
So I ran some malaware programs and found ...


This topic is locked
11 replies to this topic

#1 h00man

h00man

  • Members
  • 6 posts
  • OFFLINE
  • Local time:10:46 AM

Posted 09 December 2014 - 07:42 PM

Had some weird locked programs in Task Manager, which was why I initially ran programs.  Also I have no File, Edit, etc. on the top of my Task Manager. WMIprvSE.exe just showed up last night; I've never seen it running before.  I am the admin, should I not have rights to this?  I also had a Taskhost.exe, I believe it was called, removed by malware programs running programs.  Also no admin privileges on wlanext.exe, conhost.exe, WLIDSVCM.EXE.  In addition my http:// sites are running agonizingly slow.  Rest of internet seems fine when searching etc.  Like logging into your site had to refresh 3 times.  Also even getting to your forums I couldn't just click the link "forums"; I had to go to the search bar and press enter, refresh that way, or it would have never loaded.
 
Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 12/9/2014
Scan Time: 2:49:29 PM
Logfile: malaware log.txt
Administrator: Yes

Version: 2.00.4.1028
Malware Database: v2014.12.09.08
Rootkit Database: v2014.12.08.03
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Wal-Mart

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 358303
Time Elapsed: 19 min, 34 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 1
PUP.Optional.OpenCandy, C:\Users\Wal-Mart\Downloads\AxCrypt-1.7.3156.0-Setup.exe, Quarantined, [2b9c5907c9b360d69d0a56375baaa060],

Physical Sectors: 0
(No malicious items detected)


(end)
 
# AdwCleaner v4.105 - Report created 09/12/2014 at 16:26:56
# Updated 08/12/2014 by Xplode
# Database : 2014-12-08.2 [Live]
# Operating System : Windows 7 Home Premium Service Pack 1 (64 bits)
# Username : Wal-Mart - WAL-MART-PC
# Running from : C:\Users\Wal-Mart\Downloads\AdwCleaner.exe
# Option : Clean

***** [ Services ] *****


***** [ Files / Folders ] *****

Folder Deleted : C:\ProgramData\SecTaskMan
File Deleted : C:\Program Files (x86)\Mozilla Firefox\searchplugins\safeguard-secure-search.xml
File Deleted : C:\Program Files (x86)\Mozilla Firefox\browser\searchplugins\safeguard-secure-search.xml

***** [ Scheduled Tasks ] *****


***** [ Shortcuts ] *****


***** [ Registry ] *****

Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{D2CE3E00-F94A-4740-988E-03DC2F38C34F}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D2CE3E00-F94A-4740-988E-03DC2F38C34F}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D2CE3E00-F94A-4740-988E-03DC2F38C34F}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{D2CE3E00-F94A-4740-988E-03DC2F38C34F}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}]

***** [ Browsers ] *****

-\\ Internet Explorer v0.0.0.0


-\\ Mozilla Firefox v33.1.1 (x86 en-US)


-\\ Google Chrome v39.0.2171.71


*************************
 
16:30:07.0482 0x0928  TDSS rootkit removing tool 3.0.0.41 Oct 28 2014 17:58:34
16:30:13.0924 0x0928  ============================================================
16:30:13.0924 0x0928  Current date / time: 2014/12/09 16:30:13.0924
16:30:13.0924 0x0928  SystemInfo:
16:30:13.0924 0x0928  
16:30:13.0924 0x0928  OS Version: 6.1.7601 ServicePack: 1.0
16:30:13.0924 0x0928  Product type: Workstation
16:30:13.0924 0x0928  ComputerName: WAL-MART-PC
16:30:13.0940 0x0928  UserName: Wal-Mart
16:30:13.0940 0x0928  Windows directory: C:\Windows
16:30:13.0940 0x0928  System windows directory: C:\Windows
16:30:13.0940 0x0928  Running under WOW64
16:30:13.0940 0x0928  Processor architecture: Intel x64
16:30:13.0940 0x0928  Number of processors: 2
16:30:13.0940 0x0928  Page size: 0x1000
16:30:13.0940 0x0928  Boot type: Normal boot
16:30:13.0940 0x0928  ============================================================
16:30:18.0058 0x0928  KLMD registered as C:\Windows\system32\drivers\23048855.sys
16:30:19.0104 0x0928  System UUID: {A0D41A90-284D-9442-229B-74196BFC5762}
16:30:20.0055 0x0928  Drive \Device\Harddisk0\DR0 - Size: 0x4A85D56000 ( 298.09 Gb ), SectorSize: 0x200, Cylinders: 0x9801, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000040
16:30:20.0071 0x0928  ============================================================
16:30:20.0071 0x0928  \Device\Harddisk0\DR0:
16:30:20.0071 0x0928  MBR partitions:
16:30:20.0071 0x0928  \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x800, BlocksNum 0x63800
16:30:20.0071 0x0928  \Device\Harddisk0\DR0\Partition2: MBR, Type 0x7, StartLBA 0x64000, BlocksNum 0x23789800
16:30:20.0071 0x0928  \Device\Harddisk0\DR0\Partition3: MBR, Type 0x7, StartLBA 0x237ED800, BlocksNum 0x1C0D000
16:30:20.0071 0x0928  \Device\Harddisk0\DR0\Partition4: MBR, Type 0xC, StartLBA 0x253FA800, BlocksNum 0x33AB0
16:30:20.0071 0x0928  ============================================================
16:30:20.0102 0x0928  C: <-> \Device\Harddisk0\DR0\Partition2
16:30:20.0211 0x0928  D: <-> \Device\Harddisk0\DR0\Partition3
16:30:20.0274 0x0928  E: <-> \Device\Harddisk0\DR0\Partition4
16:30:20.0274 0x0928  ============================================================
16:30:20.0274 0x0928  Initialize success
16:30:20.0274 0x0928  ============================================================
16:30:48.0166 0x0e30  KLMD registered as C:\Windows\system32\drivers\53690493.sys
16:30:48.0744 0x0e30  Deinitialize success

I did run combofix ... before reading your guidelines sorry ....
 
ComboFix 14-12-08.01 - Wal-Mart 12/09/2014  17:03:51.1.2 - x64
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.3003.1940 [GMT -6:00]
Running from: c:\users\Wal-Mart\Desktop\ComboFix.exe
AV: Kaspersky Internet Security *Disabled/Updated* {179979E8-273D-D14E-0543-2861940E4886}
FW: Kaspersky Internet Security *Disabled* {2FA2F8CD-6D52-D016-2E1C-81546ADD0FFD}
SP: Kaspersky Internet Security *Disabled/Updated* {ACF8980C-0107-DEC0-3FF3-1313EF89023B}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 * Created a new restore point
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\SysWow64\Cache
c:\windows\SysWow64\Cache\075884af680ff6dc.fb
c:\windows\SysWow64\Cache\130d93ee715da39a.fb
c:\windows\SysWow64\Cache\227113dfa1ca894d.fb
c:\windows\SysWow64\Cache\49fbbc5a8678d502.fb
c:\windows\SysWow64\Cache\613e8ce7ab7106af.fb
c:\windows\SysWow64\Cache\633a76311867bd11.fb
c:\windows\SysWow64\Cache\691f14230153a9e1.fb
c:\windows\SysWow64\Cache\6cb409d7ac73d9f1.fb
c:\windows\SysWow64\Cache\7614bd6cfa99e546.fb
c:\windows\SysWow64\Cache\77664b6ccc36be9f.fb
c:\windows\SysWow64\Cache\881b3593316772f0.fb
c:\windows\SysWow64\Cache\98657d0579ae1930.fb
c:\windows\SysWow64\Cache\d5c0f4e7bbe35bf3.fb
c:\windows\SysWow64\Cache\d9ca663388d21ec0.fb
c:\windows\SysWow64\Cache\f2cda51fd108941f.fb
c:\windows\SysWow64\Cache\f34d8db84131d925.fb
.
.
(((((((((((((((((((((((((   Files Created from 2014-11-09 to 2014-12-09  )))))))))))))))))))))))))))))))
.
.
2014-12-09 23:11 . 2014-12-09 23:11    --------    d-----w-    c:\users\Kiosk\AppData\Local\temp
2014-12-09 23:11 . 2014-12-09 23:11    --------    d-----w-    c:\users\Default\AppData\Local\temp
2014-12-09 22:36 . 2014-12-09 22:36    35064    ----a-w-    c:\windows\system32\drivers\TrueSight.sys
2014-12-09 22:36 . 2014-12-09 22:36    --------    d-----w-    c:\programdata\RogueKiller
2014-12-09 21:18 . 2014-12-09 21:18    --------    d-----w-    c:\program files (x86)\Security Task Manager
2014-12-09 15:13 . 2014-12-09 15:13    --------    d-----w-    c:\program files (x86)\PrivaZer
2014-12-09 12:54 . 2014-12-09 19:27    --------    d-----w-    c:\users\Wal-Mart\AppData\Local\PrivaZer
2014-12-09 12:54 . 2014-12-09 12:54    --------    d-----w-    c:\programdata\privazer
2014-12-04 16:28 . 2014-12-04 16:28    --------    d-----w-    c:\program files\Defraggler
2014-12-04 15:18 . 2014-12-04 15:22    --------    d-----w-    c:\program files\Recuva
2014-12-04 13:13 . 2014-12-09 16:43    --------    d-----w-    c:\program files\CCleaner
2014-12-04 12:04 . 2014-12-04 12:04    --------    d-sh--w-    c:\windows\SysWow64\AI_RecycleBin
2014-12-04 10:22 . 2014-12-04 10:45    --------    d-----w-    c:\users\Wal-Mart\AppData\Roaming\TrueCrypt
2014-12-02 01:52 . 2014-12-02 01:52    129752    ----a-w-    c:\windows\system32\drivers\0A041038.sys
2014-12-01 13:55 . 2014-11-14 02:43    48240    ----a-w-    c:\program files (x86)\Mozilla Firefox\browser\components\browsercomps.dll
2014-11-29 22:28 . 2013-05-06 15:13    110176    ----a-w-    c:\windows\system32\klfphc.dll
2014-11-29 22:27 . 2014-11-29 22:27    --------    d-----w-    c:\windows\ELAMBKUP
2014-11-29 22:27 . 2014-11-29 22:27    --------    d-----w-    c:\program files (x86)\Kaspersky Lab
2014-11-29 22:26 . 2014-08-13 00:33    246456    ----a-w-    c:\windows\system32\drivers\klhk.sys
2014-11-29 20:43 . 2014-12-09 22:26    --------    d-----w-    C:\AdwCleaner
2014-11-29 20:07 . 2014-12-09 23:00    --------    d-----w-    c:\programdata\Kaspersky Lab
2014-11-29 19:42 . 2014-11-29 22:30    --------    d-----w-    c:\programdata\Kaspersky Lab Setup Files
2014-11-29 15:34 . 2014-11-29 15:34    --------    d-----w-    c:\programdata\Panda Security
2014-11-28 20:35 . 2014-11-29 01:00    --------    d-----w-    c:\users\Wal-Mart\AppData\Roaming\DVD Flick
2014-11-28 20:35 . 2008-08-31 19:27    28672    ----a-w-    c:\windows\SysWow64\mousewheel.ocx
2014-11-28 20:35 . 2007-09-01 00:36    36864    ----a-w-    c:\windows\SysWow64\trayicon_handler.ocx
2014-11-28 20:35 . 2004-03-09 06:00    662288    ----a-w-    c:\windows\SysWow64\mscomct2.ocx
2014-11-28 20:35 . 2004-03-09 06:00    609824    ----a-w-    c:\windows\SysWow64\comctl32.ocx
2014-11-28 20:35 . 2003-01-26 19:41    40960    ----a-w-    c:\windows\SysWow64\ssubtmr6.dll
2014-11-28 20:35 . 1998-06-24 06:00    164144    ----a-w-    c:\windows\SysWow64\comct232.ocx
2014-11-28 20:34 . 2004-03-09 06:00    212240    ----a-w-    c:\windows\SysWow64\richtx32.ocx
2014-11-23 08:38 . 2014-12-09 19:26    --------    d-----w-    c:\users\Wal-Mart\AppData\Roaming\dvdcss
2014-11-21 23:10 . 2014-12-09 19:26    --------    d-----w-    c:\users\Wal-Mart\AppData\Roaming\vlc
2014-11-20 16:09 . 2009-07-14 01:40    38912    ----a-w-    c:\windows\system32\Spool\prtprocs\x64\EP0NPP01.DLL
2014-11-20 11:25 . 2014-11-20 11:25    --------    d-----w-    c:\users\Wal-Mart\AppData\Roaming\Template
2014-11-18 21:47 . 2014-11-11 03:08    241152    ----a-w-    c:\windows\system32\pku2u.dll
2014-11-18 21:47 . 2014-11-11 03:08    728064    ----a-w-    c:\windows\system32\kerberos.dll
2014-11-18 21:47 . 2014-11-11 02:44    186880    ----a-w-    c:\windows\SysWow64\pku2u.dll
2014-11-18 21:47 . 2014-11-11 02:44    550912    ----a-w-    c:\windows\SysWow64\kerberos.dll
2014-11-17 05:01 . 2014-11-17 05:01    --------    d-----w-    c:\users\Wal-Mart\AppData\Roaming\Apple Computer
2014-11-17 05:01 . 2014-11-17 05:01    --------    d-----w-    c:\users\Wal-Mart\AppData\Local\Apple Computer
2014-11-17 05:01 . 2014-11-17 05:01    --------    d-----w-    c:\users\Wal-Mart\AppData\Roaming\TideSDK
2014-11-16 05:05 . 2014-11-16 05:05    --------    d-sh--w-    c:\users\Wal-Mart\AppData\Local\EmieBrowserModeList
2014-11-14 18:47 . 2014-11-14 18:47    --------    d-----w-    c:\programdata\Riot Games
2014-11-14 14:22 . 2014-08-29 02:07    3179520    ----a-w-    c:\windows\system32\rdpcorets.dll
2014-11-14 14:22 . 2014-05-08 09:32    16384    ----a-w-    c:\windows\system32\RdpGroupPolicyExtension.dll
2014-11-14 14:22 . 2014-09-05 01:52    5703168    ----a-w-    c:\windows\SysWow64\mstscax.dll
2014-11-14 14:22 . 2014-09-05 02:11    6584320    ----a-w-    c:\windows\system32\mstscax.dll
2014-11-14 05:10 . 2014-12-09 20:47    129752    ----a-w-    c:\windows\system32\drivers\MBAMSwissArmy.sys
2014-11-14 04:59 . 2014-12-07 13:07    --------    d-----w-    c:\program files (x86)\Malwarebytes Anti-Malware
2014-11-14 04:59 . 2014-11-21 12:14    63704    ----a-w-    c:\windows\system32\drivers\mwac.sys
2014-11-14 04:59 . 2014-11-21 12:14    93400    ----a-w-    c:\windows\system32\drivers\mbamchameleon.sys
2014-11-14 04:59 . 2014-11-21 12:14    25816    ----a-w-    c:\windows\system32\drivers\mbam.sys
2014-11-14 04:59 . 2014-11-14 04:59    --------    d-----w-    c:\programdata\Malwarebytes
2014-11-14 04:58 . 2014-11-14 04:58    --------    d-----w-    c:\users\Wal-Mart\AppData\Local\Programs
2014-11-14 03:27 . 2013-10-02 01:10    44544    ----a-w-    c:\windows\system32\TsUsbGDCoInstaller.dll
2014-11-14 03:26 . 2012-08-23 14:10    19456    ----a-w-    c:\windows\system32\drivers\rdpvideominiport.sys
2014-11-14 03:25 . 2012-08-23 11:12    192000    ----a-w-    c:\windows\SysWow64\rdpendp_winip.dll
2014-11-14 03:25 . 2012-08-23 14:13    243200    ----a-w-    c:\windows\system32\rdpudd.dll
2014-11-14 03:25 . 2012-08-23 10:51    228864    ----a-w-    c:\windows\system32\rdpendp_winip.dll
2014-11-13 12:33 . 2014-08-21 06:43    1882624    ----a-w-    c:\windows\system32\msxml3.dll
2014-11-13 12:32 . 2014-10-18 02:05    861696    ----a-w-    c:\windows\system32\oleaut32.dll
2014-11-13 12:32 . 2014-10-18 01:33    571904    ----a-w-    c:\windows\SysWow64\oleaut32.dll
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-11-29 23:01 . 2014-08-14 01:34    77512    ----a-w-    c:\windows\system32\drivers\klwtp.sys
2014-11-29 23:01 . 2014-08-21 00:04    818888    ----a-w-    c:\windows\system32\drivers\klif.sys
2014-11-29 23:01 . 2014-08-18 20:43    150536    ----a-w-    c:\windows\system32\drivers\klflt.sys
2014-11-26 12:29 . 2013-06-27 15:33    701104    ----a-w-    c:\windows\SysWow64\FlashPlayerApp.exe
2014-11-26 12:29 . 2011-08-17 03:01    71344    ----a-w-    c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2014-11-13 21:02 . 2010-11-14 23:39    103374192    ----a-w-    c:\windows\system32\MRT.exe
2014-10-04 23:19 . 2012-12-15 15:52    532    ----a-w-    c:\windows\system32\ASOROSet.bin
2014-09-25 02:08 . 2014-10-01 10:53    371712    ----a-w-    c:\windows\system32\qdvd.dll
2014-09-25 01:40 . 2014-10-01 10:53    519680    ----a-w-    c:\windows\SysWow64\qdvd.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HPADVISOR"="c:\program files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe" [2009-09-29 1685048]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2014-09-12 959176]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\run-]
"SunJavaUpdateSched"="c:\program files (x86)\Java\jre6\bin\jusched.exe"
"HP Software Update"=c:\program files (x86)\Hp\HP Software Update\HPWuSchd2.exe
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
R2 HP Support Assistant Service;HP Support Assistant Service;c:\program files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe;c:\program files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe [x]
R2 RtVOsdService;RtVOsdService Installer;c:\program files\Realtek\RtVOsd\RtVOsdService.exe;c:\program files\Realtek\RtVOsd\RtVOsdService.exe [x]
R3 BVRPMPR5a64;BVRPMPR5a64 NDIS Protocol Driver;c:\windows\system32\drivers\BVRPMPR5a64.SYS;c:\windows\SYSNATIVE\drivers\BVRPMPR5a64.SYS [x]
R3 GamesAppIntegrationService;GamesAppIntegrationService;c:\program files (x86)\WildTangent Games\App\GamesAppIntegrationService.exe;c:\program files (x86)\WildTangent Games\App\GamesAppIntegrationService.exe [x]
R3 GamesAppService;GamesAppService;c:\program files (x86)\WildTangent Games\App\GamesAppService.exe;c:\program files (x86)\WildTangent Games\App\GamesAppService.exe [x]
R3 IEEtwCollectorService;Internet Explorer ETW Collector Service;c:\windows\system32\IEEtwCollector.exe;c:\windows\SYSNATIVE\IEEtwCollector.exe [x]
R3 netw5v64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;c:\windows\system32\DRIVERS\netw5v64.sys;c:\windows\SYSNATIVE\DRIVERS\netw5v64.sys [x]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys;c:\windows\SYSNATIVE\drivers\rdpvideominiport.sys [x]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys;c:\windows\SYSNATIVE\Drivers\RtsUStor.sys [x]
R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL6.SYS;c:\windows\SYSNATIVE\DRIVERS\VSTAZL6.SYS [x]
R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV6.SYS;c:\windows\SYSNATIVE\DRIVERS\VSTDPV6.SYS [x]
R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT6.SYS;c:\windows\SYSNATIVE\DRIVERS\VSTCNXT6.SYS [x]
R3 ssmirrdr;ssmirrdr;c:\windows\system32\DRIVERS\ssmirrdr.sys;c:\windows\SYSNATIVE\DRIVERS\ssmirrdr.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]
R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x64.sys;c:\windows\SYSNATIVE\DRIVERS\yk62x64.sys [x]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe;c:\program files\Windows Live\Mesh\wlcrasvc.exe [x]
S0 cm_km_w;Kaspersky Lab Crypto Module (FDE PDK);c:\windows\system32\DRIVERS\cm_km_w.sys;c:\windows\SYSNATIVE\DRIVERS\cm_km_w.sys [x]
S1 klhk;klhk;c:\windows\system32\DRIVERS\klhk.sys;c:\windows\SYSNATIVE\DRIVERS\klhk.sys [x]
S1 KLIM6;Kaspersky Anti-Virus NDIS 6 Filter;c:\windows\system32\DRIVERS\klim6.sys;c:\windows\SYSNATIVE\DRIVERS\klim6.sys [x]
S1 klpd;klpd;c:\windows\system32\DRIVERS\klpd.sys;c:\windows\SYSNATIVE\DRIVERS\klpd.sys [x]
S1 kltdi;kltdi;c:\windows\system32\DRIVERS\kltdi.sys;c:\windows\SYSNATIVE\DRIVERS\kltdi.sys [x]
S1 Klwtp;Klwtp;c:\windows\system32\DRIVERS\klwtp.sys;c:\windows\SYSNATIVE\DRIVERS\klwtp.sys [x]
S1 kneps;kneps;c:\windows\system32\DRIVERS\kneps.sys;c:\windows\SYSNATIVE\DRIVERS\kneps.sys [x]
S2 AERTFilters;Andrea RT Filters Service;c:\program files\Realtek\Audio\HDA\AERTSr64.exe;c:\program files\Realtek\Audio\HDA\AERTSr64.exe [x]
S2 AVP15.0.1;Kaspersky Anti-Virus Service 15.0.1;c:\program files (x86)\Kaspersky Lab\Kaspersky Internet Security 15.0.1\avp.exe;c:\program files (x86)\Kaspersky Lab\Kaspersky Internet Security 15.0.1\avp.exe [x]
S2 HPWMISVC;HPWMISVC;c:\program files\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe;c:\program files\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe [x]
S2 kldisk;kldisk;c:\windows\system32\DRIVERS\kldisk.sys;c:\windows\SYSNATIVE\DRIVERS\kldisk.sys [x]
S2 USTSScheduler;US Tech Support Scheduling Service;c:\program files (x86)\USTechSupport\SchedulerService\SchedulerService.exe;c:\program files (x86)\USTechSupport\SchedulerService\SchedulerService.exe [x]
S3 IntcHdmiAddService;Intel® High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys;c:\windows\SYSNATIVE\drivers\IntcHdmi.sys [x]
S3 klflt;Kaspersky Lab Kernel DLL;c:\windows\system32\DRIVERS\klflt.sys;c:\windows\SYSNATIVE\DRIVERS\klflt.sys [x]
S3 klkbdflt;Kaspersky Lab KLKBDFLT;c:\windows\system32\DRIVERS\klkbdflt.sys;c:\windows\SYSNATIVE\DRIVERS\klkbdflt.sys [x]
S3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\DRIVERS\klmouflt.sys;c:\windows\SYSNATIVE\DRIVERS\klmouflt.sys [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys;c:\windows\SYSNATIVE\DRIVERS\Rt64win7.sys [x]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2010-02-22 18:38    451872    ----a-w-    c:\program files (x86)\Common Files\LightScribe\LSRunOnce.exe
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2014-11-29 23:12    1087304    ----a-w-    c:\program files (x86)\Google\Chrome\Application\39.0.2171.71\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2014-12-09 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-11-30 12:29]
.
2014-12-09 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-11-29 12:33]
.
2014-12-09 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-11-29 12:33]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDVCPL"="c:\program files\Realtek\Audio\HDA\RtkNGUI64.exe" [2011-07-28 6489704]
"RtkOSD"="c:\program files (x86)\Realtek\Audio\OSD\RtVOsd64.exe" [2010-01-13 995840]
"HP Quick Launch"="c:\program files\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe" [2010-01-18 451072]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-08-26 161304]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-08-26 386584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-08-26 415256]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~3\Office12\EXCEL.EXE/3000
IE: {{09A10376-994C-4BBF-9121-F50CF7BA237E} - {F2A56BFE-7911-451A-BC74-A9C3C2E95126} - c:\program files (x86)\Kaspersky Lab\Kaspersky Internet Security 15.0.1\IEExt\ie_plugin.dll
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\users\Wal-Mart\AppData\Roaming\Mozilla\Firefox\Profiles\j0zc2xm9.default\
FF - prefs.js: network.proxy.type - 2
FF - ExtSQL: !HIDDEN! 2013-08-11 09:15; 4zffxtbr@VideoDownloadConverter_4z.com; c:\program files (x86)\VideoDownloadConverter_4z\bar\1.bin
FF - ExtSQL: !HIDDEN! 2013-08-12 14:33; 1gffxtbr@InboxAce_1g.com; c:\program files (x86)\InboxAce_1g\bar\1.bin
.
- - - - ORPHANS REMOVED - - - -
.
SafeBoot-40411025.sys
HKLM_Wow6432Node-ActiveSetup-{2D46B6DC-2207-486B-B523-A557E6D54B47} - start
HKLM-Run-SynTPEnh - c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_15_0_0_239_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_15_0_0_239_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}]
@Denied: (A 2) (Everyone)
@="IFlashBroker6"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_15_0_0_239_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_15_0_0_239_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_15_0_0_239.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.15"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_15_0_0_239.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_15_0_0_239.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_15_0_0_239.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}]
@Denied: (A 2) (Everyone)
@="IFlashBroker6"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2014-12-09  17:15:01
ComboFix-quarantined-files.txt  2014-12-09 23:15
.
Pre-Run: 211,432,579,072 bytes free
Post-Run: 211,268,751,360 bytes free
.
- - End Of File - - 24911B9DCDCD34CF2D4C45171C76C09C
 
Anyways got a bunch of locked folders now idk if that's normal or if it's trying to protect me from something ... help please.  Sorry this is a bit off my skill chart.


Edited by h00man, 10 December 2014 - 03:57 PM.




#2 HelpBot

HelpBot

    Bleepin' Binary Bot


  • Bots
  • 12,740 posts
  • OFFLINE
  • Gender:Male
  • Local time:12:46 PM

Posted 14 December 2014 - 07:45 PM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

Step 1: In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/559243 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

Step 2: If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from the following link if you no longer have it available and save it to your desktop.

    DDS.com Download Link
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control can be found HERE.

As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 h00man


Posted 15 December 2014 - 01:23 PM

When I try to attach requested document I get error 302



#4 h00man


Posted 15 December 2014 - 01:26 PM

I'm having multiple issues, malware, spyware, toolbar, browser hijackers, tasks that shouldn't be running, had problems with permission to my host file, fixed that with hosts-perm.  Have run ADW, Rkill, TDSSkiller, Roguekiller, JRT, roguekiller and tdss I ran not updated versions offline so I updated and ran again .. also my roguekiller wasn't a 64 bit version so I replaced it and ran it again as well.  So my logs if I posted wouldn't be accurate.  I DLed a winzip free version with bunch of ads in it .. got rid of duck duck go with spybot.  I replaced with peazip... here is my dds report I've done so much stuff I forgot which file you guys wanted zipped so I did it to both hope that's ok.  Let me know what to do .. about to just run recovery from partition and wipe computer... reinstall everything... idk if that will even remove some deep rooted stuff though.  Thanks :)

Attached Files


Edited by h00man, 15 December 2014 - 01:35 PM.


#5 Mako


Posted 16 December 2014 - 06:35 AM

Hi h00man,

Welcome to the BleepingComputer's Virus/Trojan/Spyware/Malware Removal forum. :welcome:
My name is Mako and I will be helping you with your computer problems.

Before we begin, please note the following:

  • Please stay with the topic until I tell you that your system is clean. Missing symptoms does not mean that everything is okay.
  • The instructions given are for your system only!
  • Please do not run any tools until requested! The reason for this is so I know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.
  • If you don't understand something don't hesitate to ask before running the tools.
  • As you may have noticed: I live in Belgium. Meaning that due to the time difference it can take some time before I'm able to get back to you. Please allow me 24h to reply to your topic before sending me a PM or giving this topic a bump.

Now let's get started...
 
I see you've tried already a ton of different tools and programs. Some of which are not as useful as the others, some more dangerous than the others.
Since the DDS log is the most recent update of your computer I will be working forward from that point on. I'll try to keep in mind which tools you've already used, but nevertheless there is quite a chance you'll have to run a specific tool again.
 
Try to stick to these tools only since running other programs in the meantime may hamper the recovery process.

:step1: ======Zoek.exe======

Take action to disable your antivirus and antispyware programs, as they may conflict with Zoek.exe
>> Info on how to disable your security applications > http://www.bleepingcomputer.com/forums/topic114351.html

Download zoek.exe to your desktop

  • If Internet Explorer, any other browser, or a security program issues a warning indicating the file is unsafe, please ignore, since it is a false warning.

Using Zoek.exe

  • On the Desktop, double-click Zoek.exe to start the tool.
    Windows Vista, 7 and 8 users right-click the file and select: Run as Administrator.
    Give the program a few seconds to appear.
  • Copy and paste the following script in the code box:
  • Note: This script is written for usage on this system only, do not use it on any other computer even if the problems are similar.
    torpigcheck;
    filesrcm;
    startupall;
    chromelook;
    firefoxlook;
    skipfix-iedefaults;
    C:\ProgramData\InstallMate;fs
    emptyclsid;
    
  • Click the "Run script" button and wait patiently.
  • When finished the logfile will be opened in notepad.
  • If a reboot is needed the logfile will be opened after reboot.
  • The zoek-results.log can also be found on your systemdrive.
  • Please post the logfile for further review in your next comment.

:step2: ====Eset Online Scanner====

Visit the ESET Online Scanner website.

  • Click the ESET Online Scanner button
  • Check the box next to YES, I accept the Terms of Use
  • Click Start
  • When prompted, accept the installation of ActiveX Control
  • Now click "Advanced settings"
  • Make sure to check the following options:
    • Remove found threats
    • Scan archives
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • Click Start
  • Your computer is now being scanned. This can take a while so please wait patiently.
  • When finished you may close your internet browser.
  • Attach the file named "Log.txt" to your next reply (You can find the file in the following folder: "C:\Program Files\EsetOnlineScanner\log.txt")

Edited by Mako, 16 December 2014 - 06:36 AM.

Regards,

Mako

 

Member of UNITE Unified Network of Instructors and Trained Eliminators

Noticed any spelling or grammar errors in my reply? Please feel free to point them out to me, I'm always eager to learn. 


#6 h00man


Posted 16 December 2014 - 03:36 PM

zoek log

Attached Files



#7 h00man


Posted 16 December 2014 - 03:52 PM

Attached, thanks for your help

Attached Files

  • Attached File  log.txt   1.31KB   4 downloads

Edited by h00man, 16 December 2014 - 03:53 PM.


#8 Mako


Posted 16 December 2014 - 03:59 PM

Hello h00man,
 
Thanks for the log files. You said there were some tasks that shouldn't be running. Can you tell me which one(s)?

:step1: ====Zoek.exe====

Start Zoek.exe again.

Take action to disable your antivirus and antispyware programs, as they may conflict with Zoek.exe
>> Info on how to disable your security applications > http://www.bleepingcomputer.com/forums/topic114351.html

Using Zoek.exe

  • On the Desktop, double-click Zoek.exe to start the tool.
    Windows Vista, 7 and 8 users right-click the file and select: Run as Administrator.
    Give the program a few seconds to appear.
  • Copy and paste the following script in the code box:
  • Note: This script is written for usage on this system only, do not use it on any other computer even if the problems are similar.
    autoclean;
    emptyfolderscheck;delete
    
  • Click the "Run script" button and wait patiently.
  • When finished the logfile will be opened in notepad.
  • If a reboot is needed the logfile will be opened after reboot.
  • The zoek-results.log can also be found on your systemdrive.
  • Please post the logfile for further review in your next comment.

 

:step2: ====AdwCleaner===

Please download AdwCleaner by Xplode and save to your Desktop.
Double click on AdwCleaner.exe to run the tool. Vista/Windows 7/8 users right-click and select Run As Administrator

  • The tool will start to update the database, please wait a bit.
  • Click on the Scan button.
  • AdwCleaner will begin to scan your computer.
  • Click on the Clean button.
  • Press OK when asked to close all programs and follow the onscreen prompts.
  • Press OK again to allow AdwCleaner to restart the computer and complete the removal process.
  • After rebooting, a logfile report (AdwCleaner[S#].txt) will open automatically (where the largest value of # represents the most recent report).
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of that logfile will also be saved in the C:\AdwCleaner folder.

Regards,

Mako

 



#9 h00man


Posted 16 December 2014 - 09:56 PM

Well things didn't work quite as intended, sorry if I messed up our process we got going, but I'll try to be as detailed as possible in my response.  So I used zoek as requested and also when I used your Eset scanner (I use firefox refuse to use internet explorer) it would not let me run it directly from their website.. said it would need to be opened in a separate window.  So I agreed DLed updated virus definitions etc.  Well now I notice it also put a couple new freeware items in my program files (x86) folder.  Juno preuploader and Netzero preuploader.  These are not in my listed programs that are installed.. so I don't know if they are hiding or if they are there hoping I would install them.  In addition your Eset scanner tool removed my zenmate add on (which I like very much unless it is indeed malware).  So then I was getting some proxy error message which would not let me get back to forums... so I had this issue before and ran roguekiller and it reset my proxy for me.  So I did run roguekiller again to make it back to the forums.. Also after running rogue killer my Win patrol picked up my homepage being changed ... I figured this was from after running roguekiller..  Anyways here is my previous homepage and my new one.  Also included is a zip file of my running tasks.. maybe you could tell me which ones should/shouldn't be running.  I think it's weird I don't have admin access to those 3, but I am the admin of computer.  I am also getting weird cpu spike usages coming from my firefox browser.  It's usually at around 2-20 % ... it's now jumping to 46-71% and back down again.  *Seems to be mainly on facebook*  Also when I close window at top .. a lot of times firefox will continue to run in processes until I manually end it.
Previous:  http://www.microsoft.com/isapi/redir.dll?prd=iear=iesearch
New: http;//go.microsoft.com/fwlink/?LinkId=54896
Now I got into my firefox settings and the homepage is set to "Firefox home page"  not either of those 2..
Thanks in advance for your response ;).

Attached Files


Edited by h00man, 17 December 2014 - 07:20 AM.
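The proxy error mentioned above is a common symptom of a hijacked per-user WinINET proxy setting, which is what tools like RogueKiller reset. As an added example (not part of the thread and not code from any tool named in it), this PowerShell snippet reads those settings from the registry and lists the non-default active lines in the hosts file, so a user can see for themselves what a "proxy reset" changed. The registry key and value names are the standard WinINET ones; the hosts file path is the standard Windows location.

```powershell
# Added example: show the per-user WinINET proxy configuration (used by Internet
# Explorer and most Windows programs) and flag anything that is switched on.
# Assumes a standard Windows installation; run in a normal PowerShell session.
$key      = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$settings = Get-ItemProperty -Path $key

[pscustomobject]@{
    ProxyEnable   = $settings.ProxyEnable     # 1 = a manual proxy is active
    ProxyServer   = $settings.ProxyServer     # host:port of that proxy
    AutoConfigURL = $settings.AutoConfigURL   # PAC script, if any
    ProxyOverride = $settings.ProxyOverride   # bypass list
} | Format-List

if ($settings.ProxyEnable -eq 1 -and $settings.ProxyServer) {
    Write-Warning "A manual proxy is enabled: $($settings.ProxyServer)"
}
if ($settings.AutoConfigURL) {
    Write-Warning "A PAC script is configured: $($settings.AutoConfigURL)"
}

# A modified hosts file produces similar symptoms (sites that stall or never load).
# Print every active entry other than the usual loopback localhost line.
$hostsFile = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
Get-Content -Path $hostsFile |
    Where-Object { $_ -match '^\s*\d' -and $_ -notmatch '^\s*127\.0\.0\.1\s+localhost\b' }
```

On a machine with no proxy configured, ProxyEnable is 0 and the other three values are empty or absent, and the hosts file listing prints nothing. Firefox keeps its own proxy setting (Options > Network) and only follows the WinINET values when it is set to "Use system proxy settings", so both places are worth checking when a browser reports a proxy error.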


#10 Mako


Posted 17 December 2014 - 11:24 AM

Hello h00man,
 
Thank you for the profound explanation, much appreciated.
I took a look at the ESET scan results but there isn't anything mentioned about the removal of the zenmate add-on. I believe it must be Zoek.exe that's responsible for this action:

C:\Users\Wal-Mart\AppData\Roaming\Mozilla\Firefox\Profiles\j0zc2xm9.default\extensions\firefox@zenmate.com.xpi deleted

I've notified the programmer of this tool and asked why this is automatically deleted. If you want you can re-install the plug-in or we can try to restore the file. Your call.
 
Concerning the tasks that are running and the image you've attached. There is nothing to worry about: all these processes are legit and are of no harm, even the ones you've mentioned in your first post.
 
Let's see if we can track down some remaining adware/malware or the specific folders you told me about. I find it strange to believe the ESET online scanner would have created these folders on your hard drive.

:step1: ====ZHPDiag====

Download ZHPDiag to your desktop.

Take action to disable your antivirus and antispyware programs, as they may conflict with ZHPDiag
>> Info on how to disable your security applications > http://www.bleepingcomputer.com/forums/topic114351.html

Installing ZHPDiag

  • Double-click zhpdiag.exe to start the installation.
  • Windows Vista, 7 and 8 users right-click the file and select: Run as Administrator.
  • Click multiple times "Suivant" in the installation process.
  • Click "Installer" when asked and "Terminer" once the installation is complete.

Running ZHPDiag

  • Double-click the shortcut ZHPDiag on your desktop.
  • The user interface will appear, now select "Configureren".
  • If the tool's default language isn't set to English, click in the bottom right corner on the icon "Sélectionner une langue" and choose "Anglais".
  • Next, click on the icon in the bottom left "Diagnostic Options".
  • ZHPDiag is now scanning your computer. Please wait patiently until the scan is finished.

The ZHPDiag.txt logfile

  • When finished, a logfile named "ZHPDiag.txt" will appear on your desktop.
  • Please post the logfile for further review in your next comment.

Regards,

Mako

 

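The verdict above, that WmiPrvSE.exe, conhost.exe, wlanext.exe and the other processes from the first post are legitimate, is something a user can check rather than take on trust. As an added example (not from the thread and not part of any tool it mentions), this PowerShell snippet looks up the running processes with those names, shows where each binary lives, and checks its Authenticode signature. The process names are the ones from the thread; everything else is a constructed illustration.

```powershell
# Added example: for each running process whose image name is in the list,
# report the binary's location and its Authenticode signature status.
# Genuine copies of these Windows components live under C:\Windows and are
# signed by Microsoft; a copy elsewhere, or an unsigned one, deserves a look.
# Run from an elevated PowerShell prompt so the Path of system processes is readable.
$names = 'WmiPrvSE', 'conhost', 'wlanext', 'WLIDSVCM', 'taskhost'

Get-Process -Name $names -ErrorAction SilentlyContinue |
    Where-Object { $_.Path } |          # protected processes expose no path
    Sort-Object -Property Path -Unique | # one row per binary, not per instance
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.Path
        [pscustomobject]@{
            Name      = $_.ProcessName
            Path      = $_.Path
            Signature = $sig.Status       # Valid, NotSigned, HashMismatch, ...
            Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            InWindows = $_.Path -like "$env:SystemRoot\*"
        }
    } | Format-Table -AutoSize
```

The "no admin access" observation from the first post is expected: processes such as conhost.exe and WmiPrvSE.exe run under system or service accounts, and Task Manager will not let an ordinary administrator session touch them without elevation. One caveat for the signature column: many Windows binaries are catalog-signed rather than carrying an embedded signature, and older Windows versions report those as NotSigned; on such systems the InWindows column is the more useful indicator, or use a tool that understands catalog signatures.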


#11 Mako


Posted 20 December 2014 - 11:07 AM

Hello h00man,

 

It's been a while since I've heard something from you... are you still with me?

Please reply to this thread within 24h otherwise it will be closed.

 

Respectfully,

Mako 




#12 Mako


Posted 21 December 2014 - 12:00 PM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.

Regards,

Mako

 





