
Infected with Trojan.Miuref Activity 2, do not know how to remove it


13 replies to this topic

#1 Jro216

Posted 23 June 2014 - 07:41 PM

Hi,

 

Within the last 24 hours (6/22/14 - 6/23/14) my Symantec Endpoint Protection has logged the following:

 

[SID: 27678] System Infected: Trojan.Miuref Activity 2 attack blocked. Traffic has been blocked for this application: \DEVICE\HARDDISKVOLUME3\USERS\JOSEPH\APPDATA\LOCAL\GOOGLE\CHROME\APPLICATION\CHROME.EXE

 

I have not noticed any interfering or otherwise malicious activity caused by this file during my normal use of the computer over the past 24 hours.

 

My survey of online advice led me here with a request to help remove this trojan.

 

The DDS log follows:

 

DDS (Ver_2012-11-20.01) - NTFS_AMD64 
Internet Explorer: 11.0.9600.17126  BrowserJavaVersion: 10.51.2
Run by Joseph at 20:29:38 on 2014-06-23
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.16366.8743 [GMT -4:00]
.
AV: Symantec Endpoint Protection *Enabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Symantec Endpoint Protection *Enabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Program Files\IDT\WDM\STacSV64.exe
C:\Program Files (x86)\Stardock\MyColors\VistaSrv.exe
C:\Program Files (x86)\Stardock\MyColors\WBVista.exe
C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files\IDT\WDM\AESTSr64.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\SysWOW64\svchost.exe -k hpdevmgmt
C:\Windows\keyacc32.exe
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
C:\Program Files (x86)\RosettaStoneLtdServices\RosettaStoneDaemon.exe
C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.1101.401.105\Bin\ccSvcHst.exe
C:\Program Files (x86)\AlienRespawn\sftservice.EXE
C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\Pen_Tablet.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Intel\WiFi\bin\EvtEng.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.1101.401.105\Bin64\Smc.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k HPService
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.1101.401.105\Bin\ccSvcHst.exe
C:\Program Files (x86)\AlienRespawn\Components\DSUpdate\DSUpd.exe
C:\Program Files (x86)\AlienRespawn\COMPONENTS\SCHEDULER\STSERVICE.EXE
C:\Program Files (x86)\AlienRespawn\Toaster.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\IDT\WDM\sttray64.exe
C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe
C:\Windows\system32\WTablet\Pen_TabletUser.exe
C:\Program Files\Microsoft Xbox 360 Accessories\XBoxStat.exe
C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
C:\Users\Joseph\AppData\Roaming\Dropbox\bin\Dropbox.exe
C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVH.EXE
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files (x86)\Alienware On-Screen Display\AlienwareOn-ScreenDisplay.exe
C:\Windows\system32\Pen_Tablet.exe
C:\Program Files (x86)\Integrated Webcam\Live! Central\WebcamInt.exe
C:\Program Files (x86)\CyberLink\PowerDVD9\PDVD9Serv.exe
C:\Program Files (x86)\CyberLink\Shared files\brs.exe
C:\Users\Joseph\AppData\Local\Apps\2.0\32HTGH02.NNV\5HWML72E.NQD\curs..tion_9e9e83ddf3ed3ead_0005.0001_36a9b6290e21932c\CurseClient.exe
C:\Program Files\Alienware\Command Center\AWCCServiceController.exe
C:\Program Files (x86)\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe
C:\Windows\kass.exe
C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe
C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
C:\Program Files (x86)\Razer\Naga\RazerNagaSysTray.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files (x86)\AirPort\APAgent.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe
Q:\140061.enu\Office14\ONENOTEM.EXE
C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\IPC\AdobeIPCBroker.exe
C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CoreSync\CoreSync.exe
C:\Program Files (x86)\Adobe\Adobe Creative Cloud\HEX\Adobe CEF Helper.exe
C:\Program Files (x86)\Adobe\Adobe Creative Cloud\HEX\Adobe CEF Helper.exe
C:\Program Files (x86)\Adobe\Adobe Creative Cloud\HEX\Adobe CEF Helper.exe
C:\Program Files\Alienware\Command Center\AlienwareAlienFXController.exe
C:\Program Files\Alienware\Command Center\AWCCApplicationWatcher32.exe
C:\Program Files\Alienware\Command Center\AWCCApplicationWatcher64.exe
C:\Program Files\Alienware\Command Center\AlienFusionService.exe
C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
C:\Program Files (x86)\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe
C:\Program Files\Alienware\Command Center\AlienFusionController.exe
C:\Program Files (x86)\Steam\steam.exe
C:\Program Files (x86)\Common Files\Steam\SteamService.exe
C:\Windows\SYSTEM32\WISPTIS.EXE
C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
C:\Windows\system32\taskhost.exe
C:\Users\Joseph\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Joseph\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Joseph\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Joseph\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Joseph\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Joseph\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Joseph\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Joseph\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Joseph\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Joseph\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\AAM Updates Notifier.exe
C:\Users\Joseph\AppData\Local\Google\Chrome\Application\chrome.exe
Q:\140061.enu\Office14\WINWORD.EXE
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
C:\Windows\splwow64.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\AUDIODG.EXE
C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.1101.401.105\Bin64\SmcGui.exe
C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.1101.401.105\Bin\ProtectionUtilSurrogate.exe
C:\Users\Joseph\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Joseph\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Joseph\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Joseph\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Joseph\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Joseph\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
uDefault_Page_URL = hxxp://www.alienware.com/
uProxyOverride = <local>;*.local
uURLSearchHooks: {7473b6bd-4691-4744-a82b-7854eb3d70b6} - <orphaned>
mWinlogon: Userinit = userinit.exe
BHO: HP Print Enhancer: {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
BHO: Symantec Intrusion Prevention: {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.1101.401.105\Bin\IPS\IPSBHO.dll
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Skype Browser Helper: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
BHO: HP Smart BHO Class: {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
EB: HP Smart Web Printing: {555D4D79-4BD2-4094-A395-CFC534424A05} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_bho.dll
EB: HP Smart Web Printing: {555D4D79-4BD2-4094-A395-CFC534424A05} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_bho.dll
uRun: [Google Update] "C:\Users\Joseph\AppData\Local\Google\Update\GoogleUpdate.exe" /c
uRun: [Skype] "C:\Program Files (x86)\Skype\Phone\Skype.exe" /minimized /regrun
mRun: [IAStorIcon] C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
mRun: [AlienwareOn-ScreenDisplay] C:\Program Files (x86)\Alienware On-Screen Display\AlienwareOn-ScreenDisplay.exe
mRun: [Integrated Webcam Live! Central] "C:\Program Files (x86)\Integrated Webcam\Live! Central\WebcamInt.exe" /mode2
mRun: [RemoteControl9] "c:\Program Files (x86)\CyberLink\PowerDVD9\PDVD9Serv.exe"
mRun: [PDVD9LanguageShortcut] "c:\Program Files (x86)\CyberLink\PowerDVD9\Language\Language.exe"
mRun: [BDRegion] c:\Program Files (x86)\Cyberlink\Shared Files\brs.exe
mRun: [RoxWatchTray] "C:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatchTray12OEM.exe"
mRun: [Desktop Disc Tool] "C:\Program Files (x86)\Roxio\oem\Roxio Burn\RoxioBurnLauncher.exe"
mRun: [KeyAccess] kass.exe
mRun: [HP Software Update] C:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe
mRun: [Razer Naga Driver] C:\Program Files (x86)\Razer\Naga\RazerNagaSysTray.exe
mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [AirPort Base Station Agent] "C:\Program Files (x86)\AirPort\APAgent.exe"
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun: [Adobe Creative Cloud] "C:\Program Files (x86)\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe" --showwindow=false --onOSstartup=true
mRunOnce: [Launcher] C:\Program Files (x86)\AlienRespawn\Components\Scheduler\Launcher.exe
StartupFolder: C:\Users\Joseph\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CurseClientStartup.ccip
StartupFolder: C:\Users\Joseph\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Dropbox.lnk - C:\Users\Joseph\AppData\Roaming\Dropbox\bin\Dropbox.exe
StartupFolder: C:\Users\Joseph\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\ONENOT~1.LNK - C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVH.EXE
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\HPDIGI~1.LNK - C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\STARDO~1.LNK - C:\Program Files (x86)\Stardock\MyColors\SDDelayedLaunch.exe
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-Explorer: NoActiveDesktopChanges = dword:1
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
mPolicies-Windows\System: UseOEMBackground = dword:1
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
Trusted Zone: dell.com
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_33-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0033-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_33-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_33-windows-i586.cab
TCP: NameServer = 75.75.75.75 75.75.76.76
TCP: Interfaces\{58626A1E-40CB-491A-9CC1-3FB0FCED7EFA} : DHCPNameServer = 75.75.75.75 75.75.76.76
TCP: Interfaces\{58626A1E-40CB-491A-9CC1-3FB0FCED7EFA}\052756D696562756F584F64756C6 : DHCPNameServer = 75.75.75.75 75.75.76.76
TCP: Interfaces\{58626A1E-40CB-491A-9CC1-3FB0FCED7EFA}\140707C65602E4564777F627B602033363468313 : DHCPNameServer = 10.0.1.1
TCP: Interfaces\{58626A1E-40CB-491A-9CC1-3FB0FCED7EFA}\3416C69616D27657563747 : DHCPNameServer = 209.18.47.61 209.18.47.62
TCP: Interfaces\{58626A1E-40CB-491A-9CC1-3FB0FCED7EFA}\34F6D666F6274794E6E6 : DHCPNameServer = 172.17.0.1
TCP: Interfaces\{58626A1E-40CB-491A-9CC1-3FB0FCED7EFA}\64F657270205F696E6473702358656271647F6E6 : DHCPNameServer = 4.2.2.1
TCP: Interfaces\{58626A1E-40CB-491A-9CC1-3FB0FCED7EFA}\84F4D454D264734493D253 : DHCPNameServer = 75.75.75.75 75.75.76.76
TCP: Interfaces\{58626A1E-40CB-491A-9CC1-3FB0FCED7EFA}\B42716373796D69627160275F6F64637D27657563747 : DHCPNameServer = 66.152.117.198 68.70.58.5 192.168.33.1
TCP: Interfaces\{AEA08A2E-7C9B-4054-A7C3-DA280FA96C05} : DHCPNameServer = 75.75.76.76 75.75.75.75
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll
Notify: SEP - C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.1101.401.105\Bin\WinLogoutNotifier.dll
AppInit_DLLs= KATRACK.DLL
SSODL: WebCheck - <orphaned>
x64-BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
x64-BHO: Skype add-on for Internet Explorer: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll
x64-BHO: {DBC80044-A445-435b-BC74-9C25C1C588A9} - <orphaned>
x64-Run: [SynTPEnh] C:\Program Files (x86)\Synaptics\SynTP\SynTPEnh.exe
x64-Run: [SysTrayApp] C:\Program Files\IDT\WDM\sttray64.exe
x64-Run: [IntelWireless] "C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" /tf Intel Wireless Tray
x64-Run: [Command Center Controllers] "C:\Program Files\Alienware\Command Center\AWCCStartupOrchestrator.exe"
x64-Run: [XboxStat] "C:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe" silentrun
x64-Run: [AdobeAAMUpdater-1.0] "C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe"
x64-IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll
x64-Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll
x64-Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - <orphaned>
x64-Notify: WB - C:\Program Files (x86)\Stardock\MyColors\fast64.dll
x64-SSODL: WebCheck - <orphaned>
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Joseph\AppData\Roaming\Mozilla\Firefox\Profiles\x33goyau.default\
FF - prefs.js: browser.search.selectedEngine - uTorrentControl_v2 Customized Web Search
FF - prefs.js: browser.startup.homepage - hxxp://search.conduit.com/?ctid=CT3220468&octid=CT3220468&CUI=UN65171614350726397&UM=4&SearchSource=13
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3220468&octid=CT3220468&CUI=UN65171614350726397&UM=4&SearchSource=2&q=
FF - component: C:\Users\Joseph\AppData\Roaming\Mozilla\Firefox\Profiles\x33goyau.default\extensions\zoteroWinWordIntegration@zotero.org\components\zoteroWinWordIntegration.dll
FF - plugin: C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL
FF - plugin: C:\Program Files (x86)\Adobe\Adobe Creative Cloud\Utils\npAdobeAAMDetect32.dll
FF - plugin: C:\Program Files (x86)\Adobe\Adobe Creative Cloud\Utils\npAdobeAAMDetect64.dll
FF - plugin: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\Amazon\MP3 Downloader\npAmazonMP3DownloaderPlugin1017325.dll
FF - plugin: C:\Program Files (x86)\Common Files\Wolfram Research\Browser\8.0.4.2615434\npmathplugin.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\plugin2\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Java\jre7\bin\dtplugin\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\5.1.30214.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npCouponPrinter.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npMozCouponPrinter.dll
FF - plugin: C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll
FF - plugin: C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll
FF - plugin: C:\Users\Joseph\AppData\Local\Google\Update\1.3.24.15\npGoogleUpdate3.dll
FF - plugin: C:\Users\Joseph\AppData\Roaming\Mozilla\Firefox\Profiles\x33goyau.default\extensions\{7473b6bd-4691-4744-a82b-7854eb3d70b6}\plugins\np-mswmp.dll
FF - plugin: C:\Users\Joseph\AppData\Roaming\Mozilla\Firefox\Profiles\x33goyau.default\extensions\{7473b6bd-4691-4744-a82b-7854eb3d70b6}\plugins\npFirefoxPlugin.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_13_0_0_214.dll
FF - ExtSQL: !HIDDEN! 2011-04-23 19:02; smartwebprinting@hp.com; C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3
.
============= SERVICES / DRIVERS ===============
.
R0 EMSC;COMPAL Embedded System Control;C:\Windows\System32\drivers\EMSC.sys [2009-6-26 16752]
R0 PxHlpa64;PxHlpa64;C:\Windows\System32\drivers\PxHlpa64.sys [2011-3-2 55856]
R0 stdcfltn;Disk Class Filter Driver for Accelerometer;C:\Windows\System32\drivers\stdcfltn.sys [2011-3-2 21616]
R0 SymDS;Symantec Data Store;C:\Windows\System32\drivers\SEP\0C01044D\0191.105\x64\SymDS64.sys [2012-8-2 451192]
R0 SymEFA;Symantec Extended File Attributes;C:\Windows\System32\drivers\SEP\0C01044D\0191.105\x64\SymEFA64.sys [2012-8-2 932472]
R1 BHDrvx64;BHDrvx64;C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.1101.401.105\Data\Definitions\BASHDefs\20140612.012\BHDrvx64.sys [2014-6-18 1530160]
R1 IDSVia64;IDSVia64;C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.1101.401.105\Data\Definitions\IPSDefs\20140620.001\IDSviA64.sys [2014-6-21 525016]
R1 SymIRON;Symantec Iron Driver;C:\Windows\System32\drivers\SEP\0C01044D\0191.105\x64\Ironx64.sys [2012-8-2 171128]
R1 SYMNETS;Symantec Network Security WFP Driver;C:\Windows\System32\drivers\SEP\0C01044D\0191.105\x64\symnets.sys [2012-8-2 386168]
R2 AESTFilters;Andrea ST Filters Service;C:\Program Files\IDT\WDM\AESTSr64.exe [2011-3-2 89600]
R2 AlienFusionService;Alienware Fusion Service;C:\Program Files\Alienware\Command Center\AlienFusionService.exe [2010-11-10 15296]
R2 cvhsvc;Client Virtualization Handler;C:\Program Files (x86)\Common Files\microsoft shared\Virtualization Handler\CVHSVC.EXE [2013-4-22 822504]
R2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2011-3-2 13336]
R2 IntuitUpdateServiceV4;Intuit Update Service v4;C:\Program Files (x86)\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe [2013-6-28 14624]
R2 KeyAccess;KeyAccess;C:\Windows\keyacc32.exe [2010-10-20 1261568]
R2 RosettaStoneDaemon;RosettaStoneDaemon;C:\Program Files (x86)\RosettaStoneLtdServices\RosettaStoneDaemon.exe [2010-5-17 1615176]
R2 SepMasterService;Symantec Endpoint Protection;C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.1101.401.105\Bin\ccSvcHst.exe [2012-8-2 137208]
R2 sftlist;Application Virtualization Client;C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2013-6-26 523944]
R2 SftService;SoftThinks Agent Service;C:\Program Files (x86)\AlienRespawn\SftService.exe [2011-3-2 705856]
R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2012-6-28 382312]
R2 TabletServicePen;TabletServicePen;C:\Windows\System32\Pen_Tablet.exe [2014-2-3 1909032]
R3 Acceler;Accelerometer Service;C:\Windows\System32\drivers\Accelern.sys [2010-12-17 27760]
R3 btwampfl;Bluetooth AMP USB Filter;C:\Windows\System32\drivers\btwampfl.sys [2010-12-17 344616]
R3 CtClsFlt;Creative Camera Class Upper Filter Driver;C:\Windows\System32\drivers\CtClsFlt.sys [2011-3-2 175168]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2014-6-12 142128]
R3 L1C;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;C:\Windows\System32\drivers\L1C62x64.sys [2010-12-17 76912]
R3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;C:\Windows\System32\drivers\nusb3hub.sys [2010-12-17 80384]
R3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;C:\Windows\System32\drivers\nusb3xhc.sys [2010-12-17 180736]
R3 NvStUSB;NVIDIA Stereoscopic 3D USB driver;C:\Windows\System32\drivers\nvstusb.sys [2012-7-28 445288]
R3 RzSynapse;Razer Driver;C:\Windows\System32\drivers\RzSynapse.sys [2011-3-31 126464]
R3 Sftfs;Sftfs;C:\Windows\System32\drivers\Sftfslh.sys [2013-6-26 767144]
R3 Sftplay;Sftplay;C:\Windows\System32\drivers\Sftplaylh.sys [2013-6-26 273576]
R3 Sftredir;Sftredir;C:\Windows\System32\drivers\Sftredirlh.sys [2013-6-26 28840]
R3 Sftvol;Sftvol;C:\Windows\System32\drivers\Sftvollh.sys [2013-6-26 23208]
R3 sftvsa;Application Virtualization Service Agent;C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2013-6-26 207528]
S2 CLKMSVC10_9EC60124;CyberLink Product - 2011/03/01 22:45:33;C:\Program Files (x86)\CyberLink\PowerDVD9\NavFilter\kmsvc.exe [2010-9-28 254448]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2013-9-11 105144]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2013-9-11 124088]
S2 RoxWatch12;Roxio Hard Drive Watcher 12;C:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatch12OEM.exe [2010-9-4 219632]
S2 SkypeUpdate;Skype Updater;C:\Program Files (x86)\Skype\Updater\Updater.exe [2013-10-23 172192]
S3 IEEtwCollectorService;Internet Explorer ETW Collector Service;C:\Windows\System32\ieetwcollector.exe [2014-6-12 111616]
S3 MyWiFiDHCPDNS;Wireless PAN DHCP Server;C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe [2010-7-19 340240]
S3 RoxMediaDB12OEM;RoxMediaDB12OEM;C:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxMediaDB12OEM.exe [2010-9-4 1116656]
S3 RSPCIESTOR;Realtek PCIE CardReader Driver;C:\Windows\System32\drivers\RtsPStor.sys [2010-12-17 326760]
S3 SyDvCtrl;SyDvCtrl;C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.1101.401.105\Bin64\SyDvCtrl64.sys [2012-8-2 29664]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2011-6-1 59392]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2011-3-10 1255736]
.
=============== File Associations ===============
.
FileExt: .txt: Applications\CVH.EXE="C:\Program Files (x86)\Common Files\microsoft shared\Virtualization Handler\CVH.EXE" "%1" [UserChoice]
.
=============== Created Last 30 ================
.
2014-06-19 19:45:47 -------- d-----r- C:\Users\Joseph\Creative Cloud Files
2014-06-12 15:48:56 -------- d-----w- C:\Users\Joseph\AppData\Roaming\PDAppFlex
2014-06-12 15:48:49 -------- d-----w- C:\ProgramData\regid.1986-12.com.adobe
2014-06-12 15:29:37 -------- d-----w- C:\ProgramData\Package Cache
2014-06-12 14:56:28 -------- d-----w- C:\Users\Joseph\AppData\Roaming\com.adobe.downloadassistant.AdobeDownloadAssistant
2014-06-12 14:56:14 -------- d-----w- C:\Program Files (x86)\Adobe Download Assistant
2014-06-12 14:56:03 -------- d-----w- C:\Users\Joseph\AppData\Local\Adobe
2014-06-08 13:58:19 -------- d-----w- C:\Users\Joseph\AppData\Local\Apple
2014-06-03 00:35:43 -------- d-----w- C:\Program Files (x86)\Mozilla Maintenance Service
2014-06-03 00:35:41 588728 ----a-w- C:\Program Files (x86)\Mozilla Firefox\gkmedias.dll
2014-06-03 00:35:41 43960 ----a-w- C:\Program Files (x86)\Mozilla Firefox\mozglue.dll
2014-06-03 00:35:41 157352 ----a-w- C:\Program Files (x86)\Mozilla Firefox\maintenanceservice_installer.exe
2014-06-03 00:35:41 129976 ----a-w- C:\Program Files (x86)\Mozilla Firefox\maintenanceservice.exe
2014-05-29 16:12:44 -------- d-----w- C:\Program Files (x86)\World of Warcraft
2014-05-28 18:58:51 -------- d-----w- C:\Users\Joseph\Unknown Artist
2014-05-28 18:56:38 -------- d-----w- C:\Users\Joseph\AppData\Local\Sonic_Solutions
.
==================== Find3M  ====================
.
2014-06-19 19:45:22 119296 ----a-w- C:\Windows\SysWow64\zlib.dll
2014-06-08 09:13:05 506368 ----a-w- C:\Windows\System32\aepdu.dll
2014-06-08 09:08:04 424448 ----a-w- C:\Windows\System32\aeinv.dll
2014-05-30 10:02:37 2724864 ----a-w- C:\Windows\System32\mshtml.tlb
2014-05-30 10:02:09 4096 ----a-w- C:\Windows\System32\ieetwcollectorres.dll
2014-05-30 09:39:43 548352 ----a-w- C:\Windows\System32\vbscript.dll
2014-05-30 09:39:23 66048 ----a-w- C:\Windows\System32\iesetup.dll
2014-05-30 09:38:29 48640 ----a-w- C:\Windows\System32\ieetwproxystub.dll
2014-05-30 09:21:23 139264 ----a-w- C:\Windows\System32\ieUnatt.exe
2014-05-30 09:21:05 111616 ----a-w- C:\Windows\System32\ieetwcollector.exe
2014-05-30 09:20:36 752640 ----a-w- C:\Windows\System32\jscript9diag.dll
2014-05-30 09:11:24 940032 ----a-w- C:\Windows\System32\MsSpellCheckingFacility.exe
2014-05-30 09:08:22 5782528 ----a-w- C:\Windows\System32\jscript9.dll
2014-05-30 09:02:39 2724864 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2014-05-30 08:55:36 38400 ----a-w- C:\Windows\System32\JavaScriptCollectionAgent.dll
2014-05-30 08:44:28 455168 ----a-w- C:\Windows\SysWow64\vbscript.dll
2014-05-30 08:43:06 61952 ----a-w- C:\Windows\SysWow64\iesetup.dll
2014-05-30 08:42:16 51200 ----a-w- C:\Windows\SysWow64\ieetwproxystub.dll
2014-05-30 08:28:33 112128 ----a-w- C:\Windows\SysWow64\ieUnatt.exe
2014-05-30 08:27:56 592896 ----a-w- C:\Windows\SysWow64\jscript9diag.dll
2014-05-30 08:24:19 1249280 ----a-w- C:\Windows\System32\mshtmlmedia.dll
2014-05-30 08:23:22 2040832 ----a-w- C:\Windows\System32\inetcpl.cpl
2014-05-30 08:10:46 32256 ----a-w- C:\Windows\SysWow64\JavaScriptCollectionAgent.dll
2014-05-30 07:56:56 2266112 ----a-w- C:\Windows\System32\wininet.dll
2014-05-30 07:56:50 4244992 ----a-w- C:\Windows\SysWow64\jscript9.dll
2014-05-30 07:50:09 1068032 ----a-w- C:\Windows\SysWow64\mshtmlmedia.dll
2014-05-30 07:49:38 1964544 ----a-w- C:\Windows\SysWow64\inetcpl.cpl
2014-05-30 07:21:10 1790976 ----a-w- C:\Windows\SysWow64\wininet.dll
2014-05-14 16:15:19 70832 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2014-05-14 16:15:19 692400 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2014-04-25 02:34:59 801280 ----a-w- C:\Windows\System32\usp10.dll
2014-04-25 02:06:17 626688 ----a-w- C:\Windows\SysWow64\usp10.dll
2014-04-12 02:22:05 95680 ----a-w- C:\Windows\System32\drivers\ksecdd.sys
2014-04-12 02:22:05 155072 ----a-w- C:\Windows\System32\drivers\ksecpkg.sys
2014-04-12 02:19:38 29184 ----a-w- C:\Windows\System32\sspisrv.dll
2014-04-12 02:19:38 136192 ----a-w- C:\Windows\System32\sspicli.dll
2014-04-12 02:19:37 28160 ----a-w- C:\Windows\System32\secur32.dll
2014-04-12 02:19:32 1460736 ----a-w- C:\Windows\System32\lsasrv.dll
2014-04-12 02:19:05 31232 ----a-w- C:\Windows\System32\lsass.exe
2014-04-12 02:12:06 22016 ----a-w- C:\Windows\SysWow64\secur32.dll
2014-04-12 02:10:56 96768 ----a-w- C:\Windows\SysWow64\sspicli.dll
2014-04-12 00:05:24 281688 ----a-w- C:\Windows\SysWow64\PnkBstrB.xtr
2014-04-05 02:47:20 1903552 ----a-w- C:\Windows\System32\drivers\tcpip.sys
2014-04-05 02:47:09 288192 ----a-w- C:\Windows\System32\drivers\FWPKCLNT.SYS
2014-03-26 14:44:48 2002432 ----a-w- C:\Windows\System32\msxml6.dll
2014-03-26 14:44:48 1882112 ----a-w- C:\Windows\System32\msxml3.dll
2014-03-26 14:41:39 2048 ----a-w- C:\Windows\System32\msxml6r.dll
2014-03-26 14:41:39 2048 ----a-w- C:\Windows\System32\msxml3r.dll
2014-03-26 14:27:50 1389056 ----a-w- C:\Windows\SysWow64\msxml6.dll
2014-03-26 14:27:50 1237504 ----a-w- C:\Windows\SysWow64\msxml3.dll
2014-03-26 14:25:14 2048 ----a-w- C:\Windows\SysWow64\msxml6r.dll
2014-03-26 14:25:14 2048 ----a-w- C:\Windows\SysWow64\msxml3r.dll
.
============= FINISH: 20:30:02.49 ===============
 
Thank you for your time.
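Added example (not part of Jro216's post, and not Symantec, DDS or BleepingComputer code): a small Python triage script for the two artifacts quoted above. It parses the SEP IPS alert line, whose wording "Traffic has been blocked for this application" means an intrusion-prevention signature matched network traffic sent by the listed process, not that the chrome.exe binary itself was detected, and it runs a few review checks over DDS log lines: AppInit_DLLs entries, Run entries given without a full path, executables sitting directly in C:\Windows, orphaned browser hooks, and Firefox prefs pointing at a third-party search redirector. The NT device to drive-letter mapping (\DEVICE\HARDDISKVOLUME3 to C:) is an assumption for the example, and the list of known Windows-root binaries is illustrative. A hit is a "look at this" flag, not a verdict: the KeyAccess licence-management client (kass.exe, keyacc32.exe, KATRACK.DLL) legitimately installs exactly this way, so each finding still needs a human decision.

```python
"""Triage helpers for a SEP IPS alert line and a DDS log excerpt.
Added example; not Symantec, DDS or forum code."""
import re

# --- 1. SEP intrusion-prevention alert ----------------------------------
# Format taken from the alert quoted in the post.  "Traffic has been blocked
# for this application" = the IPS signature matched network traffic from that
# process; it is not a file detection on the binary.
SEP_IPS_RE = re.compile(
    r"\[SID:\s*(?P<sid>\d+)\]\s*(?P<name>.+?)\s+attack blocked\.\s*"
    r"Traffic has been blocked for this application:\s*(?P<path>\S+)",
    re.IGNORECASE,
)

# SEP logs NT device paths.  The device->drive mapping is host specific; this
# table is an ASSUMPTION for the example (on the real host take it from
# `mountvol`, `fltmc volumes` or QueryDosDevice).
VOLUME_MAP = {r"\DEVICE\HARDDISKVOLUME3": "C:"}


def parse_sep_ips_alert(line):
    """Return {'sid', 'signature', 'process'} or None for a non-IPS line.
    The process path is mapped to a drive letter when VOLUME_MAP knows it."""
    m = SEP_IPS_RE.search(line)
    if not m:
        return None
    path = m.group("path")
    for device, drive in VOLUME_MAP.items():
        # require a path separator after the device so VOLUME3 != VOLUME30
        if path.upper().startswith(device + "\\"):
            path = drive + path[len(device):]
            break
    return {"sid": int(m.group("sid")),
            "signature": m.group("name").strip(),
            "process": path}


# --- 2. DDS log triage --------------------------------------------------
# Each check returns the matched value or None.  A hit means "a human should
# look at this", not "malicious": e.g. the KeyAccess licence client
# (kass.exe, keyacc32.exe, KATRACK.DLL) legitimately installs this way.

# Binaries Windows 7 keeps directly under C:\Windows (illustrative list).
WINDOWS_ROOT_ALLOW = {"explorer.exe", "splwow64.exe", "regedit.exe",
                      "notepad.exe", "hh.exe", "write.exe", "winhlp32.exe",
                      "bfsvc.exe", "fveupdate.exe", "helppane.exe"}


def _windows_root_exe(line):
    m = re.search(r"C:\\Windows\\([^\\\s;]+\.exe)", line, re.I)
    if m and m.group(1).lower() not in WINDOWS_ROOT_ALLOW:
        return m.group(0)
    return None


def _regex_check(pattern):
    rx = re.compile(pattern, re.I)

    def check(line):
        m = rx.search(line)
        return m.group("v") if m else None
    return check


DDS_CHECKS = [
    ("AppInit_DLLs: DLL loaded into every user-mode process that loads user32",
     _regex_check(r"^AppInit_DLLs\s*=\s*(?P<v>.+\S)")),
    ("Run entry without a full path (resolved by PATH search, hijackable)",
     _regex_check(r'^[mu]Run:\s*\[[^\]]+\]\s*(?P<v>[^"\\:]+\.exe)\s*$')),
    ("executable directly in the Windows root, not a known Windows binary",
     _windows_root_exe),
    ("Firefox homepage/search pref points at a third-party redirector",
     _regex_check(r"^FF - prefs\.js:.*?(?P<v>hxxp://\S+)")),
    ("orphaned browser hook (registry entry whose DLL no longer exists)",
     _regex_check(r"^(?P<v>[^:]+):.*<orphaned>")),
]


def triage_dds(text):
    """Run every check over every non-empty line; return (reason, value, line)."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        for reason, check in DDS_CHECKS:
            value = check(line)
            if value:
                findings.append((reason, value, line))
    return findings


# Alert line quoted from the post, and DDS lines excerpted verbatim from the
# posted log (HPWuSchd2 and Explorer.EXE are benign controls, not flagged).
SEP_ALERT = (r"[SID: 27678] System Infected: Trojan.Miuref Activity 2 attack blocked. "
             r"Traffic has been blocked for this application: "
             r"\DEVICE\HARDDISKVOLUME3\USERS\JOSEPH\APPDATA\LOCAL\GOOGLE\CHROME\APPLICATION\CHROME.EXE")
SAMPLE_DDS = r"""
uURLSearchHooks: {7473b6bd-4691-4744-a82b-7854eb3d70b6} - <orphaned>
mRun: [KeyAccess] kass.exe
mRun: [HP Software Update] C:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe
C:\Windows\kass.exe
C:\Windows\Explorer.EXE
R2 KeyAccess;KeyAccess;C:\Windows\keyacc32.exe [2010-10-20 1261568]
AppInit_DLLs= KATRACK.DLL
FF - prefs.js: browser.startup.homepage - hxxp://search.conduit.com/?ctid=CT3220468&octid=CT3220468&CUI=UN65171614350726397&UM=4&SearchSource=13
"""

if __name__ == "__main__":
    print(parse_sep_ips_alert(SEP_ALERT))
    for reason, value, line in triage_dds(SAMPLE_DDS):
        print(f"[review] {reason}\n         {value}\n         {line}")
```

Run it as a script to print the parsed alert and the review findings. The point of the alert parser is the `process` field: the next step on a host like this is to work out what made Chrome emit the matching traffic (an extension, an open tab, or something injected into the process), and the DDS checks list the entries a responder would want to look at first.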
 
 

#2 Rootk (Malware Response Team)

Posted 27 June 2014 - 03:22 PM

Hi, Jro216. I'm looking at your log now and will reply with instructions soon.



#3 Jro216 (Topic Starter)

Posted 27 June 2014 - 04:32 PM

Hi Rootk, thank you for your help!



#4 Rootk (Malware Response Team)

Posted 27 June 2014 - 04:46 PM

Hi. First off, I want you to know that I'm still in training for malware removal and my responses have to be approved before I can post them to you, so there will be a little delay between each post.

Please follow these steps:

1.- Please download Malwarebytes Anti-Malware FREE Version from here: https://www.bleepingcomputer.com/download/malwarebytes-anti-malware/

  • Save it to your Desktop.
    MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click to execute the installation. Accept the terms, and allow MBAM to install to the default location in your Program Files.
  • Please update the database by clicking on the Update Now button as shown below.
    Capture1_zps47821576.jpg
  • Following the update, click on the large green Scan Now button to begin the Threat Scan.
    Note: Optionally, you could have simply clicked Fix Now if it is displayed. That will automatically download updates and run a Threat Scan.
    If Malware or Potentially Unwanted Programs are found you will receive a Prompt so that you can decide what you want to do. I suggest "Quarantine". Click the button: Apply All Actions.
  • A window with an option to view the detailed log will appear. Click on View Detailed Log.
    MBAMThreatScan_zpsc6c6daeb.jpg
    • After viewing the results, please click on the Copy to Clipboard button > OK.
      MBAMScanLog_zps21b494ad.jpg
    • Return to our forum. Paste your log into your next reply.
  • Note: If you lose the Clipboard copy and need to retrieve the log again it can be found by opening Malwarebytes and clicking on History > Application Logs with the date of the scan. Simply double-click on that in order to see the options for Copying to Clipboard or to Export to a .txt file (Notepad), etc. The .txt file can be saved and posted when you are ready.

2.- Download Malwarebytes Anti-Rootkit from this link http://www.malwarebytes.org/products/mbar/

  • Unzip the File to a convenient location. (Recommend the Desktop)
  • You may receive a User Account Control prompt asking if you are sure you wish to allow the program to run. Please allow the program to run and MBAR will now start to install any necessary drivers that are required for the program to operate correctly. If a rootkit is interfering with the installation of the drivers you will see a message that states that the DDA driver was not installed and that you should reboot your computer to install it. You will see this image:

mbarwm.png

  • If you receive this message, please click on the Yes button and Malwarebytes Anti-Rootkit will now restart your computer. Once the computer is rebooted and you login, MBAR will automatically start and you will now be at the start screen. (If no Rootkit warning you will go from step 4 to 6.)
  • The following image opens, select Next.

Image2.png

  • The following image opens, select Update

Image3.png

  • When the Update completes, select Next

Image4.png

  • In the following window ensure "Targets" are ticked. Then select "Scan"

Image5.png

  • If an infection/s is found the "Cleanup Button" to remove threats will be available. A list of infected files will be listed like the following example:

MBAntiRKclean.png

  • Do not select the "Clean up" button; select the "Exit" button. There will be a warning as follows:

MBAntiRKclean1.png

  • Select "Yes" to close down the program. If NO infections were found you will see the following image:

Image6.png

  • Select "Exit" to close down.

Copy and paste the two following logs from the mbar folder:

System-log
mbar-log (the date and time of the scan will also be shown)

Post those two logs in your reply.



#5 Jro216

Jro216
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:01:02 PM

Posted 27 June 2014 - 05:11 PM

Malwarebytes Anti-malware Scanning History Log:

 

Malwarebytes Anti-Malware
www.malwarebytes.org
 
Scan Date: 6/27/2014
Scan Time: 5:49:06 PM
Logfile: 
Administrator: Yes
 
Version: 2.00.2.1012
Malware Database: v2014.06.27.09
Rootkit Database: v2014.06.23.02
License: Trial
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Disabled
 
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Joseph
 
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 334179
Time Elapsed: 5 min, 26 sec
 
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Warn
PUM: Enabled
 
Processes: 0
(No malicious items detected)
 
Modules: 0
(No malicious items detected)
 
Registry Keys: 0
(No malicious items detected)
 
Registry Values: 0
(No malicious items detected)
 
Registry Data: 0
(No malicious items detected)
 
Folders: 0
(No malicious items detected)
 
Files: 0
(No malicious items detected)
 
Physical Sectors: 0
(No malicious items detected)
 
 
(end)
 
-------
 
 
Malwarebytes Anti-Rootkit mbar-log:
 
Malwarebytes Anti-Rootkit BETA 1.07.0.1012
www.malwarebytes.org
 
Database version: v2014.06.27.09
 
Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 11.0.9600.17126
Joseph :: ALIENWARE [administrator]
 
6/27/2014 6:00:10 PM
mbar-log-2014-06-27 (18-00-10).txt
 
Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
Scan options disabled: 
Objects scanned: 336680
Time elapsed: 4 minute(s), 57 second(s)
 
Memory Processes Detected: 0
(No malicious items detected)
 
Memory Modules Detected: 0
(No malicious items detected)
 
Registry Keys Detected: 0
(No malicious items detected)
 
Registry Values Detected: 0
(No malicious items detected)
 
Registry Data Items Detected: 0
(No malicious items detected)
 
Folders Detected: 0
(No malicious items detected)
 
Files Detected: 0
(No malicious items detected)
 
Physical Sectors Detected: 0
(No malicious items detected)
 
(end)
 
----
 
Malwarebytes Anti-Rootkit system-log:
 
 
---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.07.0.1012
 
© Malwarebytes Corporation 2011-2012
 
OS version: 6.1.7601 Windows 7 Service Pack 1 x64
 
Account is Administrative
 
Internet Explorer version: 11.0.9600.17126
 
Java version: 1.6.0_33
 
File system is: NTFS
Disk drives: C:\ DRIVE_FIXED, Q:\ DRIVE_FIXED
CPU speed: 2.292000 GHz
Memory total: 17160810496, free: 12412350464
 
Downloaded database version: v2014.06.27.09
Downloaded database version: v2014.06.23.02
=======================================
Initializing...
Done!
Scanning drivers directory: C:\WINDOWS\SYSTEM32\drivers...
Done!
Drive 0
This is a System drive
Scanning MBR on drive 0...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: 4C47A0E1
 
Partition information:
 
    Partition 0 type is Other (0xde)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 63  Numsec = 80262
 
    Partition 1 type is Primary (0x7)
    Partition is ACTIVE.
    Partition starts at LBA: 81920  Numsec = 40960000
    Partition file system is NTFS
    Partition is bootable
 
    Partition 2 type is Primary (0x7)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 41041920  Numsec = 459074224
 
    Partition 3 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0
 
Disk Size: 256060514304 bytes
Sector size: 512 bytes
 
Scanning physical sectors of unpartitioned space on drive 0 (1-62-500098192-500118192)...
Done!
Scan finished
=======================================
 
 
Removal queue found; removal started
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR-0-i.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\VBR-0-1-81920-i.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR-0-r.mbam...
Removal finished
 
 
-----
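An added example, not part of the thread's own tooling: a small Python parser for the "Partition information" block of the mbar system-log above. It converts each entry's sector count to whole MB (the figures RogueKiller prints for the same disk later in this thread are 39, 20000 and 224157 MB), reports which entries carry the active flag, flags any overlapping entries, and lists the sector ranges no partition covers; the first of those, sectors 1-62, is the leading range MBAR says it scanned as unpartitioned space. The log excerpt is a constructed copy of the numbers Jro216 posted.

```python
import re

SECTOR_SIZE = 512  # from the "Sector size: 512 bytes" line in the log

# Constructed excerpt of the mbar system-log above, trimmed to the lines the
# parser needs; the numbers are the ones posted in this thread.
MBAR_SYSTEM_LOG = """\
Partition information:

    Partition 0 type is Other (0xde)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 63  Numsec = 80262

    Partition 1 type is Primary (0x7)
    Partition is ACTIVE.
    Partition starts at LBA: 81920  Numsec = 40960000
    Partition file system is NTFS
    Partition is bootable

    Partition 2 type is Primary (0x7)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 41041920  Numsec = 459074224

    Partition 3 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0

Disk Size: 256060514304 bytes
Sector size: 512 bytes
"""

TYPE_RE = re.compile(r"Partition (\d+) type is (\w+) \(0x([0-9a-fA-F]+)\)")
ACTIVE_RE = re.compile(r"Partition is (NOT )?ACTIVE")
LBA_RE = re.compile(r"Partition starts at LBA: (\d+)\s+Numsec = (\d+)")
SIZE_RE = re.compile(r"Disk Size: (\d+) bytes")


def parse_mbar_partitions(text):
    """Return ([partition dicts], disk size in bytes) from an mbar system-log."""
    parts, current, disk_bytes = [], None, None
    for line in text.splitlines():
        if m := TYPE_RE.search(line):
            current = {"index": int(m.group(1)), "kind": m.group(2),
                       "type": int(m.group(3), 16), "active": False}
            parts.append(current)
        elif (m := ACTIVE_RE.search(line)) and current is not None:
            current["active"] = m.group(1) is None
        elif (m := LBA_RE.search(line)) and current is not None:
            current["start"] = int(m.group(1))
            current["sectors"] = int(m.group(2))
        elif m := SIZE_RE.search(line):
            disk_bytes = int(m.group(1))
    return parts, disk_bytes


def sectors_to_mb(sectors):
    """Whole mebibytes, which is how RogueKiller reports partition sizes."""
    return sectors * SECTOR_SIZE // (1024 * 1024)


def check_layout(parts, disk_bytes):
    """Cross-check the table: active entries, overlaps, and uncovered gaps.

    Sector 0 is the MBR itself, so the usable range starts at sector 1. A
    table with zero or several active entries, or with overlapping entries,
    deserves a closer look; gaps are normal (alignment, vendor areas) but are
    exactly where anti-rootkit tools scan for code hidden outside any volume.
    """
    used = sorted((p for p in parts if p["type"] != 0), key=lambda p: p["start"])
    total = disk_bytes // SECTOR_SIZE
    findings = {"active": [p["index"] for p in used if p["active"]],
                "overlaps": [], "gaps": [], "sizes_mb": {}}
    cursor = 1
    for p in used:
        findings["sizes_mb"][p["index"]] = sectors_to_mb(p["sectors"])
        end = p["start"] + p["sectors"]
        if p["start"] < cursor:
            findings["overlaps"].append((p["index"], p["start"], cursor))
        elif p["start"] > cursor:
            findings["gaps"].append((cursor, p["start"] - 1))
        cursor = max(cursor, end)
    if cursor < total:
        findings["gaps"].append((cursor, total - 1))
    return findings


if __name__ == "__main__":
    parts, size = parse_mbar_partitions(MBAR_SYSTEM_LOG)
    for key, value in check_layout(parts, size).items():
        print(f"{key}: {value}")
```

Exactly one active entry, no overlaps and sizes that agree with a second tool's reading of the same table is the expected picture; a disagreement between two tools on the same MBR is the kind of inconsistency that justifies the MBR inspection these tools perform.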
 
 
 
 


#6 Rootk

Rootk

  • Malware Response Team
  • 234 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Easter Island, Chile.
  • Local time:02:02 PM

Posted 27 June 2014 - 07:03 PM

Follow these steps:

 

1.- I need to know the drive where the Trojan was found. Please do the following:

  • Click Start, type cmd in the Start Search box, right-click cmd.exe in the Programs list, and then click Run as administrator.
  • In the command prompt, type diskpart and press Enter.
  • Type list volume and press Enter.
  • Make note of which drive is listed as volume 3.
  • Type exit and press Enter.
  • Post the drive letter into your next reply.

2.- Download AdwCleaner by Xplode onto your Desktop.

  • Double click on Adwcleaner.exe to run the tool.
  • Click on Scan
  • Once the scan is done, click on the Clean button.
  • You will get a prompt asking to close all programs. Click OK.
  • Click OK again to reboot your computer.
  • A text file will open after the restart. Please post the content of that logfile in your reply.
  • You can also find the logfile at C:\AdwCleaner[Sn].txt.

3.- Download Junkware Removal Tool to your desktop.

  • Shutdown your antivirus to avoid any conflicts.
  • Run the tool by double-clicking it.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt in your next message.

4.- Please download RogueKiller and Save to the desktop.

  • Close all windows and browsers
  • Double click on RogueKiller.exe to run the tool.
  • Press the scan button.
  • A report opens on the desktop named - RKreport.txt
  • Please post it in your next reply.

 



#7 Jro216

Jro216
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:01:02 PM

Posted 28 June 2014 - 11:24 AM

Hi again,

 

1.  There was no volume 3 listed.  Volume 0 was the DVD drive (D), volume 1 was the recovery partition, and volume 2 was the OS (C:) drive.

 

 

 

2. There is no AdwCleaner[Sn].  There is, however, an AdwCleaner[R0] and an AdwCleaner[S0].

 

AdwCleaner[R0]:

 

# AdwCleaner v3.213 - Report created 27/06/2014 at 23:20:30

# Updated 23/06/2014 by Xplode

# Operating System : Windows 7 Home Premium Service Pack 1 (64 bits)

# Username : Joseph - ALIENWARE

# Running from : C:\Users\Joseph\Downloads\AdwCleaner.exe

# Option : Scan

 

***** [ Services ] *****

 

 

***** [ Files / Folders ] *****

 

Folder Found : C:\Program Files (x86)\Conduit

 

***** [ Shortcuts ] *****

 

 

***** [ Registry ] *****

 

Key Found : HKCU\Software\AppDataLow\Software\SmartBar

Key Found : HKCU\Software\Conduit

Key Found : HKCU\Software\Google\Chrome\Extensions\ejpbbhjlbipncjklfjjaedaieimbmdda

Key Found : HKCU\Software\YahooPartnerToolbar

Key Found : [x64] HKCU\Software\Conduit

Key Found : [x64] HKCU\Software\YahooPartnerToolbar

Key Found : HKLM\SOFTWARE\Classes\CLSID\{065C1A21-97F8-45FB-A9F0-861B60FACEC8}

Key Found : HKLM\SOFTWARE\Classes\CLSID\{3204358F-5904-46A6-841F-D6B5BE3EF4E3}

Key Found : HKLM\SOFTWARE\Classes\CLSID\{3AE67737-0E3E-44AA-AA5E-46A68BF017FF}

Key Found : HKLM\SOFTWARE\Classes\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}

Key Found : HKLM\SOFTWARE\Classes\CLSID\{3EE5B726-044A-48D2-AA7B-049BD9A0F62A}

Key Found : HKLM\SOFTWARE\Classes\CLSID\{60FBBE03-57FF-49D8-B38E-053D3F489825}

Key Found : HKLM\SOFTWARE\Classes\CLSID\{6A5182F1-C0B8-42B8-96CC-7F329CD46913}

Key Found : HKLM\SOFTWARE\Classes\CLSID\{6C153418-8E4D-4FAF-AF27-5201E38463A7}

Key Found : HKLM\SOFTWARE\Classes\CLSID\{A26A2F05-AC4D-4A1E-9531-9125F7309B78}

Key Found : HKLM\SOFTWARE\Classes\CLSID\{CC5D6240-7DF0-435D-9B9B-F8586A99DE86}

Key Found : HKLM\SOFTWARE\Classes\CLSID\{F343045E-E20A-46E1-82D8-9962C43EFC9E}

Key Found : HKLM\SOFTWARE\Classes\CLSID\{FBB360DC-CB6C-4D6A-808A-2C773151BFFF}

Key Found : HKLM\SOFTWARE\Classes\CLSID\{FFD7DDAC-EC28-42A5-8D39-917B9078604B}

Key Found : HKLM\Software\Conduit

Key Found : HKLM\SOFTWARE\Google\Chrome\Extensions\ejpbbhjlbipncjklfjjaedaieimbmdda

Key Found : HKLM\SOFTWARE\Microsoft\Tracing\apnstub_RASAPI32

Key Found : HKLM\SOFTWARE\Microsoft\Tracing\apnstub_RASMANCS

Key Found : HKLM\SOFTWARE\Microsoft\Tracing\askchecker_RASAPI32

Key Found : HKLM\SOFTWARE\Microsoft\Tracing\askchecker_RASMANCS

Key Found : HKLM\SOFTWARE\Microsoft\Tracing\AskInstallChecker-1_RASAPI32

Key Found : HKLM\SOFTWARE\Microsoft\Tracing\AskInstallChecker-1_RASMANCS

Key Found : HKLM\SOFTWARE\Microsoft\Tracing\au__rasapi32

Key Found : HKLM\SOFTWARE\Microsoft\Tracing\au__rasmancs

Key Found : HKLM\SOFTWARE\Microsoft\Tracing\BingBar_RASMANCS

Key Found : HKLM\SOFTWARE\Microsoft\Tracing\strongvaultapp_rasapi32

Key Found : HKLM\SOFTWARE\Microsoft\Tracing\strongvaultapp_rasmancs

 

***** [ Browsers ] *****

 

-\\ Internet Explorer v11.0.9600.17126

 

 

-\\ Mozilla Firefox v12.0 (en-US)

 

-\\ Google Chrome v

 

*************************

 

AdwCleaner[R0].txt - [2797 octets] - [27/06/2014 23:20:30]

 

########## EOF - C:\AdwCleaner\AdwCleaner[R0].txt - [2857 octets] ##########

 

 

------------

 

 

AdwCleaner[S0]:

 

# AdwCleaner v3.213 - Report created 27/06/2014 at 23:21:32

# Updated 23/06/2014 by Xplode

# Operating System : Windows 7 Home Premium Service Pack 1 (64 bits)

# Username : Joseph - ALIENWARE

# Running from : C:\Users\Joseph\Downloads\AdwCleaner.exe

# Option : Clean

 

***** [ Services ] *****

 

 

***** [ Files / Folders ] *****

 

Folder Deleted : C:\Program Files (x86)\Conduit

 

***** [ Shortcuts ] *****

 

 

***** [ Registry ] *****

 

Key Deleted : HKCU\Software\Google\Chrome\Extensions\ejpbbhjlbipncjklfjjaedaieimbmdda

Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\ejpbbhjlbipncjklfjjaedaieimbmdda

Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\apnstub_RASAPI32

Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\apnstub_RASMANCS

Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\askchecker_RASAPI32

Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\askchecker_RASMANCS

Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\AskInstallChecker-1_RASAPI32

Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\AskInstallChecker-1_RASMANCS

Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\au__rasapi32

Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\au__rasmancs

Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\BingBar_RASMANCS

Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\strongvaultapp_rasapi32

Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\strongvaultapp_rasmancs

Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}

Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{065C1A21-97F8-45FB-A9F0-861B60FACEC8}

Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3204358F-5904-46A6-841F-D6B5BE3EF4E3}

Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3AE67737-0E3E-44AA-AA5E-46A68BF017FF}

Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3EE5B726-044A-48D2-AA7B-049BD9A0F62A}

Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{60FBBE03-57FF-49D8-B38E-053D3F489825}

Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{6A5182F1-C0B8-42B8-96CC-7F329CD46913}

Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{6C153418-8E4D-4FAF-AF27-5201E38463A7}

Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{A26A2F05-AC4D-4A1E-9531-9125F7309B78}

Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{CC5D6240-7DF0-435D-9B9B-F8586A99DE86}

Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{F343045E-E20A-46E1-82D8-9962C43EFC9E}

Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{FBB360DC-CB6C-4D6A-808A-2C773151BFFF}

Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{FFD7DDAC-EC28-42A5-8D39-917B9078604B}

Key Deleted : HKCU\Software\Conduit

Key Deleted : HKCU\Software\YahooPartnerToolbar

Key Deleted : HKCU\Software\AppDataLow\Software\SmartBar

Key Deleted : HKLM\Software\Conduit

 

***** [ Browsers ] *****

 

-\\ Internet Explorer v11.0.9600.17126

 

 

-\\ Mozilla Firefox v12.0 (en-US)

 

-\\ Google Chrome v

 

*************************

 

AdwCleaner[R0].txt - [2945 octets] - [27/06/2014 23:20:30]

AdwCleaner[S0].txt - [2834 octets] - [27/06/2014 23:21:32]

 

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [2894 octets] ##########

--------------------

3.  JRT file:

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Junkware Removal Tool (JRT) by Thisisu

Version: 6.1.4 (04.06.2014:1)

OS: Windows 7 Home Premium x64

Ran by Joseph on Fri 06/27/2014 at 23:30:55.13

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

 

 

 

~~~ Services

 

 

 

~~~ Registry Values

 

 

 

~~~ Registry Keys

 

 

 

~~~ Files

 

Successfully deleted: [File] "C:\Users\Joseph\appdata\local\google\chrome\user data\default\local storage\http_facebook.conduitapps.com_0.localstorage-journal"

Successfully deleted: [File] "C:\Program Files (x86)\mozilla firefox\plugins\npcouponprinter.dll"

Successfully deleted: [File] "C:\Program Files (x86)\mozilla firefox\plugins\npmozcouponprinter.dll"

 

 

 

~~~ Folders

 

Successfully deleted: [Folder] "C:\Users\Joseph\AppData\Roaming\strongvault"

Successfully deleted: [Folder] "C:\Users\Joseph\appdata\locallow\conduit"

Successfully deleted: [Folder] "C:\Program Files (x86)\coupons"

Successfully deleted: [Folder] "C:\ai_recyclebin"

Successfully deleted: [Folder] "C:\Windows\syswow64\ai_recyclebin"

 

 

 

~~~ FireFox

 

Successfully deleted: [Folder] C:\Users\Joseph\AppData\Roaming\mozilla\firefox\profiles\x33goyau.default\smartbar

Successfully deleted the following from C:\Users\Joseph\AppData\Roaming\mozilla\firefox\profiles\x33goyau.default\prefs.js

 

user_pref("CT3220468.BT_Stats.enc", "eyJsYXN0X2xvZyI6MTQwMzU2MDkzOCwidXVpZCI6NTY5ODAzMDU1ODk0NTUsInNlcV9pZCI6MSwic3NiIjoxNDAzNTYwOTM4fQ==");

user_pref("CT3220468.embeddedsData", "[{\"appId\":\"129813684258939747\",\"apiPermissions\":{\"crossDomainAjax\":true,\"getMainFrameTitle\":true,\"getMainFrameUrl\":true,\"get

user_pref("CT3220468.search.searchAppId", "129813684258939747");

user_pref("CT3220468.search.searchCount", "0");

user_pref("CT3220468.smartbar.CTID", "CT3220468");

user_pref("CT3220468.smartbar.Uninstall", "0");

user_pref("CT3220468.smartbar.homepage", true);

user_pref("CT3220468.smartbar.toolbarName", "uTorrentControl_v2 ");

user_pref("Smartbar.TBHomepagesList", "hxxp://search.conduit.com/?ctid=CT3220468&octid=CT3220468&CUI=UN65171614350726397&UM=4&SearchSource=13");

user_pref("Smartbar.TBSearchEngineList", "");

user_pref("Smartbar.TBSearchUrlList", "");

user_pref("Smartbar.keywordURLSelectedCTID", "CT3220468");

user_pref("browser.search.defaultenginename", "uTorrentControl_v2 Customized Web Search");

user_pref("browser.search.selectedEngine", "uTorrentControl_v2 Customized Web Search");

user_pref("smartbar.addressBarOwnerCTID", "CT3220468");

user_pref("smartbar.conduitHomepageList", "hxxp://search.conduit.com/?ctid=CT3220468&octid=CT3220468&CUI=UN65171614350726397&UM=4&SearchSource=13");

user_pref("smartbar.conduitSearchAddressUrlList", "hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3220468&octid=CT3220468&CUI=UN65171614350726397&UM=4&SearchSource=2&q=");

user_pref("smartbar.defaultSearchOwnerCTID", "CT3220468");

user_pref("smartbar.homePageOwnerCTID", "CT3220468");

user_pref("smartbar.homepageList", "hxxp://search.conduit.com/?ctid=CT3220468&octid=CT3220468&CUI=UN65171614350726397&UM=4&SearchSource=13");

user_pref("smartbar.machineId", "NWRAPGLPJHHQ2RKJOUKVX7MPLIVUQZ1AKXQCO9K0WGIAYCHDTYOWRWS/X39EANDKCZNCWVEXJDAF2TL/T1CZYA");

user_pref("smartbar.searchAddressUrlList", "hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3220468&octid=CT3220468&CUI=UN65171614350726397&UM=4&SearchSource=2&q=");

 

 

 

~~~ Event Viewer Logs were cleared

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Scan was completed on Sat 06/28/2014 at  0:24:34.02

End of JRT log

------------------------

4. RogueKiller log:

 

RogueKiller V9.1.0.0 (x64) [Jun 23 2014] by Adlice Software

mail : http://www.adlice.com/contact/

Feedback : http://forum.adlice.com

Website : http://www.adlice.com/softwares/roguekiller/

Blog : http://www.adlice.com

 

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version

Started in : Normal mode

User : Joseph [Admin rights]

Mode : Scan -- Date : 06/28/2014  12:03:54

 

¤¤¤ Bad processes : 4 ¤¤¤

[Suspicious.Path] CurseClient.exe -- C:\Users\Joseph\AppData\Local\Apps\2.0\32HTGH02.NNV\5HWML72E.NQD\curs..tion_9e9e83ddf3ed3ead_0005.0001_36a9b6290e21932c\CurseClient.exe[-] -> KILLED [TermProc]

[Suspicious.Path] kass.exe -- C:\Windows\kass.exe[-] -> KILLED [TermProc]

[Suspicious.Path] explorer.exe -- C:\Windows\KATRK64.DLL[-] -> UNLOADED

[Suspicious.Path] (SVC) KeyAccess -- C:\Windows\keyacc32.exe[-] -> STOPPED

 

¤¤¤ Registry Entries : 14 ¤¤¤

[Suspicious.Path] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run | KeyAccess : kass.exe  -> FOUND

[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\KeyAccess -> FOUND

[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\KeyAccess -> FOUND

[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\KeyAccess -> FOUND

[PUM.Policies] (X64) HKEY_USERS\S-1-5-21-2944470049-1917047082-3218516454-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System | DisableRegistryTools : 0  -> FOUND

[PUM.Policies] (X64) HKEY_USERS\S-1-5-21-2944470049-1917047082-3218516454-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System | DisableTaskMgr : 0  -> FOUND

[PUM.Policies] (X86) HKEY_USERS\S-1-5-21-2944470049-1917047082-3218516454-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System | DisableRegistryTools : 0  -> FOUND

[PUM.Policies] (X86) HKEY_USERS\S-1-5-21-2944470049-1917047082-3218516454-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System | DisableTaskMgr : 0  -> FOUND

[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> FOUND

[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1  -> FOUND

[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> FOUND

[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1  -> FOUND

[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows | AppInit_DLLs : KATRK64.DLL  -> FOUND

[Suspicious.Path] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows | AppInit_DLLs : KATRACK.DLL  -> FOUND

 

¤¤¤ Scheduled tasks : 0 ¤¤¤

 

¤¤¤ Files : 0 ¤¤¤

 

¤¤¤ HOSTS File : 0 ¤¤¤

 

¤¤¤ Antirootkit : 0 ¤¤¤

 

¤¤¤ Web browsers : 0 ¤¤¤

 

¤¤¤ MBR Check : ¤¤¤

+++++ PhysicalDrive0: SAMSUNG SSD PM810 2.5" 2 +++++

--- User ---

[MBR] c8d1127c59c708b53a92b2a5007e921c

[BSP] fa93fe928621ba029c694bf95de2bf99 : HP MBR Code

Partition table:

0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 39 MB

1 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 81920 | Size: 20000 MB

2 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 41041920 | Size: 224157 MB

User = LL1 ... OK

User = LL2 ... OK

 

---------------
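An added example, my own code rather than JRT's: JRT listed the prefs.js entries it stripped from the Firefox profile above. The same hijack can be spotted before any cleanup by parsing prefs.js directly, since Firefox writes one user_pref("name", value); per line. The audit below flags prefs living in toolbar namespaces (the CT… and smartbar/conduit names seen above), homepage or search URLs whose host is outside an allow-list, and search-engine prefs naming an engine that is not a known one. The sample is a constructed excerpt of the entries JRT printed (defanged hxxp:// kept as printed) plus two ordinary Firefox prefs; the allow-lists are assumptions to adjust per machine.

```python
import re

# Constructed excerpt shaped like the prefs.js entries JRT reported above,
# with two ordinary Firefox prefs added so the audit has clean lines to skip.
SAMPLE_PREFS = r'''
user_pref("CT3220468.smartbar.CTID", "CT3220468");
user_pref("CT3220468.smartbar.homepage", true);
user_pref("Smartbar.TBHomepagesList", "hxxp://search.conduit.com/?ctid=CT3220468&octid=CT3220468&CUI=UN65171614350726397&UM=4&SearchSource=13");
user_pref("browser.search.defaultenginename", "uTorrentControl_v2 Customized Web Search");
user_pref("browser.search.selectedEngine", "uTorrentControl_v2 Customized Web Search");
user_pref("smartbar.homepageList", "hxxp://search.conduit.com/?ctid=CT3220468&octid=CT3220468&CUI=UN65171614350726397&UM=4&SearchSource=13");
user_pref("keyword.URL", "hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3220468&octid=CT3220468&CUI=UN65171614350726397&UM=4&SearchSource=2&q=");
user_pref("browser.startup.homepage", "https://www.mozilla.org/firefox/");
user_pref("network.cookie.cookieBehavior", 0);
'''

PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+)\);\s*$')
# Accepts live http(s):// values and the hxxp:// defanging used in tool logs.
URL_RE = re.compile(r'^"?h(?:tt|xx)ps?://([^/"?]+)', re.IGNORECASE)

# Pref-name fragments from the toolbar families seen in this thread; Firefox
# itself never creates prefs under these names or under a CT<digits>. prefix.
TOOLBAR_FRAGMENTS = ("smartbar", "conduit")
TOOLBAR_PREFIX_RE = re.compile(r"^CT\d+\.")
SEARCH_ENGINE_PREFS = {"browser.search.defaultenginename", "browser.search.selectedEngine"}
# Assumed allow-lists: the engines and hosts the owner actually chose.
KNOWN_ENGINES = {"Google", "Bing", "Yahoo", "DuckDuckGo"}
TRUSTED_HOSTS = {"www.mozilla.org", "www.google.com", "duckduckgo.com"}


def parse_prefs(text):
    """Return {pref name: raw value text} for every user_pref(...) line."""
    prefs = {}
    for line in text.splitlines():
        if m := PREF_RE.match(line):
            prefs[m.group(1)] = m.group(2)
    return prefs


def audit_prefs(prefs):
    """Return (category, pref name, detail) tuples for suspicious prefs."""
    findings = []
    for name, raw in prefs.items():
        lname = name.lower()
        if TOOLBAR_PREFIX_RE.match(name) or any(f in lname for f in TOOLBAR_FRAGMENTS):
            findings.append(("toolbar_pref", name, raw))
            continue
        if (m := URL_RE.match(raw)) and m.group(1).lower() not in TRUSTED_HOSTS:
            findings.append(("hijacked_url", name, m.group(1).lower()))
            continue
        if name in SEARCH_ENGINE_PREFS and raw.strip('"') not in KNOWN_ENGINES:
            findings.append(("unknown_engine", name, raw.strip('"')))
    return findings


def summarize(findings):
    """Count findings per category, e.g. {'toolbar_pref': 4, ...}."""
    counts = {}
    for category, _, _ in findings:
        counts[category] = counts.get(category, 0) + 1
    return counts


if __name__ == "__main__":
    for finding in audit_prefs(parse_prefs(SAMPLE_PREFS)):
        print(*finding)
```

Run against a live profile, the same parser would read the prefs.js file in the profile folder JRT named above; the toolbar-namespace rule catches the bulk of the entries, while the URL and engine rules are what catch a hijack that uses ordinary Firefox pref names.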



#8 Rootk

Rootk

  • Malware Response Team
  • 234 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Easter Island, Chile.
  • Local time:02:02 PM

Posted 29 June 2014 - 04:27 PM

Was there any external hard drive or thumb drive plugged into the computer when Symantec found the Trojan?

Do the following:

  • Double click on Adwcleaner.exe to run the tool again.
  • Click on Scan
  • Once the scan is done, this time click on the Clean button.
  • You will get a prompt asking to close all programs. Click OK.
  • Click OK again to reboot your computer.
  • A text file will open after the restart. Please post the content of that logfile in your reply.
  • You can also find the logfile at C:\AdwCleaner[Sn].txt ('n' represents the number of the most recent report).


#9 Jro216

Jro216
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:01:02 PM

Posted 29 June 2014 - 09:25 PM

While a thumb drive had been used around the times of the Trojan activity, I do not believe one was plugged in at the time of the Symantec warning.

 

Adwcleaner logfile following scan/clean:

 

# AdwCleaner v3.214 - Report created 29/06/2014 at 22:19:03
# Updated 29/06/2014 by Xplode
# Operating System : Windows 7 Home Premium Service Pack 1 (64 bits)
# Username : Joseph - ALIENWARE
# Running from : C:\Users\Joseph\Downloads\adwcleaner_3.214.exe
# Option : Clean
 
***** [ Services ] *****
 
 
***** [ Files / Folders ] *****
 
 
***** [ Shortcuts ] *****
 
 
***** [ Registry ] *****
 
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\CLSID\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
 
***** [ Browsers ] *****
 
-\\ Internet Explorer v11.0.9600.17126
 
 
-\\ Mozilla Firefox v12.0 (en-US)
 
-\\ Google Chrome v
 
*************************
 
AdwCleaner[R0].txt - [2945 octets] - [27/06/2014 23:20:30]
AdwCleaner[R1].txt - [1484 octets] - [29/06/2014 22:17:28]
AdwCleaner[S0].txt - [2974 octets] - [27/06/2014 23:21:32]
AdwCleaner[S1].txt - [1409 octets] - [29/06/2014 22:19:03]
 
########## EOF - C:\AdwCleaner\AdwCleaner[S1].txt - [1469 octets] ##########


#10 Rootk

Rootk

  • Malware Response Team
  • 234 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Easter Island, Chile.
  • Local time:02:02 PM

Posted 30 June 2014 - 12:12 PM

Please do the following:

Go to the ESET web page and run an online scanner from ESET. (You will need to use Internet Explorer for this scan.)

  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Click on Run ESET Online Scanner button.
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start.
  • When asked, allow the ActiveX control to install.
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options below are ticked:
  1. Scan for potentially unwanted applications
  2. Scan for potentially unsafe applications
  3. Enable Anti-Stealth Technology
  • Click Start.
  • Wait for the scan to finish.
  • Use Notepad to open the logfile located at C:\Program Files\ESET\ESET Online Scanner\log.txt and copy and paste the results here in this topic.


#11 Jro216

Jro216
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:01:02 PM

Posted 30 June 2014 - 03:52 PM

ESET Online Scanner log:

 

ESETSmartInstaller@High as downloader log:
all ok
# version=8
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.7587
# api_version=3.0.2
# EOSSerial=b12547a1505fba4b9fee698bca4f1b0f
# engine=18956
# end=stopped
# remove_checked=false
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2014-06-30 06:35:16
# local_time=2014-06-30 02:35:16 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=6.1.7601 NT Service Pack 1
# compatibility_mode_1='Symantec Endpoint Protection'
# compatibility_mode=3601 16777213 100 90 50968058 60120354 0 0
# compatibility_mode_1=''
# compatibility_mode=5893 16776638 66 85 29675370 155696766 0 0
# scanned=2402
# found=1
# cleaned=0
# scan_time=18
sh=97BCCD25561F44E9B13F05F6EEF083C9CE9BA529 ft=1 fh=641f1fb3d2e699c4 vn="Win32/Toolbar.Conduit.Y potentially unwanted application" ac=I fn="C:\AdwCleaner\Quarantine\C\Program Files (x86)\Conduit\Community Alerts\Alert.dll.vir"
ESETSmartInstaller@High as downloader log:
all ok
# version=8
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.7587
# api_version=3.0.2
# EOSSerial=b12547a1505fba4b9fee698bca4f1b0f
# engine=18956
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2014-06-30 08:11:28
# local_time=2014-06-30 04:11:28 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=6.1.7601 NT Service Pack 1
# compatibility_mode_1='Symantec Endpoint Protection'
# compatibility_mode=3601 16777213 100 90 50973830 60126126 0 0
# compatibility_mode_1=''
# compatibility_mode=5893 16776638 66 85 29681142 155702538 0 0
# scanned=435003
# found=4
# cleaned=0
# scan_time=5680
sh=97BCCD25561F44E9B13F05F6EEF083C9CE9BA529 ft=1 fh=641f1fb3d2e699c4 vn="Win32/Toolbar.Conduit.Y potentially unwanted application" ac=I fn="C:\AdwCleaner\Quarantine\C\Program Files (x86)\Conduit\Community Alerts\Alert.dll.vir"
sh=8029B39410BE0AE775F0267CF8AE42F95C34EFAE ft=1 fh=436941db5c9a22d0 vn="a variant of Win32/HiddenStart.A potentially unsafe application" ac=I fn="C:\Program Files (x86)\AlienRespawn\hstart.exe"
sh=07499650CE0095D13054F4D2AC33F75306824D95 ft=1 fh=f5c73b3aafc814e1 vn="a variant of Win32/HiddenStart.A potentially unsafe application" ac=I fn="C:\Program Files (x86)\AlienRespawn\Components\DSUpdate\hstart.exe"
sh=D957B0EC634B5C52AA2B8934223A6248D5152807 ft=1 fh=4c2491a4bea30714 vn="a variant of Win32/InstallCore.A potentially unwanted application" ac=I fn="C:\Program Files (x86)\PDF Creator\message.exe"
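An added example, neither ESET's code nor part of Rootk's instructions: a parser for the two ESET Online Scanner blocks above. Each run consists of # key=value header lines followed by one sh=… fn=… record per detection. The parser separates hits whose path sits in AdwCleaner's quarantine (the .vir copy, already neutralised by the earlier cleanup) from files still in place, classifies each detection name as potentially unwanted, potentially unsafe or other, and checks that the run actually finished (the first block above has end=stopped) and that the found counter matches the records present. The sample is a constructed copy of the second run's header and four records.

```python
import re

# Constructed copy of the second ESET run above, trimmed to the header lines
# and the four detection records the parser consumes.
SAMPLE_ESET_LOG = r'''ESETSmartInstaller@High as downloader log:
all ok
# version=8
# engine=18956
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# scanned=435003
# found=4
# cleaned=0
# scan_time=5680
sh=97BCCD25561F44E9B13F05F6EEF083C9CE9BA529 ft=1 fh=641f1fb3d2e699c4 vn="Win32/Toolbar.Conduit.Y potentially unwanted application" ac=I fn="C:\AdwCleaner\Quarantine\C\Program Files (x86)\Conduit\Community Alerts\Alert.dll.vir"
sh=8029B39410BE0AE775F0267CF8AE42F95C34EFAE ft=1 fh=436941db5c9a22d0 vn="a variant of Win32/HiddenStart.A potentially unsafe application" ac=I fn="C:\Program Files (x86)\AlienRespawn\hstart.exe"
sh=07499650CE0095D13054F4D2AC33F75306824D95 ft=1 fh=f5c73b3aafc814e1 vn="a variant of Win32/HiddenStart.A potentially unsafe application" ac=I fn="C:\Program Files (x86)\AlienRespawn\Components\DSUpdate\hstart.exe"
sh=D957B0EC634B5C52AA2B8934223A6248D5152807 ft=1 fh=4c2491a4bea30714 vn="a variant of Win32/InstallCore.A potentially unwanted application" ac=I fn="C:\Program Files (x86)\PDF Creator\message.exe"
'''

HEADER_RE = re.compile(r"^# (\w+)=(.*)$")
DETECTION_RE = re.compile(
    r'^sh=([0-9A-Fa-f]{40}) ft=(\d+) fh=([0-9A-Fa-f]+) vn="([^"]*)" ac=(\w+) fn="([^"]*)"$')
# A hit under another tool's quarantine folder is a leftover copy, not an
# active file; ".vir" is the suffix AdwCleaner gave the quarantined DLL above.
QUARANTINE_MARKERS = ("\\adwcleaner\\quarantine\\",)


def classify(name):
    """Bucket ESET's detection name by the wording it uses."""
    lname = name.lower()
    if "potentially unwanted" in lname:
        return "PUA"
    if "potentially unsafe" in lname:
        return "unsafe"
    return "threat"


def parse_eset_log(text):
    """Return (header dict, list of detection dicts) for one ESET run.

    Header values stay strings except purely numeric ones, which become ints
    so callers can compare 'found' with the number of records parsed.
    """
    header, detections = {}, []
    for line in text.splitlines():
        if m := HEADER_RE.match(line):
            key, value = m.group(1), m.group(2)
            header[key] = int(value) if value.isdigit() else value
        elif m := DETECTION_RE.match(line):
            path = m.group(6)
            lpath = path.lower()
            detections.append({
                "sha1": m.group(1).upper(),
                "name": m.group(4),
                "class": classify(m.group(4)),
                "action": m.group(5),
                "path": path,
                "quarantined": lpath.endswith(".vir")
                or any(marker in lpath for marker in QUARANTINE_MARKERS),
            })
    return header, detections


def triage(text):
    """Separate live hits from leftovers and verify the run is complete."""
    header, detections = parse_eset_log(text)
    return {
        "finished": header.get("end") == "finished",
        "count_matches_header": header.get("found") == len(detections),
        "live": [d["path"] for d in detections if not d["quarantined"]],
        "leftover": [d["path"] for d in detections if d["quarantined"]],
        "by_class": {c: sum(1 for d in detections if d["class"] == c)
                     for c in ("PUA", "unsafe", "threat")},
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_ESET_LOG).items():
        print(f"{key}: {value}")
```

The SHA-1 in each record is what a responder would look up or compare against a vendor's own copy before deciding about the two hstart.exe files, which belong to a vendor recovery tool on this machine and were left in place in the thread.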


#12 Rootk

Rootk

  • Malware Response Team
  • 234 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Easter Island, Chile.
  • Local time:02:02 PM

Posted 30 June 2014 - 11:18 PM

Do the following:

Download OTM by OldTimer. Save it to your desktop.

Double click OTM.exe to start the tool.

  • Copy the text between the dotted lines below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
:files
C:\AdwCleaner\Quarantine\C\Program Files (x86)\Conduit\Community Alerts\Alert.dll.vir
C:\Program Files (x86)\PDF Creator\message.exe
  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTM

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

If the machine reboots, the Results log can be found here:

c:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log

Where mmddyyyy_hhmmss is the date of the tool run.
-

Are you still getting the message about the Trojan?



#13 Jro216

Jro216
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:01:02 PM

Posted 01 July 2014 - 08:48 AM

OTMoveIt3 results:

 

========== FILES ==========
C:\AdwCleaner\Quarantine\C\Program Files (x86)\Conduit\Community Alerts\Alert.dll.vir moved successfully.
C:\Program Files (x86)\PDF Creator\message.exe moved successfully.
 
OTM by OldTimer - Version 3.1.21.0 log created on 07012014_094731
 
-----
 
I have not received a message from Symantec about the Trojan in the past 48 hours.


#14 Rootk

Rootk

  • Malware Response Team
  • 234 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Easter Island, Chile.
  • Local time:02:02 PM

Posted 03 July 2014 - 01:48 PM

Sorry for the delay.
 
The computer looks OK, so if you're not having any other problem, then follow these final steps:

Create a System restore point.

Open System by clicking the Start button , right-clicking Computer, and then clicking Properties.
In the left pane, click System protection. If you're prompted for an administrator password or confirmation, type the password or provide confirmation.
Click the System Protection tab, and then click Create.
In the System Protection dialog box, type a description, and then click Create.

Remove ESET Online Scanner:

Click on Start, Settings, Control Panel
Double click on Add/Remove Programs
Find: Eset Online Scanner in the list of installed programs and click on Change/Remove to uninstall it.

Run Delfix

This program will remove the tools used and their logs. If anything remains, you can delete it manually.
Please download Delfix and save it to your desktop.
Double click on Delfix.exe to run the tool and click on the Run button.

Run TFC to clear out temp files. It should be located on your desktop, if it is not there, follow these steps:

Please download TFC.exe - Temp File Cleaner by OldTimer:
Alternate link: http://www.itxassociates.com/OT-Tools/TFC.exe
 

  • Save it to your Desktop.
  • Close any open windows, save your work.
  • Double click the TFC icon to run the program. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • TFC will close all open programs itself in order to run
  • Click the Start button to begin the process
  • Allow TFC to run uninterrupted
  • The program should not take long to finish its job.
  • Once it's finished, click OK to reboot.

Finally, to help protect your computer in the future I recommend you to read this article: So how did I get infected in the first place? I also recommend running Secunia PSI. It will monitor the software you have installed and let you know when something needs to be updated.

Be sure to post back if you have any more problems.
