
Infected with multiple malware: Cidox, Trojan-Spy.Win32.Zbot, infected svchost.exe


This topic is locked
15 replies to this topic

#1 Outlaw Paxton

  • Members

Posted 16 April 2014 - 03:30 AM

Already did some scans with TDSSKiller and HitmanPro, and they detected Trojan-Spy.Win32.Zbot, Rootkit.Win32.PMax.gen, and Rootkit.Boot.Cidox.b. I'm not sure how this machine got so badly infected. The user may have opened a link or some file by accident.

 

The infected svchost.exe is causing the most problems, creating multiple connections and slowing down the internet connection. Explorer.exe would also crash and would create connections as well. Internet Explorer would pop up to back-linking websites.

 

No restore CD for this computer, although I do have a copy of XP meant for Dell machines, and this is a Dell.

 

Just need to know how I can stop the svchost.exe from creating connections.

 

DDS attached.

Attached File  dds1.txt   9.67KB   1 downloads


Edited by Outlaw Paxton, 16 April 2014 - 03:32 AM.




#2 B-boy/StyLe/

    Bleepin' Freestyler

  • Malware Response Team
  • Location:Bulgaria

Posted 16 April 2014 - 04:10 AM

Hello! Welcome to BleepingComputer Forums! :welcome:
My name is Georgi and I will be helping you with your computer problems.

Before we begin, please note the following:

  • I will be working on your malware issues; this may or may not solve other issues you have with your machine.
  • The logs can take some time to research, so please be patient with me.
  • Stay with the topic until I tell you that your system is clean. The absence of symptoms does not mean that everything is okay.
  • Instructions that I give are for your system only!
  • Please do not run any tools until requested! The reason for this is so that I know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.
  • Please perform all steps in the order received. If you can't understand something, don't hesitate to ask.
  • Again, I would like to remind you to make no further changes to your computer unless I direct you to do so. I will not help you if you do not follow my instructions.

 

 

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.

  • Double-click to run it. When the tool opens, click Yes to the disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run from. Please copy and paste it into your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

 

Regards,

Georgi




#3 Outlaw Paxton

  • Topic Starter
  • Members

Posted 16 April 2014 - 11:10 PM

See next reply.


Edited by Outlaw Paxton, 17 April 2014 - 05:35 AM.


#4 B-boy/StyLe/

    Bleepin' Freestyler

  • Malware Response Team
  • Location:Bulgaria

Posted 17 April 2014 - 01:14 AM

Hello,

 

Please don't edit the user names, because the script is not going to work due to a wrong file path.

Also, don't try to repair it on your own, as this can mess up the cleanup process!

Run a new scan with FRST (make sure that Addition.txt is checked) and post the fresh logs in your next reply.

 

 

Regards,

Georgi




#5 Outlaw Paxton

  • Topic Starter
  • Members

Posted 17 April 2014 - 05:44 AM

Hello,

 

Please don't edit the user names, because the script is not going to work due to a wrong file path.

Also, don't try to repair it on your own, as this can mess up the cleanup process!

Run a new scan with FRST (make sure that Addition.txt is checked) and post the fresh logs in your next reply.

 

 

Regards,

Georgi

OK, well, since it isn't showing their full name anyway, I guess I will post it. Although I'd like to ask: what script did you mean? Is it one you run? Anyway, here is the log; below is the screenshot from TCPView as well.

 

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 17-04-2014
Ran by BWILLIAMS (administrator) on CB5E14 on 17-04-2014 06:27:01
Running from C:\temp1\AV + ANTIMALWARE
Microsoft Windows XP Professional Service Pack 3 (X86) OS Language: English(US)
Internet Explorer Version 8
Boot Mode: Normal

The only official download link for FRST:
Download link for 32-Bit version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/81/
Download link for 64-Bit Version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/82/
Download link from any site other than Bleeping Computer is unpermitted or outdated.
See tutorial for FRST: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(Sun Microsystems, Inc.) C:\Program Files\Java\jre6\bin\jqs.exe
() C:\Program Files\Common Files\DesktopUtil\MCTDesktopSvr.exe
() C:\Program Files\MCT\VGA0007\Utility\MCTUISvr.exe
(Intuit) C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
(Magic Control Technology Corporation) C:\Program Files\MCT\VGA0007\Utility\mxvgautil.exe
(Magic Control Technology Corporation) C:\Program Files\Common Files\DesktopUtil\FDispPos.exe
(TODO: <Company name>) C:\Program Files\MCT\VGA0007\Utility\MCTCIDUtil.exe
(Microsoft Corporation) C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
(Analog Devices, Inc.) C:\Program Files\Analog Devices\Core\smax4pnp.exe
(Intel Corporation) C:\WINDOWS\system32\hkcmd.exe
(Intel Corporation) C:\WINDOWS\system32\igfxpers.exe
(Magic Control Technology Corporation) C:\Program Files\Common Files\DesktopUtil\MCTDUtil.exe
(Intel Corporation) C:\WINDOWS\system32\igfxsrvc.exe
(Avanquest USA LLC) C:\Program Files\MySoftware\MyInvoices\tracker.exe
(ScanSoft, Inc.) C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe
() C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe
(Sony Corporation) C:\Program Files\Sony\Content Transfer\ContentTransferWMDetector.exe
() C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtProc.exe
(Adobe Systems Incorporated) C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
(Intuit Inc.) C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
(Microsoft Corporation) C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
(Analog Devices, Inc.) C:\Program Files\Analog Devices\Core\smax4pnp.exe
(Intel Corporation) C:\WINDOWS\system32\hkcmd.exe
(Intel Corporation) C:\WINDOWS\system32\igfxpers.exe
(Magic Control Technology Corporation) C:\Program Files\Common Files\DesktopUtil\MCTDUtil.exe
(Intel Corporation) C:\WINDOWS\system32\igfxsrvc.exe
(Magic Control Technology Corporation) C:\Program Files\Common Files\DesktopUtil\FDispPos.exe
(Magic Control Technology Corporation) C:\Program Files\MCT\VGA0007\Utility\mxvgautil.exe
(TODO: <Company name>) C:\Program Files\MCT\VGA0007\Utility\MCTCIDUtil.exe
(ScanSoft, Inc.) C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe
() C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe
(Sony Corporation) C:\Program Files\Sony\Content Transfer\ContentTransferWMDetector.exe
(Adobe Systems Incorporated) C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
() C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtProc.exe
(Intuit Inc.) C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
(Microsoft Corporation) C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE


==================== Registry (Whitelisted) ==================

HKLM\...\Run: [GrooveMonitor] => C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe [31016 2006-10-27] (Microsoft Corporation)
HKLM\...\Run: [SoundMAXPnP] => C:\Program Files\Analog Devices\Core\smax4pnp.exe [1044480 2009-06-22] (Analog Devices, Inc.)
HKLM\...\Run: [MCTDUtil] => C:\Program Files\Common Files\DesktopUtil\Util-Desktop.exe [188416 2010-04-26] ()
HKLM\...\Run: [FDispPos] => C:\Program Files\Common Files\DesktopUtil\Util-Desktop.exe [188416 2010-04-26] ()
HKLM\...\Run: [mxvgautil] => C:\Program Files\MCT\VGA0007\Utility\Util-VGA0900.exe [188416 2010-04-22] ()
HKLM\...\Run: [UTIL-VGA0900] => C:\Program Files\MCT\VGA0007\Utility\UTIL-VGA0900.exe [188416 2010-04-22] ()
HKLM\...\Run: [Tracker] => C:\Program Files\MySoftware\MyInvoices\tracker.exe [126976 2006-07-21] (Avanquest USA LLC)
HKLM\...\Run: [SSBkgdUpdate] => C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe [185896 2006-09-28] (Nuance Communications, Inc.)
HKLM\...\Run: [OpwareSE4] => C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe [75304 2006-10-11] (ScanSoft, Inc.)
HKLM\...\Run: [WrtMon.exe] => C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe [20480 2006-09-20] ()
HKLM\...\Run: [ContentTransferWMDetector.exe] => C:\Program Files\Sony\Content Transfer\ContentTransferWMDetector.exe [583016 2009-11-19] (Sony Corporation)
HKLM\...\Run: [Adobe Reader Speed Launcher] => C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [41056 2013-05-08] (Adobe Systems Incorporated)
HKLM\...\Run: [Adobe ARM] => C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [958576 2013-04-04] (Adobe Systems Incorporated)
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
ShortcutTarget: QuickBooks Update Agent.lnk -> C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe (Intuit Inc.)
Startup: C:\Documents and Settings\BWILLIAMS\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
ShortcutTarget: OneNote 2007 Screen Clipper and Launcher.lnk -> C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (Microsoft Corporation)

==================== Internet (Whitelisted) ====================

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
URLSearchHook: HKCU - YTNavAssistPlugin Class - {81017EA9-9AA8-4A6A-9734-7AF40E7D593F} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll (Yahoo! Inc.)
SearchScopes: HKLM - DefaultScope value is missing.
SearchScopes: HKCU - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
BHO: Adobe PDF Link Helper - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
BHO: JQSIEStartDetectorImpl Class - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C}
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll (Microsoft Corporation)
Handler: intu-help-qb1 - {9B0F96C7-2E4B-433e-ABF3-043BA1B54AE3} - C:\Program Files\Intuit\QuickBooks 2008\HelpAsyncPluggableProtocol.dll (TODO: <Company name>)
Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - C:\WINDOWS\system32\mscoree.dll (Microsoft Corporation)
Winsock: Catalog5 01 mswsock.dll File Not found () ATTENTION: The LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
Winsock: Catalog5 03 mswsock.dll File Not found () ATTENTION: The LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 209.18.47.61 209.18.47.62

FireFox:
========
FF ProfilePath: C:\Documents and Settings\BWILLIAMS\Application Data\Mozilla\Firefox\Profiles\g7obfg58.default
FF NewTab: about:blank
FF Homepage: https://www.yahoo.com/
FF Plugin: @adobe.com/FlashPlayer - C:\WINDOWS\system32\Macromed\Flash\NPSWF32_11_8_800_94.dll ()
FF Plugin: @java.com/JavaPlugin - C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF Plugin: @microsoft.com/WPF,version=3.5 - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF Plugin: Adobe Reader - C:\Program Files\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF Extension: DownloadHelper - C:\Documents and Settings\BWILLIAMS\Application Data\Mozilla\Firefox\Profiles\g7obfg58.default\Extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d} [2014-04-13]
FF Extension: Adblock Plus - C:\Documents and Settings\BWILLIAMS\Application Data\Mozilla\Firefox\Profiles\g7obfg58.default\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2013-08-20]
FF HKLM\...\Firefox\Extensions: [jqs@sun.com] - C:\Program Files\Java\jre6\lib\deploy\jqs\ff
FF Extension: Java Quick Starter - C:\Program Files\Java\jre6\lib\deploy\jqs\ff [2011-05-17]
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF Extension: Microsoft .NET Framework Assistant - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ []

========================== Services (Whitelisted) =================

R2 6to4; C:\WINDOWS\System32\6to4svc.dll [100864 2010-02-12] (Microsoft Corporation)
R2 JavaQuickStarterService; C:\Program Files\Java\jre6\bin\jqs.exe [153376 2011-10-03] (Sun Microsystems, Inc.)
R2 MCTDesktopSvr; C:\Program Files\Common Files\DesktopUtil\MCTDesktopSvr.exe [192512 2010-04-26] ()
R2 MCTUISvr; C:\Program Files\MCT\VGA0007\Utility\MCTUISvr.exe [192512 2010-07-02] ()
S3 JRX; C:\DOCUME~1\BWILLI~1\LOCALS~1\Temp\JRX.exe [X]

==================== Drivers (Whitelisted) ====================

S3 A5AGU; C:\WINDOWS\System32\DRIVERS\A5AGU.sys [386784 2008-06-13] (D-Link Corporation)
R2 AegisP; C:\WINDOWS\System32\DRIVERS\AegisP.sys [21035 2011-10-29] (Meetinghouse Data Communications)
R2 EAPPkt; C:\WINDOWS\System32\DRIVERS\EAPPkt.sys [38144 2006-11-15] (Windows ® 2000 DDK provider)
S3 hitmanpro37; C:\WINDOWS\system32\drivers\hitmanpro37.sys [30976 2014-04-16] ()
R3 HPFXBULK; C:\WINDOWS\System32\drivers\hpfxbulk.sys [17432 2007-07-16] (Hewlett Packard)
S3 nm; C:\WINDOWS\System32\DRIVERS\NMnt.sys [40320 2008-04-13] (Microsoft Corporation)
S3 rt2870; C:\WINDOWS\System32\DRIVERS\Drt2870.sys [829152 2010-05-06] (Ralink Technology, Corp.)
S3 rtl8139; C:\WINDOWS\System32\DRIVERS\RTL8139.SYS [20992 2004-08-03] (Realtek Semiconductor Corporation)
R1 Tcpip6; C:\WINDOWS\System32\DRIVERS\tcpip6.sys [226880 2010-02-11] (Microsoft Corporation)
R3 xMrMINI; C:\WINDOWS\System32\DRIVERS\xMrMini.sys [256768 2010-06-23] (Magic Control Technology Corp.)
R3 xVGAMINI; C:\WINDOWS\System32\DRIVERS\xVgaMini.sys [260480 2010-06-23] (Magic Control Technology Corp.)
S3 xVGAUSB; C:\WINDOWS\System32\drivers\xvgausb.sys [41984 2010-01-25] (Magic Control Technology Corp.)
S3 catchme; \??\C:\DOCUME~1\BWILLI~1\LOCALS~1\Temp\catchme.sys [X]
S4 IntelIde; No ImagePath
S3 RTLWUSB; system32\DRIVERS\RTL8187.sys [X]
U5 ScsiPort; C:\WINDOWS\system32\drivers\scsiport.sys [96384 2008-04-13] (Microsoft Corporation)
U5 UnlockerDriver5; C:\Program Files\Unlocker\UnlockerDriver5.sys [4096 2010-07-04] () <===== ATTENTION Necurs Rootkit?

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2014-04-17 05:54 - 2014-04-17 05:54 - 00000767 _____ () C:\Documents and Settings\Administrator\Start Menu\Programs\Internet Explorer.lnk
2014-04-17 05:54 - 2014-04-17 05:54 - 00000000 __SHD () C:\Documents and Settings\Administrator\IETldCache
2014-04-17 05:54 - 2014-04-17 05:54 - 00000000 ____D () C:\Documents and Settings\Administrator\Local Settings\Application Data\Scansoft
2014-04-17 05:53 - 2014-04-17 05:58 - 00000178 ___SH () C:\Documents and Settings\Administrator\ntuser.ini
2014-04-17 05:53 - 2014-04-17 05:54 - 00000738 _____ () C:\Documents and Settings\Administrator\Start Menu\Programs\Outlook Express.lnk
2014-04-17 05:53 - 2014-04-17 05:54 - 00000000 ____D () C:\Documents and Settings\Administrator
2014-04-17 05:53 - 2014-04-17 05:53 - 00000792 _____ () C:\Documents and Settings\Administrator\Start Menu\Programs\Windows Media Player.lnk
2014-04-17 05:53 - 2014-04-17 05:53 - 00000432 __RSH () C:\Documents and Settings\Administrator\ntuser.pol
2014-04-17 05:53 - 2014-04-17 05:53 - 00000394 _____ () C:\WINDOWS\wmsetup.log
2014-04-17 05:53 - 2014-04-17 05:53 - 00000000 ___RD () C:\Documents and Settings\Administrator\Start Menu\Programs\Accessories
2014-04-17 05:53 - 2011-05-17 21:57 - 00000000 ____D () C:\Documents and Settings\Administrator\Application Data\Macromedia
2014-04-17 05:53 - 2011-05-17 19:28 - 00001599 _____ () C:\Documents and Settings\Administrator\Start Menu\Programs\Remote Assistance.lnk
2014-04-17 01:36 - 2014-04-17 01:36 - 00000000 ____D () C:\Program Files\Mozilla Firefox
2014-04-17 01:29 - 2008-04-13 20:12 - 00014336 _____ (Microsoft Corporation) C:\WINDOWS\system32\Copy (3) of svchost.exe
2014-04-17 01:28 - 2014-04-17 01:28 - 00000000 ____D () C:\Program Files\Unlocker
2014-04-16 23:40 - 2014-04-17 06:23 - 00000000 ____D () C:\FRST
2014-04-16 13:47 - 2008-04-14 06:42 - 00014336 _____ (Microsoft Corporation) C:\WINDOWS\system32\svchost.exe
2014-04-16 04:43 - 2014-04-16 04:43 - 00030976 _____ () C:\WINDOWS\system32\Drivers\hitmanpro37.sys
2014-04-16 04:36 - 2014-04-16 04:36 - 00000000 ____D () C:\WINDOWS\ERUNT
2014-04-16 03:28 - 2014-04-16 03:28 - 00000000 ____D () C:\Program Files\ESET
2014-04-16 03:16 - 2014-04-16 03:16 - 00012872 _____ (SurfRight B.V.) C:\WINDOWS\system32\bootdelete.exe
2014-04-16 02:36 - 2014-04-16 02:36 - 00448512 _____ (OldTimer Tools) C:\TFC.exe
2014-04-14 03:35 - 2008-04-13 20:12 - 00014336 _____ (Microsoft Corporation) C:\WINDOWS\system32\Copy of svchost.exe
2014-04-14 03:23 - 2014-04-17 01:50 - 00000000 ____D () C:\AdwCleaner
2014-04-14 03:20 - 2014-04-14 03:20 - 00000000 ____D () C:\Program Files\HitmanPro
2014-04-14 03:19 - 2014-04-16 03:16 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\HitmanPro
2014-04-14 01:50 - 2014-04-14 01:50 - 00000000 ____D () C:\TDSSKiller_Quarantine
2014-04-14 00:20 - 2014-04-14 00:20 - 00000000 ____D () C:\Program Files\Magical Jelly Bean
2014-04-14 00:15 - 2014-04-14 00:15 - 00090112 _____ () C:\WINDOWS\Minidump\Mini041414-01.dmp
2014-04-13 22:15 - 2008-04-13 20:12 - 01033728 _____ (Microsoft Corporation) C:\WINDOWS\Copy of explorer.exe
2014-04-13 22:12 - 2014-04-14 04:43 - 00004880 _____ () C:\WINDOWS\setupapi.log
2014-04-13 22:10 - 2014-04-14 01:35 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\AVAST Software
2014-04-13 21:49 - 2014-04-14 02:08 - 00107736 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys
2014-04-13 21:48 - 2014-04-14 03:22 - 00000000 ____D () C:\Program Files\Malwarebytes Anti-Malware
2014-04-13 21:48 - 2014-04-13 21:48 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\Malwarebytes
2014-04-13 21:48 - 2014-04-03 09:51 - 00050648 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\mbamchameleon.sys
2014-04-13 21:48 - 2014-04-03 09:50 - 00023256 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\mbam.sys
2014-04-13 21:30 - 2014-04-13 21:50 - 00000078 _____ () C:\WINDOWS\wininit.ini
2014-04-13 21:29 - 2014-04-17 06:20 - 00085506 _____ () C:\WINDOWS\WindowsUpdate.log
2014-04-13 21:27 - 2014-04-13 22:02 - 00065536 _____ () C:\WINDOWS\system32\config\SpybotSD.evt
2014-04-13 21:27 - 2014-04-13 21:50 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2014-04-13 21:14 - 2014-04-13 21:14 - 00000000 ____D () C:\Program Files\Hijackthis
2014-04-13 20:52 - 2014-04-13 20:52 - 00000000 ____D () C:\Program Files\CCleaner
2014-04-13 20:45 - 2014-04-13 20:45 - 00000754 _____ () C:\WINDOWS\WORDPAD.INI
2014-04-13 20:24 - 2014-04-17 01:59 - 00000075 _____ () C:\WINDOWS\system32\avwuvx.aty
2014-04-13 20:20 - 2014-04-13 20:20 - 00000724 ____N () C:\Documents and Settings\BWILLIAMS\Desktop\firefox.lnk
2014-04-13 20:12 - 2014-04-13 20:12 - 00000064 _____ () C:\WINDOWS\system32\bgjsxvc.uar
2014-04-13 20:12 - 2014-04-13 20:12 - 00000000 _____ () C:\WINDOWS\system32\fiqc.pon
2014-04-13 20:11 - 2014-04-13 20:11 - 00234918 ____S () C:\WINDOWS\system32\upois.jab

==================== One Month Modified Files and Folders =======

2014-04-17 06:23 - 2014-04-16 23:40 - 00000000 ____D () C:\FRST
2014-04-17 06:22 - 2011-05-17 19:38 - 00000178 ___SH () C:\Documents and Settings\BWILLIAMS\ntuser.ini
2014-04-17 06:20 - 2014-04-13 21:29 - 00085506 _____ () C:\WINDOWS\WindowsUpdate.log
2014-04-17 06:19 - 2011-05-17 19:37 - 00032606 _____ () C:\WINDOWS\SchedLgU.Txt
2014-04-17 06:19 - 2011-05-17 19:37 - 00000006 ____H () C:\WINDOWS\Tasks\SA.DAT
2014-04-17 06:19 - 2011-05-17 15:22 - 00000159 _____ () C:\WINDOWS\wiadebug.log
2014-04-17 06:19 - 2011-05-17 15:22 - 00000049 _____ () C:\WINDOWS\wiaservc.log
2014-04-17 05:58 - 2014-04-17 05:53 - 00000178 ___SH () C:\Documents and Settings\Administrator\ntuser.ini
2014-04-17 05:54 - 2014-04-17 05:54 - 00000767 _____ () C:\Documents and Settings\Administrator\Start Menu\Programs\Internet Explorer.lnk
2014-04-17 05:54 - 2014-04-17 05:54 - 00000000 __SHD () C:\Documents and Settings\Administrator\IETldCache
2014-04-17 05:54 - 2014-04-17 05:54 - 00000000 ____D () C:\Documents and Settings\Administrator\Local Settings\Application Data\Scansoft
2014-04-17 05:54 - 2014-04-17 05:53 - 00000738 _____ () C:\Documents and Settings\Administrator\Start Menu\Programs\Outlook Express.lnk
2014-04-17 05:54 - 2014-04-17 05:53 - 00000000 ____D () C:\Documents and Settings\Administrator
2014-04-17 05:53 - 2014-04-17 05:53 - 00000792 _____ () C:\Documents and Settings\Administrator\Start Menu\Programs\Windows Media Player.lnk
2014-04-17 05:53 - 2014-04-17 05:53 - 00000432 __RSH () C:\Documents and Settings\Administrator\ntuser.pol
2014-04-17 05:53 - 2014-04-17 05:53 - 00000394 _____ () C:\WINDOWS\wmsetup.log
2014-04-17 05:53 - 2014-04-17 05:53 - 00000000 ___RD () C:\Documents and Settings\Administrator\Start Menu\Programs\Accessories
2014-04-17 05:52 - 2013-08-20 01:03 - 00000000 ____D () C:\Program Files\Mozilla Maintenance Service
2014-04-17 01:59 - 2014-04-13 20:24 - 00000075 _____ () C:\WINDOWS\system32\avwuvx.aty
2014-04-17 01:55 - 2011-05-17 19:38 - 00000000 ____D () C:\Documents and Settings\BWILLIAMS
2014-04-17 01:50 - 2014-04-14 03:23 - 00000000 ____D () C:\AdwCleaner
2014-04-17 01:42 - 2013-08-19 21:34 - 00000000 ____D () C:\temp1
2014-04-17 01:36 - 2014-04-17 01:36 - 00000000 ____D () C:\Program Files\Mozilla Firefox
2014-04-17 01:28 - 2014-04-17 01:28 - 00000000 ____D () C:\Program Files\Unlocker
2014-04-16 04:43 - 2014-04-16 04:43 - 00030976 _____ () C:\WINDOWS\system32\Drivers\hitmanpro37.sys
2014-04-16 04:36 - 2014-04-16 04:36 - 00000000 ____D () C:\WINDOWS\ERUNT
2014-04-16 03:28 - 2014-04-16 03:28 - 00000000 ____D () C:\Program Files\ESET
2014-04-16 03:16 - 2014-04-16 03:16 - 00012872 _____ (SurfRight B.V.) C:\WINDOWS\system32\bootdelete.exe
2014-04-16 03:16 - 2014-04-14 03:19 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\HitmanPro
2014-04-16 02:36 - 2014-04-16 02:36 - 00448512 _____ (OldTimer Tools) C:\TFC.exe
2014-04-15 14:39 - 2013-01-22 11:09 - 23789568 ____R () C:\Documents and Settings\BWILLIAMS\My Documents\The Copier Place.QBW.TLG
2014-04-15 14:39 - 2013-01-22 11:09 - 10563584 ____R () C:\Documents and Settings\BWILLIAMS\My Documents\The Copier Place.QBW
2014-04-15 14:39 - 2013-01-22 11:09 - 00000372 _____ () C:\Documents and Settings\BWILLIAMS\My Documents\The Copier Place.QBW.nd
2014-04-15 11:09 - 2013-01-19 17:10 - 00000184 _____ () C:\WINDOWS\hpbafd.ini
2014-04-14 04:43 - 2014-04-13 22:12 - 00004880 _____ () C:\WINDOWS\setupapi.log
2014-04-14 03:58 - 2011-05-17 19:26 - 00000000 ____D () C:\WINDOWS\Registration
2014-04-14 03:52 - 2011-11-11 17:01 - 00000000 ____D () C:\WINDOWS\system32\NtmsData
2014-04-14 03:25 - 2013-07-03 16:41 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB973687_1$
2014-04-14 03:22 - 2014-04-13 21:48 - 00000000 ____D () C:\Program Files\Malwarebytes Anti-Malware
2014-04-14 03:20 - 2014-04-14 03:20 - 00000000 ____D () C:\Program Files\HitmanPro
2014-04-14 02:25 - 2004-08-04 06:00 - 00000930 _____ () C:\WINDOWS\win.ini
2014-04-14 02:22 - 2011-05-17 19:58 - 00002483 ____N () C:\Documents and Settings\BWILLIAMS\Desktop\Microsoft Office PowerPoint 2007.lnk
2014-04-14 02:22 - 2011-05-17 19:58 - 00002443 ____N () C:\Documents and Settings\BWILLIAMS\Desktop\Microsoft Office Publisher 2007.lnk
2014-04-14 02:08 - 2014-04-13 21:49 - 00107736 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys
2014-04-14 01:50 - 2014-04-14 01:50 - 00000000 ____D () C:\TDSSKiller_Quarantine
2014-04-14 01:50 - 2011-05-17 19:58 - 00065536 _____ () C:\WINDOWS\system32\config\ODiag.evt
2014-04-14 01:35 - 2014-04-13 22:10 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\AVAST Software
2014-04-14 00:20 - 2014-04-14 00:20 - 00000000 ____D () C:\Program Files\Magical Jelly Bean
2014-04-14 00:15 - 2014-04-14 00:15 - 00090112 _____ () C:\WINDOWS\Minidump\Mini041414-01.dmp
2014-04-14 00:15 - 2013-10-24 02:58 - 00000000 __SHD () C:\WINDOWS\CSC
2014-04-14 00:11 - 2011-05-22 15:16 - 00001324 _____ () C:\WINDOWS\system32\d3d9caps.dat
2014-04-13 23:48 - 2013-08-21 04:20 - 00008192 ____N () C:\Documents and Settings\BWILLIAMS\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2014-04-13 22:03 - 2013-11-25 00:36 - 00000000 ____D () C:\Documents and Settings\BWILLIAMS\Local Settings\Application Data\Kqgics
2014-04-13 22:02 - 2014-04-13 21:27 - 00065536 _____ () C:\WINDOWS\system32\config\SpybotSD.evt
2014-04-13 22:02 - 2011-05-18 16:59 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB974392_0$
2014-04-13 22:02 - 2011-05-17 15:20 - 00513964 _____ () C:\WINDOWS\system32\PerfStringBackup.INI
2014-04-13 21:50 - 2014-04-13 21:30 - 00000078 _____ () C:\WINDOWS\wininit.ini
2014-04-13 21:50 - 2014-04-13 21:27 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2014-04-13 21:48 - 2014-04-13 21:48 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\Malwarebytes
2014-04-13 21:33 - 2011-05-17 15:18 - 00000245 ___SH () C:\boot.ini
2014-04-13 21:14 - 2014-04-13 21:14 - 00000000 ____D () C:\Program Files\Hijackthis
2014-04-13 20:57 - 2013-10-24 02:53 - 00000000 ____D () C:\Documents and Settings\BWILLIAMS\Application Data\uTorrent
2014-04-13 20:57 - 2011-06-20 14:05 - 00000000 ____D () C:\WINDOWS\Minidump
2014-04-13 20:52 - 2014-04-13 20:52 - 00000000 ____D () C:\Program Files\CCleaner
2014-04-13 20:45 - 2014-04-13 20:45 - 00000754 _____ () C:\WINDOWS\WORDPAD.INI
2014-04-13 20:20 - 2014-04-13 20:20 - 00000724 ____N () C:\Documents and Settings\BWILLIAMS\Desktop\firefox.lnk
2014-04-13 20:12 - 2014-04-13 20:12 - 00000064 _____ () C:\WINDOWS\system32\bgjsxvc.uar
2014-04-13 20:12 - 2014-04-13 20:12 - 00000000 _____ () C:\WINDOWS\system32\fiqc.pon
2014-04-13 20:11 - 2014-04-13 20:11 - 00234918 ____S () C:\WINDOWS\system32\upois.jab
2014-04-13 20:09 - 2004-08-04 06:00 - 00002206 _____ () C:\WINDOWS\system32\wpa.dbl
2014-04-03 09:51 - 2014-04-13 21:48 - 00050648 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\mbamchameleon.sys
2014-04-03 09:50 - 2014-04-13 21:48 - 00023256 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\mbam.sys
ZeroAccess:
C:\Documents and Settings\BWILLIAMS\Local Settings\Application Data\Google\Desktop\Install
ZeroAccess:
C:\Program Files\Google\Desktop\Install

Some content of TEMP:
====================
C:\Documents and Settings\BWILLIAMS\Local Settings\temp\bitool.dll
C:\Documents and Settings\BWILLIAMS\Local Settings\temp\ntdll_dump.dll


==================== Bamital & volsnap Check =================

C:\WINDOWS\explorer.exe => MD5 is legit
C:\WINDOWS\system32\winlogon.exe => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit
C:\WINDOWS\system32\User32.dll => MD5 is legit
C:\WINDOWS\system32\userinit.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll
[2004-08-04 06:00] - [2009-02-09 08:10] - 0403968 ____A (Microsoft Corporation) 7342bce7e733b6fc1a53e2f345b1870d

 ATTENTION ======> If the system is having audio adware rpcss.dll is patched. Google the MD5, if the MD5 is unique the file is infected.
C:\WINDOWS\system32\Drivers\volsnap.sys => MD5 is legit

==================== End Of Log ============================


#6 Outlaw Paxton

  • Topic Starter
  • Members

Posted 17 April 2014 - 05:46 AM

The screenshot of svchost.exe creating connections. I noticed this virus/trojan can also run in Safe Mode with Networking as well. It eats up network speed, creating hundreds of connections to a web server, as you can see. I also had problems with explorer.exe creating network connections as well, and after 2 mins of logging in explorer.exe would crash and restart, and Internet Explorer would pop up to back-linking websites. If I didn't delete the explorer.exe and re-write it, I wouldn't have been able to post because of the lag it made. So it's half fixed. I already ran TDSSKiller, HitmanPro, RogueKiller, AdwCleaner and Malwarebytes.

 

Because I thought this was a hacker connecting to the computer, I tried to stop it right away by disconnecting from the internet; that's usually the first thing you do with these kinds of viruses/trojans so they don't spread to the network.

 

Another rootkit this machine was infected with, which was picked up by TDSSKiller, was Rootkit.Win32.PMax.gen.

 

So far the tools I scanned with have detected Rootkit.Win32.PMax.gen, Rootkit.Boot.Cidox.b, Trojan-Spy.Win32.Zbot, rpcss.dll, and svchost.exe.

 

[Screenshot attached by the poster: TCPView showing the svchost.exe connections (Z90u6kC.png)]


Edited by Outlaw Paxton, 17 April 2014 - 06:13 AM.
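The symptom described in the post above, one process holding hundreds of TCP connections to a single web server, can be pulled out of plain "netstat -ano" output without TCPView. The script below is an added example written for this thread, not code from the poster or from any tool mentioned here. The netstat lines it parses are constructed: PID 1032 stands in for the misbehaving svchost.exe, 203.0.113.5 (an RFC 5737 documentation address) for the remote server, and the threshold of five connections per remote host is an assumption to be tuned against what the machine does when healthy.

```python
"""Flag processes holding an unusual number of TCP connections to one host.

Added example for this thread, not code from the poster or from TCPView,
FRST or any other tool mentioned here. Input is the text of `netstat -ano`
(Windows); the sample below is constructed.
"""
import re
from collections import defaultdict

# Constructed sample of `netstat -ano` output. PID 1032 stands in for the
# misbehaving svchost.exe from the thread, 203.0.113.5 (RFC 5737 documentation
# range) for the remote web server; none of these values come from the log.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.10:1055      203.0.113.5:80         ESTABLISHED     1032
  TCP    192.168.1.10:1056      203.0.113.5:80         SYN_SENT        1032
  TCP    192.168.1.10:1057      203.0.113.5:80         ESTABLISHED     1032
  TCP    192.168.1.10:1058      203.0.113.5:80         ESTABLISHED     1032
  TCP    192.168.1.10:1059      203.0.113.5:80         TIME_WAIT       0
  TCP    192.168.1.10:1060      203.0.113.5:80         ESTABLISHED     1032
  TCP    192.168.1.10:1061      203.0.113.5:80         ESTABLISHED     1032
  TCP    192.168.1.10:1070      198.51.100.20:443      ESTABLISHED     2204
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       980
  UDP    0.0.0.0:500            *:*                                    700
"""

# One netstat row: proto, local, remote, optional state (UDP has none), PID.
LINE_RE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<local>\S+)\s+(?P<remote>\S+)"
    r"(?:\s+(?P<state>[A-Z_]+))?\s+(?P<pid>\d+)\s*$"
)


def parse_netstat(text):
    """Return one dict per connection row; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rows.append(m.groupdict())
    return rows


def connections_per_pid(rows):
    """Count TCP connections per PID, keyed by remote host (port stripped).
    Listening sockets and PID 0 (TIME_WAIT leftovers owned by the kernel)
    are not attributed to any process."""
    per_pid = defaultdict(lambda: defaultdict(int))
    for r in rows:
        if r["proto"] != "TCP" or r["state"] == "LISTENING" or r["pid"] == "0":
            continue
        host = r["remote"].rsplit(":", 1)[0]
        per_pid[int(r["pid"])][host] += 1
    return per_pid


def flag_noisy_pids(rows, threshold=5):
    """Return {pid: (host, count)} for PIDs with at least `threshold`
    connections to a single remote host. The threshold is an assumption;
    derive it from a baseline of the machine's normal behaviour."""
    flagged = {}
    for pid, hosts in connections_per_pid(rows).items():
        host, count = max(hosts.items(), key=lambda kv: kv[1])
        if count >= threshold:
            flagged[pid] = (host, count)
    return flagged


if __name__ == "__main__":
    for pid, (host, n) in flag_noisy_pids(parse_netstat(SAMPLE_NETSTAT)).items():
        print(f"PID {pid}: {n} TCP connections to {host} -> inspect this process")
```

On a real machine, save the output of "netstat -ano" to a file and pass its contents to parse_netstat; the PID-to-image mapping comes from tasklist or Task Manager. A high count on its own is not proof of infection (a torrent client, which also appears in this thread's file list, legitimately opens many sockets), so the flagged PID is the starting point for inspection, which is the same role the TCPView screenshot played here.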


#7 B-boy/StyLe/

    Bleepin' Freestyler

  • Malware Response Team
  • Location:Bulgaria

Posted 17 April 2014 - 05:53 AM

I see where the problem is. :)

 

  • Please re-run FRST and type the following in the edit box after Search: rpcss.dll
  • Click the Search button.
  • It will make a log (Search.txt) - please post the log in your reply to me (you can use pastebin as well).

 

Regards,

Georgi




#8 Outlaw Paxton

Posted 17 April 2014 - 06:00 AM

Farbar Recovery Scan Tool (x86) Version: 17-04-2014
Ran by BWILLIAMS at 2014-04-17 06:59:36
Running from C:\temp1\AV + ANTIMALWARE
Boot Mode: Normal

================== Search: "rpcss.dll" ===================

C:\WINDOWS\system32\rpcss.dll
[2004-08-04 06:00] - [2009-02-09 08:10] - 0403968 ____A (Microsoft Corporation) 7342bce7e733b6fc1a53e2f345b1870d

C:\WINDOWS\system32\dllcache\rpcss.dll
[2011-05-17 21:50] - [2009-02-09 08:10] - 0403968 ___AC (Microsoft Corporation) af78cb35ca2128804619b753b0110597

C:\WINDOWS\ServicePackFiles\i386\rpcss.dll
[2013-01-07 15:28] - [2008-04-13 20:12] - 0399360 ____N (Microsoft Corporation) 2589fe6015a316c0f5d5112b4da7b509

C:\WINDOWS\erdnt\cache\rpcss.dll
[2012-12-21 14:47] - [2009-02-09 06:01] - 0401408 ____A (Microsoft Corporation) 24b5d53b9accc1e2edcf0a878d6659d4

C:\WINDOWS\$NtUninstallKB956572_0$\rpcss.dll
[2011-05-18 17:01] - [2004-08-04 06:00] - 0395776 ____C (Microsoft Corporation) 5c83a4408604f737717ab96371201680

C:\WINDOWS\$NtUninstallKB956572$\rpcss.dll
[2013-07-03 16:41] - [2008-04-13 20:12] - 0399360 ____C (Microsoft Corporation) 2589fe6015a316c0f5d5112b4da7b509

C:\WINDOWS\$NtServicePackUninstall$\rpcss.dll
[2013-07-03 16:33] - [2009-02-09 06:01] - 0401408 ____C (Microsoft Corporation) 24b5d53b9accc1e2edcf0a878d6659d4

C:\WINDOWS\$hf_mig$\KB956572\SP3QFE\rpcss.dll
[2011-05-17 21:50] - [2009-02-09 06:56] - 0401408 ____A (Microsoft Corporation) 9222562d44021b988b9f9f62207fb6f2

C:\WINDOWS\$hf_mig$\KB956572\SP3GDR\rpcss.dll
[2011-05-17 21:50] - [2009-02-09 08:10] - 0401408 ____A (Microsoft Corporation) 6b27a5c03dfb94b4245739065431322c

=== End Of Search ===
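The check Georgi is doing by hand above (comparing the MD5 of every rpcss.dll copy FRST found), as an added Python example that is not part of the thread and not FRST's own code. It parses the Search.txt output posted above, embedded here as sample input, and flags any copy whose MD5 matches none of the other copies carrying the same modification stamp and size; that grouping rule is an assumption of this example, not how FRST reasons.

```python
import re
from collections import defaultdict

# Sample input: the FRST "Search: rpcss.dll" output from this thread (constructed from the post).
SEARCH_TXT = r"""
C:\WINDOWS\system32\rpcss.dll
[2004-08-04 06:00] - [2009-02-09 08:10] - 0403968 ____A (Microsoft Corporation) 7342bce7e733b6fc1a53e2f345b1870d
C:\WINDOWS\system32\dllcache\rpcss.dll
[2011-05-17 21:50] - [2009-02-09 08:10] - 0403968 ___AC (Microsoft Corporation) af78cb35ca2128804619b753b0110597
C:\WINDOWS\ServicePackFiles\i386\rpcss.dll
[2013-01-07 15:28] - [2008-04-13 20:12] - 0399360 ____N (Microsoft Corporation) 2589fe6015a316c0f5d5112b4da7b509
C:\WINDOWS\erdnt\cache\rpcss.dll
[2012-12-21 14:47] - [2009-02-09 06:01] - 0401408 ____A (Microsoft Corporation) 24b5d53b9accc1e2edcf0a878d6659d4
C:\WINDOWS\$NtUninstallKB956572$\rpcss.dll
[2013-07-03 16:41] - [2008-04-13 20:12] - 0399360 ____C (Microsoft Corporation) 2589fe6015a316c0f5d5112b4da7b509
C:\WINDOWS\$NtServicePackUninstall$\rpcss.dll
[2013-07-03 16:33] - [2009-02-09 06:01] - 0401408 ____C (Microsoft Corporation) 24b5d53b9accc1e2edcf0a878d6659d4
C:\WINDOWS\$hf_mig$\KB956572\SP3GDR\rpcss.dll
[2011-05-17 21:50] - [2009-02-09 08:10] - 0401408 ____A (Microsoft Corporation) 6b27a5c03dfb94b4245739065431322c
"""

# FRST detail line: [created] - [modified] - size attrs (company) md5
DETAIL_RE = re.compile(r"^\[(?P<created>[^\]]+)\] - \[(?P<modified>[^\]]+)\] - (?P<size>\d+) "
                       r"(?P<attrs>\S+) \((?P<company>[^)]*)\) (?P<md5>[0-9a-fA-F]{32})$")

def parse_search(text):
    """Pair each path line with the detail line FRST prints directly under it."""
    entries, path = [], None
    for line in text.splitlines():
        if re.match(r"^[A-Za-z]:\\", line):
            path = line
            continue
        m = DETAIL_RE.match(line)
        if m and path:
            entries.append({"path": path, "modified": m["modified"], "size": int(m["size"]), "md5": m["md5"].lower()})
            path = None
    return entries

def odd_copies(entries):
    """Copies sharing a build stamp (mtime + size) should be byte-identical; flag the odd ones out."""
    groups = defaultdict(list)
    for e in entries:
        groups[(e["modified"], e["size"])].append(e)
    flagged = []
    for peers in groups.values():
        if len(peers) < 2: continue  # a lone copy has nothing to be compared against
        for e in peers:
            if sum(p["md5"] == e["md5"] for p in peers) == 1:  # no peer shares this hash
                flagged.append(e["path"])
    return sorted(flagged)
```

On the thread's data this flags exactly the two copies the later fixlist replaces, the live system32 copy and the dllcache copy, while the backup copies in the uninstall and service pack folders agree with each other.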



#9 B-boy/StyLe/

Posted 17 April 2014 - 02:36 PM

Hi,

 
Please download the following file => and save it to the Desktop.
NOTE. It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work.

Run FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt). Please post it to your reply.
 

 

 
Regards,
Georgi




#10 Outlaw Paxton

Posted 17 April 2014 - 04:18 PM

What will this tool do when I run the fix? Will this run a script you gave me with the fixlist.txt? What will it do exactly?
 
And what do I do next after I post the log?

Edited by Outlaw Paxton, 17 April 2014 - 05:13 PM.


#11 B-boy/StyLe/

Posted 17 April 2014 - 05:45 PM

What will this tool do when I run the fix? Will this run a script you gave me with the fixlist.txt?

 

Yes, this will launch the fix I prepared for your system to remove the infection.

 

And what do I do next after I post the log?

Wait for my next set of instructions and tell me if the issue with the outbound connections is still there...

 

 

Regards,

Georgi




#12 Outlaw Paxton

Posted 17 April 2014 - 07:05 PM

 

What will this tool do when I run the fix? Will this run a script you gave me with the fixlist.txt?

 

Yes, this will launch the fix I prepared for your system to remove the infection.

 

And what do I do next after I post the log?

Wait for my next set of instructions and tell me if the issue with the outbound connections is still there...

 

 

Regards,

Georgi

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 17-04-2014
Ran by BWILLIAMS at 2014-04-17 16:23:57 Run:2
Running from C:\Documents and Settings\BWILLIAMS\Desktop
Boot Mode: Normal

==============================================

Content of fixlist:
*****************
start
SearchScopes: HKLM - DefaultScope value is missing.
Winsock: Catalog5 01 mswsock.dll File Not found () ATTENTION: The LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
Winsock: Catalog5 03 mswsock.dll File Not found () ATTENTION: The LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
cmd: netsh winsock reset catalog
S3 JRX; C:\DOCUME~1\BWILLI~1\LOCALS~1\Temp\JRX.exe [X]
S3 catchme; \??\C:\DOCUME~1\BWILLI~1\LOCALS~1\Temp\catchme.sys [X]
2014-04-13 20:24 - 2014-04-17 01:59 - 00000075 _____ () C:\WINDOWS\system32\avwuvx.aty
2014-04-13 20:12 - 2014-04-13 20:12 - 00000064 _____ () C:\WINDOWS\system32\bgjsxvc.uar
2014-04-13 20:12 - 2014-04-13 20:12 - 00000000 _____ () C:\WINDOWS\system32\fiqc.pon
2014-04-13 20:11 - 2014-04-13 20:11 - 00234918 ____S () C:\WINDOWS\system32\upois.jab
C:\Documents and Settings\BWILLIAMS\Local Settings\Application Data\Google\Desktop\Install
C:\Program Files\Google\Desktop\Install
Replace: C:\WINDOWS\$NtServicePackUninstall$\rpcss.dll C:\WINDOWS\system32\rpcss.dll
Unlock: C:\WINDOWS\system32\dllcache
Replace: C:\WINDOWS\$NtServicePackUninstall$\rpcss.dll C:\WINDOWS\system32\dllcache\rpcss.dll
C:\Documents and Settings\BWILLIAMS\Local Settings\temp
Reboot:
end

*****************

HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => Value was restored successfully.
Winsock: Catalog5 entry 000000000001\\LibraryPath  was set successfully to %SystemRoot%\System32\mswsock.dll
Winsock: Catalog5 entry 000000000003\\LibraryPath  was set successfully to %SystemRoot%\System32\mswsock.dll

=========  netsh winsock reset catalog =========


Sucessfully reset the Winsock Catalog.
You must restart the machine in order to complete the reset.


========= End of CMD: =========

JRX => Service deleted successfully.
catchme => Service deleted successfully.
"C:\WINDOWS\system32\avwuvx.aty" => File/Directory not found.
"C:\WINDOWS\system32\bgjsxvc.uar" => File/Directory not found.
Could not move "C:\WINDOWS\system32\fiqc.pon" => Scheduled to move on reboot.
Could not move "C:\WINDOWS\system32\upois.jab" => Scheduled to move on reboot.
C:\Documents and Settings\BWILLIAMS\Local Settings\Application Data\Google\Desktop\Install => Moved successfully.
C:\Program Files\Google\Desktop\Install => Moved successfully.
C:\WINDOWS\system32\rpcss.dll => Moved successfully.
C:\WINDOWS\$NtServicePackUninstall$\rpcss.dll copied successfully to C:\WINDOWS\system32\rpcss.dll
"C:\WINDOWS\system32\dllcache" => File/Directory unlocked successfully.
C:\WINDOWS\system32\dllcache\rpcss.dll => Moved successfully.
C:\WINDOWS\$NtServicePackUninstall$\rpcss.dll copied successfully to C:\WINDOWS\system32\dllcache\rpcss.dll
C:\Documents and Settings\BWILLIAMS\Local Settings\temp => Moved successfully.

=> Result of Scheduled Files to move (Boot Mode: Safe Mode (with Networking)) (Date&Time: 2014-04-17 16:25:15)<=

C:\WINDOWS\system32\fiqc.pon => Is moved successfully.
C:\WINDOWS\system32\upois.jab => Is moved successfully.

==== End of Fixlog ====

 

Looks like the svchost stopped making connections but the web connection is still slow. Several pages have the loading icon spinning for a few minutes in Firefox.

 

Pages may load, but load slowly sometimes after the fix.

 

[Edit/Update] This may have just been the connection; it may not have been running optimally.

 

So this script reset the winsock to the default settings, deleted the files listed and moved some files.


Edited by Outlaw Paxton, 18 April 2014 - 01:40 AM.


#13 B-boy/StyLe/

Posted 18 April 2014 - 01:35 AM

Hello,

 

Please run a new scan with FRST and post the results in your next reply.

About the slow internet connection, try the following:

 

1. Clean temporary files and Mozilla cache files.

2. Update the network drivers (there may be some problems with this one - S3 RTLWUSB; system32\DRIVERS\RTL8187.sys [X] - it is reported as missing by FRST).

3. Reset your router if you use one.

4. Reset the network settings using the following tool => Complete Internet Repair

5. Reset Mozilla Firefox settings to default => click here

6. Launch Mozilla with add-ons disabled.

7. Reinstall Mozilla.

8. Run a ping and trace route test to see where the issue is occurring.

 

 

  • Please download MiniToolBox.exe by Farbar, save it to your desktop and run it.
  • Checkmark all boxes.
  • Click Go and post the result (Result.txt). A copy of Result.txt will be saved in the same directory the tool is run.


Note: When using "Reset FF Proxy Settings" option Firefox should be closed!

 

 

9. Also I want to check the content of a folder.

Download and run the batch below and post back the results:

 

10. If nothing helps, you may need to call your ISP for assistance.

 

 

Regards,

Georgi


Edited by B-boy/StyLe/, 18 April 2014 - 01:36 AM.



#14 Outlaw Paxton

Posted 21 April 2014 - 01:46 AM

Well a long time ago there was some kind of problem with this machine, for some reason it doesn't download anything fast anymore like it used to. Maybe it's a hardware problem? Someone else looked at it because it wasn't able to get online, but since they fixed it, it downloads everything slowly.

 

There's nothing inside that folder that you wanted to check; it says file not found.

 

I don't think I'll run MiniToolBox; when I looked at the logs it shows my IP info, not a good idea to post it here where other people can see it.

 

 

Thanks by the way for ridding the machine of the svchost.exe virus.


Edited by Outlaw Paxton, 21 April 2014 - 01:48 AM.


#15 B-boy/StyLe/

Posted 21 April 2014 - 05:07 PM

Hello,

 

You can send me the MiniToolBox log file via PM.

And what about the other suggestions? Did you try them all?

 

 

Regards,

Georgi

