseria) -> Quarantined and deleted successfully.
C:\Users\Ethan\Downloads\vioplayerv.exe (PUP.Optional.InstallIQ) -> Quarantined and deleted successfully.
C:\Users\Wendy\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\069E2YYF\live-kazika-aquarium-screensaver_setup.exe (PUP.Optional.InstallCore) -> Quarantined and deleted successfully.
C:\Users\Wendy\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8VT67AHZ\7zip_14371_stn2.exe (PUP.Optional.SafeInstall.A) -> Quarantined and deleted successfully.
C:\Users\Wendy\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\OP1W9BPC\7zip_14378_stn.exe (PUP.Optional.SafeInstall.A) -> Quarantined and deleted successfully.
C:\Users\Wendy\AppData\Local\SaveSense\SaveSenseIE.dll (PUP.Optional.SaveSence.A) -> Quarantined and deleted successfully.
C:\Users\Wendy\AppData\Local\Temp\HomePageDLL.dll.171760127 (PUP.Optional.Installcore) -> Quarantined and deleted successfully.
C:\Users\Wendy\AppData\Local\Temp\sas.exe.171760127 (PUP.Optional.SaveSense.A) -> Quarantined and deleted successfully.
C:\Users\Wendy\AppData\Local\Temp\{B156D437-7E48-4686-A6FE-112FF771F942}\o-update\SaveSenseLive.exe (PUP.Optional.SaveSense.A) -> Quarantined and deleted successfully.
C:\Users\Wendy\Downloads\KazikaScrSetup.exe (PUP.Optional.OutBrowse) -> Quarantined and deleted successfully.
C:\Users\Chad\AppData\Local\Google\Chrome\User Data\Default\Local Storage\chrome-extension_pflphaooapbgpeakohlggbpidpppgdff_0.localstorage (PUP.Optional.FunMoods.A) -> Quarantined and deleted successfully.
C:\Users\Ethan\AppData\Roaming\data.sec (Malware.Trace.E) -> Quarantined and deleted successfully.
C:\Users\Chad\AppData\Local\Temp\ct3306061\chromeid.txt (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\Users\Chad\AppData\Local\Temp\ct3306061\setup.ini.txt (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\ProgramData\SaveSenseLive\Update\Log\SaveSenseLive.log (PUP.Optional.SaveSense) -> Quarantined and deleted successfully.
C:\Users\Wendy\AppData\Roaming\SaveSense\UpdateProc\config.dat (PUP.Optional.SaveSense) -> Quarantined and deleted successfully.
C:\Users\Wendy\AppData\Roaming\SaveSense\UpdateProc\STTL.DAT (PUP.Optional.SaveSense) -> Quarantined and deleted successfully.
C:\Users\Wendy\AppData\Roaming\SaveSense\UpdateProc\TTL.DAT (PUP.Optional.SaveSense) -> Quarantined and deleted successfully.
C:\Users\Wendy\AppData\Roaming\SaveSense\UpdateProc\UpdateTask.exe (PUP.Optional.SaveSense) -> Quarantined and deleted successfully.
C:\Users\Wendy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SaveSense\SaveSense Help.url (PUP.Optional.SaveSense) -> Quarantined and deleted successfully.
C:\Users\Wendy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SaveSense\SaveSense.url (PUP.Optional.SaveSense) -> Quarantined and deleted successfully.
C:\Users\Wendy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SaveSense\Uninstall SaveSense.lnk (PUP.Optional.SaveSense) -> Quarantined and deleted successfully.
C:\Users\Wendy\AppData\Local\SaveSense\icon.ico (PUP.Optional.SaveSense.A) -> Quarantined and deleted successfully.
C:\Users\Wendy\AppData\Local\SaveSense\installer_icon.ico (PUP.Optional.SaveSense.A) -> Quarantined and deleted successfully.
C:\Users\Wendy\AppData\Local\SaveSense\SaveSense.crx (PUP.Optional.SaveSense.A) -> Quarantined and deleted successfully.
C:\Users\Wendy\AppData\Local\SaveSense\SaveSense.xpi (PUP.Optional.SaveSense.A) -> Quarantined and deleted successfully.
C:\Users\Wendy\AppData\Local\SaveSense\SaveSenseIE64.dll (PUP.Optional.SaveSense.A) -> Quarantined and deleted successfully.
C:\Users\Wendy\AppData\Local\SaveSense\SaveSenseUpdateVer.exe (PUP.Optional.SaveSense.A) -> Quarantined and deleted successfully.
C:\Users\Wendy\AppData\Local\SaveSense\uninst.exe (PUP.Optional.SaveSense.A) -> Quarantined and deleted successfully.

(end)
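The log above is worth more than a tick-box: the paths show junkware installers and their leftovers under four separate profiles (Chad, Wendy, Courtney and Ethan), two registry settings that MBAM had to repair rather than delete (the MySearchDial start-page hijack), and one detection that is not classed as PUP at all (Malware.Trace.E). The following Python script is an added example, not part of the thread and not Malwarebytes code: it parses detection lines in the shape MBAM 1.x prints them (`<object> (<family>) -> ... <action>.`, an assumption about the format based only on the log posted here), attributes each one to a user profile or to the machine-wide scope, and pulls out the repaired settings and the non-PUP hits for a second look. The embedded sample is an excerpt of the lines actually posted above; run it against the full saved mbam-log file to get the complete breakdown.

```python
"""Triage helper for a Malwarebytes 1.x scan log (added example, not MBAM code).

Each detection line has the shape
    <object> (<family>) -> [Data: ... -> | Bad: (...) Good: (...) -> ]<action>.
The script pulls those lines out, attributes each to a Windows user profile
(or to the machine-wide scope for HKLM/HKCR/ProgramData objects) and separates
settings that were *repaired* (browser hijacks) from objects that were deleted.
Assumption: the line shape above; section headers and counts are skipped.
"""
import re
from collections import Counter, namedtuple

Detection = namedtuple("Detection", "obj family action scope")

DETECTION_RE = re.compile(
    r"^(?P<obj>\S.*?) \((?P<family>[A-Za-z0-9_.]+)\) -> "
    r"(?:.*-> )?(?P<action>Quarantined and (?:deleted|repaired) successfully)\.$"
)
PROFILE_RE = re.compile(r"^[A-Za-z]:\\Users\\([^\\]+)\\", re.IGNORECASE)

# Excerpt of the detection lines from the MBAM log posted above (10 of the 63
# objects it reported), plus the kind of header lines the parser must ignore.
SAMPLE_LOG = r"""
Memory Processes Detected: 0
(No malicious items detected)

Registry Keys Detected: 4
HKCR\CLSID\{D40753C7-8A59-4C1F-BE88-C300F4624D5B} (PUP.Optional.MySearchDial.A) -> Quarantined and deleted successfully.

Registry Values Detected: 1
HKCU\Software\InstallCore|tb (PUP.Optional.InstallCore.A) -> Data: 0A2O0R1R1H2Z1S1G0H1F -> Quarantined and deleted successfully.

Registry Data Items Detected: 2
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main|Start Page (PUP.Optional.MySearchDial.A) -> Bad: (http://start.mysearchdial.com/?f=1&a=dsites1202&cd=2XzuyEtN2Y1L1Qzu0EtBtCzzzzyDyCzyyB0C0BtCtA0ByC0EtN0D0Tzu0SyBtCyBtN1L2XzutBtFtBtFtCyEtFtCtAyBzytN1L1CzutCyD1B1P1R&cr=997218542&ir=) Good: (http://www.google.com) -> Quarantined and repaired successfully.

Folders Detected: 10
C:\ProgramData\SaveSenseLive (PUP.Optional.SaveSense) -> Quarantined and deleted successfully.
C:\Users\Wendy\AppData\Roaming\SaveSense (PUP.Optional.SaveSense) -> Quarantined and deleted successfully.

Files Detected: 46
C:\Users\Chad\AppData\Local\Temp\ct3306061\ctbe.exe (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\Users\Courtney\Downloads\FLVPlayerSetup-9KHr61H.exe (PUP.Optional.Somoto) -> Quarantined and deleted successfully.
C:\Users\Ethan\Downloads\RollerCoaster Tycoon 3.exe (PUP.Optional.Firseria) -> Quarantined and deleted successfully.
C:\Users\Ethan\AppData\Roaming\data.sec (Malware.Trace.E) -> Quarantined and deleted successfully.
C:\Users\Wendy\AppData\Local\SaveSense\SaveSenseIE.dll (PUP.Optional.SaveSence.A) -> Quarantined and deleted successfully.
"""


def scope_of(obj):
    """Profile name for <drive>:\\Users\\<name>\\..., else HKCU or machine-wide."""
    m = PROFILE_RE.match(obj)
    if m:
        return m.group(1)
    if obj.upper().startswith("HKCU\\"):
        return "HKCU (scanning user)"
    return "machine-wide"


def parse_detections(text):
    """Return one Detection per detection line; headers and counts are skipped."""
    found = []
    for line in text.splitlines():
        m = DETECTION_RE.match(line.strip())
        if m:
            found.append(Detection(m["obj"], m["family"], m["action"],
                                   scope_of(m["obj"])))
    return found


def summarize(text):
    """Counts per profile and family, plus the two lists worth a second look."""
    dets = parse_detections(text)
    return {
        "total": len(dets),
        "by_profile": Counter(d.scope for d in dets),
        "by_family": Counter(d.family for d in dets),
        # settings MBAM rewrote rather than deleted: the browser hijack itself
        "repaired": [d.obj for d in dets if "repaired" in d.action],
        # anything not classed as PUP deserves more than a PUP clean-up
        "non_pup": [d.obj for d in dets if not d.family.startswith("PUP.")],
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print(f"{report['total']} detections")
    for scope, n in report["by_profile"].most_common():
        print(f"  {n:3d}  {scope}")
    print("repaired settings:", *report["repaired"], sep="\n  ")
    print("non-PUP detections:", *report["non_pup"], sep="\n  ")
```

The per-profile count is the practical output: a clean-up run from one account does not touch the other users' HKCU hives or their Start Menu and AppData folders, so every profile that shows up in the list needs its own check. Note that the family string is kept exactly as MBAM emitted it (including the `SaveSence` spelling), so the same product can appear under two names.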



#6 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  • Gender:Male
  • Location:Numpty HQ
  • Local time:12:39 PM

Posted 28 March 2014 - 02:50 PM

Good evening. :)

Pay a visit to the ESET Online Scanner.

  • Click the Run ESET Online Scanner button.
  • If you are using any browser other than IE, you will be prompted to download and run esetsmartinstaller_enu.exe and the scan will run from within the window that the executable opens.
  • Regardless of which browser you are using, you will be shown some terms and conditions and you will need to accept these to continue.
  • If you are running IE for this scan you will then be prompted to allow an ActiveX component to be downloaded, unless you already have it installed, and the scan will run inside IE.
  • When you see the Computer Scan Settings window, you will need to make the following changes:

    • UNCHECK Remove found threats - this is important.
    • Check Scan archives
    • Click on Advanced settings
    • Check Scan for potentially unsafe applications
  • Once ready, click Start to begin - not a surprise really!
  • The anti-virus definitions will now be downloaded, so don't forget to allow them through your firewall if prompted.
  • The above will take a little time, so now is a good time to fire up the kettle and open the biccies.
  • Once the scan has completed you will be shown the results - assuming that the scanner has found anything.
  • Click List of found threats and then Export to text file... and save the log somewhere convenient.
  • You can then close out the scanner - don't bother uninstalling it as you may need to use it again.
  • Please post the contents of this file in your next reply, or let me know that nothing was identified.


Will you also throw in a fresh DDS log and let me know how the PC is behaving.


So long, and thanks for all the fish.

 

 


#7 cpotter

cpotter
  • Topic Starter

  • Members
  • 148 posts
  • OFFLINE
  • Local time:07:39 AM

Posted 30 March 2014 - 08:29 PM

Computer seems to be running OK.

ESET:

C:\Dropbox\Downloads\Nero 6.3.0.3  Keygen.ZIP a variant of Win32/Keygen.CY potentially unsafe application
C:\Dropbox\Downloads\PC Diagnostics\Ultimate Boot CD.iso Win32/PSWTool.KonBoot.A potentially unsafe application
C:\Program Files (x86)\Dell DataSafe Local Backup\hstart.exe a variant of Win32/HiddenStart.A potentially unsafe application
C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\hstart.exe a variant of Win32/HiddenStart.A potentially unsafe application
C:\Users\Chad\AppData\Local\Temp\AskSLib.dll a variant of Win32/Bundled.Toolbar.Ask potentially unsafe application
C:\Users\Ethan\AppData\Local\Temp\{EAC9D6D6-DB52-4693-98DE-78902D2FC9BB}\setup.exe multiple threats

DDS:

DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 11.0.9600.16521
Run by Chad at 20:27:35 on 2014-03-30
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.6014.3774 [GMT -5:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {641105E6-77ED-3F35-A304-765193BCB75F}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Microsoft Security Essentials *Enabled/Updated* {DF70E402-51D7-30BB-99B4-4D23E83BFDE2}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskhost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\Dell DataSafe Local Backup\sftservice.EXE
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files (x86)\Dell Wireless\Ath_WlanAgent.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\System32\WUDFHost.exe
C:\Program Files (x86)\Dell DataSafe Local Backup\TOASTER.EXE
C:\Program Files (x86)\Dell DataSafe Local Backup\COMPONENTS\SCHEDULER\STSERVICE.EXE
C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpd.exe
C:\Windows\system32\Dwm.exe
C:\Windows\System32\rundll32.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\explorer.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files (x86)\WinPatrol\WinPatrol.exe
C:\Program Files (x86)\CyberLink\PowerDVD9\PDVD9Serv.exe
C:\Program Files (x86)\CyberLink\Shared files\brs.exe
C:\Program Files (x86)\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files (x86)\Brother\Brmfcmon\BrMfcWnd.exe
C:\Users\Chad\AppData\Roaming\Dropbox\bin\Dropbox.exe
C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe
C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe
C:\Program Files (x86)\Brother\Brmfcmon\BrMfimon.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
c:\Program Files\Microsoft Security Client\NisSrv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
C:\Windows\system32\Macromed\Flash\FlashUtil64_12_0_0_77_ActiveX.exe
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\System32\MsSpellCheckingFacility.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uDefault_Page_URL = www.dell.com
mStart Page = hxxp://www.google.com
mWinlogon: Userinit = userinit.exe,
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
uRun: [WinPatrol] C:\Program Files (x86)\WinPatrol\winpatrol.exe -expressboot
mRun: [RemoteControl9] "C:\Program Files (x86)\CyberLink\PowerDVD9\PDVD9Serv.exe"
mRun: [PDVD9LanguageShortcut] "C:\Program Files (x86)\CyberLink\PowerDVD9\Language\Language.exe"
mRun: [BDRegion] C:\Program Files (x86)\Cyberlink\Shared Files\brs.exe
mRun: [SSBkgdUpdate] "C:\Program Files (x86)\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [PaperPort PTD] "C:\Program Files (x86)\ScanSoft\PaperPort\pptd40nt.exe"
mRun: [IndexSearch] "C:\Program Files (x86)\ScanSoft\PaperPort\IndexSearch.exe"
mRun: [PPort11reminder] "C:\Program Files (x86)\ScanSoft\PaperPort\Ereg\Ereg.exe" -r "C:\ProgramData\ScanSoft\PaperPort\11\Config\Ereg\Ereg.ini"
mRun: [BrMfcWnd] C:\Program Files (x86)\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
mRun: [ControlCenter3] C:\Program Files (x86)\Brother\ControlCenter3\brctrcen.exe /autorun
mRun: [DivXMediaServer] C:\Program Files (x86)\DivX\DivX Media Server\DivXMediaServer.exe
mRun: [DivXUpdate] "C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
StartupFolder: C:\Users\Chad\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Dropbox.lnk - C:\Users\Chad\AppData\Roaming\Dropbox\bin\Dropbox.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
uPolicies-System: Shell = %windir%\lock.exe
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-Explorer: NoActiveDesktopChanges = dword:1
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE/3000
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
TCP: NameServer = 208.67.220.220 208.67.222.222
TCP: Interfaces\{522CC9A3-8913-4390-9A52-FEB63846953C} : DHCPNameServer = 208.67.220.220 208.67.222.222
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
SSODL: WebCheck - <orphaned>
x64-mStart Page = hxxp://start.mysearchdial.com/?f=1&a=dsites1202&cd=2XzuyEtN2Y1L1Qzu0EtBtCzzzzyDyCzyyB0C0BtCtA0ByC0EtN0D0Tzu0SyBtCyBtN1L2XzutBtFtBtFtCyEtFtCtAyBzytN1L1CzutCyD1B1P1R&cr=997218542&ir=
x64-BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
x64-Run: [IgfxTray] C:\Windows\System32\igfxtray.exe
x64-Run: [HotKeysCmds] C:\Windows\System32\hkcmd.exe
x64-Run: [Persistence] C:\Windows\System32\igfxpers.exe
x64-Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
x64-Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - <orphaned>
x64-Notify: igfxcui - igfxdev.dll
x64-SSODL: WebCheck - <orphaned>
.
============= SERVICES / DRIVERS ===============
.
R0 iusb3hcs;Intel® USB 3.0 Host Controller Switch Driver;C:\Windows\System32\drivers\iusb3hcs.sys [2013-1-24 16152]
R0 MpFilter;Microsoft Malware Protection Driver;C:\Windows\System32\drivers\MpFilter.sys [2013-9-27 248240]
R0 PxHlpa64;PxHlpa64;C:\Windows\System32\drivers\PxHlpa64.sys [2013-1-24 55856]
R2 NisDrv;Microsoft Network Inspection System;C:\Windows\System32\drivers\NisDrvWFP.sys [2013-9-27 134944]
R2 SftService;SoftThinks Agent Service;C:\Program Files (x86)\Dell DataSafe Local Backup\SftService.exe [2013-1-24 1695040]
R2 ZAtheros Wlan Agent;ZAtheros Wlan Agent;C:\Program Files (x86)\Dell Wireless\Ath_WlanAgent.exe [2013-1-24 73728]
R3 IntcDAud;Intel® Display Audio;C:\Windows\System32\drivers\IntcDAud.sys [2013-1-24 331264]
R3 iusb3hub;Intel® USB 3.0 Hub Driver;C:\Windows\System32\drivers\iusb3hub.sys [2013-1-24 356120]
R3 iusb3xhc;Intel® USB 3.0 eXtensible Host Controller Driver;C:\Windows\System32\drivers\iusb3xhc.sys [2013-1-24 788760]
R3 NisSrv;Microsoft Network Inspection;C:\Program Files\Microsoft Security Client\NisSrv.exe [2013-10-23 348376]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\System32\drivers\Rt64win7.sys [2013-1-24 565352]
S2 CLKMSVC10_9EC60124;CyberLink Product - 2013/01/23 23:35:13;C:\Program Files (x86)\CyberLink\PowerDVD9\NavFilter\kmsvc.exe [2011-8-11 248304]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2013-9-11 105144]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2013-9-11 124088]
S3 IEEtwCollectorService;Internet Explorer ETW Collector Service;C:\Windows\System32\ieetwcollector.exe [2014-3-12 111616]
S3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;C:\Windows\System32\drivers\nusb3hub.sys [2012-2-27 80384]
S3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;C:\Windows\System32\drivers\nusb3xhc.sys [2012-2-27 180736]
S3 NvStUSB;NVIDIA Stereoscopic 3D USB driver;C:\Windows\System32\drivers\nvstusb.sys [2013-1-24 398144]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2010-11-20 59392]
S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\System32\drivers\TsUsbGD.sys [2010-11-20 31232]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2013-1-31 1255736]
.
=============== Created Last 30 ================
.
2014-03-30 03:02:31 1031560 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{734C6FB0-36D2-4ECF-86B2-32BFF71CB9B8}\gapaengine.dll
2014-03-30 03:01:37 10521840 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{9B991F23-4102-4278-B9D7-1FF1EEE16DAD}\mpengine.dll
2014-03-30 02:51:34 -------- d-----w- C:\Program Files (x86)\ESET
2014-03-27 14:31:53 10521840 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2014-03-25 13:38:32 1031560 ------w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{525EACDF-8894-49ED-89EA-406187D3EACD}\gapaengine.dll
2014-03-25 13:27:19 -------- d-----w- C:\Users\Chad\AppData\Roaming\DropboxMaster
2014-03-12 05:36:07 624128 ----a-w- C:\Windows\System32\qedit.dll
2014-03-12 05:36:07 509440 ----a-w- C:\Windows\SysWow64\qedit.dll
2014-03-12 05:36:06 1424384 ----a-w- C:\Windows\System32\WindowsCodecs.dll
2014-03-12 05:36:06 1230336 ----a-w- C:\Windows\SysWow64\WindowsCodecs.dll
2014-03-07 11:31:54 -------- d-----w- C:\Users\Chad\AppData\Roaming\Malwarebytes
2014-03-07 11:31:44 -------- d-----w- C:\ProgramData\Malwarebytes
2014-03-07 11:31:43 25928 ----a-w- C:\Windows\System32\drivers\mbam.sys
2014-03-07 11:31:43 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2014-03-07 11:31:01 -------- d-----w- C:\Users\Chad\AppData\Roaming\WinPatrol
2014-03-07 11:30:57 -------- d-----w- C:\ProgramData\InstallMate
2014-03-07 11:30:57 -------- d-----w- C:\Program Files (x86)\WinPatrol
2014-03-06 17:19:05 1031560 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\NISBackup\gapaengine.dll
2014-03-04 17:44:34 -------- d-----w- C:\Program Files (x86)\Microsoft Security Client
2014-03-04 17:44:28 -------- d-----w- C:\Program Files\Microsoft Security Client
2014-03-04 17:32:08 -------- d-----w- C:\Program Files (x86)\Revo Uninstaller
.
==================== Find3M  ====================
.
2014-03-12 05:22:34 71048 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2014-03-12 05:22:34 692616 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2014-03-01 05:17:02 2724864 ----a-w- C:\Windows\System32\mshtml.tlb
2014-03-01 05:16:26 4096 ----a-w- C:\Windows\System32\ieetwcollectorres.dll
2014-03-01 04:52:55 66048 ----a-w- C:\Windows\System32\iesetup.dll
2014-03-01 04:51:59 48640 ----a-w- C:\Windows\System32\ieetwproxystub.dll
2014-03-01 04:33:52 139264 ----a-w- C:\Windows\System32\ieUnatt.exe
2014-03-01 04:33:34 111616 ----a-w- C:\Windows\System32\ieetwcollector.exe
2014-03-01 04:32:59 708608 ----a-w- C:\Windows\System32\jscript9diag.dll
2014-03-01 04:23:49 940032 ----a-w- C:\Windows\System32\MsSpellCheckingFacility.exe
2014-03-01 04:11:20 2724864 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2014-03-01 03:54:33 5768704 ----a-w- C:\Windows\System32\jscript9.dll
2014-03-01 03:52:43 61952 ----a-w- C:\Windows\SysWow64\iesetup.dll
2014-03-01 03:51:53 51200 ----a-w- C:\Windows\SysWow64\ieetwproxystub.dll
2014-03-01 03:38:26 112128 ----a-w- C:\Windows\SysWow64\ieUnatt.exe
2014-03-01 03:37:35 553472 ----a-w- C:\Windows\SysWow64\jscript9diag.dll
2014-03-01 03:35:11 2041856 ----a-w- C:\Windows\System32\inetcpl.cpl
2014-03-01 03:14:15 4244480 ----a-w- C:\Windows\SysWow64\jscript9.dll
2014-03-01 03:10:28 2334208 ----a-w- C:\Windows\System32\wininet.dll
2014-03-01 03:00:08 1964032 ----a-w- C:\Windows\SysWow64\inetcpl.cpl
2014-03-01 02:32:16 1820160 ----a-w- C:\Windows\SysWow64\wininet.dll
2014-02-07 01:23:30 3156480 ----a-w- C:\Windows\System32\win32k.sys
2014-01-29 02:32:18 484864 ----a-w- C:\Windows\System32\wer.dll
2014-01-29 02:06:47 381440 ----a-w- C:\Windows\SysWow64\wer.dll
2014-01-28 02:32:46 228864 ----a-w- C:\Windows\System32\wwansvc.dll
2014-01-19 07:33:29 270496 ------w- C:\Windows\System32\MpSigStub.exe
.
============= FINISH: 20:27:55.59 ===============
 

#8 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Numpty HQ
  • Local time:12:39 PM

Posted 31 March 2014 - 03:23 PM

Good evening. :)

Download TFC (Temporary File Cleaner) by OldTimer from here and save it to your Desktop.
 

  • You will need to close all open programs and save any work as TFC will require a reboot.
  • Double-click TFC.exe to run it. (Note: If you are using Vista, right-click the file and select Run As Administrator from the menu that appears).
  • Click the Start button to begin. Depending on how often you clean temp files, execution time could be anywhere from a few seconds to a minute or two - just sit back and enjoy the view.
  • Once it has finished it should reboot your PC all by itself. If it does not, please manually reboot.
  • Once rebooted your PC will run like a Cray supercomputer, or at least have less junk on the hard drive - OT's not a miracle worker you know!
  • Please note that this tool will empty the Recycle Bin as part of its actions. If you have anything in there that you haven't finished with, move it first.

 

The only other thing I see is:

 

C:\Dropbox\Downloads\Nero 6.3.0.3  Keygen.ZIP a variant of Win32/Keygen.CY potentially unsafe application

 

It's not recommended to use keygens due to the risk of malicious code being found in them - I'd delete it.


So long, and thanks for all the fish.

 

 


#9 cpotter

cpotter
  • Topic Starter

  • Members
  • 148 posts
  • OFFLINE
  •  
  • Local time:07:39 AM

Posted 31 March 2014 - 08:41 PM

Ran TFC without problems.

 

Deleted Keygen.

 

Anything else I need to do?  Or are we clean?

 

Thanks so much for the help.



#10 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Numpty HQ
  • Local time:12:39 PM

Posted 01 April 2014 - 01:14 PM

Good evening. :)

I'd say that you were good to go.


So long, and thanks for all the fish.

 

 


#11 cpotter

cpotter
  • Topic Starter

  • Members
  • 148 posts
  • OFFLINE
  •  
  • Local time:07:39 AM

Posted 01 April 2014 - 02:47 PM

Thanks for all the help!



#12 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Numpty HQ
  • Local time:12:39 PM

Posted 02 April 2014 - 02:35 PM

As this issue appears to have been resolved, this thread is now closed.


So long, and thanks for all the fish.

 

 