
Infected with several viruses - can't connect to internet


This topic is locked
10 replies to this topic

#1 spbb05

spbb05

  • Members
  • 83 posts
  • OFFLINE
  • Local time:10:27 PM

Posted 04 October 2014 - 12:34 PM

I’m working on my mother-in-law's laptop and it appears to be severely infected. I was able to access it remotely last week and ran Malwarebytes. I have the log saved if you need to see it. At that time there were constant PC Health Fix popups and redirects.

 

I have the laptop with me now and can’t access the web. The browser redirects to search.net and the error message is “unable to connect to the proxy server”. I also see a file on the desktop called PepperZip.

Thanks in advance for your help and support!

 

(Ver_2012-11-20.01) - NTFS_x86

Internet Explorer: 9.0.8112.16575  BrowserJavaVersion: 10.5.1

Run by Sharon at 11:17:21 on 2014-10-04

#Option MBR scan  is disabled.

Microsoft® Windows Vista™ Home Premium   6.0.6002.2.1252.1.1033.18.2037.875 [GMT -5:00]

.

AV: Microsoft Security Essentials *Enabled/Updated* {4F35CFC4-45A3-FC37-EF17-759A02E39AB1}

SP: Microsoft Security Essentials *Enabled/Updated* {F4542E20-6399-F3B9-D5A7-4EE87964D00C}

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

============== Running Processes ================

.

C:\Windows\system32\wininit.exe

C:\Windows\system32\lsm.exe

c:\Program Files\Microsoft Security Client\MsMpEng.exe

C:\Windows\system32\SLsvc.exe

C:\Program Files\Dell\DellDock\DockLogin.exe

C:\Windows\System32\WLTRYSVC.EXE

C:\Windows\System32\bcmwltry.exe

C:\Windows\system32\WLANExt.exe

C:\Windows\System32\spoolsv.exe

C:\Program Files\SUPERAntiSpyware\SASCORE.EXE

C:\Windows\system32\taskeng.exe

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe

C:\Windows\system32\taskeng.exe

C:\Windows\system32\aestsrv.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe

C:\Windows\system32\taskeng.exe

C:\Program Files\Common Files\Motive\McciCMService.exe

C:\Program Files\DotAds International\MyAdGuardian\Bin\MyAdGuardianMonitor.exe

C:\Program Files\RealNetworks\RealDownloader\rndlresolversvc.exe

C:\Program Files\Google\Update\1.3.24.15\GoogleCrashHandler.exe

C:\Windows\system32\STacSV.exe

C:\Program Files\TeamViewer\Version9\TeamViewer_Service.exe

C:\Windows\system32\SearchIndexer.exe

C:\Windows\system32\DRIVERS\xaudio.exe

c:\Program Files\Microsoft Security Client\NisSrv.exe

C:\Program Files\TeamViewer\Version9\TeamViewer.exe

C:\Program Files\DellTPad\Apoint.exe

C:\Windows\System32\igfxtray.exe

C:\Windows\System32\hkcmd.exe

C:\Windows\System32\igfxpers.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe

C:\Windows\system32\igfxsrvc.exe

C:\Windows\System32\WLTRAY.EXE

C:\Program Files\Dell\MediaDirect\PCMService.exe

C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE

C:\Program Files\ScanSoft\OmniPageSE4\OpWareSE4.exe

C:\Windows\System32\spool\drivers\w32x86\3\WrtMon.exe

C:\Program Files\QuickTime\qttask.exe

C:\Windows\PixArt\PAC7302\Monitor.exe

C:\Program Files\Microsoft Security Client\msseces.exe

C:\Program Files\Real\RealPlayer\Update\realsched.exe

C:\Program Files\Sigmatel\C-Major Audio\WDM\sttray.exe

C:\Program Files\Logitech\LWS\Webcam Software\LWS.exe

C:\Windows\ehome\ehtray.exe

C:\Program Files\Logitech\Vid HD\Vid.exe

C:\Program Files\YTDownloader\YTDownloader.exe

C:\Program Files\Digital Line Detect\DLG.exe

C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe

C:\Program Files\Dell\QuickSet\quickset.exe

C:\Program Files\TeamViewer\Version9\tv_w32.exe

C:\Windows\System32\spool\drivers\w32x86\3\WrtProc.exe

C:\Windows\ehome\ehmsas.exe

C:\Program Files\DellTPad\ApMsgFwd.exe

C:\Program Files\DellTPad\HidFind.exe

C:\Program Files\DellTPad\Apntex.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\score.exe

C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

C:\Windows\system32\SearchProtocolHost.exe

C:\Windows\system32\SearchFilterHost.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\svchost.exe -k rpcss

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe -k GPSvcGroup

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted

C:\Windows\system32\svchost.exe -k imgsvc

C:\Windows\System32\svchost.exe -k WerSvcGroup

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.google.com/

uWindow Title = Internet Explorer provided by Dell

uSearch Bar = hxxp://www.google.com/ie

uSearch Page = hxxp://www.google.com

uDefault_Page_URL = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=3081210

uProxyServer = hxxp=127.0.0.1:14092;https=127.0.0.1:14092

uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s

uURLSearchHooks: {00f2c0c6-2194-484e-9064-44e57787867b} - <orphaned>

BHO: RealNetworks Download and Record Plugin for Internet Explorer: {3049C3E9-B461-4BC5-8870-4C09146192CA} - c:\programdata\realnetworks\realdownloader\browserplugins\ie\rndlbrowserrecordplugin.dll

BHO: SSVHelper Class: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll

BHO: Skype Browser Helper: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

BHO: CBrowserHelperObject Object: {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\program files\dell\bae\BAE.dll

BHO: MyAdGuardian Plugin: {D9D6CFA3-2880-47D4-A001-FA4E6308C350} - c:\program files\dotads international\myadguardian\bin\MyAdGuardian32.dll

BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\oracle\javafx 2.1 runtime\bin\jp2ssv.dll

uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe

uRun: [DW6] "c:\program files\the weather channel fw\desktop\DesktopWeather.exe"

uRun: [DW7] "c:\program files\the weather channel\the weather channel app\TWCApp.exe"

uRun: [Logitech Vid] "c:\program files\logitech\vid hd\Vid.exe" -bootmode

uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /minimized /regrun

uRun: [YTDownloader] "c:\program files\ytdownloader\YTDownloader.exe" /boot

uRun: [genesis_09280033] "c:\users\sharon\appdata\local\genesis_09280033\genesis_09280033.exe" /r

mRun: [Windows Defender] c:\program files\windows defender\MSASCui.exe -hide

mRun: [Apoint] c:\program files\delltpad\Apoint.exe

mRun: [IgfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [Persistence] c:\windows\system32\igfxpers.exe

mRun: [IAAnotif] "c:\program files\intel\intel matrix storage manager\Iaanotif.exe"

mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe

mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup

mRun: [PCMService] "c:\program files\dell\mediadirect\PCMService.exe"

mRun: [dellsupportcenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P dellsupportcenter

mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon

mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon

mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot

mRun: [OpwareSE4] "c:\program files\scansoft\omnipagese4\OpwareSE4.exe"

mRun: [WrtMon.exe] c:\windows\system32\spool\drivers\w32x86\3\WrtMon.exe

mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [PAC7302_Monitor] c:\windows\pixart\pac7302\Monitor.exe

mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey

mRun: [SunJavaUpdateSched] "c:\program files\java\jre7\bin\jusched.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [TkBellExe] "c:\program files\real\realplayer\update\realsched.exe"  -osboot

mRun: [SigmatelSysTrayApp] c:\program files\sigmatel\c-major audio\wdm\sttray.exe

mRun: [LWS] c:\program files\logitech\lws\webcam software\LWS.exe -hide

mRun: [YTDownloader] "c:\program files\ytdownloader\YTDownloader.exe" /boot

StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe

StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\kodake~1.lnk - c:\program files\kodak\kodak easyshare software\bin\EasyShare.exe

StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\quickset.lnk - c:\program files\dell\quickset\quickset.exe

mPolicies-Explorer: BindDirectlyToPropertySetStorage = dword:0

mPolicies-System: EnableUIADesktopToggle = dword:0

IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre7\bin\ssv.dll

IE: {43831889-D47B-4D83-8CAC-67E1BE866056} - {B15EC140-DD48-4C12-B50A-9759786FA01F} - c:\program files\dotads international\myadguardian\bin\MyAdGuardian32.dll

IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

LSP: c:\windows\system32\MyOSProtect.dll

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_05-windows-i586.cab

DPF: {CAFEEFAC-0017-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_05-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_05-windows-i586.cab

TCP: NameServer = 192.168.1.1 68.238.96.12

TCP: Interfaces\{99ABD312-D051-4193-AADA-C8210BBA9488} : DHCPNameServer = 192.168.1.1 68.238.96.12

TCP: Interfaces\{A6350FB5-2983-4ADB-A85B-1C6E2432661E} : DHCPNameServer = 192.168.1.1 68.238.96.12

Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\common files\skype\Skype4COM.dll

Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL

Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll

Notify: igfxcui - igfxdev.dll

AppInit_DLLs= c:\progra~1\google\google~3\GOEC62~1.DLL

SEH: SABShellExecuteHook Class - {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - c:\program files\superantispyware\SASSEH.DLL

LSA: Security Packages =  kerberos msv1_0 schannel wdigest tspkg

mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "c:\program files\google\chrome\application\37.0.2062.124\installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome

.

============= SERVICES / DRIVERS ===============

.

R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2014-7-17 231800]

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]

R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67664]

R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2011-5-4 114048]

R2 AESTFilters;Andrea ST Filters Service;c:\windows\system32\AEstSrv.exe [2008-12-9 73728]

R2 DockLoginService;Dock Login Service;c:\program files\dell\delldock\DockLogin.exe [2008-9-23 155648]

R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]

R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2008-12-29 47640]

R2 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2010-10-24 95920]

R2 sbmntr;SBMNTR;c:\progra~1\ytdown~1\sbmntr.sys [2014-8-25 50024]

R3 IntcHdmiAddService;Intel® High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [2008-12-10 111616]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2013-9-11 105144]

S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\google\google desktop search\GoogleDesktop.exe [2008-12-9 30192]

S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\MBAMSwissArmy.sys [2014-9-28 110296]

.

=============== Created Last 30 ================

.

2014-10-04 15:46:32        908840  ----a-w-                c:\programdata\microsoft\microsoft antimalware\definition updates\{d59f93f7-d2c6-4740-91c6-d299f9d2e047}\gapaengine.dll

2014-10-04 15:43:21        8806800                ----a-w-                c:\programdata\microsoft\microsoft antimalware\definition updates\{3885f355-0e4b-4982-bdfe-d1f0bf15557f}\mpengine.dll

2014-10-04 15:33:18        --------   d-----w-                c:\users\sharon\appdata\local\DotAds International Ltd

2014-09-28 15:07:32        --------   d-----w-                c:\program files\DotAds International

2014-09-28 14:55:59        --------   d-----w-                c:\programdata\SearchModule

2014-09-28 14:39:29        1506200                ----a-w-                c:\users\sharon\appdata\roaming\VQX.exe

2014-09-28 14:38:57        1994136                ----a-w-                c:\users\sharon\appdata\roaming\WMXVA.exe

2014-09-28 14:38:27        --------   d-----w-                c:\program files\HD-Quality-v3

2014-09-28 14:11:45        110296  ----a-w-                c:\windows\system32\drivers\MBAMSwissArmy.sys

2014-09-28 14:09:12        74456    ----a-w-                c:\windows\system32\drivers\mbamchameleon.sys

2014-09-28 14:09:12        51928    ----a-w-                c:\windows\system32\drivers\mwac.sys

2014-09-28 14:09:11        --------   d-----w-                c:\program files\Malwarebytes Anti-Malware

2014-09-28 14:08:05        --------   d-----w-                c:\users\sharon\appdata\roaming\Groovorio

2014-09-28 14:07:36        --------   d-----w-                c:\program files\Groovorio

2014-09-28 13:50:25        --------   d-sh--w-              C:\found.003

2014-09-28 00:57:47        8806800                ----a-w-                c:\programdata\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll

2014-09-28 00:45:47        --------   d-----w-                c:\users\sharon\appdata\local\com

2014-09-28 00:45:44        19840    ----a-w-                c:\windows\system32\drivers\pcwatch.sys

2014-09-28 00:45:32        304776  ----a-w-                c:\windows\system32\MyOSProtect.dll

2014-09-28 00:44:40        --------   d-----w-                c:\program files\Krab Web

2014-09-28 00:43:26        --------   d-----w-                c:\users\sharon\appdata\local\fastplayer

2014-09-28 00:37:58        --------   d-----w-                c:\program files\FastPlayer

2014-09-28 00:36:57        --------   d-----w-                c:\users\sharon\appdata\roaming\VOPackage

2014-09-28 00:36:51        --------   d-----w-                c:\users\sharon\appdata\local\globalUpdate

2014-09-28 00:36:51        --------   d-----w-                c:\program files\globalUpdate

2014-09-28 00:36:40        --------   d-----w-                c:\program files\videos+Media+Players

2014-09-28 00:36:01        --------   d-----w-                c:\program files\YTDownloader

2014-09-28 00:35:52        --------   d-----w-                c:\program files\common files\ShopperPro

2014-09-28 00:35:29        --------   d-----w-                c:\programdata\ShopperPro

2014-09-28 00:35:18        --------   d-----w-                c:\program files\common files\Goobzo

2014-09-28 00:34:52        --------   d-----w-                c:\program files\ShopperPro

2014-09-28 00:34:31        --------   d-----w-                c:\programdata\PC HealthFix

2014-09-28 00:34:31        --------   d-----w-                c:\program files\PepperZip

2014-09-28 00:34:21        --------   d-----w-                c:\program files\ver4SpeedChecker

2014-09-28 00:34:16        4834816                ----a-w-                c:\windows\score.exe

2014-09-28 00:34:12        --------   d-----w-                c:\users\sharon\appdata\local\ospd_us_163

2014-09-28 00:34:11        --------   d-----w-                c:\program files\ospd_us_163

2014-09-28 00:33:49        --------   d-----w-                c:\program files\XTRM Group

2014-09-28 00:33:48        --------   d-----w-                c:\program files\Itibiti Soft Phone

2014-09-28 00:33:31        --------   d-----w-                c:\users\sharon\appdata\local\Installer

2014-09-28 00:33:29        --------   d-----w-                c:\users\sharon\appdata\local\CrashRpt

2014-09-28 00:33:23        --------   d-----w-                c:\program files\PCTRunner

2014-09-28 00:33:08        --------   d-----w-                c:\users\sharon\appdata\local\Genesis_09280033

2014-09-26 12:00:26        908840  ------w- c:\programdata\microsoft\microsoft antimalware\definition updates\{48841d18-6d1d-4880-84ab-765c688768f6}\gapaengine.dll

2014-09-25 21:10:14        2048       ----a-w-                c:\windows\system32\tzres.dll

.

==================== Find3M  ====================

.

2014-09-25 00:55:38        71344    ----a-w-                c:\windows\system32\FlashPlayerCPLApp.cpl

2014-09-25 00:55:38        701104  ----a-w-                c:\windows\system32\FlashPlayerApp.exe

2014-09-22 06:41:56        231568  ------w- c:\windows\system32\MpSigStub.exe

2014-08-23 01:03:46        297984  ----a-w-                c:\windows\system32\gdi32.dll

2014-08-22 23:26:28        2054656                ----a-w-                c:\windows\system32\win32k.sys

2014-08-15 14:42:27        1810432                ----a-w-                c:\windows\system32\jscript9.dll

2014-08-15 14:37:03        1129472                ----a-w-                c:\windows\system32\wininet.dll

2014-08-15 14:36:30        1427968                ----a-w-                c:\windows\system32\inetcpl.cpl

2014-08-15 14:35:47        421376  ----a-w-                c:\windows\system32\vbscript.dll

2014-08-15 14:35:34        142848  ----a-w-                c:\windows\system32\ieUnatt.exe

2014-08-15 14:34:49        11776    ----a-w-                c:\windows\system32\mshta.exe

2014-08-15 14:34:47        2382848                ----a-w-                c:\windows\system32\mshtml.tlb

2014-07-25 07:35:46        875688  ----a-w-                c:\windows\system32\msvcr120_clr0400.dll

2014-07-17 23:05:08        95920    ----a-w-                c:\windows\system32\drivers\NisDrvWFP.sys

2014-07-17 23:05:08        231800  ----a-w-                c:\windows\system32\drivers\MpFilter.sys

.

============= FINISH: 11:18:48.63 ===============

 

 

Attached Files
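The DDS log above already contains the explanation for the symptom in the first post: the "Pseudo HJT Report" section shows the per-user proxy forced to 127.0.0.1:14092 (so once the local proxy process is gone, every page load fails with "unable to connect to the proxy server"), a third-party Winsock LSP (MyOSProtect.dll) sitting in the path of all socket traffic, and Run entries and freshly created executables in user-writable directories. The script below is an added example, not code from this thread, from BleepingComputer or from the DDS tool: it parses those line types and applies a few defender-side heuristics to them. The sample lines are a subset copied from the log above (DDS writes "hxxp" for "http" deliberately); the KNOWN_LSP allow-list is an assumption, a hand-picked set of stock Windows Winsock provider DLLs, and the rules are triage heuristics, not a verdict. Note that it deliberately does not flag the MyAdGuardian BHO, which lives under Program Files; catching that needs a name-based PUP list, which is out of scope here.

```python
"""Triage heuristics for DDS 'Pseudo HJT Report' and 'Created Last 30' lines.

Added example for this thread; not a BleepingComputer or DDS tool.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: a subset of the lines posted in the DDS log above.
SAMPLE_LOG = r"""
uProxyServer = hxxp=127.0.0.1:14092;https=127.0.0.1:14092
BHO: MyAdGuardian Plugin: {D9D6CFA3-2880-47D4-A001-FA4E6308C350} - c:\program files\dotads international\myadguardian\bin\MyAdGuardian32.dll
BHO: SSVHelper Class: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
uRun: [genesis_09280033] "c:\users\sharon\appdata\local\genesis_09280033\genesis_09280033.exe" /r
mRun: [Apoint] c:\program files\delltpad\Apoint.exe
LSP: c:\windows\system32\MyOSProtect.dll
TCP: NameServer = 192.168.1.1 68.238.96.12
2014-09-28 14:39:29        1506200                ----a-w-                c:\users\sharon\appdata\roaming\VQX.exe
2014-09-28 00:34:16        4834816                ----a-w-                c:\windows\score.exe
2014-10-04 15:43:21        8806800                ----a-w-                c:\programdata\microsoft\microsoft antimalware\definition updates\{3885f355-0e4b-4982-bdfe-d1f0bf15557f}\mpengine.dll
"""


@dataclass
class Finding:
    rule: str   # which heuristic fired
    line: str   # the log line that triggered it


# First Windows path ending in an executable/library/driver extension on a line.
PATH_RE = re.compile(r'[a-z]:\\.*?\.(?:exe|dll|sys)\b', re.IGNORECASE)
# A proxy pointing back at the machine itself (the symptom in the first post).
LOOPBACK_RE = re.compile(r'127\.0\.0\.1|localhost', re.IGNORECASE)
# Directories a standard user can write to without elevation.
USER_WRITABLE_RE = re.compile(r'\\(?:appdata|programdata|temp)\\', re.IGNORECASE)
# Assumption: Microsoft's own ProgramData tree (AV definition updates) is benign.
BENIGN_RE = re.compile(r'^c:\\programdata\\microsoft\\', re.IGNORECASE)
# An executable dropped directly in the Windows root rather than a subfolder.
WINDOWS_ROOT_RE = re.compile(r'^[a-z]:\\windows\\[^\\]+\.(?:exe|dll|sys)$', re.IGNORECASE)
# Assumption: stock Windows Winsock provider DLLs; anything else in an LSP line is worth a look.
KNOWN_LSP = {'mswsock.dll', 'nlaapi.dll', 'napinsp.dll', 'pnrpnsp.dll', 'winrnr.dll', 'wshbth.dll'}


def extract_path(line):
    """Return the first executable path on a DDS line, or None."""
    m = PATH_RE.search(line)
    return m.group(0) if m else None


def triage(log_text):
    """Apply the heuristics to every non-empty line and return the findings in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        # Rule 1: browser proxy forced through a loopback listener.
        if line.lower().startswith('uproxyserver') and LOOPBACK_RE.search(line):
            findings.append(Finding('local-proxy', line))
            continue
        path = extract_path(line)
        if path is None:
            continue
        basename = path.rsplit('\\', 1)[-1].lower()
        # Rule 2: Winsock LSP whose DLL is not one of the stock providers.
        if line.startswith('LSP:'):
            if basename not in KNOWN_LSP:
                findings.append(Finding('unknown-lsp', line))
            continue
        if BENIGN_RE.match(path):
            continue
        # Rule 3: executables living where an unprivileged process could have put them.
        if USER_WRITABLE_RE.search(path):
            findings.append(Finding('exe-in-user-writable-path', line))
        # Rule 4: executables sitting directly in c:\windows\.
        elif WINDOWS_ROOT_RE.match(path):
            findings.append(Finding('exe-in-windows-root', line))
    return findings


def summarize(findings):
    """Count findings per rule, e.g. {'local-proxy': 1, ...}."""
    return dict(Counter(f.rule for f in findings))


if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print(f'{f.rule:28} {f.line}')
    print(summarize(triage(SAMPLE_LOG)))
```

Run against the sample it reports five findings: the loopback proxy, the MyOSProtect.dll LSP, the genesis_09280033 Run entry, VQX.exe under AppData\Roaming and score.exe in the Windows root, while the Microsoft Antimalware engine update under ProgramData is skipped. Pointing it at a full DDS log only needs the text passed to triage(); lines the rules do not understand are ignored.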




#2 seedy21

seedy21

  • Malware Response Team
  • 742 posts
  • OFFLINE
  • Gender:Male
  • Location:West Yorkshire, UK
  • Local time:04:27 AM

Posted 04 October 2014 - 05:38 PM

Hi spbb05 and Welcome to BleepingComputer !

I am currently looking through your logs and will advise you on what to do in my next reply.

 

Can you also post the MalwareBytes log so I can see what was removed?


Edited by seedy21, 04 October 2014 - 05:39 PM.

“It's only after we've lost everything that we're free to do anything.”
― Chuck Palahniuk, Fight Club



#3 spbb05

spbb05
  • Topic Starter

  • Members
  • 83 posts
  • OFFLINE
  • Local time:10:27 PM

Posted 04 October 2014 - 06:12 PM

Thank you! I've attached the Malwarebytes file.



#4 seedy21

seedy21

  • Malware Response Team
  • 742 posts
  • OFFLINE
  • Gender:Male
  • Location:West Yorkshire, UK
  • Local time:04:27 AM

Posted 04 October 2014 - 06:17 PM

Hi Spbb05

 

Can you post the contents of the log instead? I can't see the attachment.

 

Thanks




#5 spbb05

spbb05
  • Topic Starter

  • Members
  • 83 posts
  • OFFLINE
  • Local time:10:27 PM

Posted 04 October 2014 - 07:22 PM

Hi -

 

The file is too long to post - I compressed it and attached it again - can you by chance see it now?



#6 seedy21

seedy21

  • Malware Response Team
  • 742 posts
  • OFFLINE
  • Gender:Male
  • Location:West Yorkshire, UK
  • Local time:04:27 AM

Posted 05 October 2014 - 11:58 AM

Hello spbb05

I'm Seedy21 and I will be helping you with your issues.

Please note the following information about the malware forum:

  • From this point on, please do not make any more changes to your computer, such as installing/uninstalling programs, using special fix tools, deleting files, editing the registry, etc., unless advised by me.
  • Please do not ask for help elsewhere (on this site or other sites). Doing so can result in system changes which may not show up in the logs you post.
  • Please reply within 48 hours. If you are going to be away for longer, please let us know, or the topic will be closed for being inactive.
  • If you are using cracked or illegal software, your thread will be closed.
  • Lastly, keep in mind that we are volunteers, so you do not have to pay for malware removal. Persist in this topic until its close.

Warning Rootkit Detected


One or more of the identified infections is a rootkit.

This allows hackers to remotely control your computer, steal critical system information, and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the rootkit has been identified and can be killed, because of how it exploits your system, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this rootkit, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

We can attempt to clean this machine but I can't guarantee that it will be 100% secure afterwards.

I suggest a reformat of the system, but the decision is entirely up to you. If you would like me to try and fix your machine, please follow the steps below:

Step 1

  • Click on Start -> Control Panel -> Add/Remove Programs
  • Uninstall the following programs:

    Browser Address Error Redirector
    MySafeProxy for Internet Explorer
    PepperZip 1.0
    WildTangent Games
    YTDownloader

  • Close Add/Remove Programs and the Control Panel
  • Restart your computer

Step 2

Please download Farbar Recovery Scan Tool 32-Bit and save it to a flash drive.

Plug the flash drive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded, begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language setting, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

To enter System Recovery Options by using the Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc.
    If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language setting, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

On the System Recovery Options menu you will get the following options:
  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt

  • Select Command Prompt.
  • In the command window type in notepad and press Enter.
  • Notepad opens. Under the File menu select Open.
  • Select "Computer", find your flash drive letter, and close Notepad.
  • In the command window type e:\frst.exe and press Enter.
    Note: Replace the letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens, click Yes to the disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it into your reply.

Step 3

    Hi -

    The file is too long to post - I compressed it and attached it again - can you by chance see it now?

I still can not see it. I would like you to copy the log contents to another website.

Please go to Paste Bin

Copy the log contents and paste them under New Paste. Then click the Submit button.

You will be taken to the next page. Please copy the URL and paste it here.

It should look something like this:- http://pastebin.com/AMs7rbrM





#7 spbb05

spbb05
  • Topic Starter

  • Members
  • 83 posts
  • OFFLINE
  • Local time:10:27 PM

Posted 07 October 2014 - 06:21 PM

Thank you for your help and sorry for the delay in answering. I won't be able to work on the PC until the weekend. I'll check to see if the disks are available to reload Windows. I believe there is a recovery partition on the drive. How would that affect my decision to re-install?

 

Thanks again for your help!



#8 seedy21

seedy21

  • Malware Response Team
  • 742 posts
  • OFFLINE
  • Gender:Male
  • Location:West Yorkshire, UK
  • Local time:04:27 AM

Posted 08 October 2014 - 10:07 AM

Hi Spbb05

Dell computers/laptops are shipped with a recovery partition instead of CD/DVDs. If you do go down this route, you will need to back up all of your personal data, as this will be deleted when you do the restore.

Here is a link on how it works for a Dell laptop and how to access the recovery partition.

https://neosmart.net/wiki/dell-recovery-partition/#Access_the_recovery_partition_in_Windows_Vista

Please let me know which option you are going to choose: restoring the computer to factory settings, or me trying to fix the rootkit.

Thank you.




#9 spbb05

spbb05
  • Topic Starter

  • Members
  • 83 posts
  • OFFLINE
  • Local time:10:27 PM

Posted 11 October 2014 - 08:22 AM

I have decided to reformat and re-install.  The laptop had a recovery partition. It also came with disks - Vista Premium SP1 disk and a Driver and Utility disk. Which way is the best way to re-install? I have backed up all the data needed.



#10 seedy21

seedy21

  • Malware Response Team
  • 742 posts
  • OFFLINE
  • Gender:Male
  • Location:West Yorkshire, UK
  • Local time:04:27 AM

Posted 11 October 2014 - 12:07 PM


Hi spbb05

Thank you for getting back to me.

    Which way is the best way to re-install?

I would go with the recovery partition, as the link I gave you explains how to reset your machine back to factory settings from there.

I would advise, after you complete the factory reset, installing your anti-virus software and then scanning your backed-up files before adding them to your internal drive.

As you are going to be doing a factory reset, I will get this topic closed. Any problem completing the factory reset, I would post in the Windows Vista part of the website:

http://www.bleepingcomputer.com/forums/f/72/windows-vista/

Good Luck and Safe Surfing!




#11 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,143 posts
  • OFFLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:11:27 PM

Posted 11 October 2014 - 01:04 PM

As the issue appears to be resolved, this Topic is closed. Should you need it reopened, please contact a Forum Moderator or member of the Malware Response Team. Include the address of this thread in your request. If you have a new issue, please start a New Topic. This applies only to the original poster. Everyone else please begin a New Topic.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators



