
Need help with possible powelik? Outbound Windows\syswow64\dllhost.exe


This topic is locked
13 replies to this topic

#1 ddwebgurl

  • Members
  • 27 posts

Posted 24 October 2014 - 08:54 AM

Thank you in advance for helping!

Windows 7 Professional 64-bit computer, running Norton Security Suite, Malwarebytes, SUPERAntiSpyware.

We keep getting warnings from Malwarebytes that say: Malicious Website Protection, IP 95.215.1.157:49166, Outbound, C:\Windows\SysWOW64\dllhost.exe

We have also gotten warnings about high memory usage by COM Surrogate from Norton.

What we have done so far:

The computer has been taken offline and scans run by the above-mentioned software, and cookies were all that was found (they were removed). We have also run AdwCleaner and RogueKiller and removed the items they suggested, but still get the warning about SysWOW64\dllhost.exe every so often while we are offline. Definitely afraid to go back online at this point.

Below is the DDS log:


DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 11.0.9600.17344
Run by Michelle at 9:32:57 on 2014-10-24
Microsoft Windows 7 Professional   6.1.7601.1.1252.1.1033.18.3918.2482 [GMT -4:00]
.
AV: Norton Security Suite *Enabled/Updated* {D87FA2C0-F526-77B1-D6EC-0EDF3936CEDB}
SP: Norton Security Suite *Enabled/Updated* {631E4324-D31C-783F-EC5C-35AD42B18466}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FW: Norton Security Suite *Enabled* {E04423E5-BF49-76E9-FDB3-A7EAC7E589A0}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Intel\iCLS Client\HeciServer.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe
C:\Program Files\Lenovo\Communications Utility\CAMMUTE.exe
C:\Program Files\Lenovo\Communications Utility\TPKNRSVC.exe
C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe
C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe
C:\Program Files (x86)\Norton Security Suite\Engine\21.6.0.32\N360.exe
C:\Program Files\Common Files\Nitro PDF\Professional\7.0\NitroPDFDriverService2x64.exe
C:\Windows\SysWOW64\NLSSRV32.EXE
C:\Program Files\Lenovo\Lenovo Slim USB Keyboard\Sks8821.exe
C:\Program Files\Lenovo\Lenovo Slim USB Keyboard\Skdh8821.exe
C:\Program Files (x86)\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
C:\Program Files (x86)\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
C:\Program Files (x86)\Symantec\VIP Access Client\VIPAppService.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\taskhost.exe
C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Program Files\Lenovo\Lenovo Slim USB Keyboard\Skd8821.exe
C:\Program Files\Lenovo\Communications Utility\TpKnrres.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files (x86)\Intel\IntelAppStore\bin\ismagent.exe
C:\Program Files (x86)\Canon\Memory Card Utility\iP6700D\PDUiP6700DMon.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files (x86)\Norton Security Suite\Engine\21.6.0.32\N360.exe
C:\Program Files (x86)\Lenovo\PowerMgr\PWMDBSVC.EXE
C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe
C:\Program Files (x86)\Lenovo\PowerMgr\SCHTASK.exe
C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
C:\Windows\syswow64\dllhost.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Lenovo\Lenovo Solution Center\LSCNotify.exe
C:\Program Files (x86)\Lenovo\message center plus\mcplaunch.exe
C:\Windows\System32\WUDFHost.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\rundll32.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://google.com/
uSearch Bar = Preserve
mWinlogon: Userinit = userinit.exe,
BHO: Norton Identity Protection: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files (x86)\Norton Security Suite\Engine\21.6.0.32\coieplg.dll
BHO: EWPBrowseObject Class: {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files (x86)\Canon\Easy-WebPrint\EWPBrowseLoader.dll
BHO: Norton Vulnerability Protection: {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files (x86)\Norton Security Suite\Engine\21.6.0.32\ips\ipsbho.dll
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
BHO: Updater For XFIN_PORTAL: {bb46be07-13eb-4c49-b0f0-fc78b9ea4983} -
BHO: Symantec VIP Access Add-On: {C63CD127-A1CB-4D49-A4F7-D6F88A917BE6} - C:\Program Files (x86)\Symantec\VIP Access Client\VIPAddOnForIE.dll
TB: Google Toolbar: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
TB: Norton Toolbar: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton Security Suite\Engine\21.6.0.32\coieplg.dll
TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
uRun: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
uRun: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
mRun: [IAStorIcon] C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIconLaunch.exe "C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe" 60
mRun: [Intel AppUp(SM) center] "C:\Program Files (x86)\Intel\IntelAppStore\bin\ismagent.exe" --domain-id F0399437-FD0C-4A48-B101-F0314A6172E4
mRun: [Lenovo Registration] C:\Program Files (x86)\Lenovo Registration\LenovoReg.exe /boot
mRun: [Power Manager Startup Utility] C:\Program Files (x86)\Lenovo\PowerMgr\DPMHost.exe
mRun: [PDUiP6700DMon] C:\Program Files (x86)\Canon\Memory Card Utility\iP6700D\PDUiP6700DMon.exe
mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-Explorer: NoActiveDesktopChanges = dword:1
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {A95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\Program Files (x86)\Evernote\Evernote\EvernoteIE.dll/204
TCP: NameServer = 192.168.2.1
TCP: Interfaces\{70561BA2-622F-448A-A8BD-92AE04329C7D} : DHCPNameServer = 192.168.2.1
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
SSODL: WebCheck - <orphaned>
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "C:\Program Files (x86)\Google\Chrome\Application\38.0.2125.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
x64-BHO: Norton Identity Protection: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files (x86)\Norton Security Suite\Engine64\21.6.0.32\coieplg.dll
x64-BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
x64-BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll
x64-BHO: Symantec VIP Access Add-On: {C63CD127-A1CB-4D49-A4F7-D6F88A917BE6} - C:\Program Files (x86)\Symantec\VIP Access Client\64bit\VIPAddOnForIE64.dll
x64-TB: Norton Toolbar: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton Security Suite\Engine64\21.6.0.32\coieplg.dll
x64-TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll
x64-Run: [RTHDVCPL] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s
x64-Run: [Skd8821] C:\Program Files\Lenovo\Lenovo Slim USB Keyboard\Skd8821.exe
x64-Run: [LENOVO.TPKNRRES] C:\Program Files\Lenovo\Communications Utility\TPKNRRES.exe
x64-Run: [IgfxTray] C:\Windows\System32\igfxtray.exe
x64-Run: [HotKeysCmds] C:\Windows\System32\hkcmd.exe
x64-Run: [Persistence] C:\Windows\System32\igfxpers.exe
x64-Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
x64-Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - <orphaned>
x64-Notify: igfxcui - igfxdev.dll
x64-SSODL: WebCheck - <orphaned>
.
============= SERVICES / DRIVERS ===============
.
R0 gfibto;gfibto;C:\Windows\System32\drivers\gfibto.sys [2013-8-30 14456]
R0 SymDS;Symantec Data Store;C:\Windows\System32\drivers\N360x64\1506000.020\symds64.sys [2014-10-15 493656]
R0 SymEFA;Symantec Extended File Attributes;C:\Windows\System32\drivers\N360x64\1506000.020\symefa64.sys [2014-10-15 1148120]
R1 BHDrvx64;BHDrvx64;C:\Program Files (x86)\Norton Security Suite\NortonData\21.1.0.18\Definitions\BASHDefs\20141016.001\BHDrvx64.sys [2014-10-21 1587416]
R1 ccSet_N360;N360 Settings Manager;C:\Windows\System32\drivers\N360x64\1506000.020\ccsetx64.sys [2014-10-15 162392]
R1 IDSVia64;IDSVia64;C:\Program Files (x86)\Norton Security Suite\NortonData\21.1.0.18\Definitions\IPSDefs\20141021.001\IDSviA64.sys [2014-10-21 633560]
R1 SASDIFSV;SASDIFSV;C:\Program Files\SUPERAntiSpyware\sasdifsv64.sys [2011-7-22 14928]
R1 SASKUTIL;SASKUTIL;C:\Program Files\SUPERAntiSpyware\saskutil64.sys [2011-7-12 12368]
R1 SymIRON;Symantec Iron Driver;C:\Windows\System32\drivers\N360x64\1506000.020\ironx64.sys [2014-10-15 266968]
R1 SymNetS;Symantec Network Security WFP Driver;C:\Windows\System32\drivers\N360x64\1506000.020\symnets.sys [2014-10-15 593112]
R2 !SASCORE;SAS Core Service;C:\Program Files\SUPERAntiSpyware\SASCore64.exe [2014-7-22 172344]
R2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2013-1-25 13592]
R2 Intel® Capability Licensing Service Interface;Intel® Capability Licensing Service Interface;C:\Program Files\Intel\iCLS Client\HeciServer.exe [2011-12-8 607456]
R2 IntuitUpdateServiceV4;Intuit Update Service v4;C:\Program Files (x86)\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe [2013-6-28 14624]
R2 jhi_service;Intel® Dynamic Application Loader Host Interface Service;C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\Jhi_service.exe [2013-1-25 161560]
R2 LENOVO.CAMMUTE;Lenovo Camera Mute;C:\Program Files\Lenovo\Communications Utility\CamMute.exe [2013-1-25 58224]
R2 LENOVO.TPKNRSVC;Lenovo Keyboard Noise Reduction;C:\Program Files\Lenovo\Communications Utility\TPKNRSVC.exe [2013-1-25 61296]
R2 MBAMScheduler;MBAMScheduler;C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe [2014-10-21 1871160]
R2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [2014-10-21 968504]
R2 N360;Norton Security Suite;C:\Program Files (x86)\Norton Security Suite\Engine\21.6.0.32\n360.exe [2014-10-15 265040]
R2 NitroDriverReadSpool2;NitroPDFDriverCreatorReadSpool2;C:\Program Files\Common Files\Nitro PDF\Professional\7.0\NitroPDFDriverService2x64.exe [2012-5-24 216072]
R2 nlsX86cc;Nalpeiron Licensing Service;C:\Windows\SysWOW64\NLSSRV32.EXE [2012-11-8 70152]
R2 Sks8821;Skdaemon Service;C:\Program Files\Lenovo\Lenovo Slim USB Keyboard\Sks8821.exe [2010-5-4 137216]
R2 UNS;Intel® Management and Security Application User Notification Service;C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2013-1-25 363800]
R2 VIPAppService;VIPAppService;C:\Program Files (x86)\Symantec\VIP Access Client\VIPAppService.exe [2012-4-19 84080]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2014-9-13 142640]
R3 MBAMProtector;MBAMProtector;C:\Windows\System32\drivers\mbam.sys [2014-10-21 25816]
R3 MBAMSwissArmy;MBAMSwissArmy;C:\Windows\System32\drivers\MBAMSwissArmy.sys [2014-10-21 129752]
R3 MBAMWebAccessControl;MBAMWebAccessControl;C:\Windows\System32\drivers\mwac.sys [2014-10-21 63704]
R3 Power Manager DBC Service;Power Manager DBC Service;C:\Program Files (x86)\Lenovo\PowerMgr\PWMDBSVC.exe [2013-7-2 63816]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\System32\drivers\Rt64win7.sys [2013-1-25 648808]
R3 TVTI2C;Lenovo SM bus driver;C:\Windows\System32\drivers\tvti2c.sys [2012-2-7 40248]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2013-9-11 105144]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2013-9-11 124088]
S3 dmvsc;dmvsc;C:\Windows\System32\drivers\dmvsc.sys [2010-11-20 71168]
S3 IEEtwCollectorService;Internet Explorer ETW Collector Service;C:\Windows\System32\ieetwcollector.exe [2014-10-15 111616]
S3 LSCWinService;LSCWinService;C:\Program Files\Lenovo\Lenovo Solution Center\App\LSCWinService.exe [2014-9-3 272776]
S3 PwmEWSvc;Cisco EnergyWise Enabler;C:\Program Files (x86)\Lenovo\PowerMgr\PWMEWSVC.exe [2013-7-2 186696]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\Windows\System32\drivers\rdpvideominiport.sys [2013-7-4 19456]
S3 ssmirrdr;ssmirrdr;C:\Windows\System32\drivers\ssmirrdr.sys [2013-4-30 10112]
S3 StorSvc;Storage Service;C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 27136]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2014-10-16 56832]
S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\System32\drivers\TsUsbGD.sys [2013-7-4 30208]
S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\System32\drivers\usbaapl64.sys [2012-12-13 54784]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2013-7-4 1255736]
S4 wlcrasvc;Windows Live Mesh remote connections service;C:\Program Files\Windows Live\Mesh\wlcrasvc.exe [2010-9-22 57184]
.
=============== Created Last 30 ================
.
2014-10-24 12:58:45    --------    d-----w-    C:\AdwCleaner
2014-10-24 12:12:22    --------    d-----w-    C:\ProgramData\RogueKiller
2014-10-24 11:48:52    --------    d-----w-    C:\Users\Michelle\AppData\Roaming\SUPERAntiSpyware.com
2014-10-24 11:48:38    --------    d-----w-    C:\ProgramData\SUPERAntiSpyware.com
2014-10-24 11:48:38    --------    d-----w-    C:\Program Files\SUPERAntiSpyware
2014-10-21 17:22:05    --------    d-----w-    C:\Users\Michelle\AppData\Local\{35383B4E-D913-4D51-B4E1-17CE531AF818}
2014-10-21 14:28:27    129752    ----a-w-    C:\Windows\System32\drivers\MBAMSwissArmy.sys
2014-10-21 14:28:19    93400    ----a-w-    C:\Windows\System32\drivers\mbamchameleon.sys
2014-10-21 14:28:19    63704    ----a-w-    C:\Windows\System32\drivers\mwac.sys
2014-10-21 14:28:19    25816    ----a-w-    C:\Windows\System32\drivers\mbam.sys
2014-10-21 14:28:19    --------    d-----w-    C:\Program Files (x86)\Malwarebytes Anti-Malware
2014-10-20 00:00:41    --------    d-----w-    C:\Users\Michelle\AppData\Local\{29EF6437-57E9-418F-B28F-4168DFE0533A}
2014-10-19 17:46:40    --------    d-----w-    C:\Users\Michelle\AppData\Local\Tvsukernel
2014-10-19 05:32:39    --------    d-----w-    C:\Windows\System32\LSC
2014-10-17 16:59:46    --------    d-----w-    C:\Users\Michelle\AppData\Local\{FECE99FB-E0AC-43C3-A496-1DFEAF0CDFAD}
2014-10-16 21:41:50    5703168    ----a-w-    C:\Windows\SysWow64\mstscax.dll
2014-10-16 21:41:49    6584320    ----a-w-    C:\Windows\System32\mstscax.dll
2014-10-16 11:22:53    842240    ----a-w-    C:\Windows\System32\blackbox.dll
2014-10-15 20:51:19    81560    ----a-w-    C:\Windows\SysWow64\mscories.dll
2014-10-15 20:50:56    3241472    ----a-w-    C:\Windows\System32\msi.dll
2014-10-15 20:45:20    593112    ----a-w-    C:\Windows\System32\drivers\N360x64\1506000.020\symnets.sys
2014-10-15 20:45:20    23568    ----a-r-    C:\Windows\System32\drivers\N360x64\1506000.020\symelam.sys
2014-10-15 20:45:19    876248    ----a-w-    C:\Windows\System32\drivers\N360x64\1506000.020\srtsp64.sys
2014-10-15 20:45:19    493656    ----a-r-    C:\Windows\System32\drivers\N360x64\1506000.020\symds64.sys
2014-10-15 20:45:19    37592    ----a-w-    C:\Windows\System32\drivers\N360x64\1506000.020\srtspx64.sys
2014-10-15 20:45:19    1148120    ----a-w-    C:\Windows\System32\drivers\N360x64\1506000.020\symefa64.sys
2014-10-15 20:45:18    266968    ----a-w-    C:\Windows\System32\drivers\N360x64\1506000.020\ironx64.sys
2014-10-15 20:45:18    162392    ----a-r-    C:\Windows\System32\drivers\N360x64\1506000.020\ccsetx64.sys
2014-10-15 20:43:57    --------    d-----w-    C:\Windows\System32\drivers\N360x64\1506000.020
2014-10-15 20:32:39    --------    d-----w-    C:\Users\Michelle\AppData\Local\{33811F26-9A44-4955-8770-BA03EDA387F2}
2014-10-13 16:52:48    --------    d-----w-    C:\Users\Michelle\AppData\Local\{64126857-7E1B-43FD-B530-AD066094AD51}
2014-10-09 10:29:39    --------    d-----w-    C:\Users\Michelle\AppData\Local\{B67D0A7F-7DD3-47D4-9A85-B1A1D1F555F6}
2014-10-08 10:36:20    --------    d-----w-    C:\Users\Michelle\AppData\Local\{8B7086D4-A989-4413-8326-7B46B55ED2F7}
2014-10-07 11:23:26    --------    d-----w-    C:\Users\Michelle\AppData\Local\{82A100D0-180A-47DF-A8A1-BDC183EA16F7}
2014-10-06 22:12:46    --------    d-----w-    C:\Users\Michelle\AppData\Local\{6CE20C8F-6021-4A6D-A334-A25C81A28FD7}
2014-10-05 23:45:03    --------    d-----w-    C:\Users\Michelle\AppData\Local\{F7C54147-13F5-45C7-AC0D-688B89FCAF08}
2014-10-04 23:57:13    --------    d-----w-    C:\Users\Michelle\AppData\Local\{BB2B28F5-7E99-4E5C-8EE7-94FEC6ECDD2F}
2014-10-04 11:56:08    --------    d-----w-    C:\Users\Michelle\AppData\Local\{AD834448-3AF4-49FA-9BDA-F42B2F11E931}
2014-10-02 11:00:52    --------    d-----w-    C:\Users\Michelle\AppData\Local\{8D603092-AB97-47E4-8582-3F91C82A5A79}
2014-10-01 19:54:31    --------    d-----w-    C:\Users\Michelle\AppData\Local\{4758B625-C52B-4BA5-A500-56E56F112779}
2014-10-01 12:00:35    519680    ----a-w-    C:\Windows\SysWow64\qdvd.dll
2014-10-01 12:00:35    371712    ----a-w-    C:\Windows\System32\qdvd.dll
2014-10-01 00:59:32    --------    d-----w-    C:\Users\Michelle\AppData\Local\{F3B5FEAA-E87D-4059-B9DB-7FA4AC2464AE}
2014-09-30 11:17:05    --------    d-----w-    C:\Users\Michelle\AppData\Local\{8C90D188-C511-4877-B1CC-1337AF29FA00}
2014-09-29 11:29:54    --------    d-----w-    C:\Users\Michelle\AppData\Local\{FDB551CE-60C8-4FF6-B3E4-C805458F853B}
2014-09-25 22:50:29    --------    d-----w-    C:\Users\Michelle\AppData\Local\{8CE6EAE7-324B-47CC-93ED-E1667E2B4BAC}
2014-09-25 09:47:03    2048    ----a-w-    C:\Windows\SysWow64\tzres.dll
2014-09-25 09:47:03    2048    ----a-w-    C:\Windows\System32\tzres.dll
2014-09-25 09:41:14    --------    d-----w-    C:\Users\Michelle\AppData\Local\{CC8EE6C2-6C66-4517-AC8E-E0B84EF3BEB7}
.
==================== Find3M  ====================
.
2014-10-10 02:05:59    276480    ----a-w-    C:\Windows\System32\generaltel.dll
2014-10-10 02:05:42    507392    ----a-w-    C:\Windows\System32\aepdu.dll
2014-10-10 02:00:38    424448    ----a-w-    C:\Windows\System32\aeinv.dll
2014-09-29 00:58:48    3198976    ----a-w-    C:\Windows\System32\win32k.sys
2014-09-25 22:32:04    2017280    ----a-w-    C:\Windows\SysWow64\inetcpl.cpl
2014-09-25 22:31:02    2108416    ----a-w-    C:\Windows\System32\inetcpl.cpl
2014-09-19 01:56:02    2724864    ----a-w-    C:\Windows\System32\mshtml.tlb
2014-09-19 01:55:49    4096    ----a-w-    C:\Windows\System32\ieetwcollectorres.dll
2014-09-19 01:40:43    66048    ----a-w-    C:\Windows\System32\iesetup.dll
2014-09-19 01:40:03    547328    ----a-w-    C:\Windows\System32\vbscript.dll
2014-09-19 01:39:58    48640    ----a-w-    C:\Windows\System32\ieetwproxystub.dll
2014-09-19 01:38:27    83968    ----a-w-    C:\Windows\System32\MshtmlDac.dll
2014-09-19 01:36:57    5829632    ----a-w-    C:\Windows\System32\jscript9.dll
2014-09-19 01:26:00    139264    ----a-w-    C:\Windows\System32\ieUnatt.exe
2014-09-19 01:25:49    111616    ----a-w-    C:\Windows\System32\ieetwcollector.exe
2014-09-19 01:25:12    4201472    ----a-w-    C:\Windows\SysWow64\jscript9.dll
2014-09-19 01:25:09    758272    ----a-w-    C:\Windows\System32\jscript9diag.dll
2014-09-19 01:18:02    940032    ----a-w-    C:\Windows\System32\MsSpellCheckingFacility.exe
2014-09-19 01:14:57    2724864    ----a-w-    C:\Windows\SysWow64\mshtml.tlb
2014-09-19 01:06:47    72704    ----a-w-    C:\Windows\System32\JavaScriptCollectionAgent.dll
2014-09-19 01:02:07    454656    ----a-w-    C:\Windows\SysWow64\vbscript.dll
2014-09-19 01:01:47    61952    ----a-w-    C:\Windows\SysWow64\iesetup.dll
2014-09-19 01:01:03    51200    ----a-w-    C:\Windows\SysWow64\ieetwproxystub.dll
2014-09-19 00:59:40    61952    ----a-w-    C:\Windows\SysWow64\MshtmlDac.dll
2014-09-19 00:50:16    112128    ----a-w-    C:\Windows\SysWow64\ieUnatt.exe
2014-09-19 00:49:31    597504    ----a-w-    C:\Windows\SysWow64\jscript9diag.dll
2014-09-19 00:40:12    1249280    ----a-w-    C:\Windows\System32\mshtmlmedia.dll
2014-09-19 00:36:23    60416    ----a-w-    C:\Windows\SysWow64\JavaScriptCollectionAgent.dll
2014-09-19 00:33:18    2309632    ----a-w-    C:\Windows\System32\wininet.dll
2014-09-19 00:18:55    1068032    ----a-w-    C:\Windows\SysWow64\mshtmlmedia.dll
2014-09-18 23:59:11    1810944    ----a-w-    C:\Windows\SysWow64\wininet.dll
2014-09-18 01:32:52    2363904    ----a-w-    C:\Windows\SysWow64\msi.dll
2014-09-13 01:58:18    77312    ----a-w-    C:\Windows\System32\packager.dll
2014-09-13 01:40:05    67072    ----a-w-    C:\Windows\SysWow64\packager.dll
2014-09-04 05:23:20    424448    ----a-w-    C:\Windows\System32\rastls.dll
2014-09-04 05:04:15    372736    ----a-w-    C:\Windows\SysWow64\rastls.dll
2014-08-29 02:07:13    3179520    ----a-w-    C:\Windows\System32\rdpcorets.dll
2014-08-23 02:07:00    404480    ----a-w-    C:\Windows\System32\gdi32.dll
2014-08-23 01:45:55    311808    ----a-w-    C:\Windows\SysWow64\gdi32.dll
2014-08-19 03:11:28    693176    ----a-w-    C:\Windows\System32\winload.efi
2014-08-19 03:10:10    616352    ----a-w-    C:\Windows\System32\winresume.efi
2014-08-19 03:08:04    503808    ----a-w-    C:\Windows\System32\srcore.dll
2014-08-19 03:08:04    50176    ----a-w-    C:\Windows\System32\srclient.dll
2014-08-19 03:08:03    63488    ----a-w-    C:\Windows\System32\setbcdlocale.dll
2014-08-19 03:07:51    58880    ----a-w-    C:\Windows\System32\appidapi.dll
2014-08-19 03:07:51    32256    ----a-w-    C:\Windows\System32\appidsvc.dll
2014-08-19 03:07:33    296960    ----a-w-    C:\Windows\System32\rstrui.exe
2014-08-19 03:07:11    17920    ----a-w-    C:\Windows\System32\appidcertstorecheck.exe
2014-08-19 03:07:11    146944    ----a-w-    C:\Windows\System32\appidpolicyconverter.exe
2014-08-19 02:41:39    43008    ----a-w-    C:\Windows\SysWow64\srclient.dll
2014-08-19 02:41:22    50688    ----a-w-    C:\Windows\SysWow64\appidapi.dll
2014-08-19 02:06:56    61440    ----a-w-    C:\Windows\System32\drivers\appid.sys
2014-08-01 11:53:22    1031168    ----a-w-    C:\Windows\System32\TSWorkspace.dll
2014-08-01 11:35:06    793600    ----a-w-    C:\Windows\SysWow64\TSWorkspace.dll
.
============= FINISH:  9:33:42.05 ===============


#2 Elise

    Bleepin' Blonde

  • Malware Study Hall Admin
  • 61,404 posts
  • Location:Romania

Posted 29 October 2014 - 07:30 AM

Hello,

My name is Elise and I'll assist you with this issue. 

It looks like you already ran RogueKiller, if you still have the log, can you please post it here?


regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Malware analyst @ Emsisoft


#3 ddwebgurl

  • Topic Starter
  • Members
  • 27 posts

Posted 29 October 2014 - 10:05 AM

Couldn't seem to find the RogueKiller logs from 10/24. Since then, I realized it was a version back, so I downloaded the latest just now and ran it. Looks like the previous version missed something and it was deleted today. Here is the log:

 

RogueKiller V10.0.3.0 (x64) [Oct 16 2014] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Michelle [Administrator]
Mode : Delete -- Date : 10/29/2014  11:01:21

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 9 ¤¤¤
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-1333829067-3856881672-2834093404-1000\Software\Microsoft\Internet Explorer\Main | Start Page :
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-1333829067-3856881672-2834093404-1000\Software\Microsoft\Internet Explorer\Main | Start Page :
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-1333829067-3856881672-2834093404-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0  -> Not selected
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-1333829067-3856881672-2834093404-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0  -> Not selected
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> Not selected
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1  -> Not selected
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> Not selected
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1  -> Not selected
[Tr.Poweliks] (X64) HKEY_USERS\S-1-5-21-1333829067-3856881672-2834093404-1000\Software\classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\LocalServer32 -> Deleted

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0:  +++++
--- User ---
[MBR] 373407338e820d2350ebf7a0f6b315cb
[BSP] c54064bffdb942485b1923ffc4196c2f : Lenovo MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 1200 MB
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 2459648 | Size: 455738 MB
2 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 935811072 | Size: 20000 MB
User = LL1 ... OK
User != LL2 ... KO!
--- LL2 ---
[MBR] 437ef994b4f02f71ddeb1e91a2c698de
[BSP] be402c5f94c74e45728387ff42531d3c : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 1200 MB
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 2459648 | Size: 455738 MB
2 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 935811072 | Size: 20000 MB

+++++ PhysicalDrive1:  +++++
--- User ---
[MBR] 6763aba251d84cebf2ce15888165bbe9
[BSP] 33a07a59d299ab4ea9f4ab0156f9d86f : Windows XP MBR Code
Partition table:
0 - [XXXXXX] FAT32-LBA (0xc) [VISIBLE] Offset (sectors): 32 | Size: 30535 MB
User = LL1 ... OK
Error reading LL2 MBR! ([32] The request is not supported. )


============================================
RKreport_DEL_10242014_081743.log - RKreport_SCN_10242014_081538.log - RKreport_SCN_10242014_081905.log - RKreport_SCN_10242014_082828.log
RKreport_SCN_10292014_105932.log
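The Tr.Poweliks line in the log above was found under the user's own hive, at Software\classes\CLSID\{...}\LocalServer32. A CLSID registered under a user's Software\Classes takes precedence over the machine-wide registration when that class is activated in the user's session, which is why a malicious LocalServer32 entry there survives file-based scans: there is no file to find, only a registry value. The PowerShell below is an added example for readers of this thread; it is not part of the original post and not RogueKiller's code. It reads every per-user CLSID\...\LocalServer32 registration under HKEY_USERS and marks entries whose server command line names a script host or points at an executable that does not exist on disk. The script-host list and the "does the file exist" heuristic are this example's own assumptions, not RogueKiller's detection logic; the script is read-only and only prints a review list. Run it from an elevated PowerShell so that other loaded user hives are readable.

```powershell
# Added example, not from the thread and not RogueKiller's code.
# Lists per-user CLSID\{...}\LocalServer32 registrations under HKEY_USERS (the
# location where RogueKiller reported Tr.Poweliks above) and flags the ones worth
# a closer look. Read-only: nothing is modified or deleted.

function Get-ServerExecutable {
    param([string]$CommandLine)
    # Extract the executable token from a LocalServer32 command line, which may be
    # quoted ("C:\Program Files\x\y.exe" /arg) or bare (C:\x\y.exe /arg).
    if ([string]::IsNullOrWhiteSpace($CommandLine)) { return $null }
    $trimmed = $CommandLine.Trim()
    if ($trimmed.StartsWith('"')) {
        $end = $trimmed.IndexOf('"', 1)
        if ($end -gt 1) { return $trimmed.Substring(1, $end - 1) }
        return $trimmed.Trim('"')
    }
    return ($trimmed -split '\s+', 2)[0]
}

# Assumption of this example: a genuine out-of-process COM server is its own binary,
# so a LocalServer32 that launches one of these hosts deserves a manual look.
$scriptHosts = @('rundll32.exe', 'mshta.exe', 'wscript.exe', 'cscript.exe',
                 'powershell.exe', 'regsvr32.exe')

# Only real user SIDs (S-1-5-21-...), not the _Classes or service hives.
$userHives = Get-ChildItem 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -match '^S-1-5-21-[\d-]+$' }

$results = foreach ($hive in $userHives) {
    $clsidRoot = "Registry::HKEY_USERS\$($hive.PSChildName)\Software\Classes\CLSID"
    if (-not (Test-Path -LiteralPath $clsidRoot)) { continue }

    foreach ($clsid in Get-ChildItem -LiteralPath $clsidRoot -ErrorAction SilentlyContinue) {
        $serverKey = "$clsidRoot\$($clsid.PSChildName)\LocalServer32"
        if (-not (Test-Path -LiteralPath $serverKey)) { continue }

        $props   = Get-ItemProperty -LiteralPath $serverKey -ErrorAction SilentlyContinue
        $cmd     = $props.'(default)'
        $exe     = Get-ServerExecutable $cmd
        $reasons = @()

        if (-not $cmd) {
            $reasons += 'empty default value'
        } else {
            $name = [System.IO.Path]::GetFileName($exe).ToLowerInvariant()
            if ($scriptHosts -contains $name) {
                $reasons += "launches script host $name"
            } elseif (-not (Test-Path -LiteralPath $exe)) {
                $reasons += 'executable not found on disk'
            }
        }

        # Named values beside the default on a LocalServer32 key are unusual; list them.
        $extra = $props.PSObject.Properties |
            Where-Object { $_.Name -notmatch '^PS' -and $_.Name -ne '(default)' } |
            ForEach-Object { $_.Name }
        if ($extra) { $reasons += "extra values: $($extra -join ', ')" }

        [pscustomobject]@{
            User       = $hive.PSChildName
            CLSID      = $clsid.PSChildName
            Server     = $cmd
            Suspicious = ($reasons.Count -gt 0)
            Reasons    = ($reasons -join '; ')
        }
    }
}

$results | Sort-Object Suspicious -Descending | Format-Table -AutoSize -Wrap
```

Legitimate per-user COM registrations (per-user installs of some applications) will also show up, so treat the output as a review list rather than a verdict: an entry that names a script host, or whose default value is empty while other values are present, is the pattern to hand to a removal tool or to compare against a known-clean machine.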



#4 Elise

    Bleepin' Blonde

  • Malware Study Hall Admin
  • 61,404 posts
  • Location:Romania

Posted 29 October 2014 - 10:40 AM

Good news: RogueKiller detected the malware. Can you please rerun it, click Scan, then, when the scan is finished, click the Delete button? Please post me the resulting log.


regards, Elise


#5 ddwebgurl

  • Topic Starter
  • Members
  • 27 posts

Posted 29 October 2014 - 10:54 AM

Here is the most recent log; nothing is found after the scan :) Does this mean it is cleaned, or is there more to do?


RogueKiller V10.0.3.0 (x64) [Oct 16 2014] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Michelle [Administrator]
Mode : Scan -- Date : 10/29/2014  11:48:29

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 8 ¤¤¤
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-1333829067-3856881672-2834093404-1000\Software\Microsoft\Internet Explorer\Main | Start Page :
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-1333829067-3856881672-2834093404-1000\Software\Microsoft\Internet Explorer\Main | Start Page :
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-1333829067-3856881672-2834093404-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0  -> Found
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-1333829067-3856881672-2834093404-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0  -> Found
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> Found
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1  -> Found
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> Found
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1  -> Found

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: ST500DM002-1BD142 +++++
--- User ---
[MBR] 373407338e820d2350ebf7a0f6b315cb
[BSP] c54064bffdb942485b1923ffc4196c2f : Lenovo MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 1200 MB
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 2459648 | Size: 455738 MB
2 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 935811072 | Size: 20000 MB
User = LL1 ... OK
User != LL2 ... KO!
--- LL2 ---
[MBR] 437ef994b4f02f71ddeb1e91a2c698de
[BSP] be402c5f94c74e45728387ff42531d3c : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 1200 MB
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 2459648 | Size: 455738 MB
2 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 935811072 | Size: 20000 MB


============================================
RKreport_DEL_10242014_081743.log - RKreport_DEL_10292014_110121.log - RKreport_SCN_10242014_081538.log - RKreport_SCN_10242014_081905.log
RKreport_SCN_10242014_082828.log - RKreport_SCN_10292014_105932.log - RKreport_SCN_10292014_111028.log



#6 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,404 posts
  • Gender:Female
  • Location:Romania
  • Local time:05:18 AM

Posted 29 October 2014 - 12:22 PM

It's sure looking like it. :)

To be sure, could you post these two logs? They should be located in the RogueKiller folder (usually in c:\ or c:\programdata).

RKreport_DEL_10242014_081743.log

RKreport_DEL_10292014_110121.log


regards, Elise


#7 ddwebgurl

ddwebgurl
  • Topic Starter

  • Members
  • 27 posts
  • Gender:Not Telling
  • Local time:10:18 PM

Posted 29 October 2014 - 12:34 PM

Ah, Program Data was hidden. No wonder I couldn't find the previous logs. Thank you!

 

RogueKiller V9.0.3.0 [Jun 17 2014] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Michelle [Admin rights]
Mode : Remove -- Date : 10/24/2014  08:17:43

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 9 ¤¤¤
[Suspicious.Path] (X64) HKEY_USERS\S-1-5-21-1333829067-3856881672-2834093404-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce | adawarebp_INSTALL_FOLDER : cmd.exe /c rmdir "C:\Users\Michelle\AppData\Local\adawarebp" /s /q [x] -> DELETED
[Suspicious.Path] (X86) HKEY_USERS\S-1-5-21-1333829067-3856881672-2834093404-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce | adawarebp_INSTALL_FOLDER : cmd.exe /c rmdir "C:\Users\Michelle\AppData\Local\adawarebp" /s /q  -> ERROR [2]
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-1333829067-3856881672-2834093404-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0  -> NOT SELECTED
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-1333829067-3856881672-2834093404-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0  -> NOT SELECTED
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> NOT SELECTED
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1  -> NOT SELECTED
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> NOT SELECTED
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1  -> NOT SELECTED
[Broken.Val] (X64) HKEY_CLASSES_ROOT\.exe\shell\open\command |  :   -> CREATED ("%1" %*)

¤¤¤ Scheduled tasks : 1 ¤¤¤
[Suspicious.Path] \\{FE443100-B27C-488E-A941-D1B46F7ABFC5} -- C:\Windows\system32\pcalua.exe (-a "C:\Users\Michelle\Downloads\rescue2usb (2).exe" -d C:\Users\Michelle\Downloads) -> DELETED

¤¤¤ Files : 0 ¤¤¤

¤¤¤ HOSTS File : 0 ¤¤¤

¤¤¤ Antirootkit : 0 ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: ST500DM002-1BD142 +++++
--- User ---
[MBR] 373407338e820d2350ebf7a0f6b315cb
[BSP] c54064bffdb942485b1923ffc4196c2f : Lenovo MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 1200 MB
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 2459648 | Size: 455738 MB
2 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 935811072 | Size: 20000 MB
User = LL1 ... OK
User != LL2 ... KO!
--- LL2 ---
[MBR] 437ef994b4f02f71ddeb1e91a2c698de
[BSP] be402c5f94c74e45728387ff42531d3c : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 1200 MB
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 2459648 | Size: 455738 MB
2 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 935811072 | Size: 20000 MB

+++++ PhysicalDrive1: General UDisk USB Device +++++
--- User ---
[MBR] e94e61a989e92a04002dd133bd0f0ff9
[BSP] b345fcd8ec08276c1e0f6b6cd4c2dc3f : Unknown MBR Code
Partition table:
0 - [XXXXXX] UNKNOWN (0x0) [VISIBLE] Offset (sectors): 778135908 | Size: 557377 MB
1 - [XXXXXX] UNKNOWN (0x0) [VISIBLE] Offset (sectors): 168689522 | Size: 945326 MB
2 - [XXXXXX] UNKNOWN (0x0) [VISIBLE] Offset (sectors): 1869881465 | Size: 945326 MB
3 - [XXXXXX] UNKNOWN (0x0) [VISIBLE] Offset (sectors): 0 | Size: 1775989 MB
User = LL1 ... OK
Error reading LL2 MBR! ([32] The request is not supported. )


============================================
RKreport_SCN_10242014_081538.log

 

 

 

---------------------------------------------------------------------------------------------------------------------------

RogueKiller V10.0.3.0 (x64) [Oct 16 2014] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Michelle [Administrator]
Mode : Delete -- Date : 10/29/2014  11:01:21

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 9 ¤¤¤
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-1333829067-3856881672-2834093404-1000\Software\Microsoft\Internet Explorer\Main | Start Page :
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-1333829067-3856881672-2834093404-1000\Software\Microsoft\Internet Explorer\Main | Start Page :
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-1333829067-3856881672-2834093404-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0  -> Not selected
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-1333829067-3856881672-2834093404-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0  -> Not selected
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> Not selected
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1  -> Not selected
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> Not selected
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1  -> Not selected
[Tr.Poweliks] (X64) HKEY_USERS\S-1-5-21-1333829067-3856881672-2834093404-1000\Software\classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\LocalServer32 -> Deleted

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0:  +++++
--- User ---
[MBR] 373407338e820d2350ebf7a0f6b315cb
[BSP] c54064bffdb942485b1923ffc4196c2f : Lenovo MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 1200 MB
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 2459648 | Size: 455738 MB
2 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 935811072 | Size: 20000 MB
User = LL1 ... OK
User != LL2 ... KO!
--- LL2 ---
[MBR] 437ef994b4f02f71ddeb1e91a2c698de
[BSP] be402c5f94c74e45728387ff42531d3c : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 1200 MB
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 2459648 | Size: 455738 MB
2 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 935811072 | Size: 20000 MB

+++++ PhysicalDrive1:  +++++
--- User ---
[MBR] 6763aba251d84cebf2ce15888165bbe9
[BSP] 33a07a59d299ab4ea9f4ab0156f9d86f : Windows XP MBR Code
Partition table:
0 - [XXXXXX] FAT32-LBA (0xc) [VISIBLE] Offset (sectors): 32 | Size: 30535 MB
User = LL1 ... OK
Error reading LL2 MBR! ([32] The request is not supported. )


============================================
RKreport_DEL_10242014_081743.log - RKreport_SCN_10242014_081538.log - RKreport_SCN_10242014_081905.log - RKreport_SCN_10242014_082828.log
RKreport_SCN_10292014_105932.log



#8 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,404 posts
  • Gender:Female
  • Location:Romania
  • Local time:05:18 AM

Posted 29 October 2014 - 12:54 PM

[Tr.Poweliks] (X64) HKEY_USERS\S-1-5-21-1333829067-3856881672-2834093404-1000\Software\classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\LocalServer32 -> Deleted

 

This shows Poweliks was indeed removed. :)

 

Do you have any problem left with the computer at this point? If not, we can just do a check for possible remnants and check whether all your software is up to date to prevent future infection.


regards, Elise
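To triage RogueKiller reports like the ones posted above, here is an added Python parser (not from this thread, from RogueKiller or from Adlice) that reads the counted ¤¤¤ sections, splits each detection line into category, target and action, and separates trojan-class hits and per-user CLSID server overrides from the PUM setting changes; the sample report is constructed in the format posted in this thread.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample in the RogueKiller report format posted in this thread
# (the key path and CLSID are the ones quoted in the thread's own log).
SAMPLE_REPORT = r"""RogueKiller V10.0.3.0 (x64) [Oct 16 2014] by Adlice Software
¤¤¤ Registry : 3 ¤¤¤
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-1333829067-3856881672-2834093404-1000\Software\Microsoft\Internet Explorer\Main | Start Page :
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-1333829067-3856881672-2834093404-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0  -> Not selected
[Tr.Poweliks] (X64) HKEY_USERS\S-1-5-21-1333829067-3856881672-2834093404-1000\Software\classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\LocalServer32 -> Deleted

¤¤¤ MBR Check : ¤¤¤
[MBR] 373407338e820d2350ebf7a0f6b315cb
"""

# Section headers carry a hit count; "MBR Check" has none, so its lines are skipped.
SECTION_RE = re.compile(r"^¤¤¤ (?P<name>.+?) : (?P<count>\d+)?")
ENTRY_RE = re.compile(
    r"^\[(?P<category>[^\]]+)\]\s+(?:\((?P<arch>X64|X86)\)\s+)?"
    r"(?P<target>.+?)(?:\s+->\s+(?P<action>.+?))?\s*$")
# A per-user CLSID server value shadows the machine-wide COM class for that user.
USER_CLSID_RE = re.compile(
    r"^HKEY_USERS\\[^\\]+\\Software\\classes\\CLSID\\\{[0-9A-Fa-f-]+\}\\"
    r"(LocalServer32|InprocServer32)\b", re.IGNORECASE)

@dataclass
class Entry:
    section: str
    category: str          # e.g. "Tr.Poweliks", "PUM.HomePage"
    arch: Optional[str]    # "X64", "X86" or None
    target: str            # registry key/value, task or file path
    action: Optional[str]  # "Deleted", "Not selected", "Found" or None
    @property
    def family(self) -> str:
        return self.category.split(".", 1)[0]  # "Tr", "PUM", "Suspicious", ...
    @property
    def remediated(self) -> bool:
        return (self.action or "").lower() == "deleted"
    @property
    def user_clsid_override(self) -> bool:
        return USER_CLSID_RE.match(self.target) is not None

def parse_report(text: str) -> list:
    # Collect every detection line that sits inside a counted section.
    entries, section, active = [], "header", False
    for line in text.splitlines():
        if (m := SECTION_RE.match(line)):
            section, active = m["name"], m["count"] is not None
        elif active and (m := ENTRY_RE.match(line)):
            entries.append(Entry(section, m["category"], m["arch"], m["target"], m["action"]))
    return entries

def triage(text: str) -> dict:
    # Separate malware hits from PUM setting changes and list what is still open.
    entries = parse_report(text)
    hits = [e for e in entries
            if e.family in ("Tr", "Suspicious") or e.user_clsid_override]
    return {"malware": [(e.category, e.action) for e in hits],
            "unresolved": [e.category for e in hits if not e.remediated],
            "other": [e.category for e in entries if e not in hits]}
```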


#9 ddwebgurl

ddwebgurl
  • Topic Starter

  • Members
  • 27 posts
  • Gender:Not Telling
  • Local time:10:18 PM

Posted 29 October 2014 - 01:01 PM

Nothing noticeable. The outbound IP notifications from Malwarebytes have stopped; there have been none at all since today's RogueKiller scan. What's next?



#10 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,404 posts
  • Gender:Female
  • Location:Romania
  • Local time:05:18 AM

Posted 29 October 2014 - 01:07 PM

Your logs look quite good. Since you already ran MBAM, let's do one last scan to be sure there's nothing left on the system.

Download Emsisoft Emergency Kit and save it to your desktop. Double click on EmsisoftEmergencyKit.exe to extract its contents and create a shortcut on the desktop. Leave all settings as they are and click Accept & Extract. A folder named EEK will be created in the root of the drive (usually c:\).
  • After extraction an Emsisoft Emergency Kit window will open. Under "Run Directly:" click Emergency Kit Scanner.
  • When asked to run an online update, click Yes.
  • When the update is finished, click the Back to Security Status link in the left corner. On the main screen click the Scan Now button.
  • Select the Full Scan option and click the SCAN button.
  • When the scan is finished click the Quarantine selected objects button. Note, this option is only available if malicious objects were detected during the scan.
  • Click the View Report button and in the Reports window double-click on the most recent log. Note, logs are named as follows: a2scan_<date>-<time>.txt.
  • Copy/paste the report contents in your next reply.

regards, Elise


#11 ddwebgurl

ddwebgurl
  • Topic Starter

  • Members
  • 27 posts
  • Gender:Not Telling
  • Local time:10:18 PM

Posted 29 October 2014 - 02:28 PM

Scan completed and found two files that I am unsure what to do with:

 

Emsisoft Emergency Kit - Version 9.0

Last update: 10/29/2014 2:28:20 PM

User account:

 

Scan settings:

 

Scan type: Full Scan

Objects: Rootkits, Memory, Traces, C:\, Q:\

Detect PUPs: On

Scan archives: On

ADS Scan: On

File extension filter: Off

Advanced caching: On

Direct disk access: Off

 

Scan start: 10/29/2014 2:29:03 PM

C:\Users\Michelle\AppData\Local\adawarebp  detected: Application.AppInstall (A)

C:\Users\Michelle\AppData\Local\cre  detected: Application.AppInstall (A)

 

Scanned 218914

Found 2

Scan end: 10/29/2014 3:24:08 PM

Scan time: 0:55:05


Edited by ddwebgurl, 29 October 2014 - 02:29 PM.


#12 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,404 posts
  • Gender:Female
  • Location:Romania
  • Local time:05:18 AM

Posted 29 October 2014 - 03:16 PM

One of them is also detected by RogueKiller. Both objects are associated with potentially unwanted programs. They're perfectly harmless but associated with bundled installers that add programs without your clear consent. You can safely remove these objects.

ALL CLEAN
--------------
Your machine appears to be clean, please take the time to read below on how to secure the machine and take the necessary steps to keep it clean :)

I recommend you set a new system restore point now that your computer is clean. Open System by clicking the Start button, right-clicking Computer, and then clicking Properties.
In the left pane, click System protection. ...
Click the System Protection tab, and then click Create.
In the System Protection dialog box, type a description, and then click Create.
After doing this you can delete all older restore points so that you have only one clean restore point.

Please read the following advice on how to prevent reinfecting your PC:
  • Install and update the following programs regularly:
      • an outbound firewall. If you are connected to the internet through a router, you are already behind a hardware firewall and as such you do not need an extra software firewall.
        A comprehensive tutorial and a list of possible firewalls can be found here.
      • an AntiVirus Software
        It is imperative that you update your AntiVirus Software on a regular basis. If you do not update your AntiVirus Software then it will not be able to catch the latest threats.
  • Keep Windows (and your other Microsoft software) up to date!
    I cannot stress enough how important this is. Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer.
    Therefore, please, visit the Microsoft Update Website and follow the on screen instructions to set up Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install!!
  • Keep your other software up to date as well
    Software does not need to be made by Microsoft to be insecure. You can use the Secunia Online Software occasionally to help you check for out of date software on your machine.
  • Stay up to date!
    The MOST IMPORTANT part of any security setup is keeping the software up to date. Malware writers release new variants every single day. If your software updates don't keep up, then the malware will always be one step ahead. Not a good thing.

Some more links you might find of interest:

Please reply to this topic if you have read the above information. If your computer is working fine, this topic will be closed afterwards.

regards, Elise


#13 ddwebgurl

ddwebgurl
  • Topic Starter

  • Members
  • 27 posts
  • Gender:Not Telling
  • Local time:10:18 PM

Posted 29 October 2014 - 03:43 PM

Will do! Thank you so much for sharing your expertise :)



#14 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,404 posts
  • Gender:Female
  • Location:Romania
  • Local time:05:18 AM

Posted 29 October 2014 - 03:54 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.

regards, Elise