Malware Removal Help


19 replies to this topic

#1 Ruok2bu

  • Members
  • 20 posts

Posted 14 June 2014 - 11:45 PM

My dad is constantly reinfecting his computer every month or so, and this latest infection is the worst I've ever seen.  The antivirus software has been disabled (ESET NOD32) and reinstallation fails with an error.  His user account does not have admin privileges either.

 

I have a ton of real-time security applications installed that I hoped would protect it, but they didn't (ESET NOD32, Microsoft EMET, Webroot SecureAnywhere, Trend Micro Browser Guard, Trend Micro RUBotted, Spybot Search & Destroy Resident, PeerBlock with subscription lists, K9 Web Protection, MVPS hosts file and DNS set to use OpenDNS).  The proxy server is legit, as K9 Web Protection is installed too.

 

I ran HijackThis and, while I can't understand the log, I did notice some hosts file redirections for Google.

 

P.S. I was going to reinstall the computer from a backup image, but I would like to know what the infection is before I do so, because the malware might hang around.

 

P.P.S. Thanks in advance

 

Find below the DDS log:

 

DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 11.0.9600.17126  BrowserJavaVersion: 10.51.2
Run by Adm1n at 0:36:34 on 2014-06-15
Microsoft Windows 7 Professional   6.1.7601.1.1252.1.1033.18.2047.917 [GMT -4:00]
.
AV: Webroot SecureAnywhere *Enabled/Updated* {66A6FE14-08CB-F415-3742-517201416109}
AV: ESET NOD32 Antivirus 6.0 *Disabled/Updated* {77DEAFED-8149-104B-25A1-21771CA47CD1}
SP: ESET NOD32 Antivirus 6.0 *Disabled/Updated* {CCBF4E09-A773-1FC5-1F11-1A056723366C}
SP: Webroot SecureAnywhere *Enabled/Updated* {DDC71FF0-2EF1-FB9B-0DF2-6A007AC62BB4}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Spybot - Search and Destroy *Enabled/Outdated* {9BC38DF1-3CCA-732D-A930-C1CA5F20A4B0}
FW: Look 'n' Stop Firewall *Disabled* {E26CE775-4C82-5170-9BEE-E4E4E35B4E07}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Program Files\Webroot\WRSA.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files\Look n Stop\LnsSvcVista.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Blue Coat K9 Web Protection\k9filter.exe
C:\Program Files\Diskeeper\DkService.exe
C:\Program Files\N0D\egui.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\FireDaemon\FireDaemon.exe
C:\Program Files (x86)\Trend Micro\RUBotted\RUBotSrv.exe
C:\Program Files\PeerBlock\peerblock.exe
C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe
C:\Program Files (x86)\Bitvise WinSSHD\WinSSHD.exe
C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe
C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
C:\Windows\system32\nvvsvc.exe
C:\Program Files\Webroot\WRSA.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskhost.exe
C:\Program Files (x86)\Bitvise WinSSHD\sshdctrl.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Look n Stop\looknstop.exe
C:\Program Files\NetWorx\networx.exe
C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files (x86)\Skype\Phone\Skype.exe
C:\Program Files (x86)\SpeedFan\speedfan.exe
C:\Program Files (x86)\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Program Files (x86)\Acronis\TrueImageHome\TimounterMonitor.exe
C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe
C:\Program Files (x86)\Trend Micro\RUBotted\RUBottedGUI.exe
C:\Program Files (x86)\Trend Micro\Browser Guard\BGUI.exe
C:\Program Files (x86)\EMET 4.1\EMET_Agent.exe
C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\taskeng.exe
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\RealVNC\VNC Server\vncservice.exe
C:\Program Files\RealVNC\VNC Server\vncserver.exe
C:\Program Files\RealVNC\VNC Server\vncserverui.exe
c:\program files\windows defender\MpCmdRun.exe
C:\Program Files (x86)\Bitvise WinSSHD\SftpServer.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.bing.com/
uProxyServer = localhost:21320
mWinlogon: Userinit = userinit.exe
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
BHO: {9F3209E2-334B-41E9-B09C-703F398742E7} - <orphaned>
BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files (x86)\Microsoft Office\Office15\URLREDIR.DLL
BHO: Webroot Filtering Extension: {C9C42510-9B41-42c1-9DCD-7282A2D07C61} - C:\Program Files\Webroot\WRData\PKG\Vistax86\wrflt.dll
BHO: Microsoft SkyDrive Pro Browser Helper: {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} - C:\Program Files (x86)\Microsoft Office\Office15\GROOVEEX.DLL
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
BHO: TMIEGBHO Class: {F1AD4A42-BA52-47BC-89DF-3F68F24C017F} - C:\Program Files (x86)\Trend Micro\Browser Guard\TMAMS.dll
TB: TMBGBAR TOOLBAR: {C8137A8D-415D-450C-A1B1-D0C519D45296} - C:\Program Files (x86)\Trend Micro\Browser Guard\tmieg.dll
uRun: [Skype] "C:\Program Files (x86)\Skype\Phone\Skype.exe" /minimized /regrun
uRun: [Steam] "P:\Steam\steam.exe" -silent
mRun: [WinSSHD Activation State Checker] "C:\Program Files (x86)\Bitvise WinSSHD\WinsshdActStateCheck.exe"
mRun: [TrueImageMonitor.exe] C:\Program Files (x86)\Acronis\TrueImageHome\TrueImageMonitor.exe
mRun: [AcronisTimounterMonitor] C:\Program Files (x86)\Acronis\TrueImageHome\TimounterMonitor.exe
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun: [WRSVC] "C:\Program Files\Webroot\WRSA.exe" -ul
mRun: [SDTray] "C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe"
mRun: [EMET 4.1 Agent] "C:\Program Files (x86)\EMET 4.1\EMET_agent.exe"
mRun: [Trend Micro RUBotted V2.0 Beta] C:\Program Files (x86)\Trend Micro\RUBotted\RUBottedGUI.exe
mRun: [Trend Micro Browser Guard] "C:\Program Files (x86)\Trend Micro\Browser Guard\BGUI.EXE"
StartupFolder: C:\Users\Idiot\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\speedfan.lnk - C:\Program Files (x86)\SpeedFan\speedfan.exe
uPolicies-Explorer: DisablePersonalDirChange = dword:1
uPolicies-Explorer: NoDriveTypeAutoRun = dword:4
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-Explorer: NoActiveDesktopChanges = dword:1
mPolicies-System: ConsentPromptBehaviorAdmin = dword:0
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableLUA = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
mPolicies-System: PromptOnSecureDesktop = dword:0
IE: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~3\Office15\EXCEL.EXE/3000
.
INFO: HKCU has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
.
INFO: HKLM has more than 50 listed domains.
   If you wish to scan all of them, select the 'Force scan all domains' option.
.
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
TCP: NameServer = 208.67.222.222 208.67.220.220
TCP: Interfaces\{19D5A30F-0311-4D9A-B8DD-5CD91A93852E} : DHCPNameServer = 208.67.222.222 208.67.220.220
Filter: text/xml - {807583E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE15\MSOXMLMF.DLL
Handler: osf - {D924BDC6-C83A-4BD5-90D0-095128A113D1} - C:\Program Files (x86)\Microsoft Office\Office15\MSOSB.DLL
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll
Notify: SDWinLogon - SDWinLogon.dll
SSODL: WebCheck - <orphaned>
IFEO: taskmgr.exe - "C:\PROGRAM FILES\SYSTEM INTERNALS\PROCEXP.EXE"
x64-BHO: Lync Browser Helper: {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - C:\Program Files\Microsoft Office\Office15\OCHelper.dll
x64-BHO: {9F3209E2-334B-41E9-B09C-703F398742E7} - <orphaned>
x64-BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office15\URLREDIR.DLL
x64-BHO: Webroot Filtering Extension: {C9C42510-9B41-42c1-9DCD-7282A2D07C61} - C:\Program Files\Webroot\WRData\PKG\Vistax64\wrflt.dll
x64-BHO: TMIEGBHO Class: {F1AD4A42-BA52-47BC-89DF-3F68F24C017F} - C:\Program Files (x86)\Trend Micro\Browser Guard\X64\TMAMS64.dll
x64-TB: TMBGBAR TOOLBAR: {C8137A8D-415D-450C-A1B1-D0C519D45296} - C:\Program Files (x86)\Trend Micro\Browser Guard\X64\tmieg64.dll
x64-Run: [Look 'n' Stop] "C:\Program Files\Look n Stop\looknstop.exe" -auto
x64-Run: [NetWorx] "C:\Program Files\NetWorx\networx.exe" /auto
x64-Run: [Acronis Scheduler2 Service] "C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe"
x64-Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
x64-Run: [egui] "C:\Program Files\N0D\egui.exe" /hide /waitservice
x64-IE: {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - C:\Program Files\Microsoft Office\Office15\OCHelper.dll
.
INFO: x64-HKLM has more than 50 listed domains.
   If you wish to scan all of them, select the 'Force scan all domains' option.
.
x64-Filter: text/xml - {807583E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE15\MSOXMLMF.DLL
x64-Handler: osf - {D924BDC6-C83A-4BD5-90D0-095128A113D1} - C:\Program Files\Microsoft Office\Office15\MSOSB.DLL
x64-Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - <orphaned>
x64-SSODL: WebCheck - <orphaned>
x64-IFEO: taskmgr.exe - "C:\PROGRAM FILES\SYSTEM INTERNALS\PROCEXP.EXE"
Hosts: 0.0.0.0 fr.a2dfp.net
Hosts: 0.0.0.0 m.fr.a2dfp.net
Hosts: 0.0.0.0 ad.a8.net
Hosts: 0.0.0.0 asy.a8ww.net
Hosts: 0.0.0.0 abcstats.com
.
Note: multiple HOSTS entries found. Please refer to Attach.txt
.
================= FIREFOX ===================
.
FF - ProfilePath -
.
============= SERVICES / DRIVERS ===============
.
R0 tdrpman251;Acronis Try&Decide and Restore Points filter (build 251);C:\Windows\System32\drivers\tdrpm251.sys [2012-3-16 1455648]
R0 WRkrn;WRkrn;C:\Windows\System32\drivers\WRkrn.sys [2013-12-8 114176]
R1 bckd;bckd;C:\Windows\System32\drivers\bckd.sys [2012-2-13 108304]
R1 eamonm;eamonm;C:\Windows\System32\drivers\eamonm.sys [2013-2-20 213416]
R1 lnsfw1;lnsfw1;C:\Windows\System32\drivers\lnsfw1.sys [2012-3-16 82784]
R1 networx;networx;C:\Windows\System32\drivers\networx.sys [2013-12-9 59384]
R2 bckwfs;Blue Coat K9 Web Protection;C:\Program Files\Blue Coat K9 Web Protection\k9filter.exe [2012-2-13 2122000]
R2 epfwwfpr;epfwwfpr;C:\Windows\System32\drivers\epfwwfpr.sys [2013-1-10 139768]
R2 lnssvcVista;Look 'n' Stop Service;C:\Program Files\Look n Stop\LnsSvcVista.exe -r --> C:\Program Files\Look n Stop\LnsSvcVista.exe -r [?]
R2 peerblock;FireDaemon Service: Peerblock;C:\Program Files\FireDaemon\FireDaemon.exe -s --> C:\Program Files\FireDaemon\FireDaemon.exe -s [?]
R2 RUBotSrv;Trend Micro RUBotted Service;C:\Program Files (x86)\Trend Micro\RUBotted\RUBotSrv.exe [2012-3-16 443416]
R2 SDScannerService;Spybot-S&D 2 Scanner Service;C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe [2013-12-8 3921880]
R2 SDUpdateService;Spybot-S&D 2 Updating Service;C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe [2013-12-8 1042272]
R2 SDWSCService;Spybot-S&D 2 Security Center Service;C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe [2013-12-8 171416]
R2 vncserver;VNC Server;C:\Program Files\RealVNC\VNC Server\vncservice.exe [2014-6-3 638272]
R2 WRSVC;WRSVC;C:\Program Files\Webroot\WRSA.exe [2013-12-8 763512]
R3 lnsfw;Look 'n' Stop Driver;C:\Windows\System32\drivers\lnsfw.sys [2012-3-16 66400]
R3 pbfilter;pbfilter;C:\Program Files\PeerBlock\pbfilter.sys [2012-3-16 22600]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2013-9-11 105144]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2013-9-11 124088]
S2 ekrn;ESET Service;C:\Program Files\N0D\x86\ekrn.exe [2013-3-21 1341664]
S2 SkypeUpdate;Skype Updater;C:\Program Files (x86)\Skype\Updater\Updater.exe [2013-10-23 172192]
S3 dmvsc;dmvsc;C:\Windows\System32\drivers\dmvsc.sys [2011-4-12 71168]
S3 IEEtwCollectorService;Internet Explorer ETW Collector Service;C:\Windows\System32\ieetwcollector.exe [2014-6-11 111616]
S3 ose64;Office 64 Source Engine;C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2014-1-23 178760]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\Windows\System32\drivers\rdpvideominiport.sys [2013-10-9 19456]
S3 StorSvc;Storage Service;C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 27136]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2014-2-11 56832]
S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\System32\drivers\TsUsbGD.sys [2013-10-9 30208]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2012-3-16 1255736]
.
=============== Created Last 30 ================
.
2014-06-13 22:04:05    75888    ----a-w-    C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{283BBF7C-2F6D-45A5-8974-941DF311F894}\offreg.dll
2014-06-13 20:09:41    10702536    ----a-w-    C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{283BBF7C-2F6D-45A5-8974-941DF311F894}\mpengine.dll
2014-06-13 00:49:19    175528    ----a-w-    C:\Windows\System32\drivers\tmcomm.sys
2014-06-13 00:46:51    --------    d-sh--w-    C:\Users\Idiot\AppData\Local\EmieUserList
2014-06-13 00:46:51    --------    d-sh--w-    C:\Users\Idiot\AppData\Local\EmieSiteList
2014-06-13 00:43:41    --------    d-----w-    C:\Program Files (x86)\ESET
2014-06-12 19:59:20    37704    ----a-w-    C:\Windows\System32\VNCpm.dll
2014-06-12 19:58:55    --------    d-----w-    C:\ProgramData\RealVNC-Service
2014-06-12 19:58:39    --------    d-----w-    C:\Program Files\RealVNC
2014-06-12 19:58:30    --------    d-----w-    C:\Users\Idiot\AppData\Local\RealVNC
2014-06-11 14:09:02    801280    ----a-w-    C:\Windows\System32\usp10.dll
2014-06-11 14:09:02    626688    ----a-w-    C:\Windows\SysWow64\usp10.dll
2014-06-11 14:09:01    288192    ----a-w-    C:\Windows\System32\drivers\FWPKCLNT.SYS
2014-06-11 14:09:01    1903552    ----a-w-    C:\Windows\System32\drivers\tcpip.sys
2014-06-10 20:53:10    163504    ----a-w-    C:\ProgramData\Microsoft\Windows\Sqm\Manifest\Sqm10145.bin
2014-06-03 14:51:02    4608    ----a-w-    C:\Windows\System32\drivers\vncmirror.sys
2014-06-03 14:51:02    26112    ----a-w-    C:\Windows\System32\vncmirror.dll
.
==================== Find3M  ====================
.
2014-06-14 11:16:18    153256    ----a-w-    C:\Windows\SysWow64\WRusr.dll
2014-06-14 11:16:18    114176    ----a-w-    C:\Windows\System32\drivers\WRkrn.sys
2014-06-14 11:16:18    103816    ----a-w-    C:\Windows\System32\WRusr.dll
2014-06-08 09:13:05    506368    ----a-w-    C:\Windows\System32\aepdu.dll
2014-06-08 09:08:04    424448    ----a-w-    C:\Windows\System32\aeinv.dll
2014-05-30 10:02:37    2724864    ----a-w-    C:\Windows\System32\mshtml.tlb
2014-05-30 10:02:09    4096    ----a-w-    C:\Windows\System32\ieetwcollectorres.dll
2014-05-30 09:39:43    548352    ----a-w-    C:\Windows\System32\vbscript.dll
2014-05-30 09:39:23    66048    ----a-w-    C:\Windows\System32\iesetup.dll
2014-05-30 09:38:29    48640    ----a-w-    C:\Windows\System32\ieetwproxystub.dll
2014-05-30 09:21:23    139264    ----a-w-    C:\Windows\System32\ieUnatt.exe
2014-05-30 09:21:05    111616    ----a-w-    C:\Windows\System32\ieetwcollector.exe
2014-05-30 09:20:36    752640    ----a-w-    C:\Windows\System32\jscript9diag.dll
2014-05-30 09:11:24    940032    ----a-w-    C:\Windows\System32\MsSpellCheckingFacility.exe
2014-05-30 09:08:22    5782528    ----a-w-    C:\Windows\System32\jscript9.dll
2014-05-30 09:02:39    2724864    ----a-w-    C:\Windows\SysWow64\mshtml.tlb
2014-05-30 08:55:36    38400    ----a-w-    C:\Windows\System32\JavaScriptCollectionAgent.dll
2014-05-30 08:44:28    455168    ----a-w-    C:\Windows\SysWow64\vbscript.dll
2014-05-30 08:43:06    61952    ----a-w-    C:\Windows\SysWow64\iesetup.dll
2014-05-30 08:42:16    51200    ----a-w-    C:\Windows\SysWow64\ieetwproxystub.dll
2014-05-30 08:28:33    112128    ----a-w-    C:\Windows\SysWow64\ieUnatt.exe
2014-05-30 08:27:56    592896    ----a-w-    C:\Windows\SysWow64\jscript9diag.dll
2014-05-30 08:24:19    1249280    ----a-w-    C:\Windows\System32\mshtmlmedia.dll
2014-05-30 08:23:22    2040832    ----a-w-    C:\Windows\System32\inetcpl.cpl
2014-05-30 08:10:46    32256    ----a-w-    C:\Windows\SysWow64\JavaScriptCollectionAgent.dll
2014-05-30 07:56:56    2266112    ----a-w-    C:\Windows\System32\wininet.dll
2014-05-30 07:56:50    4244992    ----a-w-    C:\Windows\SysWow64\jscript9.dll
2014-05-30 07:50:09    1068032    ----a-w-    C:\Windows\SysWow64\mshtmlmedia.dll
2014-05-30 07:49:38    1964544    ----a-w-    C:\Windows\SysWow64\inetcpl.cpl
2014-05-30 07:21:10    1790976    ----a-w-    C:\Windows\SysWow64\wininet.dll
2014-05-08 09:32:11    3178496    ----a-w-    C:\Windows\System32\rdpcorets.dll
2014-05-08 09:32:11    16384    ----a-w-    C:\Windows\System32\RdpGroupPolicyExtension.dll
2014-04-12 02:22:05    95680    ----a-w-    C:\Windows\System32\drivers\ksecdd.sys
2014-04-12 02:22:05    155072    ----a-w-    C:\Windows\System32\drivers\ksecpkg.sys
2014-04-12 02:19:38    29184    ----a-w-    C:\Windows\System32\sspisrv.dll
2014-04-12 02:19:38    136192    ----a-w-    C:\Windows\System32\sspicli.dll
2014-04-12 02:19:37    28160    ----a-w-    C:\Windows\System32\secur32.dll
2014-04-12 02:19:32    1460736    ----a-w-    C:\Windows\System32\lsasrv.dll
2014-04-12 02:19:05    31232    ----a-w-    C:\Windows\System32\lsass.exe
2014-04-12 02:12:06    22016    ----a-w-    C:\Windows\SysWow64\secur32.dll
2014-04-12 02:10:56    96768    ----a-w-    C:\Windows\SysWow64\sspicli.dll
2014-03-31 13:35:08    270496    ------w-    C:\Windows\System32\MpSigStub.exe
2014-03-26 14:44:48    2002432    ----a-w-    C:\Windows\System32\msxml6.dll
2014-03-26 14:44:48    1882112    ----a-w-    C:\Windows\System32\msxml3.dll
2014-03-26 14:41:39    2048    ----a-w-    C:\Windows\System32\msxml6r.dll
2014-03-26 14:41:39    2048    ----a-w-    C:\Windows\System32\msxml3r.dll
2014-03-26 14:27:50    1389056    ----a-w-    C:\Windows\SysWow64\msxml6.dll
2014-03-26 14:27:50    1237504    ----a-w-    C:\Windows\SysWow64\msxml3.dll
2014-03-26 14:25:14    2048    ----a-w-    C:\Windows\SysWow64\msxml6r.dll
2014-03-26 14:25:14    2048    ----a-w-    C:\Windows\SysWow64\msxml3r.dll
2011-12-08 04:26:30    54272    ----a-w-    C:\Program Files (x86)\BlueScreenView.exe
2011-08-02 15:53:38    110592    ----a-w-    C:\Program Files (x86)\MyEventViewer.exe
2009-12-12 18:02:08    354304    ----a-w-    C:\Program Files (x86)\Ultimate Windows Tweaker.exe
.
============= FINISH:  0:36:56.60 ===============
 

Edited by Ruok2bu, 14 June 2014 - 11:49 PM.
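The DDS report above already contains the settings a responder would check first, and they can be pulled out mechanically. The script below is an added example for this page (not the poster's code and not part of DDS): it reads the "Pseudo HJT Report" lines and flags UAC policy values that differ from the Windows 7 defaults (the log shows EnableLUA, ConsentPromptBehaviorAdmin and PromptOnSecureDesktop all set to 0, so UAC is switched off entirely), the local proxy on port 21320, the IFEO debugger registered for taskmgr.exe, and hosts entries that either redirect a name to a non-loopback address or sink a security-vendor domain. The rule set and the two hosts lines marked as constructed are assumptions for the example; everything else in SAMPLE_LOG is copied from the post.

```python
"""Flag the settings in a DDS 'Pseudo HJT Report' that deserve a second look.

Added example for this thread (not part of the original post and not DDS code).
The rule set below is an analyst's assumption of what to flag; the sample lines
are copied from the post's log except the two marked as constructed."""
import re

# Sample input: lines from the post's DDS report plus two constructed hosts
# lines so that every rule is exercised.
SAMPLE_LOG = """\
uStart Page = hxxp://www.bing.com/
uProxyServer = localhost:21320
mPolicies-System: ConsentPromptBehaviorAdmin = dword:0
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableLUA = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
mPolicies-System: PromptOnSecureDesktop = dword:0
IFEO: taskmgr.exe - "C:\\PROGRAM FILES\\SYSTEM INTERNALS\\PROCEXP.EXE"
Hosts: 0.0.0.0 fr.a2dfp.net
Hosts: 0.0.0.0 update.eset.example
Hosts: 203.0.113.5 www.google.com
"""
# (the last two Hosts lines are constructed; the post's log only has ad-block entries)

# Windows 7 defaults for the UAC values DDS prints from HKLM\...\Policies\System.
UAC_DEFAULTS = {"EnableLUA": 1, "ConsentPromptBehaviorAdmin": 5,
                "PromptOnSecureDesktop": 1}

# Loopback / null-route targets: an entry pointing here blocks a name, which is
# what ad-blocking hosts files such as MVPS do by design.
SINKHOLE_IPS = {"0.0.0.0", "127.0.0.1", "::1"}

# Names that malware commonly sinks in hosts to cut off AV and OS updates.
PROTECTED_NAME_RE = re.compile(
    r"(windowsupdate|microsoft|google|eset|webroot|trendmicro|spybot|"
    r"symantec|kaspersky|avast|avg|mcafee|sophos|virustotal)", re.I)

POLICY_RE = re.compile(
    r"^[um]Policies-(?P<hive>\w+):\s*(?P<name>\w+)\s*=\s*dword:(?P<val>[0-9a-fA-F]+)")
PROXY_RE = re.compile(r"^[um]ProxyServer\s*=\s*(?P<proxy>\S+)")
IFEO_RE = re.compile(r'^(?:x64-)?IFEO:\s*(?P<target>\S+)\s+-\s+"?(?P<debugger>.+?)"?\s*$')
HOSTS_RE = re.compile(r"^Hosts:\s*(?P<ip>\S+)\s+(?P<host>\S+)")


def triage(report: str):
    """Return a list of (category, detail) findings for one DDS report."""
    findings = []
    for line in report.splitlines():
        m = POLICY_RE.match(line)
        if m:
            name, val = m["name"], int(m["val"], 16)
            if name in UAC_DEFAULTS and val != UAC_DEFAULTS[name]:
                findings.append(("uac", f"{name}={val} (Windows 7 default {UAC_DEFAULTS[name]})"))
            continue
        m = PROXY_RE.match(line)
        if m:
            # A local proxy is fine if a known filter owns the port; confirm with
            # 'netstat -ano | findstr :<port>' and map the PID to its image.
            findings.append(("proxy", m["proxy"]))
            continue
        m = IFEO_RE.match(line)
        if m:
            # An IFEO 'Debugger' silently runs another binary in place of the
            # target. Process Explorer's "Replace Task Manager" option writes
            # exactly this entry, but the path should still be verified.
            findings.append(("ifeo", f"{m['target']} -> {m['debugger']}"))
            continue
        m = HOSTS_RE.match(line)
        if m:
            ip, host = m["ip"], m["host"]
            if ip not in SINKHOLE_IPS:
                findings.append(("hosts-redirect", f"{host} -> {ip}"))
            elif PROTECTED_NAME_RE.search(host):
                findings.append(("hosts-block", f"{host} -> {ip}"))
    return findings


if __name__ == "__main__":
    for category, detail in triage(SAMPLE_LOG):
        print(f"{category:15} {detail}")
```

Run against the post's own log, the ad-domain hosts entries (0.0.0.0 targets) produce no findings, which is consistent with the MVPS hosts file the poster installed; the three UAC values, the proxy and the IFEO entry are what remains to verify by hand.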



#2 Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ

Posted 16 June 2014 - 12:29 PM

Good evening. :)

If I were you I would just use Darik's Boot and Nuke to wipe the hard drive and then reimage, and you should be good to go. It's bad enough trying to remove malware without trying to identify what it might be, and the time spent doing that is wasted if you can just start afresh.


So long, and thanks for all the fish.

 

 


#3 Ruok2bu

Posted 16 June 2014 - 01:43 PM

Thanks for the quick reply.

 

I would do that, except there are a lot of files that can't be deleted, and I'm afraid that if I just save them to another hard drive, the infection will spread.



#4 Noviciate

Posted 16 June 2014 - 01:54 PM

What sort of files?




#5 Ruok2bu

Posted 16 June 2014 - 02:10 PM

mp3, wma, m4a and a thunderbird email profile.



#6 Noviciate

Posted 16 June 2014 - 02:34 PM

You should be able to scan the files before you transfer them across to your PC using the resident anti-virus scanner. If you want a more in-depth look, and there aren't too many files, try VirusTotal, which utilises multiple scanners.

I don't see that a Thunderbird profile holds any risks, although backed-up emails may have dodgy attachments, but then you wouldn't open any that you weren't 100% sure of anyway.


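Scanning the backed-up files with AV is the first step; two cheap checks catch the disguises a signature scan can miss on renamed binaries. The script below is an added example for this page (not the poster's code and not part of any scanner): for each file it compares the type sniffed from the first bytes with what the extension claims, treats any file that is a PE image or carries an executable extension as something that does not belong in a music backup, and computes the SHA-256 so the file can be looked up on VirusTotal by hash rather than uploaded. The signature list, the verdict names and the sample files written by build_demo_dir() are constructed for the example.

```python
"""Check backed-up media files before moving them to a clean machine.

Added example for this thread (not the poster's code and not part of any
scanner). Two checks on top of an AV scan: does the content match what the
extension claims (an .mp3 that starts with a PE header is not music), and does
the name carry an executable extension. The SHA-256 lets each file be looked up
on VirusTotal by hash. Files written by build_demo_dir() are constructed."""
import hashlib
import os
import tempfile

EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js", ".jar", ".msi"}
MEDIA_EXTS = {".mp3", ".wma", ".m4a"}


def sniff(head: bytes) -> str:
    """Identify a file type from its first bytes (subset of common signatures)."""
    if head[:2] == b"MZ":                        # DOS/PE executable stub
        return "pe-executable"
    if head[:3] == b"ID3" or (len(head) >= 2 and head[0] == 0xFF and head[1] & 0xE0 == 0xE0):
        return "mp3"                             # ID3 tag or MPEG frame sync
    if head[:4] == b"\x30\x26\xb2\x75":          # ASF object header (WMA/WMV)
        return "wma"
    if head[4:8] == b"ftyp":                     # ISO base media (MP4/M4A)
        return "m4a"
    return "unknown"


def check_file(path: str) -> dict:
    """Hash one file and decide whether its content agrees with its name."""
    base = os.path.basename(path)
    ext = os.path.splitext(base.lower())[1]
    h = hashlib.sha256()
    with open(path, "rb") as f:
        head = f.read(16)
        h.update(head)
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    kind = sniff(head)
    if ext in EXECUTABLE_EXTS or kind == "pe-executable":
        verdict = "executable"                   # never belongs in a music backup
    elif ext in MEDIA_EXTS and kind == "unknown":
        verdict = "unverified"                   # no recognised header; inspect
    elif ext in MEDIA_EXTS and kind != ext[1:]:
        verdict = "type-mismatch"                # recognised, but not what the name says
    else:
        verdict = "ok"
    return {"file": base, "ext": ext, "content": kind,
            "sha256": h.hexdigest(), "verdict": verdict}


def check_dir(root: str) -> list:
    return [check_file(os.path.join(root, n)) for n in sorted(os.listdir(root))]


def build_demo_dir(root: str) -> None:
    """Write constructed samples: a plausible mp3, a PE renamed to .mp3, a
    screensaver with a music-looking name, and an .m4a holding mp3 data."""
    samples = {
        "song.mp3": b"ID3\x04\x00\x00\x00\x00\x00\x00" + b"\x00" * 64,
        "track.mp3": b"MZ\x90\x00" + b"\x00" * 64,
        "album.mp3.scr": b"MZ\x90\x00" + b"\x00" * 64,
        "clip.m4a": b"ID3\x03\x00\x00\x00\x00\x00\x00" + b"\x00" * 64,
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as f:
            f.write(data)


def demo_results() -> list:
    """Build the constructed samples in a temp dir and return their verdicts."""
    with tempfile.TemporaryDirectory() as d:
        build_demo_dir(d)
        return check_dir(d)


if __name__ == "__main__":
    for r in demo_results():
        print(f"{r['verdict']:14} {r['file']:16} {r['content']:14} sha256={r['sha256'][:16]}...")
```

Point check_dir() at the backup folder instead of the demo directory; anything reported as executable or type-mismatch should not be restored, and the SHA-256 of anything unverified is what to look up before deciding.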

#7 Ruok2bu

Posted 16 June 2014 - 03:40 PM

What type of destroy method should I use with Darik's?  Will the default suffice?



#8 Noviciate

Posted 16 June 2014 - 04:52 PM

That would be my choice. I should say that it's probably not necessary to use this as the infection is unlikely to survive a reimaging, but if in any doubt better safe than sorry.




#9 Ruok2bu

Posted 16 June 2014 - 04:53 PM

Ok.

 

Many thanks for replying quickly ;)


Edited by Ruok2bu, 16 June 2014 - 05:41 PM.


#10 Ruok2bu

Posted 17 June 2014 - 12:41 PM

I'm having some problems again.

 

Both drives got wiped and I reinstalled Windows, but now Windows does everything extremely slowly.  I'm not sure if it's because the drives got damaged from the wipe or some malware somehow leaked back in.  On top of it, now my computer is also loading everything really slowly.  My computer hasn't shown any other symptoms yet, though (broken AV scanner, hosts file redirections, etc.).


Edited by Ruok2bu, 17 June 2014 - 12:44 PM.


#11 Noviciate

Posted 17 June 2014 - 12:58 PM

Good evening. :)

All the wipe does is to overwrite any data on the drive with ones and zeros as opposed to anything physical that could actually harm the drive, so I don't see that any damage could come of that process. As to malware "leaking" back in, it is highly unlikely that anything could survive the boot and nuke process.

 

Did you install any software other than Windows? Did you transfer any files over?




#12 Ruok2bu

Posted 17 June 2014 - 01:02 PM

I originally installed Ubuntu (because I got tired of constantly reinstalling Windows), but it was a pain to configure, so I just caved and reinstalled Windows 7 again (formatted the drive first).

 

The only files I transferred to this computer were those I backed up, and I scanned them for viruses with the ESET Online Scanner, Trend Micro Online Scanner and my local copy of ESET NOD32.



#13 Noviciate

Posted 17 June 2014 - 01:22 PM

Did you use the Windows installation disk or an image? There is always the possibility, if you used an image, that it was infected or damaged at the time it was made, or that it has become corrupted at some point between making it and using it.




#14 Ruok2bu

Posted 17 June 2014 - 01:38 PM

It was a brand fresh install from the Windows 7 DVD.

 

I defragged the drive and it's a little bit faster, but still pretty slow.

 

The hard drive is really old, though (over 4 years); I think the wipe damaged it.


Edited by Ruok2bu, 17 June 2014 - 01:48 PM.


#15 Noviciate

Posted 17 June 2014 - 02:10 PM

Go here and download S.M.A.R.T. Monitoring Tools and then install it - make sure you select the 64-bit option if you need to.

Click on the Windows button in the bottom left-hand corner of your screen, then under All Programs open the smartmontools folder and click on smartctl (Admin CMD).
In the Command Window that opens, copy and paste the following and press <ENTER>:

smartctl -a sda >> "%userprofile%\desktop\smartoutput.txt"

Let me have the contents of smartoutput.txt that you should find on the Desktop in your next reply.



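The SMART report requested above can be read mechanically rather than by eye. The script below is an added example for this page (not the poster's code and not part of smartmontools): it parses the attribute table that `smartctl -a` prints, applies the firmware's own VALUE-versus-THRESH comparison, and separately flags non-zero raw counts of reallocated, pending and offline-uncorrectable sectors, which are the numbers that separate a dying disk from one that is merely old; interface CRC errors are flagged too, since those point at the cable or port rather than the platters. SAMPLE_OUTPUT is a constructed excerpt in smartctl's table format, not a real drive's report, and treating any non-zero raw count on attributes 5, 197, 198 and 199 as a warning is an assumption of the example.

```python
"""Parse 'smartctl -a' output and rate the attributes that predict disk failure.

Added example for this thread (not part of the original post and not part of
smartmontools). The attribute IDs are the standard ATA SMART ones; the rule that
any non-zero raw value on 5/197/198/199 is a warning is an assumption.
SAMPLE_OUTPUT is a constructed excerpt in smartctl's format."""
import re

SAMPLE_OUTPUT = """\
SMART overall-health self-assessment test result: PASSED

ID# ATTRIBUTE_NAME          FLAG     VALUE WORST THRESH TYPE      UPDATED  WHEN_FAILED RAW_VALUE
  5 Reallocated_Sector_Ct   0x0033   097   097   036    Pre-fail  Always       -       132
  9 Power_On_Hours          0x0032   061   061   000    Old_age   Always       -       34567
197 Current_Pending_Sector  0x0012   100   100   000    Old_age   Always       -       8
198 Offline_Uncorrectable   0x0010   100   100   000    Old_age   Offline      -       8
199 UDMA_CRC_Error_Count    0x003e   200   200   000    Old_age   Always       -       0
"""

# One row of the attribute table: id, name, flag, value, worst, thresh, type,
# updated, when_failed, raw (only the leading integer of RAW_VALUE is taken).
ATTR_RE = re.compile(
    r"^\s*(?P<id>\d+)\s+(?P<name>\S+)\s+0x[0-9a-fA-F]{4}\s+(?P<value>\d+)\s+"
    r"(?P<worst>\d+)\s+(?P<thresh>\d+)\s+(?P<type>\S+)\s+\S+\s+\S+\s+(?P<raw>\d+)")

# Raw counts that stay at zero on a healthy drive: non-zero means the media is
# already losing sectors (5, 197, 198) or the link is corrupting transfers (199).
MUST_BE_ZERO = {5: "reallocated sectors", 197: "pending (unreadable) sectors",
                198: "offline uncorrectable sectors", 199: "interface CRC errors"}


def parse_attributes(text: str) -> dict:
    """Map attribute ID to its parsed fields."""
    attrs = {}
    for line in text.splitlines():
        m = ATTR_RE.match(line)
        if m:
            attrs[int(m["id"])] = {
                "name": m["name"], "value": int(m["value"]), "worst": int(m["worst"]),
                "thresh": int(m["thresh"]), "type": m["type"], "raw": int(m["raw"])}
    return attrs


def overall_result(text: str):
    """PASSED / FAILED as the firmware reports it, or None if absent."""
    m = re.search(r"self-assessment test result:\s*(\w+)", text)
    return m.group(1) if m else None


def assess(text: str):
    """Return (verdict, reasons) where verdict is 'fail', 'warn' or 'ok'."""
    reasons = []
    if overall_result(text) == "FAILED":
        reasons.append("firmware reports overall health FAILED")
    for aid, a in parse_attributes(text).items():
        # The normalised VALUE reaching THRESH is what the firmware itself treats
        # as failure; a zero THRESH means the vendor set no limit for that attribute.
        if a["thresh"] and a["value"] <= a["thresh"]:
            reasons.append(f"{a['name']} value {a['value']} at/below threshold {a['thresh']}")
        elif aid in MUST_BE_ZERO and a["raw"] > 0:
            reasons.append(f"{a['name']}: {a['raw']} {MUST_BE_ZERO[aid]}")
    if any("FAILED" in r or "threshold" in r for r in reasons):
        return "fail", reasons
    return ("warn" if reasons else "ok"), reasons


if __name__ == "__main__":
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_OUTPUT
    verdict, reasons = assess(text)
    print(verdict.upper())
    for r in reasons:
        print(" -", r)
```

Feed it the smartoutput.txt produced by the command above (`python smart_check.py < smartoutput.txt`, assuming that file name). On the constructed sample the firmware still says PASSED, yet 132 reallocated and 8 pending sectors already explain a drive that has become slow, which is the distinction the thread is trying to make between wipe damage and a disk that was on its way out anyway.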
