Possibly infected Win32:Evo-gen, PUM.Dns, Rootkit, help


This topic is locked
25 replies to this topic

#1 Lorelai001

Posted 12 December 2014 - 01:43 PM

Yesterday Avast warned me of an infection with:

Win32Evo-gen[susp]
SVC:Bonjour Service>
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Bonjour\mdnsNSP.dll

I opted for deletion, but it reappeared on restarting Windows 7. Bonjour was installed along with Photoshop, but I did that a month ago; only recently did a problem appear. I suspect I may have got infected, if that's the case, via a USB stick. The Internet was a bit slow these last few days, with web pages slow to load, but there were no other symptoms. I downloaded a program to delete Bonjour. Avast has stopped showing any issues ever since.
I used other virus and malware detection programs and found nothing, but I used RogueKiller and it found some issues.
I used: ADWCleaner, TDSSKiller, EsetNod32 downloadable version of online scan, RKill, they showed nothing.

This is what RogueKiller found:

RogueKiller V10.1.0.0 [Dec 11 2014] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7600 ) 32 bits version
Started in : Normal mode
User : diana [Administrator]
Mode : Scan -- Date : 12/12/2014  20:03:45

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 8 ¤¤¤
[PUM.Dns] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters | DhcpNameServer : 192.168.1.1 0.0.0.0 [(Private Address) (XX)]  -> Found
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters | DhcpNameServer : 192.168.1.1 0.0.0.0 [(Private Address) (XX)]  -> Found
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters | DhcpNameServer : 192.168.1.1 0.0.0.0 [(Private Address) (XX)]  -> Found
[PUM.Dns] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{A4B61B4E-76AB-4AB3-B141-AAA9CC396715} | DhcpNameServer : 192.168.1.1 0.0.0.0 [(Private Address) (XX)]  -> Found
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{A4B61B4E-76AB-4AB3-B141-AAA9CC396715} | DhcpNameServer : 192.168.1.1 0.0.0.0 [(Private Address) (XX)]  -> Found
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{A4B61B4E-76AB-4AB3-B141-AAA9CC396715} | DhcpNameServer : 192.168.1.1 0.0.0.0 [(Private Address) (XX)]  -> Found
[PUM.DesktopIcons] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> Found
[PUM.DesktopIcons] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1  -> Found

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive1:  +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! ([32] The request is not supported. )
Error reading LL2 MBR! ([32] The request is not supported. )


Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 11-12-2014 02
Ran by diana (administrator) on DIANA-PC on 12-12-2014 20:57:06
Running from C:\Users\diana\Downloads
Loaded Profile: diana (Available profiles: diana)
Platform: Microsoft Windows 7 Ultimate  (X86) OS Language: English (United States)
Internet Explorer Version 8
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(ATI Technologies Inc.) C:\Windows\System32\Ati2evxx.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastSvc.exe
(Microsoft Corporation) C:\Windows\System32\wlanext.exe
(ATI Technologies Inc.) C:\Windows\System32\Ati2evxx.exe
() C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastUI.exe
(Microsoft Corporation) C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
(Microsoft Corporation) C:\Windows\System32\wbem\unsecapp.exe
(Mozilla Corporation) C:\Program Files\Mozilla Firefox\firefox.exe


==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [Adobe ARM] => C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959176 2014-09-12] (Adobe Systems Incorporated)
HKLM\...\Run: [AvastUI.exe] => C:\Program Files\AVAST Software\Avast\AvastUI.exe [5226600 2014-12-06] (AVAST Software)
HKLM\...\Run: [GrooveMonitor] => C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe [31072 2008-10-25] (Microsoft Corporation)
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast\ashShell.dll (AVAST Software)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKU\S-1-5-21-1551030260-678294276-1226032098-1000\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/?ocid=iehp
BHO: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
BHO: avast! Online Security -> {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} -> C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll (Microsoft Corporation)
Winsock: Catalog5 01 C:\Windows\system32\NLAapi.dll [51712] (Microsoft Corporation)
Winsock: Catalog5 02 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
Winsock: Catalog5 03 C:\Windows\system32\winrnr.dll [20992] (Microsoft Corporation)
Winsock: Catalog5 04 C:\Windows\system32\napinsp.dll [52224] (Microsoft Corporation)
Winsock: Catalog5 05 C:\Windows\system32\pnrpnsp.dll [65024] (Microsoft Corporation)
Winsock: Catalog5 06 C:\Windows\system32\pnrpnsp.dll [65024] (Microsoft Corporation)
Winsock: Catalog5 07 C:\Program Files\Bonjour\mdnsNSP.dll File Not found ()
Winsock: Catalog9 01 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
Winsock: Catalog9 02 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
Winsock: Catalog9 03 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
Winsock: Catalog9 04 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
Winsock: Catalog9 05 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
Winsock: Catalog9 06 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
Winsock: Catalog9 07 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
Winsock: Catalog9 08 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
Winsock: Catalog9 09 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
Winsock: Catalog9 10 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
Winsock: Catalog9 11 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
Winsock: Catalog9 12 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
Winsock: Catalog9 13 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
Winsock: Catalog9 14 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
Winsock: Catalog9 15 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
Winsock: Catalog9 16 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
Winsock: Catalog9 17 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
Winsock: Catalog9 18 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
Winsock: Catalog9 19 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
Winsock: Catalog9 20 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
Winsock: Catalog9 21 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
Winsock: Catalog9 22 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
Winsock: Catalog9 23 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
Winsock: Catalog9 24 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1 0.0.0.0

FireFox:
========
FF ProfilePath: C:\Users\diana\AppData\Roaming\Mozilla\Firefox\Profiles\o4etf1a5.default
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF32_15_0_0_246.dll ()
FF Plugin: @tools.google.com/Google Update;version=3 -> C:\Program Files\Google\Update\1.3.25.11\npGoogleUpdate3.dll (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 -> C:\Program Files\Google\Update\1.3.25.11\npGoogleUpdate3.dll (Google Inc.)
FF Plugin: @videolan.org/vlc,version=2.1.5 -> C:\Program Files\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF Extension: Adblock Plus - C:\Users\diana\AppData\Roaming\Mozilla\Firefox\Profiles\o4etf1a5.default\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2014-11-10]
FF HKLM\...\Firefox\Extensions: [wrc@avast.com] - C:\Program Files\AVAST Software\Avast\WebRep\FF
FF Extension: Avast Online Security - C:\Program Files\AVAST Software\Avast\WebRep\FF [2014-11-05]

Chrome:
=======
CHR Profile: C:\Users\diana\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Slides) - C:\Users\diana\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2014-11-06]
CHR Extension: (Google Docs) - C:\Users\diana\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2014-11-06]
CHR Extension: (Google Drive) - C:\Users\diana\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2014-11-06]
CHR Extension: (Google Voice Search Hotword (Beta)) - C:\Users\diana\AppData\Local\Google\Chrome\User Data\Default\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn [2014-11-06]
CHR Extension: (YouTube) - C:\Users\diana\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2014-11-06]
CHR Extension: (Google Search) - C:\Users\diana\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2014-11-06]
CHR Extension: (Google Sheets) - C:\Users\diana\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2014-11-06]
CHR Extension: (Avast Online Security) - C:\Users\diana\AppData\Local\Google\Chrome\User Data\Default\Extensions\gomekmidlodglbbmalcneegieacbdmki [2014-11-06]
CHR Extension: (Google Wallet) - C:\Users\diana\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2014-11-06]
CHR Extension: (Gmail) - C:\Users\diana\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2014-11-06]
CHR HKLM\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx [2014-12-06]

========================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 AdobeActiveFileMonitor5.0; C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe [108712 2006-12-22] ()
R2 avast! Antivirus; C:\Program Files\AVAST Software\Avast\AvastSvc.exe [50344 2014-12-06] (AVAST Software)
S3 FLEXnet Licensing Service; C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe [654848 2014-11-07] (Macrovision Europe Ltd.) [File not signed]

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R0 amdide; C:\Windows\System32\DRIVERS\amdide.sys [11944 2012-12-03] (Advanced Micro Devices Inc.)
R2 aswHwid; C:\Windows\system32\drivers\aswHwid.sys [24184 2014-12-06] ()
R2 aswMonFlt; C:\Windows\system32\drivers\aswMonFlt.sys [70384 2014-12-06] (AVAST Software)
R1 aswRdr; C:\Windows\system32\drivers\aswRdr2.sys [81768 2014-12-06] (AVAST Software)
R0 aswRvrt; C:\Windows\system32\Drivers\aswRvrt.sys [49944 2014-12-06] ()
R1 aswSnx; C:\Windows\system32\drivers\aswSnx.sys [787800 2014-12-06] (AVAST Software)
R1 aswSP; C:\Windows\system32\drivers\aswSP.sys [423784 2014-12-06] (AVAST Software)
R2 aswStm; C:\Windows\system32\drivers\aswStm.sys [91496 2014-12-06] (AVAST Software)
R0 aswVmm; C:\Windows\system32\Drivers\aswVmm.sys [206248 2014-12-06] ()
S3 MBAMSwissArmy; C:\Windows\system32\drivers\MBAMSwissArmy.sys [114904 2014-12-12] (Malwarebytes Corporation)
R0 PxHelp20; C:\Windows\System32\Drivers\PxHelp20.sys [20640 2014-11-09] (Sonic Solutions) [File not signed]

==================== NetSvcs (Whitelisted) ===================


(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)


==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-12-12 20:57 - 2014-12-12 20:58 - 00010463 _____ () C:\Users\diana\Downloads\FRST.txt
2014-12-12 20:56 - 2014-12-12 20:57 - 00000000 ____D () C:\FRST
2014-12-12 20:55 - 2014-12-12 20:55 - 01111040 _____ (Farbar) C:\Users\diana\Downloads\FRST.exe
2014-12-12 20:49 - 2014-12-12 20:50 - 02166272 _____ () C:\Users\diana\Downloads\adwcleaner_4.105.exe
2014-12-12 20:38 - 2014-12-12 20:38 - 00002270 _____ () C:\Users\diana\Desktop\RKreport_SCN_12122014_200345.log
2014-12-12 19:21 - 2014-12-12 19:21 - 00035064 _____ () C:\Windows\system32\Drivers\TrueSight.sys
2014-12-12 19:21 - 2014-12-12 19:21 - 00000000 ____D () C:\ProgramData\RogueKiller
2014-12-12 19:18 - 2014-12-12 19:18 - 15201368 _____ () C:\Users\diana\Desktop\RogueKiller.exe
2014-12-12 03:44 - 2014-12-12 03:45 - 00002004 _____ () C:\Users\diana\Desktop\Rkill.txt
2014-12-12 03:43 - 2014-12-12 03:43 - 01944824 _____ (Bleeping Computer, LLC) C:\Users\diana\Desktop\iExplore.exe
2014-12-12 00:07 - 2014-12-12 00:07 - 04184008 _____ (Kaspersky Lab ZAO) C:\Users\diana\Downloads\tdsskiller.exe
2014-12-09 12:32 - 2014-12-09 12:33 - 00000000 ____D () C:\Program Files\Mozilla Firefox
2014-12-06 15:14 - 2014-12-06 15:14 - 00291352 _____ (AVAST Software) C:\Windows\system32\aswBoot.exe
2014-12-06 15:14 - 2014-12-06 15:14 - 00043152 _____ (AVAST Software) C:\Windows\avastSS.scr
2014-11-13 01:04 - 2014-11-13 01:04 - 00000000 ____D () C:\Program Files\ESET
2014-11-13 01:00 - 2014-11-13 01:00 - 02347384 _____ (ESET) C:\Users\diana\Desktop\esetsmartinstaller_enu.exe
2014-11-13 00:27 - 2014-11-13 00:27 - 00001213 _____ () C:\Users\diana\Desktop\AdwCleaner[S0].txt
2014-11-13 00:17 - 2014-12-12 20:53 - 00000000 ____D () C:\AdwCleaner

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-12-12 20:48 - 2014-11-06 22:21 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2014-12-12 20:48 - 2014-11-05 12:31 - 00000886 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2014-12-12 18:23 - 2014-11-05 22:09 - 00212493 _____ () C:\Windows\WindowsUpdate.log
2014-12-12 04:08 - 2009-07-14 06:34 - 00014016 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-12-12 04:08 - 2009-07-14 06:34 - 00014016 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-12-12 04:02 - 2009-07-14 06:53 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-12-12 04:02 - 2009-07-14 06:39 - 00020521 _____ () C:\Windows\setupact.log
2014-12-12 00:20 - 2014-11-09 13:45 - 00114904 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2014-12-10 18:48 - 2014-11-06 22:21 - 00701104 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerApp.exe
2014-12-10 18:48 - 2014-11-06 22:20 - 00071344 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerCPLApp.cpl
2014-12-10 13:58 - 2014-11-06 20:38 - 00000000 ____D () C:\Program Files\Mozilla Maintenance Service
2014-12-09 09:59 - 2014-11-05 12:20 - 00713888 _____ () C:\Windows\system32\PerfStringBackup.INI
2014-12-06 15:20 - 2014-11-05 20:33 - 00010682 _____ () C:\Windows\PFRO.log
2014-12-06 15:14 - 2014-11-05 12:38 - 00002045 _____ () C:\Users\Public\Desktop\Avast Free Antivirus.lnk
2014-12-06 15:14 - 2014-11-05 12:37 - 00787800 _____ (AVAST Software) C:\Windows\system32\Drivers\aswsnx.sys
2014-12-06 15:14 - 2014-11-05 12:37 - 00423784 _____ (AVAST Software) C:\Windows\system32\Drivers\aswsp.sys
2014-12-06 15:14 - 2014-11-05 12:37 - 00206248 _____ () C:\Windows\system32\Drivers\aswVmm.sys
2014-12-06 15:14 - 2014-11-05 12:37 - 00091496 _____ (AVAST Software) C:\Windows\system32\Drivers\aswStm.sys
2014-12-06 15:14 - 2014-11-05 12:37 - 00081768 _____ (AVAST Software) C:\Windows\system32\Drivers\aswRdr2.sys
2014-12-06 15:14 - 2014-11-05 12:37 - 00070384 _____ (AVAST Software) C:\Windows\system32\Drivers\aswmonflt.sys
2014-12-06 15:14 - 2014-11-05 12:37 - 00049944 _____ () C:\Windows\system32\Drivers\aswRvrt.sys
2014-12-06 15:14 - 2014-11-05 12:37 - 00024184 _____ () C:\Windows\system32\Drivers\aswHwid.sys
2014-12-06 14:54 - 2014-11-09 13:44 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2014-12-06 14:54 - 2014-11-09 13:44 - 00000000 ____D () C:\Program Files\Malwarebytes Anti-Malware
2014-11-21 06:14 - 2014-11-09 13:44 - 00075480 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
2014-11-21 06:14 - 2014-11-09 13:44 - 00051928 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
2014-11-21 06:14 - 2014-11-09 13:44 - 00023256 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys
2014-11-20 11:47 - 2014-11-05 12:16 - 00000000 ____D () C:\Users\diana
2014-11-13 10:43 - 2014-11-05 12:31 - 00000882 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job

Some content of TEMP:
====================
C:\Users\diana\AppData\Local\Temp\dllnt_dump.dll


==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\explorer.exe => File is digitally signed
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2014-12-05 03:48

==================== End Of Log ============================


Additional scan result of Farbar Recovery Scan Tool (x86) Version: 11-12-2014 02
Ran by diana at 2014-12-12 20:59:08
Running from C:\Users\diana\Downloads
Boot Mode: Normal
==========================================================


==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: avast! Antivirus (Enabled - Up to date) {17AD7D40-BA12-9C46-7131-94903A54AD8B}
AS: Windows Defender (Enabled - Out of date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: avast! Antivirus (Enabled - Up to date) {ACCC9CA4-9C28-93C8-4B81-AFE241D3E736}

==================== Installed Programs ======================

(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

2007 Microsoft Office Suite Service Pack 2 (SP2) (HKLM\...\{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}) (Version:  - Microsoft)
2007 Microsoft Office Suite Service Pack 2 (SP2) (Version:  - Microsoft) Hidden
Adobe Flash Player 15 Plugin (HKLM\...\Adobe Flash Player Plugin) (Version: 15.0.0.246 - Adobe Systems Incorporated)
Adobe Photoshop CS3 (HKLM\...\Adobe_2ac78060bc5856b0c1cf873bb919b58) (Version: 10.0 - Adobe Systems Incorporated)
Adobe Photoshop Elements 5.0 (HKLM\...\Adobe Photoshop Elements 5) (Version: 5.0 - Adobe Systems Inc.)
Adobe Reader XI (11.0.09) (HKLM\...\{AC76BA86-7AD7-1033-7B44-AB0000000001}) (Version: 11.0.09 - Adobe Systems Incorporated)
Avast Free Antivirus (HKLM\...\Avast) (Version: 10.0.2208 - AVAST Software)
CCleaner (HKLM\...\CCleaner) (Version: 4.19 - Piriform)
CorelDRAW Graphics Suite X5 - Capture (Version: 15.0 - Corel Corporation) Hidden
CorelDRAW Graphics Suite X5 - Common (Version: 15.0 - Corel Corporation) Hidden
CorelDRAW Graphics Suite X5 - Connect (Version: 15.0 - Corel Corporation) Hidden
CorelDRAW Graphics Suite X5 - Custom Data (Version: 15.0 - Corel Corporation) Hidden
CorelDRAW Graphics Suite X5 - Draw (Version: 15.0 - Corel Corporation) Hidden
CorelDRAW Graphics Suite X5 - EN (Version: 15.0 - Corel Corporation) Hidden
CorelDRAW Graphics Suite X5 - Filters (Version: 15.0 - Corel Corporation) Hidden
CorelDRAW Graphics Suite X5 - FontNav (Version: 15.0 - Corel Corporation) Hidden
CorelDRAW Graphics Suite X5 - IPM (Version: 15.0 - Corel Corporation) Hidden
CorelDRAW Graphics Suite X5 - PHOTO-PAINT (Version: 15.0 - Corel Corporation) Hidden
CorelDRAW Graphics Suite X5 - Photozoom Plugin (Version: 15.0 - Corel Corporation) Hidden
CorelDRAW Graphics Suite X5 - Redist (Version: 15.0 - Corel Corporation) Hidden
CorelDRAW Graphics Suite X5 - Setup Files (Version: 15.0 - Corel Corporation) Hidden
CorelDRAW Graphics Suite X5 - VBA (Version: 15.0 - Corel Corporation) Hidden
CorelDRAW Graphics Suite X5 - VideoBrowser (Version: 15.0 - Corel Corporation) Hidden
CorelDRAW Graphics Suite X5 - VSTA (Version: 15.0 - Corel Corporation) Hidden
CorelDRAW Graphics Suite X5 - WT (Version: 15.0 -  Corel Corporation) Hidden
CorelDRAW Graphics Suite X5 (Version: 15.0 - Corel Corporation) Hidden
CorelDRAW® Graphics Suite X5 (HKLM\...\_{CE54DCE1-E00A-4D91-ACB9-A2D916C24051}) (Version: 15.0.0.486 - Corel Corporation)
ESET Online Scanner v3 (HKLM\...\ESET Online Scanner) (Version:  - )
Google Chrome (HKLM\...\{22ACCF34-7FF3-3990-B0DA-697C8A16F121}) (Version: 66.19.16495 - Google, Inc.)
Google Update Helper (Version: 1.3.25.11 - Google Inc.) Hidden
HitmanPro 3.7 (HKLM\...\HitmanPro37) (Version: 3.7.9.232 - SurfRight B.V.)
Malwarebytes Anti-Malware version 2.0.4.1028 (HKLM\...\Malwarebytes Anti-Malware_is1) (Version: 2.0.4.1028 - Malwarebytes Corporation)
Microsoft Office Enterprise 2007 (HKLM\...\ENTERPRISE) (Version: 12.0.6425.1000 - Microsoft Corporation)
Mozilla Firefox 34.0.5 (x86 en-US) (HKLM\...\Mozilla Firefox 34.0.5 (x86 en-US)) (Version: 34.0.5 - Mozilla)
Mozilla Maintenance Service (HKLM\...\MozillaMaintenanceService) (Version: 33.0.2 - Mozilla)
PDF Settings (Version: 1.0 - Adobe Systems Incorporated) Hidden
Skype™ 6.21 (HKLM\...\{1845470B-EB14-4ABC-835B-E36C693DC07D}) (Version: 6.21.104 - Skype Technologies S.A.)
VLC media player (HKLM\...\VLC media player) (Version: 2.1.5 - VideoLAN)
Winamp (HKLM\...\Winamp) (Version: 5.666  - Nullsoft, Inc)
WinRAR 5.11 (32-bit) (HKLM\...\WinRAR archiver) (Version: 5.11.0 - win.rar GmbH)

==================== Custom CLSID (selected items): ==========================

(If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)


==================== Restore Points  =========================

12-12-2014 07:53:32 Scheduled Checkpoint

==================== Hosts content: ==========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2009-07-14 04:04 - 2009-06-10 23:39 - 00000824 ____A C:\Windows\system32\Drivers\etc\hosts

==================== Scheduled Tasks (whitelisted) =============

(If an entry is included in the fixlist, it will be removed from registry. Any associated file could be listed separately to be moved.)

Task: {0619A651-9FFB-494E-9704-F55B809D730B} - System32\Tasks\avast! Emergency Update => C:\Program Files\AVAST Software\Avast\AvastEmUpdate.exe [2014-12-06] (AVAST Software)
Task: {328D3299-B531-4631-A72B-FFABC436367A} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files\Google\Update\GoogleUpdate.exe [2014-11-05] (Google Inc.)
Task: {529FEF0D-C726-41A8-8A5B-9C0278D2F3EE} - System32\Tasks\CCleanerSkipUAC => C:\Program Files\CCleaner\CCleaner.exe [2014-10-30] (Piriform Ltd)
Task: {7B800474-EF3D-4188-A598-967D62B313CC} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2014-12-10] (Adobe Systems Incorporated)
Task: {D326F490-9E12-485C-98E1-433D474A464E} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files\Google\Update\GoogleUpdate.exe [2014-11-05] (Google Inc.)

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files\Google\Update\GoogleUpdate.exe

==================== Loaded Modules (whitelisted) =============

2014-12-11 13:40 - 2014-12-11 13:40 - 02905600 _____ () C:\Program Files\AVAST Software\Avast\defs\14121100\algo.dll
2006-12-22 07:31 - 2006-12-22 07:31 - 00108712 _____ () C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
2014-12-06 15:14 - 2014-12-06 15:14 - 38562088 _____ () C:\Program Files\AVAST Software\Avast\libcef.dll
2014-12-09 12:32 - 2014-12-09 12:33 - 03758192 _____ () C:\Program Files\Mozilla Firefox\mozjs.dll

==================== Alternate Data Streams (whitelisted) =========

(If an entry is included in the fixlist, only the Alternate Data Streams will be removed.)


==================== Safe Mode (whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)


==================== EXE Association (whitelisted) =============

(If an entry is included in the fixlist, the default will be restored. None default entries will be removed.)


==================== MSCONFIG/TASK MANAGER disabled items =========

(Currently there is no automatic fix for this section.)

MSCONFIG\startupreg: Adobe Photo Downloader => "C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe"

========================= Accounts: ==========================

Administrator (S-1-5-21-1551030260-678294276-1226032098-500 - Administrator - Disabled)
diana (S-1-5-21-1551030260-678294276-1226032098-1000 - Administrator - Enabled) => C:\Users\diana
Guest (S-1-5-21-1551030260-678294276-1226032098-501 - Limited - Disabled)

==================== Faulty Device Manager Devices =============

Name: H:\
Description: R5C822
Class Guid: {eec5ad98-8080-425f-922a-dabf3de3f69a}
Manufacturer: Microsoft
Service: WUDFRd
Problem: : Windows has stopped this device because it has reported problems. (Code 43)
Resolution: One of the drivers controlling the device notified the operating system that the device failed in some manner. For more information about how to diagnose the problem, see the hardware documentation.


==================== Event log errors: =========================

Application errors:
==================
Error: (12/08/2014 05:06:12 PM) (Source: EventSystem) (EventID: 4621) (User: )
Description: 80070005EventSystem.EventSubscription{CEB8B221-89C5-41A8-98CE-79B413BF150B}-{00000000-0000-0000-0000-000000000000}-{00000000-0000-0000-0000-000000000000}SENS Logon Subscription

Error: (12/06/2014 03:15:43 PM) (Source: EventSystem) (EventID: 4621) (User: )
Description: 80070005EventSystem.EventSubscription{CEB8B221-89C5-41A8-98CE-79B413BF150B}-{00000000-0000-0000-0000-000000000000}-{00000000-0000-0000-0000-000000000000}SENS Logon Subscription

Error: (12/06/2014 03:13:18 PM) (Source: VSS) (EventID: 8194) (User: )
Description: Volume Shadow Copy Service error: Unexpected error querying for the IVssWriterCallback interface.  hr = 0x80070005, Access is denied.
.
This is often caused by incorrect security settings in either the writer or requestor process.


Operation:
   Gathering Writer Data

Context:
   Writer Class Id: {e8132975-6f93-4464-a53e-1050253ae220}
   Writer Name: System Writer
   Writer Instance ID: {e0cfcb81-83a6-483d-a368-c3639beaff92}

Error: (12/02/2014 10:25:49 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: plugin-container.exe, version: 33.1.0.5423, time stamp: 0x545c0a59
Faulting module name: mozalloc.dll, version: 33.1.0.5423, time stamp: 0x545be5ee
Exception code: 0x80000003
Fault offset: 0x00001425
Faulting process id: 0x13c8
Faulting application start time: 0xplugin-container.exe0
Faulting application path: plugin-container.exe1
Faulting module path: plugin-container.exe2
Report Id: plugin-container.exe3

Error: (12/02/2014 10:25:48 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program firefox.exe version 33.1.0.5423 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.

Process ID: bd0

Start Time: 01d00d612faf420f

Termination Time: 1296

Application Path: C:\Program Files\Mozilla Firefox\firefox.exe

Report Id: 5e0dabbe-7a61-11e4-9253-0019b96712cf

Error: (11/26/2014 03:23:26 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: FlashPlayerPlugin_15_0_0_239.exe, version: 15.0.0.239, time stamp: 0x546d18b1
Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000
Exception code: 0xc0000005
Fault offset: 0x00000000
Faulting process id: 0x141c
Faulting application start time: 0xFlashPlayerPlugin_15_0_0_239.exe0
Faulting application path: FlashPlayerPlugin_15_0_0_239.exe1
Faulting module path: FlashPlayerPlugin_15_0_0_239.exe2
Report Id: FlashPlayerPlugin_15_0_0_239.exe3

Error: (11/22/2014 11:34:56 AM) (Source: Microsoft-Windows-CAPI2) (EventID: 4101) (User: )
Description: Failed auto update retrieval of third-party root certificate from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/B51C067CEE2B0C3DF855AB2D92F4FE39D4E70F0E.crt> with error: The specified server cannot perform the requested operation.
.

Error: (11/22/2014 11:34:42 AM) (Source: Microsoft-Windows-CAPI2) (EventID: 4101) (User: )
Description: Failed auto update retrieval of third-party root certificate from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/B51C067CEE2B0C3DF855AB2D92F4FE39D4E70F0E.crt> with error: The specified server cannot perform the requested operation.
.

Error: (11/22/2014 11:34:30 AM) (Source: Microsoft-Windows-CAPI2) (EventID: 4101) (User: )
Description: Failed auto update retrieval of third-party root certificate from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/B51C067CEE2B0C3DF855AB2D92F4FE39D4E70F0E.crt> with error: The specified server cannot perform the requested operation.
.

Error: (11/22/2014 11:34:22 AM) (Source: Microsoft-Windows-CAPI2) (EventID: 4101) (User: )
Description: Failed auto update retrieval of third-party root certificate from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/B51C067CEE2B0C3DF855AB2D92F4FE39D4E70F0E.crt> with error: This operation returned because the timeout period expired.
.


System errors:
=============
Error: (12/12/2014 01:53:53 PM) (Source: Tcpip) (EventID: 4199) (User: )
Description: The system detected an address conflict for IP address 192.168.1.3 with the system
having network hardware address 00-19-7E-47-DC-F6. Network operations on this system may
be disrupted as a result.

Error: (12/12/2014 05:19:07 AM) (Source: Microsoft-Windows-HAL) (EventID: 12) (User: )
Description: The platform firmware has corrupted memory across the previous system power transition.  Please check for updated firmware for your system.

Error: (12/12/2014 05:14:25 AM) (Source: Disk) (EventID: 7) (User: )
Description: The device, \Device\Harddisk0\DR0, has a bad block.

Error: (12/11/2014 09:37:30 AM) (Source: DCOM) (EventID: 10010) (User: )
Description: {4EB61BAC-A3B6-4760-9581-655041EF4D69}

Error: (12/10/2014 10:00:59 PM) (Source: volsnap) (EventID: 36) (User: )
Description: The shadow copies of volume C: were aborted because the shadow copy storage could not grow due to a user imposed limit.

Error: (12/10/2014 03:26:26 PM) (Source: Microsoft-Windows-HAL) (EventID: 12) (User: )
Description: The platform firmware has corrupted memory across the previous system power transition.  Please check for updated firmware for your system.

Error: (12/10/2014 02:16:02 PM) (Source: Disk) (EventID: 7) (User: )
Description: The device, \Device\Harddisk0\DR0, has a bad block.

Error: (12/10/2014 11:59:45 AM) (Source: Microsoft-Windows-HAL) (EventID: 12) (User: )
Description: The platform firmware has corrupted memory across the previous system power transition.  Please check for updated firmware for your system.

Error: (12/10/2014 00:59:56 AM) (Source: volsnap) (EventID: 36) (User: )
Description: The shadow copies of volume C: were aborted because the shadow copy storage could not grow due to a user imposed limit.

Error: (12/09/2014 03:10:20 PM) (Source: Disk) (EventID: 7) (User: )
Description: The device, \Device\Harddisk0\DR0, has a bad block.


Microsoft Office Sessions:
=========================

==================== Memory info ===========================

Processor: AMD Turion™ 64 X2 Mobile Technology TL-52
Percentage of memory in use: 93%
Total physical RAM: 894.05 MB
Available physical RAM: 60.32 MB
Total Pagefile: 2415.05 MB
Available Pagefile: 1012.57 MB
Total Virtual: 2047.88 MB
Available Virtual: 1897.66 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:29.19 GB) (Free:13.2 GB) NTFS
Drive d: (Diana Local Disk) (Fixed) (Total:29.29 GB) (Free:2.88 GB) NTFS
Drive e: (Diana Local Disk) (Fixed) (Total:53.19 GB) (Free:7.69 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 111.8 GB) (Disk ID: 00000080)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=29.2 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=82.5 GB) - (Type=OF Extended)

==================== End Of Log ============================


Edited by Lorelai001, 12 December 2014 - 02:11 PM.



#2 Lorelai001

Lorelai001
  • Topic Starter

  • Members
  • 37 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:09:44 PM

Posted 15 December 2014 - 12:35 PM

I also ran aswMBR and it apparently detected a Rootkit.TDSS.v2 / ZeroAccess Rootkit 
This is the log from aswMBR. Please help me!!

aswMBR version 1.0.1.2252 Copyright© 2014 AVAST Software
Run date: 2014-12-15 18:18:13
-----------------------------
18:18:13.735    OS Version: Windows 6.1.7600
18:18:13.735    Number of processors: 2 586 0x4802
18:18:13.750    ComputerName: DIANA-PC  UserName: diana
18:18:15.469    Initialize success
18:18:15.516    VM: initialized successfully
18:18:15.547    VM: Amd CPU virtualization not supported
18:18:21.719    AVAST engine defs: 14121500
18:18:32.719    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
18:18:32.719    Disk 0 Vendor: SAMSUNG_HM120JI YF100-15 Size: 114473MB BusType: 3
18:18:32.735    Disk 1  \Device\Harddisk1\DR1 -> \Device\0000006b
18:18:32.750    Disk 1 Vendor: RICOH 01 Size: 114473MB BusType: 0
18:18:32.891    Disk 0 MBR read successfully
18:18:32.891    Disk 0 MBR scan
18:18:32.922    Disk 0 Windows 7 default MBR code
18:18:32.938    Disk 0 Partition 1 80 (A) 07    HPFS/NTFS NTFS          100 MB offset 2048
18:18:32.954    Disk 0 Boot: NTFS     code=2
18:18:33.000    Disk 0 Partition 2 00     07    HPFS/NTFS NTFS        29895 MB offset 206848
18:18:33.016    Disk 0 Partition - 00     0F Extended LBA             84466 MB offset 61432560
18:18:33.047    Disk 0 Partition 3 00     07    HPFS/NTFS NTFS        29996 MB offset 61432623
18:18:33.063    Disk 0 Partition - 00     05     Extended             54470 MB offset 122865120
18:18:33.079    Disk 0 Partition 4 00     07    HPFS/NTFS NTFS        54470 MB offset 122865183
18:18:33.094    Disk 0 scanning sectors +234420480
18:18:33.204    Disk 0 scanning C:\Windows\system32\drivers
18:18:43.954    Service scanning
18:19:06.329    Modules scanning
18:19:06.329    Disk 0 trace - called modules:
18:19:06.344    ntkrnlpa.exe CLASSPNP.SYS disk.sys ataport.SYS halmacpi.dll amdide.sys
18:19:06.344    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x85244138]
18:19:06.344    3 CLASSPNP.SYS[86fb059e] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0x85169908]
18:19:08.125    AVAST engine scan C:\Windows
18:19:09.672    AVAST engine scan C:\Windows\system32
18:21:28.125    AVAST engine scan C:\Windows\system32\drivers
18:21:41.469    AVAST engine scan C:\Users\diana
18:24:27.063    AVAST engine scan C:\ProgramData
18:25:49.641    Disk 0 statistics 2146661/0/0 @ 3.84 MB/s
18:25:49.657    Scan finished successfully
18:26:29.922    Disk 0 MBR has been saved successfully to "C:\Users\diana\Desktop\MBR.dat"
18:26:29.938    The log file has been saved successfully to "C:\Users\diana\Desktop\aswMBR.txt"


JunkWare Removal Tool log:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.4.0 (11.29.2014:1)
OS: Windows 7 Ultimate x86
Ran by diana on Mon 12/15/2014 at 19:39:44.45
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

~~~ Services


~~~ Registry Values


~~~ Registry Keys


~~~ Files


~~~ Folders


~~~ FireFox

Emptied folder: C:\Users\diana\AppData\Roaming\mozilla\firefox\profiles\o4etf1a5.default\minidumps [13 files]

~~~ Event Viewer Logs were cleared

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Mon 12/15/2014 at 19:45:44.06
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

I also noticed that on   C:\Users\diana\AppData\     there is a user account that says there is an unknown user/account that starts with S-1-5-21 ..... ... and ends with 1001. I really don't know what that is about. It was not there before.

HijackThis scan log:
Logfile of Trend Micro HijackThis v2.0.5
Scan saved at 10:21:43 PM, on 12/15/2014
Platform: Windows 7  (WinNT 6.00.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16385)

FIREFOX: 34.0.5 (x86 en-US)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskhost.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\AVAST Software\Avast\avastui.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Users\diana\Downloads\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: avast! Online Security - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [AvastUI.exe] "C:\Program Files\AVAST Software\Avast\AvastUI.exe" /nogui
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O10 - Broken Internet access because of LSP provider 'c:\program files\bonjour\mdnsnsp.dll' missing
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: SAS Core Service (!SASCORE) - SUPERAntiSpyware.com - C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
O23 - Service: Adobe Acrobat Update Service (AdobeARMservice) - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\AVAST Software\Avast\AvastSvc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Mozilla Maintenance Service (MozillaMaintenance) - Mozilla Foundation - C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe

--
End of file - 4169 bytes

HijackThis:  For some reason system denied write access to the Hosts file. If any hijacked domains are in this file, HijackThis may not be able to fix this.
C:\Windows\System32\etc\hosts

I used Zeroaccess Trojan removal tool from AVG and it found two infected files that it deleted:
C:\Windows\system32\pxcpyi64.exe
C\windows\system32\pxinsi64.exe

However, all the other above reports remain unchanged.

Security Check scan log:

 Results of screen317's Security Check version 0.99.93  
 Windows 7  x86 (UAC is enabled)  
 Out of date service pack!!
``````````````Antivirus/Firewall Check:``````````````
 Windows Firewall Enabled!  
avast! Antivirus   
 Antivirus up to date!   
`````````Anti-malware/Other Utilities Check:`````````
 SUPERAntiSpyware     
 CCleaner     
 Adobe Flash Player     16.0.0.235  
 Adobe Reader XI  
 Mozilla Firefox (34.0.5)
 Google Chrome (39.0.2171.71)
 Google Chrome (39.0.2171.95)
````````Process Check: objlist.exe by Laurent````````  
 AVAST Software Avast AvastSvc.exe  
 AVAST Software Avast avastui.exe  
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C: 1%
````````````````````End of Log``````````````````````


Edited by Lorelai001, 15 December 2014 - 04:17 PM.


#3 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,285 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Bulgaria
  • Local time:08:44 PM

Posted 17 December 2014 - 05:48 AM

Hello! Welcome to BleepingComputer Forums! :welcome:
My name is Georgi and I will be helping you with your computer problems.

Before we begin, please note the following:

  • I will be working on your malware issues; this may or may not solve other issues you have with your machine.
  • The logs can take some time to research, so please be patient with me.
  • Stay with the topic until I tell you that your system is clean. Missing symptoms does not mean that everything is okay.
  • Instructions that I give are for your system only!
  • Please do not run any tools until requested! The reason for this is so I know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.
  • Please perform all steps in the order received. If you can't understand something, don't hesitate to ask.
  • Again I would like to remind you to make no further changes to your computer unless I direct you to do so. I will not help you if you do not follow my instructions.

 

This look like a false positive:

 

Win32Evo-gen[susp]
SVC:Bonjour Service>
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Bonjour\mdnsNSP.dll

 

The program is legit and comes with QuickTime, Adobe and other applications.

RogueKiller and FRST logs are both clean.

I didn't notice any malware in the aswMBR log either! I don't know where you saw that:

I also ran aswMBR and it apparently detected a Rootkit.TDSS.v2 / ZeroAccess Rootkit

I also noticed that on   C:\Users\diana\AppData\     there is a user account that says there is an unknown user/account that starts with S-1-5-21 ..... ... and ends with 1001. I really don't know what that is about. It was not there before.

I didn't notice other user accounts in your system:

Administrator (S-1-5-21-1551030260-678294276-1226032098-500 - Administrator - Disabled)
diana (S-1-5-21-1551030260-678294276-1226032098-1000 - Administrator - Enabled) => C:\Users\diana
Guest (S-1-5-21-1551030260-678294276-1226032098-501 - Limited - Disabled)

The accounts folders are created here: C:\Users

and not in C:\Users\diana or C:\Users\diana\AppData...

The folder was last accessed or modified a month ago:
2014-11-20 11:47 - 2014-11-05 12:16 - 00000000 ____D () C:\Users\diana

I used Zeroaccess Trojan removal tool from AVG and it found two infected files that it deleted:
C:\Windows\system32\pxcpyi64.exe
C\windows\system32\pxinsi64.exe

These look like false positives as well:

http://www.herdprotect.com/pxinsi64.exe-dd032f719e866e48579b7ea0403d54274aa5c6ac.aspx

http://www.herdprotect.com/pxcpyi64.exe-5c9c31e1fb9a03cf623e133fccb5d30fbe46f570.aspx

HijackThis:  For some reason system denied write access to the Hosts file. If any hijacked domains are in this file, HijackThis may not be able to fix this.
C:\Windows\System32\etc\hosts

Run Hosts-perm.bat to reset the permissions of the file.

Your system looks malware-free but there are other errors requiring your attention:

System errors:
=============
Error: (12/12/2014 01:53:53 PM) (Source: Tcpip) (EventID: 4199) (User: )
Description: The system detected an address conflict for IP address 192.168.1.3 with the system
having network hardware address 00-19-7E-47-DC-F6. Network operations on this system may
be disrupted as a result.

This occurs when two computers on the same LAN end up with the same IP address.

Error: (12/12/2014 05:19:07 AM) (Source: Microsoft-Windows-HAL) (EventID: 12) (User: )
Description: The platform firmware has corrupted memory across the previous system power transition.  Please check for updated firmware for your system.

You may need to update your BIOS, or, to avoid the problem, be sure to shut down the system instead of putting the computer to sleep.

Error: (12/12/2014 05:14:25 AM) (Source: Disk) (EventID: 7) (User: )
Description: The device, \Device\Harddisk0\DR0, has a bad block.

I would run a chkdsk to scan for bad sectors:

Run CHKDSK to check for disk errors

  • Click Start => go to RUN and type in cmd and then hit Enter.
  • At the command prompt, copy and paste the following command chkdsk c: /x /f /r and then press Enter.
  • If you are prompted to schedule CHKDSK to run the next time the computer restarts (because CHKDSK may be unable to gain exclusive access to the drive under Windows), type the following text y, and then press Enter.
  • At the command prompt, type exit and then press Enter.
  • Restart your computer. While Windows is loading, CHKDSK should automatically run and check the drive that you specified earlier.
    This process can take up to an hour!
  • When all is done and you are back into normal mode click Start => Run and type in eventvwr.msc and then hit Enter.
  • Once Event Viewer is open, select Windows logs => Application  => The 3rd column of information in the right-hand pane is titled Source, click on the word Source at the top of the column to sort by that column.
  • Scroll through the Source column to find the most recent entry titled WinInit and id of 1001.
  • Double-click WinInit to open the CHKDSK results.
  • Click on the Copy button and post the result in your next reply.

Error: (12/10/2014 10:00:59 PM) (Source: volsnap) (EventID: 36) (User: )
Description: The shadow copies of volume C: were aborted because the shadow copy storage could not grow due to a user imposed limit.

You may need to increase the space allocated for System Restore:

https://social.technet.microsoft.com/Forums/windows/en-US/09124e99-d6a3-46d5-bf01-188aefe2115c/shadow-copy-issue

http://blogs.technet.com/b/win7/archive/2011/02/16/restore-points-lost-after-system-rebooting.aspx

Windows 7  x86 (UAC is enabled)  
Out of date service pack!!

You should consider installing Service Pack 1 and all available updates:

Learn how to install Windows 7 Service Pack 1 (SP1)

Regards,

Georgi
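The evidence-gathering half of the CHKDSK procedure above (finding the WinInit 1001 entry and the Disk event 7 errors in Event Viewer) can be scripted. This is an added PowerShell example, not a tool from the thread or from Georgi; it assumes Windows PowerShell 3.0 or later and that the Wininit source is registered under the provider name Microsoft-Windows-Wininit.

```powershell
# Added example, not from the thread. Collects the two things Georgi asks for
# after the reboot-time CHKDSK: the CHKDSK summary that Windows logs to the
# Application log (Event Viewer source "Wininit", event ID 1001) and the
# "bad block" errors (source "Disk", event ID 7) that prompted the scan.
# Assumes Windows PowerShell 3.0 or later. The provider name
# "Microsoft-Windows-Wininit" is assumed to be how the Wininit source is registered.

function Get-ChkdskResult {
    # Returns the most recent CHKDSK summaries, newest first (default: only the last one).
    param([int]$MaxEvents = 1)

    $filter = @{
        LogName      = 'Application'
        ProviderName = 'Microsoft-Windows-Wininit'
        Id           = 1001
    }
    # Get-WinEvent reports an error when nothing matches; treat that as "no result yet".
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                TimeCreated = $_.TimeCreated
                Summary     = $_.Message
            }
        }
}

function Get-BadBlockEvents {
    # Returns Disk event 7 ("has a bad block") records from the System log for the
    # last $Days days, grouped per device so a recurring sector problem stands out.
    param([int]$Days = 30)

    $since = (Get-Date).AddDays(-$Days)
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7; StartTime = $since } -ErrorAction SilentlyContinue |
        Where-Object { $_.ProviderName -ieq 'disk' } |
        ForEach-Object {
            # Message text is "The device, \Device\Harddisk0\DR0, has a bad block."
            $device = if ($_.Message -match '\\Device\\[^,\s]+') { $Matches[0] } else { '(unknown)' }
            [pscustomobject]@{ TimeCreated = $_.TimeCreated; Device = $device }
        } |
        Group-Object -Property Device |
        ForEach-Object {
            $sorted = @($_.Group | Sort-Object TimeCreated)
            [pscustomobject]@{
                Device    = $_.Name
                Count     = $_.Count
                FirstSeen = $sorted[0].TimeCreated
                LastSeen  = $sorted[-1].TimeCreated
            }
        }
}

function Get-DiskHealthReport {
    # Plain-text report of both, ready to paste into a reply.
    param([int]$Days = 30)

    $badBlocks = @(Get-BadBlockEvents -Days $Days)
    $chkdsk    = Get-ChkdskResult -MaxEvents 1

    $lines = @("=== Disk event 7 (bad block) in the last $Days days ===")
    if ($badBlocks.Count -eq 0) {
        $lines += 'none'
    } else {
        foreach ($b in $badBlocks) {
            $lines += ('{0}: {1} event(s), first {2}, last {3}' -f $b.Device, $b.Count, $b.FirstSeen, $b.LastSeen)
        }
    }
    $lines += ''
    $lines += '=== Most recent CHKDSK result (Wininit 1001) ==='
    if ($chkdsk) {
        $lines += "Logged at $($chkdsk.TimeCreated)"
        $lines += $chkdsk.Summary
    } else {
        $lines += 'no CHKDSK result found; the scheduled scan may not have run yet'
    }
    $lines -join [Environment]::NewLine
}

# Usage, from an elevated PowerShell prompt once Windows has rebooted and CHKDSK has run:
#   Get-DiskHealthReport            # print the report
#   Get-DiskHealthReport | clip     # or copy it straight to the clipboard with clip.exe
```

The CHKDSK itself is still scheduled the way the steps above describe; the script only reads the results afterwards, so it changes nothing on the disk.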


#4 Lorelai001

Lorelai001
  • Topic Starter

  • Members
  • 37 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:09:44 PM

Posted 17 December 2014 - 03:50 PM

Hello Georgi!
Thank you so much for answering, I was really nervous! I really have a fright about viruses and try to keep safe! This operating system was installed almost two months ago and I got some viruses when I installed uTorrent, so I uninstalled it immediately and scanned the system. Eset online scanner found something and it was deleted. I got alarmed at the false positive from AVAST about Bonjour Service recently. That was installed in the beginning, but AVAST did not detect it as suspicious. I ran numerous scans with different antivirus/antimalware and nothing. This was until I ran aswMBR, Rogue Killer and HijackThis. I did not know what the results meant, so I googled them and wherever I clicked, it was talk about rootkits, ZeroAccess Trojan, RAMNIT.

I thought this actually meant a Master Boot Record infection:
Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0

This led me to many ZeroAcces Trojan forum discussions:
18:19:06.344    ntkrnlpa.exe CLASSPNP.SYS disk.sys ataport.SYS halmacpi.dll amdide.sys
18:19:06.344    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x85244138]
18:19:06.344    3 CLASSPNP.SYS[86fb059e] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0x85169908

And when I read about this, I googled ''Search Assistant'' and it said it was bad and I thought the same about the ProxyOverride

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

When it comes to accounts, I also see Diana and Guest in the User Accounts in control Panel. However, if I go to
C:\Users\Diana\AppData  and right-click inside folder >Properties>Security, under Groups and User Names I see Diana, Administrator, System and then Unknown Account(S-1-5-21-1551....)   -->As you can see in the uploaded Untitled.PNG, that has special permissions.
In certain other sections of C, if I do the same process, then I can see  Diana, Administrator, System, Everyone else, CREATOR OWNER
No, I have not created or deleted any Users.

http://s14.postimg.org/5pgb1o4gx/Untitled.jpg

In my search for a solution to ZeroAccess, I came across a youtube video, where before the Rogue Killer, the user used a tool, called PowerTool 4.5.0 (anti rootkit, bootkit, antivirus), which would supposedly point out the infection where the ZeroAccess is. It pointed similar files when it came to my computer. He also said some of those are fake (updates) and not signed.  And I found that for some Google Update and others.  (See attachment: Services not signed.jpg, Startup services not signed.jpg). I can't write the youtube link here, this site won't let me post. Those below are screenshots of this program, just like in the video.

http://s27.postimg.org/8198di8pf/Services_not_signed.jpg
http://s9.postimg.org/57mj80e9b/Startup_services_not_signed.jpg

But what really worried me is the markings in red on a lot of my files (Attachment: Files Marked Red.jpg)
I did not know what the 26 bit size title copy of the images meant.
For example:
c26.tif
c.26tif:Zone.Identifier    (marked red, 26bit, Property ADS Stream)

http://s22.postimg.org/qn2o1cf9d/Files_marked_red.jpg

I read how even pictures can get infected and a virus can use those to transfer itself.
These are not just any pictures, but my work, as I work with images and they are essential in my job.
That was my biggest worry and I was so frightened I had no way to get rid of the virus and that it had attached to my work.
But, unlike in his video, Rogue Killer found on my computer the initial result I posted, and did not point ''ZeroAccess'' at processes.

I read all sorts of gloomy scenarios, but I needed an opinion from a specialist, to clarify all this, that I thought to be a virus. To be infection free would really be the prettiest Christmas gift for me!

Edited by Lorelai001, 17 December 2014 - 04:24 PM.


#5 Lorelai001

Lorelai001
  • Topic Starter

  • Members
  • 37 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:09:44 PM

Posted 17 December 2014 - 04:09 PM

Hello! Welcome to BleepingComputer Forums! :welcome:
My name is Georgi and I will be helping you with your computer problems.

HijackThis:  For some reason system denied write access to the Hosts file. If any hijacked domains are in this file, HijackThis may not be able to fix this.
C:\Windows\System32\etc\hosts

Run Hosts-perm.bat to reset the permissions of the file.

Earlier today, before this reply, I installed Spybot Search and Destroy and when I ran HijackThis again, I did not get that warning anymore. I ran Spybot in SafeMode with Networking and for some reason the mouse pointer started shivering badly on the screen, moving, then it stopped. When I put my hand on the mouse, the pointer would be dead and not move. When I restarted in Normal mode, it got back to normal.

Your system looks malware-free but there are other errors requiring your attention:

System errors:
=============
Error: (12/12/2014 01:53:53 PM) (Source: Tcpip) (EventID: 4199) (User: )
Description: The system detected an address conflict for IP address 192.168.1.3 with the system
having network hardware address 00-19-7E-47-DC-F6. Network operations on this system may
be disrupted as a result.

This occurs when two computers on the same LAN end up with the same IP address.

I don't know what to do about this.

Error: (12/12/2014 05:19:07 AM) (Source: Microsoft-Windows-HAL) (EventID: 12) (User: )
Description: The platform firmware has corrupted memory across the previous system power transition.  Please check for updated firmware for your system.

You may need to update your BIOS, or, to avoid the problem, be sure to shut down the system instead of putting the computer to sleep.

Got that. Can BIOS be updated independently of Windows? I mean not having to reinstall Windows if BIOS is updated.

Error: (12/12/2014 05:14:25 AM) (Source: Disk) (EventID: 7) (User: )
Description: The device, \Device\Harddisk0\DR0, has a bad block.

I would run a chkdsk to scan for bad sectors:

Run CHKDSK to check for disk errors

  • Click Start => go to RUN and type in cmd and then hit Enter.
  • At the command prompt, copy and paste the following command chkdsk c: /x /f /r and then press Enter.
  • If you are prompted to schedule CHKDSK to run the next time the computer restarts (because CHKDSK may be unable to gain exclusive access to the drive under Windows), type the following text y, and then press Enter.
  • At the command prompt, type exit and then press Enter.
  • Restart your computer. While Windows is loading, CHKDSK should automatically run and check the drive that you specified earlier.
    This process can take up to an hour!
  • When all is done and you are back into normal mode click Start => Run and type in eventvwr.msc and then hit Enter.
  • Once Event Viewer is open, select Windows logs => Application  => The 3rd column of information in the right-hand pane is titled Source, click on the word Source at the top of the column to sort by that column.
  • Scroll through the Source column to find the most recent entry titled WinInit and id of 1001.
  • Double-click WinInit to open the CHKDSK results.
  • Click on the Copy button and post the result in your next reply.

Error: (12/10/2014 10:00:59 PM) (Source: volsnap) (EventID: 36) (User: )
Description: The shadow copies of volume C: were aborted because the shadow copy storage could not grow due to a user imposed limit.

You may need to increase the space allocated for System Restore:

https://social.technet.microsoft.com/Forums/windows/en-US/09124e99-d6a3-46d5-bf01-188aefe2115c/shadow-copy-issue

http://blogs.technet.com/b/win7/archive/2011/02/16/restore-points-lost-after-system-rebooting.aspx

Windows 7  x86 (UAC is enabled)  
Out of date service pack!!

You should consider installing Service Pack 1 and all available updates:

Learn how to install Windows 7 Service Pack 1 (SP1)

Regards,

Georgi

For the rest of the recommendations, I will post the rest of answers tomorrow, since now it's almost midnight (esp. since CHKDSK will take an hour almost). Again, thank you so so much!


Edited by Lorelai001, 17 December 2014 - 04:18 PM.


#6 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,285 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Bulgaria
  • Local time:08:44 PM

Posted 17 December 2014 - 05:33 PM

Hello,

I got alarmed at the false positive from AVAST about Bonjour Service recently. That was installed in the beginning, but AVAST did not detect it as suspicious


This really doesn't matter. Avast detects it with a generic detection...Avast probably started to detect it after an engine update.

You can submit the file (or report the issue) so they can fix this in the next engine update:

http://www.avast.com/contact-form.php?subject=VIRUS-FILE

I ran numerous scans with different antivirus/antimalware and nothing. This until I ran aswMBR, Rogue Killer and HijackThis. I did not know what the results meant, so I googled them and wherever I clicked, it was talk about rootkits, ZeroAccess Trojan, RAMNIT.


It's not safe to run powerful tools like aswMBR, RogueKiller, TDSSKiller, Combofix, etc. without supervision. Doing so could make your system inoperable and could require a full reinstall of your Operating System and losing all your programs and data.

These tools are effective in the right hands so if you prefer to attempt to clean the computer yourself in the future then I strongly advise you to back up the registry before beginning them in case you delete or change legitimate files, folders, registry entries or settings by mistake.

If you wish to learn how to fight malware and deal with different issues properly then I suggest you check the malware removal training programs:

http://www.bleepingcomputer.com/forums/t/532535/malware-removal-training-program/

http://www.techsupportforum.com/forums/f50/please-read-before-applying-to-join-the-academy-294775.html

http://www.geekstogo.com/geeku/

http://www.spywareinfoforum.com/topic/34-the-boot-camp-here-anti-malware-training/

The learning process of fighting malware will help you to improve your general knowledge about computers in all areas and you will understand how Windows works and how to make the best use of the features available.

When it comes to accounts, I also see Diana and Guest in the User Accounts in control Panel. However, if I go to
C:\Users\Diana\AppData  and right-click inside folder >Properties>Security, under Groups and User Names I see Diana, Administrator, System and then Unknown Account(S-1-5-21-1551....)   -->As you can see in the uploaded Untitled.PNG, that has special permissions.
In certain other sections of C, if I do the same process, then I can see  Diana, Administrator, System, Everyone else, CREATOR OWNER
No, I have not created or deleted any Users.


This is probably a leftover security setting that belongs to an account that has been deleted recently and that's why Windows is not able to retrieve the account info and show it as unknown instead. Probably nothing to worry about here.

In my search for a solution to ZeroAccess, I came across a youtube video, where before the Rogue Killer, the user used a tool, called PowerTool 4.5.0 (anti rootkit, bootkit, antivirus), which would supposedly point out the infection where the ZeroAccess is. It pointed similar files when it came to my computer. He also said some of those are fake (updates) and not signed. And I found that for some Google Update and others.  (See attachment: Services not signed.jpg, Startup services not signed.jpg).



PowerTool is an anti-rootkit utility for advanced users and trained experts. Unsigned files are not necessarily indicative of malware and also there are a large number of malware files which are digitally signed with trusted certificates...So a trained eye is needed to catch the offending code.

But what really worried me is the markings in red on a lot of my files (Attachment: Files Marked Red.jpg)
I did not know what the 26 bit size title copy of the images meant.
For example:
c26.tif
c.26tif:Zone.Identifier    (marked red, 26bit, Property ADS Stream)


Zone.Identifier streams are added by Internet Explorer and other browsers to mark files downloaded from the internet as possibly unsafe to run. User confirmation will be required before opening them. They are usually safe. Also, 26 bits of size is too small to be malicious.

 

You can find more information here.

Hope that helps! :)

Regards,

Georgi
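Added example, not part of Georgi's reply or of anything Lorelai posted: a PowerShell script (Windows PowerShell 3.0 or later, run from an elevated prompt; Windows 7 SP1 gets it through the Windows Management Framework) that checks the three items above on the local machine. It reads the Zone.Identifier stream on a file to show that the 26 is the size in bytes of the standard [ZoneTransfer]/ZoneId=3 marker, lists the ACL entries on a folder whose SID no longer resolves (the "Unknown Account(S-1-5-21-...)" Explorer shows), and reports the Authenticode status of every installed service binary. The sample file path is a placeholder.

```powershell
# Added example, not code from the thread. Assumes Windows PowerShell 3.0+ (needed for
# -Stream, -Raw and [pscustomobject]) running elevated. $SampleFile is a placeholder path.
$SampleFile = "$env:USERPROFILE\Downloads\c26.tif"

# --- 1. Zone.Identifier (Mark-of-the-Web) -----------------------------------------
# IE writes "[ZoneTransfer]`r`nZoneId=3`r`n" as an alternate data stream on every
# download; that string is exactly 26 bytes, which is the "26" PowerTool reported.
# ZoneId 3 = Internet, 4 = Restricted; 0, 1 and 2 are local, intranet and trusted.
function Get-MotwInfo {
    param([Parameter(Mandatory)][string]$Path)
    $stream = Get-Item -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if (-not $stream) {
        return [pscustomobject]@{ Path = $Path; HasMotw = $false; Bytes = 0; ZoneId = $null }
    }
    $text = Get-Content -LiteralPath $Path -Stream Zone.Identifier -Raw
    $zone = $null
    if ($text -match 'ZoneId=(\d)') { $zone = [int]$Matches[1] }
    [pscustomobject]@{ Path = $Path; HasMotw = $true; Bytes = $stream.Length; ZoneId = $zone }
}
# To drop the mark once a file is trusted:  Unblock-File -LiteralPath $SampleFile

# --- 2. ACL entries whose SID no longer resolves ------------------------------------
# Get-Acl returns an NTAccount for every SID it can translate and leaves the rest as
# raw "S-1-..." values, which Explorer shows as "Unknown Account(S-1-5-21-...)".
# A deleted local account or a profile copied from another install is the usual cause;
# S-1-15-* capability SIDs (Windows 8 and later) also show up unresolved and are benign.
function Get-OrphanedAces {
    param([Parameter(Mandatory)][string]$Path)
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        if ($ace.IdentityReference.Value -match '^S-1-') {
            [pscustomobject]@{
                Path      = $Path
                Sid       = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Type      = $ace.AccessControlType
                Inherited = $ace.IsInherited
            }
        }
    }
}

# --- 3. Authenticode status of service binaries -------------------------------------
# NotSigned is a lead, not a verdict: many legitimate third-party services are
# unsigned, some malware carries a valid signature, and on Windows 7 files signed only
# through a security catalog (most Microsoft system binaries) are reported as NotSigned
# because this cmdlet did not consult catalogs there.
function Get-ServiceSignatures {
    Get-WmiObject -Class Win32_Service | ForEach-Object {
        $cmd = [Environment]::ExpandEnvironmentVariables([string]$_.PathName)
        # Extract the executable: a quoted path, or the unquoted text up to the first
        # ".exe" so that "C:\Program Files\Bonjour\mDNSResponder.exe" is kept whole.
        $exe = $cmd
        if ($cmd -match '^\s*"([^"]+)"') { $exe = $Matches[1] }
        elseif ($cmd -match '^\s*(.+?\.exe)') { $exe = $Matches[1] }
        $status = 'FileMissing'; $signer = $null
        if ($exe -and (Test-Path -LiteralPath $exe)) {
            $sig = Get-AuthenticodeSignature -FilePath $exe
            $status = $sig.Status.ToString()   # Valid, NotSigned, HashMismatch, UnknownError
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        }
        [pscustomobject]@{
            Service   = $_.Name
            StartMode = $_.StartMode
            State     = $_.State
            Path      = $exe
            Signature = $status
            Signer    = $signer
        }
    }
}
# Services hosted in svchost.exe share that signed host; their real code is the
# ServiceDll under HKLM\SYSTEM\CurrentControlSet\Services\<name>\Parameters.

Get-MotwInfo -Path $SampleFile | Format-List
Get-OrphanedAces -Path "$env:USERPROFILE\AppData" | Format-Table -AutoSize
Get-ServiceSignatures | Where-Object { $_.Signature -ne 'Valid' } |
    Sort-Object Signature, Service | Format-Table Service, StartMode, Signature, Path -AutoSize
```

The service list is the part worth reading slowly: sort the NotSigned and FileMissing rows by path and look for binaries in user-writable locations (AppData, Temp, ProgramData) or with names imitating Windows components, rather than treating every unsigned row as a hit.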




#7 Lorelai001

Lorelai001
  • Topic Starter

  • Members
  • 37 posts
  • OFFLINE
  • Gender:Female
  • Local time:09:44 PM

Posted 18 December 2014 - 01:32 PM


Error: (12/12/2014 05:14:25 AM) (Source: Disk) (EventID: 7) (User: )
Description: The device, \Device\Harddisk0\DR0, has a bad block.

 

I would run a chkdsk to scan for bad sectors:

 

Run CHKDSK to check for disk errors

  • Click Start => go to RUN and type in cmd and then hit Enter.
  • At the command prompt, copy and paste the following command chkdsk c: /x /f /r and then press Enter.
  • If you are prompted to schedule CHKDSK to run the next time the computer restarts (because CHKDSK may be unable to gain exclusive access to the drive under Windows), type the following text y, and then press Enter.
  • At the command prompt, type exit and then press Enter.
  • Restart your computer. While Windows is loading, CHKDSK should automatically run and check the drive that you specified earlier.
    This process can take up to an hour!
  • When all is done and you are back into normal mode, click Start => Run and type in eventvwr.msc and then hit Enter.
  • Once Event Viewer is open, select Windows logs => Application => The 3rd column of information in the right-hand pane is titled Source; click on the word Source at the top of the column to sort by that column.
  • Scroll through the Source column to find the most recent entry titled WinInit and id of 1001.
  • Double-click WinInit to open the CHKDSK results.
  • Click on the Copy button and post the result in your next reply.

 

Regards,

Georgi

About the CHKDSK, I opened the cmd prompt and it did not let me run CHKDSK, so I opened it again as administrator. I copy-pasted chkdsk c: /x /f /r and did everything else, but when I restarted, nothing happened, and Windows just opened. So, I right-clicked on C:\, went to Tools and opted to run CHKDSK, but I did not check the second line from there, the scan for and attempt recovery of bad sectors.
I opened the Event Viewer and selected Windows Logs - Application
Thank you as well for the links where I can learn more about everything!  :)
Please let me know if I have to check the second option and run CHKDSK again.

CHKDSK Results

Log Name:      Application
Source:        Microsoft-Windows-Wininit
Date:          12/18/2014 7:45:47 PM
Event ID:      1001
Task Category: None
Level:         Information
Keywords:      Classic
User:          N/A
Computer:      diana-PC
Description:


Checking file system on C:
The type of the file system is NTFS.


A disk check has been scheduled.
Windows will now check the disk.                         

CHKDSK is verifying files (stage 1 of 3)...
  106240 file records processed.                                         

File verification completed.
  66 large file records processed.                                   

  0 bad file records processed.                                     

  2 EA records processed.                                           

  44 reparse records processed.                                      

CHKDSK is verifying indexes (stage 2 of 3)...
  135742 index entries processed.                                        

Index verification completed.
  0 unindexed files scanned.                                        

  0 unindexed files recovered.                                      

CHKDSK is verifying security descriptors (stage 3 of 3)...
  106240 file SDs/SIDs processed.                                        

Cleaning up 142 unused index entries from index $SII of file 0x9.
Cleaning up 142 unused index entries from index $SDH of file 0x9.
Cleaning up 142 unused security descriptors.
Security descriptor verification completed.
  14752 data files processed.                                           

CHKDSK is verifying Usn Journal...
  35754672 USN bytes processed.                                            

Usn Journal verification completed.
Windows has checked the file system and found no problems.

  30612479 KB total disk space.
  17249708 KB in 90534 files.
     51184 KB in 14753 indexes.
         0 KB in bad sectors.
    208383 KB in use by the system.
     65536 KB occupied by the log file.
  13103204 KB available on disk.

      4096 bytes in each allocation unit.
   7653119 total allocation units on disk.
   3275801 allocation units available on disk.

Internal Info:
00 9f 01 00 52 9b 01 00 44 fc 02 00 00 00 00 00  ....R...D.......
f6 00 00 00 2c 00 00 00 00 00 00 00 00 00 00 00  ....,...........
38 8d 09 00 50 01 08 00 50 01 08 00 00 00 08 00  8...P...P.......

Windows has finished checking your disk.
Please wait while your computer restarts.

Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Wininit" Guid="{206f6dea-d3c5-4d10-bc72-989f03c8b84b}" EventSourceName="Wininit" />
    <EventID Qualifiers="16384">1001</EventID>
    <Version>0</Version>
    <Level>4</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2014-12-18T17:45:47.000000000Z" />
    <EventRecordID>3356</EventRecordID>
    <Correlation />
    <Execution ProcessID="0" ThreadID="0" />
    <Channel>Application</Channel>
    <Computer>diana-PC</Computer>
    <Security />
  </System>
  <EventData>
    <Data>

Checking file system on C:
The type of the file system is NTFS.


A disk check has been scheduled.
Windows will now check the disk.                         

CHKDSK is verifying files (stage 1 of 3)...
  106240 file records processed.                                         

File verification completed.
  66 large file records processed.                                   

  0 bad file records processed.                                     

  2 EA records processed.                                           

  44 reparse records processed.                                      

CHKDSK is verifying indexes (stage 2 of 3)...
  135742 index entries processed.                                        

Index verification completed.
  0 unindexed files scanned.                                        

  0 unindexed files recovered.                                      

CHKDSK is verifying security descriptors (stage 3 of 3)...
  106240 file SDs/SIDs processed.                                        

Cleaning up 142 unused index entries from index $SII of file 0x9.
Cleaning up 142 unused index entries from index $SDH of file 0x9.
Cleaning up 142 unused security descriptors.
Security descriptor verification completed.
  14752 data files processed.                                           

CHKDSK is verifying Usn Journal...
  35754672 USN bytes processed.                                            

Usn Journal verification completed.
Windows has checked the file system and found no problems.

  30612479 KB total disk space.
  17249708 KB in 90534 files.
     51184 KB in 14753 indexes.
         0 KB in bad sectors.
    208383 KB in use by the system.
     65536 KB occupied by the log file.
  13103204 KB available on disk.

      4096 bytes in each allocation unit.
   7653119 total allocation units on disk.
   3275801 allocation units available on disk.

Internal Info:
00 9f 01 00 52 9b 01 00 44 fc 02 00 00 00 00 00  ....R...D.......
f6 00 00 00 2c 00 00 00 00 00 00 00 00 00 00 00  ....,...........
38 8d 09 00 50 01 08 00 50 01 08 00 00 00 08 00  8...P...P.......

Windows has finished checking your disk.
Please wait while your computer restarts.
</Data>
  </EventData>
</Event>


Edited by Lorelai001, 18 December 2014 - 01:42 PM.


#8 Lorelai001

Lorelai001
  • Topic Starter

  • Members
  • 37 posts
  • OFFLINE
  • Gender:Female
  • Local time:09:44 PM

Posted 18 December 2014 - 03:39 PM


Windows 7  x86 (UAC is enabled)  
Out of date service pack!!

 

You should consider installing Service Pack 1 and all available updates:

 

Learn how to install Windows 7 Service Pack 1 (SP1)

Regards,

Georgi

As for the Service Pack 1, I think that Windows only downloaded and installed the installer for that, but then nothing happened. All this took about 5 minutes. Could it be because I had selected that only updates I picked should be installed? Or because I had a tiny system restore space (275 MB)? Should I download it and install it personally from the Microsoft site?
I increased the system restore, to 2.92GB. I hope that is sufficient.


Edited by Lorelai001, 18 December 2014 - 03:51 PM.


#9 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,285 posts
  • OFFLINE
  • Gender:Male
  • Location:Bulgaria
  • Local time:08:44 PM

Posted 18 December 2014 - 04:48 PM

Hi,

 

Please re-run CHKDSK but this time please check both options.

Service Pack 1 should be available through Windows Update. Be sure to install all of the available updates. It's important to keep your Windows updated since you have a better chance of closing the security holes. You can always download and burn the ISO yourself and install it manually if needed. :)


Regards,

Georgi




#10 Lorelai001

Lorelai001
  • Topic Starter

  • Members
  • 37 posts
  • OFFLINE
  • Gender:Female
  • Local time:09:44 PM

Posted 19 December 2014 - 01:02 PM

Hi,

 

Please re-run CHKDSK but this time please check both options.

Service Pack 1 should be available through Windows Update. Be sure to install all of the available updates. It's important to keep your Windows updated since you have a better chance of closing the security holes. You can always download and burn the ISO yourself and install it manually if needed. :)


Regards,

Georgi

I think the problem for updating to Service Pack 1 was the lack of space for system restore. Once I increased that and restarted, the pack got downloaded and installed.

CHKDSK  Log Results

Log Name:      Application
Source:        Microsoft-Windows-Wininit
Date:          12/19/2014 6:41:29 PM
Event ID:      1001
Task Category: None
Level:         Information
Keywords:      Classic
User:          N/A
Computer:      diana-PC
Description:


Checking file system on C:
The type of the file system is NTFS.

A disk check has been scheduled.
Windows will now check the disk.                         

CHKDSK is verifying files (stage 1 of 5)...
  180992 file records processed.                                         

File verification completed.
  246 large file records processed.                                   

  0 bad file records processed.                                     

  2 EA records processed.                                           

  44 reparse records processed.                                      

CHKDSK is verifying indexes (stage 2 of 5)...
  222284 index entries processed.                                        

Index verification completed.
  0 unindexed files scanned.                                        

  0 unindexed files recovered.                                      

CHKDSK is verifying security descriptors (stage 3 of 5)...
  180992 file SDs/SIDs processed.                                        

Cleaning up 93 unused index entries from index $SII of file 0x9.
Cleaning up 93 unused index entries from index $SDH of file 0x9.
Cleaning up 93 unused security descriptors.
Security descriptor verification completed.
  20647 data files processed.                                           

CHKDSK is verifying Usn Journal...
  35676520 USN bytes processed.                                            

Usn Journal verification completed.
CHKDSK is verifying file data (stage 4 of 5)...
  180976 files processed.                                                

File data verification completed.
CHKDSK is verifying free space (stage 5 of 5)...
  1780416 free clusters processed.                                        

Free space verification is complete.
Adding 1 bad clusters to the Bad Clusters File.
CHKDSK discovered free space marked as allocated in the
master file table (MFT) bitmap.
CHKDSK discovered free space marked as allocated in the volume bitmap.
Windows has made corrections to the file system.

  30612479 KB total disk space.
  23109048 KB in 152386 files.
     97780 KB in 20648 indexes.
         4 KB in bad sectors.
    283983 KB in use by the system.
     65536 KB occupied by the log file.
   7121664 KB available on disk.

      4096 bytes in each allocation unit.
   7653119 total allocation units on disk.
   1780416 allocation units available on disk.

Internal Info:
00 c3 02 00 f5 a3 02 00 6a 0c 05 00 00 00 00 00  ........j.......
f7 00 00 00 2c 00 00 00 00 00 00 00 00 00 00 00  ....,...........
20 8c 32 00 50 01 31 00 50 01 31 00 00 00 31 00   .2.P.1.P.1...1.

Windows has finished checking your disk.
Please wait while your computer restarts.

Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Wininit" Guid="{206f6dea-d3c5-4d10-bc72-989f03c8b84b}" EventSourceName="Wininit" />
    <EventID Qualifiers="16384">1001</EventID>
    <Version>0</Version>
    <Level>4</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2014-12-19T16:41:29.000000000Z" />
    <EventRecordID>3917</EventRecordID>
    <Correlation />
    <Execution ProcessID="0" ThreadID="0" />
    <Channel>Application</Channel>
    <Computer>diana-PC</Computer>
    <Security />
  </System>
  <EventData>
    <Data>

Checking file system on C:
The type of the file system is NTFS.

A disk check has been scheduled.
Windows will now check the disk.                         

CHKDSK is verifying files (stage 1 of 5)...
  180992 file records processed.                                         

File verification completed.
  246 large file records processed.                                   

  0 bad file records processed.                                     

  2 EA records processed.                                           

  44 reparse records processed.                                      

CHKDSK is verifying indexes (stage 2 of 5)...
  222284 index entries processed.                                        

Index verification completed.
  0 unindexed files scanned.                                        

  0 unindexed files recovered.                                      

CHKDSK is verifying security descriptors (stage 3 of 5)...
  180992 file SDs/SIDs processed.                                        

Cleaning up 93 unused index entries from index $SII of file 0x9.
Cleaning up 93 unused index entries from index $SDH of file 0x9.
Cleaning up 93 unused security descriptors.
Security descriptor verification completed.
  20647 data files processed.                                           

CHKDSK is verifying Usn Journal...
  35676520 USN bytes processed.                                            

Usn Journal verification completed.
CHKDSK is verifying file data (stage 4 of 5)...
  180976 files processed.                                                

File data verification completed.
CHKDSK is verifying free space (stage 5 of 5)...
  1780416 free clusters processed.                                        

Free space verification is complete.
Adding 1 bad clusters to the Bad Clusters File.
CHKDSK discovered free space marked as allocated in the
master file table (MFT) bitmap.
CHKDSK discovered free space marked as allocated in the volume bitmap.
Windows has made corrections to the file system.

  30612479 KB total disk space.
  23109048 KB in 152386 files.
     97780 KB in 20648 indexes.
         4 KB in bad sectors.
    283983 KB in use by the system.
     65536 KB occupied by the log file.
   7121664 KB available on disk.

      4096 bytes in each allocation unit.
   7653119 total allocation units on disk.
   1780416 allocation units available on disk.

Internal Info:
00 c3 02 00 f5 a3 02 00 6a 0c 05 00 00 00 00 00  ........j.......
f7 00 00 00 2c 00 00 00 00 00 00 00 00 00 00 00  ....,...........
20 8c 32 00 50 01 31 00 50 01 31 00 00 00 31 00   .2.P.1.P.1...1.

Windows has finished checking your disk.
Please wait while your computer restarts.
</Data>
  </EventData>
</Event>


Issue with 403 FORBIDDEN

One thing I forgot to mention was that for some reason I have access forbidden to the site named spywarehammer dot com. I can access the site and forum from my phone. I tried to access the forum before I started a topic here and also checked today again, and this is what I got:
 

Forbidden

You don't have permission to access /simplemachinesforum/index.php on this server.

Apache Server at spywarehammer.com Port 80

I just want to check if this is something I should pay attention to or not. I opened the hosts folder C:\Windows\System32\drivers\etc and I did not see any unusual-looking file, by googling for comparison. I have a hosts file, and a backup for the hosts file. The hosts file is made by Spybot, and in the backup it is mentioned that RogueKiller reset it. In the hosts file of Spybot there were hundreds of addresses, while none in the RogueKiller backup.
I did not do any operations with RogueKiller, except the scan posted at the beginning of this thread and resetting the hosts file, prior to installing Spybot.
I also want to mention that the first hosts file scan was with HijackThis, and the program was denied access to it. I got a prompt at the beginning of the analysis about it. This prompt did not appear anymore after I ran the RogueKiller fix for the hosts file and had Spybot change the hosts file.
 


Edited by Lorelai001, 19 December 2014 - 01:06 PM.
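Added example, not part of the thread: a PowerShell triage script for the 403 question in the post above (Windows PowerShell 3.0 to 5.1; the domain is the one named in the post). It parses the hosts file and flags entries that point a name anywhere other than loopback or that mention the site, lists the DNS servers each adapter is actually using (the setting RogueKiller's PUM.Dns entries refer to), shows the user's proxy configuration, and finally asks the site itself for its status line and Server header so the local and remote evidence can be compared.

```powershell
# Added example, not code from the thread. Local-side checks for a single site that
# answers 403: hosts file, configured DNS servers, user proxy, then the live response.
# Assumes Windows PowerShell 3.0-5.1 (Invoke-WebRequest throws a WebException there).
$Domain = 'spywarehammer.com'   # the site from the post

# --- hosts file ---------------------------------------------------------------------
# Each non-comment line is "<address> <name> [<name>...]". Spybot's list maps ad and
# malware domains to 127.0.0.1, which is harmless; an entry that sends a real site
# somewhere else, or any entry for the site you cannot reach, is what to look for.
function Get-HostsEntries {
    param([string]$HostsPath = "$env:SystemRoot\System32\drivers\etc\hosts")
    foreach ($raw in Get-Content -LiteralPath $HostsPath) {
        $line = ($raw -split '#', 2)[0].Trim()
        if (-not $line) { continue }
        $parts = $line -split '\s+'
        if ($parts.Count -lt 2) { continue }
        foreach ($name in $parts[1..($parts.Count - 1)]) {
            [pscustomobject]@{ Address = $parts[0]; Name = $name }
        }
    }
}
function Find-SuspiciousHostsEntries {
    param([string]$Target)
    Get-HostsEntries | Where-Object {
        $_.Name -like "*$Target" -or $_.Address -notmatch '^(127\.|0\.0\.0\.0$|::1$)'
    }
}

# --- DNS servers in use --------------------------------------------------------------
# A resolver you did not configure (DNS-changer malware, or a router that was altered)
# can answer with any address it likes. Compare against what the ISP or router should be.
function Get-DnsServers {
    Get-WmiObject -Class Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
        Where-Object { $_.DNSServerSearchOrder } |
        ForEach-Object {
            [pscustomobject]@{
                Adapter    = $_.Description
                Dhcp       = $_.DHCPEnabled
                DnsServers = ($_.DNSServerSearchOrder -join ', ')
            }
        }
}
function Resolve-Target {
    param([string]$Name)
    try   { [System.Net.Dns]::GetHostAddresses($Name) | ForEach-Object { $_.IPAddressToString } }
    catch { "lookup failed: $($_.Exception.Message)" }
}

# --- proxy ---------------------------------------------------------------------------
# A proxy or PAC script (AutoConfigURL) planted by malware can itself answer 403 for
# sites it wants to keep you away from. (System-wide WinHTTP proxy: netsh winhttp show proxy)
function Get-UserProxySettings {
    $p = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    [pscustomobject]@{
        ProxyEnabled  = [bool]$p.ProxyEnable
        ProxyServer   = $p.ProxyServer
        AutoConfigUrl = $p.AutoConfigURL
        Override      = $p.ProxyOverride
    }
}

# --- what the far end actually says --------------------------------------------------
# A 403 body reading "Apache Server at <host>" was produced by a web server. If the
# three local checks are clean, that server (or a ban in front of it) is the source,
# which fits the same site loading from another device; if hosts/DNS/proxy are not
# clean, the "Apache" may be a different machine entirely.
function Get-HttpStatus {
    param([string]$Url)
    try {
        $r = Invoke-WebRequest -Uri $Url -UseBasicParsing -ErrorAction Stop
        [pscustomobject]@{ Url = $Url; Status = [int]$r.StatusCode; Server = $r.Headers['Server'] }
    } catch {
        $resp = $_.Exception.Response
        $status = "no response: $($_.Exception.Message)"; $server = $null
        if ($resp) { $status = [int]$resp.StatusCode; $server = $resp.Headers['Server'] }
        [pscustomobject]@{ Url = $Url; Status = $status; Server = $server }
    }
}

Find-SuspiciousHostsEntries -Target $Domain | Format-Table -AutoSize
Get-DnsServers | Format-Table -AutoSize
"$Domain resolves to: $((Resolve-Target -Name $Domain) -join ', ')"
Get-UserProxySettings | Format-List
Get-HttpStatus -Url "http://$Domain/" | Format-List
```

Run the first four checks before the last one: if the hosts file, resolver list and proxy settings are all clean and the address the machine resolves matches what another network gets, the 403 is being decided on the server side and is not a symptom of this PC.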


#11 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,285 posts
  • OFFLINE
  • Gender:Male
  • Location:Bulgaria
  • Local time:08:44 PM

Posted 21 December 2014 - 11:57 AM

Hello,

 

I think the problem for updating to Service Pack 1 was the lack of space for system restore. Once I increased that and restarted, then the pack got downloaded and installed

 

Good to know that! :thumbup2:

 

Unfortunately you have bad sectors on the drive:

 

         4 KB in bad sectors.

 

A few bad sectors on a hard drive is really not much of a concern. Chkdsk marked them out so the OS will not use them. They don't get fixed, they just don't get used. I recommend you back up your important files to an external HDD. I recommend checking the drive state often, and if you notice that the number of bad sectors is increasing, you should start looking for a new hard drive. Any count of bad sectors over zero means a defective disk, which could fail soon...

 

Issue with 403 FORBIDDEN

One thing I forgot to mention was that for some reason I have access forbidden to the site names spywarehammer dot com. I can access the site and forum from my phone. I tried to access the forum before I started a topic here and also checked today again and this is what I got:
 

Forbidden

You don't have permission to access /simplemachinesforum/index.php on this server.

Apache Server at spywarehammer.com Port 80

 

Let's give Combofix a try:

 

  • Now please download Combofix from here.
     
  • Save it to your Desktop.
     
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Please refer to this link for instructions.
     
  • Double-click it and follow the prompts.
     
  • If you receive a UAC prompt asking if you want to continue running the program, you should press the Continue button.
     
  • Click on Yes, to continue scanning for malware.
     
  • When finished, it will produce a log for you.
     
  • Please include the C:\ComboFix.txt in your next reply.
     
  • Note: After running Combofix, you may receive an error about "illegal operation on a registry key that has been marked for deletion." If you receive this error, please reboot and it should disappear.

 

Do not touch your mouse/keyboard until the ComboFix scan has completed, as this may cause the process to stall or the computer to lock.

 

 

Regards,

Georgi


Edited by B-boy/StyLe/, 21 December 2014 - 11:58 AM.
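Added example, not part of Georgi's reply: a PowerShell script (3.0 or later, elevated) for the "check the drive state often" advice. It collects every CHKDSK summary from the Application log (the same Wininit 1001 events pasted above) into one table with the stage count and bad-sector figures, and reads the drive's S.M.A.R.T. reallocated, pending and uncorrectable sector counts through the root\wmi classes, assuming the controller exposes them. The stage count matters for reading the two logs above: the run without the bad-sector option has three stages and reports only what NTFS already had marked, so its 0 KB and the later /R run's 4 KB are not by themselves evidence that the count is growing.

```powershell
# Added example, not code from the thread. Tracks bad sectors over time from two
# sources: every CHKDSK summary Windows has logged (Wininit event 1001) and the drive's
# own S.M.A.R.T. counters. Assumes Windows PowerShell 3.0+ running elevated (needed for
# the root\wmi classes) and English event text for the regular expressions.

# --- CHKDSK history from the Application log ---------------------------------------
# Stages tells you whether the run read the surface: 3 stages = /F only (no search for
# bad sectors, the KB figure repeats what is already in $BadClus), 5 stages = /R, which
# reads every cluster. Only compare BadSectorKB between runs with the same stage count.
function Get-ChkdskHistory {
    $filter = @{ LogName = 'Application'; ProviderName = 'Microsoft-Windows-Wininit'; Id = 1001 }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $m = $_.Message
        $volume = '?';    if ($m -match 'Checking file system on (\w:)') { $volume = $Matches[1] }
        $stages = $null;  if ($m -match 'stage 1 of (\d)')              { $stages = [int]$Matches[1] }
        $badKB  = $null;  if ($m -match '(\d+) KB in bad sectors')      { $badKB  = [int]$Matches[1] }
        $newBad = 0;      if ($m -match 'Adding (\d+) bad clusters')    { $newBad = [int]$Matches[1] }
        [pscustomobject]@{
            Time           = $_.TimeCreated
            Volume         = $volume
            Stages         = $stages
            BadSectorKB    = $badKB
            NewBadClusters = $newBad
            Corrected      = [bool]($m -match 'Windows has made corrections')
        }
    } | Sort-Object Time
}

# --- S.M.A.R.T. sector counters via WMI ----------------------------------------------
# The drive keeps its own tally, independent of what NTFS has marked. Raw values of
# attribute 5 (sectors the drive already remapped), 197 (sectors waiting to be remapped)
# and 198 (sectors that failed an offline read) rising between checks is the strongest
# early-failure signal. VendorSpecific layout: 2 header bytes, then 30 attributes of
# 12 bytes each (id, 2 flag bytes, current, worst, 6 raw bytes little-endian, reserved).
# USB enclosures, RAID controllers and some SSDs do not expose these classes at all.
function Get-SmartSectorCounters {
    $wanted = @{ 5 = 'ReallocatedSectors'; 197 = 'CurrentPendingSectors'; 198 = 'OfflineUncorrectable' }
    $status = @(Get-WmiObject -Namespace root\wmi -Class MSStorageDriver_FailurePredictStatus -ErrorAction SilentlyContinue)
    Get-WmiObject -Namespace root\wmi -Class MSStorageDriver_FailurePredictData -ErrorAction SilentlyContinue |
      ForEach-Object {
        $name = $_.InstanceName
        $data = $_.VendorSpecific
        $predict = $status | Where-Object { $_.InstanceName -eq $name } | ForEach-Object { $_.PredictFailure }
        $result = [ordered]@{ Drive = $name; PredictFailure = [bool]$predict }
        foreach ($attr in $wanted.Values) { $result[$attr] = $null }
        for ($i = 2; $i + 12 -le $data.Length; $i += 12) {
            $id = [int]$data[$i]
            if ($id -eq 0 -or -not $wanted.ContainsKey($id)) { continue }
            $raw = [int64]0
            for ($b = 10; $b -ge 5; $b--) { $raw = $raw * 256 + [int64]$data[$i + $b] }
            $result[$wanted[$id]] = $raw
        }
        [pscustomobject]$result
    }
}

Get-ChkdskHistory | Format-Table -AutoSize
Get-SmartSectorCounters | Format-Table -AutoSize
```

Keep the S.M.A.R.T. table output from a first run; the raw counters growing on later runs (or PredictFailure flipping to True) is the point at which the backup Georgi recommends becomes urgent, whatever CHKDSK says.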



#12 Lorelai001

Lorelai001
  • Topic Starter

  • Members
  • 37 posts
  • OFFLINE
  • Gender:Female
  • Local time:09:44 PM

Posted 22 December 2014 - 01:17 PM

Hello,

 

Unfortunately you have bad sectors on the drive:

 

         4 KB in bad sectors.

 

A few bad sectors on a hard drive is really not much of a concern. Chkdsk marked them out so the OS will not use them. They don't get fixed, they just don't get used. I recommend you back up your important files to an external HDD. I recommend checking the drive state often, and if you notice that the number of bad sectors is increasing, you should start looking for a new hard drive. Any count of bad sectors over zero means a defective disk, which could fail soon...

 

Issue with 403 FORBIDDEN

One thing I forgot to mention was that for some reason I have access forbidden to the site names spywarehammer dot com. I can access the site and forum from my phone. I tried to access the forum before I started a topic here and also checked today again and this is what I got:
 

Forbidden

You don't have permission to access /simplemachinesforum/index.php on this server.

Apache Server at spywarehammer.com Port 80

 

Let's give Combofix a try.

  • Please include the C:\ComboFix.txt in your next reply.

 

 

Regards,

Georgi

Hello Georgi!
I ran Combofix. It took a long time. I disabled Spybot and Avast. Unfortunately I did not realize I had not disabled Windows Defender; only when I looked at the Combofix log did I notice that. I saw some files in the quarantine log, which I will also post below, after the log. Also, I disabled Avast for 10 minutes, then 1 hour, and when I noticed Combofix was not making progress, I checked Avast and it had activated after the 10 minutes, as it did not take into consideration my other selection, so again I disabled it for an hour and it worked.

This is the log:

ComboFix 14-12-14.01 - diana 12/22/2014  19:37:27.1.2 - x86
Microsoft Windows 7 Ultimate   6.1.7601.1.1252.1.1033.18.894.223 [GMT 2:00]
Running from: c:\users\diana\Desktop\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {17AD7D40-BA12-9C46-7131-94903A54AD8B}
SP: avast! Antivirus *Disabled/Updated* {ACCC9CA4-9C28-93C8-4B81-AFE241D3E736}
SP: Spybot - Search and Destroy *Disabled/Updated* {9BC38DF1-3CCA-732D-A930-C1CA5F20A4B0}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\diana\AppData\Roaming\System.Data.SQLite.DLL
.
.
(((((((((((((((((((((((((   Files Created from 2014-11-22 to 2014-12-22  )))))))))))))))))))))))))))))))
.
.
2014-12-22 17:56 . 2014-12-22 17:56    --------    d-----w-    c:\users\Default\AppData\Local\temp
2014-12-21 09:51 . 2014-12-21 09:51    62576    ----a-w-    c:\programdata\Microsoft\Windows Defender\Definition Updates\{640BE162-78A9-4A62-9534-7526705CDFA0}\offreg.dll
2014-12-21 08:36 . 2014-12-13 03:33    115712    ----a-w-    c:\windows\system32\ieUnatt.exe
2014-12-20 02:30 . 2014-11-22 01:48    667648    ----a-w-    c:\windows\system32\MsSpellCheckingFacility.exe
2014-12-20 02:30 . 2013-12-24 23:09    1987584    ----a-w-    c:\windows\system32\d3d10warp.dll
2014-12-20 02:30 . 2013-11-26 08:16    3419136    ----a-w-    c:\windows\system32\d2d1.dll
2014-12-19 16:51 . 2014-11-11 02:44    1230336    ----a-w-    c:\windows\system32\WindowsCodecs.dll
2014-12-19 10:47 . 2014-03-09 21:47    99480    ----a-w-    c:\windows\system32\infocardapi.dll
2014-12-19 10:47 . 2014-06-30 22:14    8856    ----a-w-    c:\windows\system32\icardres.dll
2014-12-19 10:46 . 2014-03-09 21:47    619672    ----a-w-    c:\windows\system32\icardagt.exe
2014-12-19 10:46 . 2014-06-06 06:16    35480    ----a-w-    c:\windows\system32\TsWpfWrp.exe
2014-12-19 10:44 . 2012-03-01 05:46    19824    ----a-w-    c:\windows\system32\drivers\fs_rec.sys
2014-12-19 10:44 . 2012-03-01 05:29    5120    ----a-w-    c:\windows\system32\wmi.dll
2014-12-19 10:05 . 2014-12-19 10:05    2724864    ----a-w-    c:\windows\system32\mshtml.tlb
2014-12-19 10:03 . 2014-12-19 10:03    69632    ----a-w-    c:\windows\system32\smss.exe
2014-12-19 10:03 . 2014-12-19 10:03    640512    ----a-w-    c:\windows\system32\advapi32.dll
2014-12-19 10:03 . 2014-12-19 10:03    1289096    ----a-w-    c:\windows\system32\ntdll.dll
2014-12-19 10:03 . 2014-12-19 10:03    619520    ----a-w-    c:\windows\system32\tdh.dll
2014-12-19 10:03 . 2014-12-19 10:03    38912    ----a-w-    c:\windows\system32\csrsrv.dll
2014-12-19 10:02 . 2014-12-19 10:02    231424    ----a-w-    c:\windows\system32\mswsock.dll
2014-12-19 10:02 . 2014-12-19 10:02    49152    ----a-w-    c:\windows\system32\taskhost.exe
2014-12-19 09:54 . 2014-12-19 09:54    1505280    ----a-w-    c:\windows\system32\d3d11.dll
2014-12-19 09:44 . 2013-04-26 04:55    492544    ----a-w-    c:\windows\system32\win32spl.dll
2014-12-19 09:44 . 2013-02-12 03:32    15872    ----a-w-    c:\windows\system32\drivers\usb8023.sys
2014-12-19 09:44 . 2013-07-09 04:52    175104    ----a-w-    c:\windows\system32\wintrust.dll
2014-12-19 09:43 . 2011-03-03 05:38    132608    ----a-w-    c:\windows\system32\dnsrslvr.dll
2014-12-19 09:43 . 2011-03-03 05:36    28672    ----a-w-    c:\windows\system32\dnscacheugc.exe
2014-12-19 09:41 . 2014-07-17 01:02    31232    ----a-w-    c:\windows\system32\drivers\tssecsrv.sys
2014-12-19 09:41 . 2013-02-15 03:25    36864    ----a-w-    c:\windows\system32\tsgqec.dll
2014-12-19 09:41 . 2014-03-04 09:20    3969984    ----a-w-    c:\windows\system32\ntkrnlpa.exe
2014-12-19 09:41 . 2014-03-04 09:20    3914176    ----a-w-    c:\windows\system32\ntoskrnl.exe
2014-12-19 09:41 . 2014-03-04 09:17    293376    ----a-w-    c:\windows\system32\KernelBase.dll
2014-12-19 09:41 . 2014-03-04 09:17    538112    ----a-w-    c:\windows\system32\objsel.dll
2014-12-19 09:41 . 2014-03-04 09:17    35328    ----a-w-    c:\windows\system32\wincredprovider.dll
2014-12-19 09:41 . 2014-03-04 09:17    47616    ----a-w-    c:\windows\system32\dpapiprovider.dll
2014-12-19 09:41 . 2014-03-04 09:17    36864    ----a-w-    c:\windows\system32\dimsroam.dll
2014-12-19 09:41 . 2014-03-04 09:17    51200    ----a-w-    c:\windows\system32\cngprovider.dll
2014-12-19 09:41 . 2014-03-04 09:17    48128    ----a-w-    c:\windows\system32\capiprovider.dll
2014-12-19 09:41 . 2014-03-04 09:17    49664    ----a-w-    c:\windows\system32\adprovider.dll
2014-12-19 09:39 . 2012-06-06 05:05    1019904    ----a-w-    c:\program files\Common Files\System\ado\msado15.dll
2014-12-19 09:39 . 2012-06-06 05:03    805376    ----a-w-    c:\windows\system32\cdosys.dll
2014-12-19 09:39 . 2012-06-06 05:05    57344    ----a-w-    c:\program files\Common Files\System\ado\msador15.dll
2014-12-19 09:39 . 2012-06-06 05:05    352256    ----a-w-    c:\program files\Common Files\System\ado\msadomd.dll
2014-12-19 09:39 . 2012-06-06 05:05    212992    ----a-w-    c:\program files\Common Files\System\msadc\msadco.dll
2014-12-19 09:39 . 2012-06-06 05:05    143360    ----a-w-    c:\program files\Common Files\System\ado\msjro.dll
2014-12-19 09:39 . 2012-06-06 05:05    372736    ----a-w-    c:\program files\Common Files\System\ado\msadox.dll
2014-12-19 09:38 . 2013-06-06 04:50    10240    ----a-w-    c:\windows\system32\dciman32.dll
2014-12-19 09:38 . 2013-06-06 03:01    295424    ----a-w-    c:\windows\system32\atmfd.dll
2014-12-19 09:38 . 2013-06-06 04:52    26112    ----a-w-    c:\windows\system32\lpk.dll
2014-12-19 09:38 . 2013-06-06 04:51    70656    ----a-w-    c:\windows\system32\fontsub.dll
2014-12-19 09:38 . 2013-06-06 03:01    34304    ----a-w-    c:\windows\system32\atmlib.dll
2014-12-19 09:38 . 2014-09-19 09:23    248832    ----a-w-    c:\windows\system32\schannel.dll
2014-12-19 09:38 . 2014-09-19 09:23    259584    ----a-w-    c:\windows\system32\msv1_0.dll
2014-12-19 09:38 . 2014-09-19 09:23    172032    ----a-w-    c:\windows\system32\wdigest.dll
2014-12-19 09:38 . 2014-09-19 09:23    65536    ----a-w-    c:\windows\system32\TSpkg.dll
2014-12-19 09:38 . 2014-09-19 09:23    221184    ----a-w-    c:\windows\system32\ncrypt.dll
2014-12-19 09:38 . 2014-09-19 09:23    17408    ----a-w-    c:\windows\system32\credssp.dll
2014-12-19 09:34 . 2012-07-04 21:14    41984    ----a-w-    c:\windows\system32\browcli.dll
2014-12-19 09:34 . 2013-10-04 01:49    81408    ----a-w-    c:\windows\system32\drivers\drmk.sys
2014-12-19 09:34 . 2013-10-04 01:17    177152    ----a-w-    c:\windows\system32\drivers\portcls.sys
2014-12-19 09:33 . 2011-05-24 10:44    293376    ----a-w-    c:\windows\system32\umpnpmgr.dll
2014-12-19 09:33 . 2014-06-16 01:44    730048    ----a-w-    c:\windows\system32\drivers\dxgkrnl.sys
2014-12-19 09:33 . 2014-06-16 01:44    219072    ----a-w-    c:\windows\system32\drivers\dxgmms1.sys
2014-12-19 09:33 . 2014-06-16 01:40    107520    ----a-w-    c:\windows\system32\cdd.dll
2014-12-19 09:33 . 2013-10-12 02:01    679424    ----a-w-    c:\windows\system32\IKEEXT.DLL
2014-12-19 09:33 . 2013-10-12 02:01    216576    ----a-w-    c:\windows\system32\FWPUCLNT.DLL
2014-12-19 09:33 . 2013-10-12 02:03    656896    ----a-w-    c:\windows\system32\nshwfp.dll
2014-12-19 09:33 . 2012-11-02 05:11    376832    ----a-w-    c:\windows\system32\dpnet.dll
2014-12-19 09:33 . 2013-07-25 08:57    1620992    ----a-w-    c:\windows\system32\WMVDECOD.DLL
2014-12-19 09:33 . 2011-02-12 05:35    191488    ----a-w-    c:\windows\system32\FXSCOVER.exe
2014-12-19 09:33 . 2014-11-11 02:44    550912    ----a-w-    c:\windows\system32\kerberos.dll
2014-12-19 09:33 . 2014-11-11 02:44    186880    ----a-w-    c:\windows\system32\pku2u.dll
2014-12-19 09:32 . 2012-03-17 07:27    56176    ----a-w-    c:\windows\system32\drivers\partmgr.sys
2014-12-19 09:32 . 2014-05-30 06:36    338944    ----a-w-    c:\windows\system32\drivers\afd.sys
2014-12-19 09:32 . 2013-07-20 10:33    102608    ----a-w-    c:\windows\system32\PresentationCFFRasterizerNative_v0300.dll
2014-12-19 09:32 . 2014-06-03 09:30    101824    ----a-w-    c:\windows\system32\consent.exe
2014-12-19 09:32 . 2014-06-03 09:29    2363392    ----a-w-    c:\windows\system32\msi.dll
2014-12-19 09:32 . 2014-06-03 09:29    1805824    ----a-w-    c:\windows\system32\authui.dll
2014-12-19 09:32 . 2014-06-03 09:29    337408    ----a-w-    c:\windows\system32\msihnd.dll
2014-12-19 09:32 . 2014-10-25 01:32    67584    ----a-w-    c:\windows\system32\packager.dll
2014-12-19 09:32 . 2014-10-10 00:45    2379264    ----a-w-    c:\windows\system32\win32k.sys
2014-12-19 09:32 . 2014-08-21 06:26    1237504    ----a-w-    c:\windows\system32\msxml3.dll
2014-12-19 09:32 . 2014-08-21 06:23    2048    ----a-w-    c:\windows\system32\msxml3r.dll
2014-12-19 09:31 . 2013-05-13 03:08    903168    ----a-w-    c:\windows\system32\certutil.exe
2014-12-19 09:31 . 2013-05-13 03:08    43008    ----a-w-    c:\windows\system32\certenc.dll
2014-12-19 09:30 . 2011-10-01 04:37    708608    ----a-w-    c:\program files\Common Files\System\wab32.dll
2014-12-19 09:30 . 2014-06-06 09:44    509440    ----a-w-    c:\windows\system32\qedit.dll
2014-12-19 09:29 . 2010-12-23 05:54    642048    ----a-w-    c:\windows\system32\CPFilters.dll
2014-12-19 09:29 . 2010-12-23 05:54    850944    ----a-w-    c:\windows\system32\sbe.dll
2014-12-19 09:29 . 2010-12-23 05:50    199680    ----a-w-    c:\windows\system32\mpg2splt.ax
2014-12-19 09:29 . 2014-06-18 22:23    156824    ----a-w-    c:\windows\system32\mscorier.dll
2014-12-19 09:29 . 2014-06-18 22:23    1131664    ----a-w-    c:\windows\system32\dfshim.dll
2014-12-19 09:29 . 2014-06-18 22:23    81560    ----a-w-    c:\windows\system32\mscories.dll
2014-12-19 09:29 . 2011-08-17 04:19    75776    ----a-w-    c:\windows\system32\psisrndr.ax
2014-12-19 09:29 . 2011-08-17 04:24    465408    ----a-w-    c:\windows\system32\psisdecd.dll
2014-12-19 09:27 . 2013-10-05 19:57    1168384    ----a-w-    c:\windows\system32\crypt32.dll
2014-12-19 09:27 . 2013-07-09 04:46    140288    ----a-w-    c:\windows\system32\cryptsvc.dll
2014-12-19 09:27 . 2013-07-09 04:46    103936    ----a-w-    c:\windows\system32\cryptnet.dll
2014-12-19 09:27 . 2011-12-16 07:52    690688    ----a-w-    c:\windows\system32\msvcrt.dll
2014-12-19 09:27 . 2012-09-25 22:47    78336    ----a-w-    c:\windows\system32\synceng.dll
2014-12-19 08:55 . 2013-07-12 10:08    146816    ----a-w-    c:\windows\system32\drivers\usbvideo.sys
2014-12-19 08:55 . 2013-07-12 10:07    86016    ----a-w-    c:\windows\system32\drivers\usbcir.sys
2014-12-19 08:55 . 2013-07-12 10:07    80896    ----a-w-    c:\windows\system32\drivers\USBAUDIO.sys
2014-12-19 08:51 . 2011-03-11 05:33    1137664    ----a-w-    c:\windows\system32\mfc42.dll
2014-12-19 08:51 . 2011-03-11 05:33    1164288    ----a-w-    c:\windows\system32\mfc42u.dll
2014-12-19 08:48 . 2014-10-14 01:50    1059840    ----a-w-    c:\windows\system32\lsasrv.dll
2014-12-19 08:47 . 2011-02-23 04:47    69632    ----a-w-    c:\windows\system32\drivers\bowser.sys
2014-12-19 08:47 . 2014-04-25 02:06    626688    ----a-w-    c:\windows\system32\usp10.dll
2014-12-19 08:47 . 2013-02-27 04:49    47104    ----a-w-    c:\windows\system32\appinfo.dll
2014-12-19 08:31 . 2012-02-17 05:34    826880    ----a-w-    c:\windows\system32\rdpcore.dll
2014-12-19 08:31 . 2012-02-17 04:13    24576    ----a-w-    c:\windows\system32\drivers\tdtcp.sys
2014-12-19 08:30 . 2014-12-15 02:13    9054624    ----a-w-    c:\programdata\Microsoft\Windows Defender\Definition Updates\{640BE162-78A9-4A62-9534-7526705CDFA0}\mpengine.dll
2014-12-19 07:57 . 2014-05-14 16:23    45536    ----a-w-    c:\windows\system32\wups2.dll
2014-12-19 07:57 . 2014-05-14 16:23    54240    ----a-w-    c:\windows\system32\wuauclt.exe
2014-12-19 07:57 . 2014-05-14 16:17    2425856    ----a-w-    c:\windows\system32\wucltux.dll
2014-12-19 07:57 . 2014-05-14 16:23    1973728    ----a-w-    c:\windows\system32\wuaueng.dll
2014-12-19 07:56 . 2014-05-14 16:23    36320    ----a-w-    c:\windows\system32\wups.dll
2014-12-19 07:56 . 2014-05-14 16:23    581600    ----a-w-    c:\windows\system32\wuapi.dll
2014-12-19 07:56 . 2014-05-14 16:17    92672    ----a-w-    c:\windows\system32\wudriver.dll
2014-12-19 07:55 . 2014-05-14 07:23    179656    ----a-w-    c:\windows\system32\wuwebv.dll
2014-12-19 07:55 . 2014-05-14 07:17    33792    ----a-w-    c:\windows\system32\wuapp.exe
2014-12-18 21:47 . 2014-12-18 21:47    --------    d-----w-    c:\windows\system32\SPReview
2014-12-18 21:46 . 2014-12-18 21:46    --------    d-----w-    c:\windows\system32\EventProviders
2014-12-18 21:41 . 2010-11-20 12:17    280576    ----a-w-    c:\windows\system32\spreview.exe
2014-12-18 21:40 . 2010-11-20 12:21    134656    ----a-w-    c:\windows\system32\WinSCard.dll
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-12-18 21:55 . 2009-07-14 02:05    152576    ----a-w-    c:\windows\system32\msclmd.dll
2014-12-17 16:29 . 2014-11-09 11:45    114904    ----a-w-    c:\windows\system32\drivers\MBAMSwissArmy.sys
2014-12-15 15:48 . 2014-11-09 11:44    79576    ----a-w-    c:\windows\system32\drivers\mbamchameleon.sys
2014-12-14 22:19 . 2014-11-06 20:21    701616    ----a-w-    c:\windows\system32\FlashPlayerApp.exe
2014-12-14 22:19 . 2014-11-06 20:20    71344    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2014-12-06 13:14 . 2014-11-05 10:37    787800    ----a-w-    c:\windows\system32\drivers\aswsnx.sys
2014-12-06 13:14 . 2014-11-05 10:37    423784    ----a-w-    c:\windows\system32\drivers\aswsp.sys
2014-12-06 13:14 . 2014-11-05 10:37    91496    ----a-w-    c:\windows\system32\drivers\aswStm.sys
2014-12-06 13:14 . 2014-11-05 10:37    206248    ----a-w-    c:\windows\system32\drivers\aswVmm.sys
2014-12-06 13:14 . 2014-11-05 10:37    49944    ----a-w-    c:\windows\system32\drivers\aswRvrt.sys
2014-12-06 13:14 . 2014-11-05 10:37    81768    ----a-w-    c:\windows\system32\drivers\aswRdr2.sys
2014-12-06 13:14 . 2014-11-05 10:37    70384    ----a-w-    c:\windows\system32\drivers\aswmonflt.sys
2014-12-06 13:14 . 2014-11-05 10:37    24184    ----a-w-    c:\windows\system32\drivers\aswHwid.sys
2014-11-24 12:04 . 2014-11-05 10:47    229000    ------w-    c:\windows\system32\MpSigStub.exe
2014-11-21 04:14 . 2014-11-09 11:44    51928    ----a-w-    c:\windows\system32\drivers\mwac.sys
2014-11-21 04:14 . 2014-11-09 11:44    23256    ----a-w-    c:\windows\system32\drivers\mbam.sys
2014-11-09 13:48 . 2014-11-09 13:48    20640    ------w-    c:\windows\system32\drivers\PxHelp20.sys
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2014-12-06 13:14    723976    ----a-w-    c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2014-09-12 959176]
"AvastUI.exe"="c:\program files\AVAST Software\Avast\AvastUI.exe" [2014-12-12 5227112]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"SPReview"="c:\windows\System32\SPReview\SPReview.exe" [2014-12-18 280576]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"SoftwareSASGeneration"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37.sys]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37Crusader]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37CrusaderBoot]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
2006-12-22 05:29    67752    ----a-w-    c:\program files\Adobe\Photoshop Elements 5.0\apdproxy.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Vid]
2011-01-13 02:01    6129496    ----a-w-    c:\program files\Logitech\Vid HD\Vid.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SDTray]
2014-06-24 08:42    4101576    ----a-w-    c:\program files\Spybot - Search & Destroy 2\SDTray.exe
.
R2 aswStm;aswStm;c:\windows\system32\drivers\aswStm.sys [2014-12-06 91496]
R2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [2014-12-11 315496]
R3 IEEtwCollectorService;Internet Explorer ETW Collector Service;c:\windows\system32\IEEtwCollector.exe [2014-12-19 102912]
R3 MFE_RR;MFE_RR;c:\users\diana\AppData\Local\Temp\mfe_rr.sys [x]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2010-11-20 15872]
R3 SDScannerService;Spybot-S&D 2 Scanner Service;c:\program files\Spybot - Search & Destroy 2\SDFSSvc.exe [2014-06-24 1738168]
R3 SDUpdateService;Spybot-S&D 2 Updating Service;c:\program files\Spybot - Search & Destroy 2\SDUpdSvc.exe [2014-06-27 2088408]
R3 SDWSCService;Spybot-S&D 2 Security Center Service;c:\program files\Spybot - Search & Destroy 2\SDWSCSvc.exe [2014-04-25 171928]
R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]
R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [x]
R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]
S0 aswRvrt;avast! Revert; [x]
S0 aswVmm;avast! VM Monitor; [x]
S1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2014-12-06 787800]
S1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2014-12-06 423784]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2011-07-22 12880]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2011-07-12 67664]
S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [2014-07-22 142648]
S2 aswHwid;avast! HardwareID;c:\windows\system32\drivers\aswHwid.sys [2014-12-06 24184]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2014-12-06 70384]
S2 UMVPFSrv;UMVPFSrv;c:\program files\Common Files\logishrd\LVMVFM\UMVPFSrv.exe [2012-01-18 450848]
S3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL3.SYS [2009-07-13 207360]
S3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV3.SYS [2009-07-13 980992]
S3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT3.SYS [2009-07-13 661504]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2014-12-11 23:50    1087816    ----a-w-    c:\program files\Google\Chrome\Application\39.0.2171.95\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2014-12-22 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2014-11-06 22:19]
.
2014-11-13 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2014-11-05 10:31]
.
2014-12-22 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2014-11-05 10:31]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
uInternet Settings,ProxyServer = localhost:21320
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: eset.com\www
Trusted Zone: eset.eu\www
TCP: DhcpNameServer = 192.168.1.1 0.0.0.0
FF - ProfilePath - c:\users\diana\AppData\Roaming\Mozilla\Firefox\Profiles\1bpbwhjr.default-1418675230098\
.
- - - - ORPHANS REMOVED - - - -
.
Notify-SDWinLogon - SDWinLogon.dll
SafeBoot-17016324.sys
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2014-12-22  20:00:43
ComboFix-quarantined-files.txt  2014-12-22 18:00
.
Pre-Run: 7,732,080,640 bytes free
Post-Run: 7,621,246,976 bytes free
.
- - End Of File - - C135032970399A88E026D7DDA2153D33
A36C5E4F47E84449FF07ED3517B43A31


Combofix quarantine text file:
2014-12-22 17:59:28 . 2014-12-22 17:59:28              558 ----a-w-  C:\Qoobox\Quarantine\Registry_backups\SafeBoot-17016324.sys.reg.dat
2014-12-22 17:59:26 . 2014-12-22 17:59:26              618 ----a-w-  C:\Qoobox\Quarantine\Registry_backups\Notify-SDWinLogon.reg.dat
2014-12-22 17:46:29 . 2014-12-22 17:46:30            5,080 ----a-w-  C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2014-12-22 17:37:25 . 2014-12-22 17:37:25              512 ----a-w-  C:\Qoobox\Quarantine\MBR_HardDisk0.mbr
2014-12-22 17:34:03 . 2014-12-22 17:37:27               82 ----a-w-  C:\Qoobox\Quarantine\catchme.log
2014-12-14 22:57:46 . 2014-12-14 22:57:47          773,632 ----a-w-  C:\Qoobox\Quarantine\C\Users\diana\AppData\Roaming\System.Data.SQLite.DLL.vir


Do I need to save my data on an external hard drive? Is it safe to do that, and not getting the drive infected? I already plugged the external hard drive in a couple of weeks ago, to see if it's working, since it was a new one, but I did not transfer any files.
I saw this in Quarantine:
C:\Qoobox\Quarantine\MBR_HardDisk0.mbr. I don't know anything, except that MBR is Master Boot Record. The data is very important to me. Also, can these files be in quarantine because I did not realize Windows Defender was still on?

Update: I saved most of my important files on the external hard disk anyway. However, when I wanted to eject the HDD (safely remove), I would get a prompt that it was in use by a program, but I was not doing anything on it. I got that prompt for several minutes whenever I tried to safely remove it, so I just pulled the cable anyway.
Combofix did not ask me to restart the computer. I don't know if it's because I disabled Spybot or because of ComboFix, but my computer's running faster now. But I still did not dare to shut down the computer, since I saw the MBR file in quarantine. I really am not knowledgeable about this.

One thing I forgot to mention at the beginning of this thread was the slow internet, with certain pages loading only halfway and some redirects to some Polish car site when I wanted to type Google. Things got a little better after I fixed the hosts file with Rogue Killer, and I no longer got the prompts from HijackThis about not being able to access the hosts file. Spybot made a new hosts file and apparently healed some files. The latest scan is from Combofix though, and I like the improvement in speed.
I am waiting though to find out what the log means. I hope everything will be fine...

I still get this with spywarehammer:

Forbidden

You don't have permission to access /simplemachinesforum/index.php on this server.

Apache Server at spywarehammer.com Port 80

Edited by Lorelai001, 23 December 2014 - 12:41 PM.


#13 Lorelai001

  • Topic Starter
  • Members
  • 37 posts
  • Gender:Female
  • Local time:09:44 PM

Posted 23 December 2014 - 02:31 PM

I would also like to add, maybe it is useful information, that my younger brother and I share the same wireless. He is always downloading torrents, games, cracks, keygens, even though I have repeatedly told him not to. Can this be a danger to my computer? I also have a cable connection from a company which I don't really use. Should I move to that?
The computer also seems to be performing faster after the Combofix scan.
I am providing all sorts of details, hoping it will help. I am tremendously stressed out by this and hoping to get it all better soon.


Edited by Lorelai001, 24 December 2014 - 10:16 AM.


#14 B-boy/StyLe/

    Bleepin' Freestyler

  • Malware Response Team
  • 8,285 posts
  • Gender:Male
  • Location:Bulgaria
  • Local time:08:44 PM

Posted 24 December 2014 - 04:05 PM

Hello and Merry Christmas!

Thank you for the log. It's completely clean! :)

Did you set this setting?

uInternet Settings,ProxyServer = localhost:21320

Do I need to save my data on an external hard drive? Is it safe to do that, and not getting the drive infected? I already plugged the external hard drive in a couple of weeks ago, to see if it's working, since it was a new one, but I did not transfer any files.

This is not needed since your computer looks clean. However, it's always a good idea to have a backup of your files just to be on the safe side. Before you plug in your external hard drive you should do the following (just in case):

STEP 1

Please download and run the following tool and follow the prompts to disable Autorun on the computer to prevent spreading of the infections from USB flash drives.

STEP 2

Now open My Computer, right click on the flash drive's letter and, from the context menu, scan it with your installed and updated antivirus software, without opening the USB stick until the scan guarantees the flash drive is completely clean.

STEP 3

Please download USBFix tool from here...make sure that your flash drive is still connected to the computer.

Run the tool, press Vaccinate and wait for the process to complete. This will vaccinate all of the drives on the computer (including the flash drive) against autorun threats.

STEP 4

Next please download and install MCShield 3

Now plug in your USB flash stick and wait for it to be scanned for malware remnants and repaired if needed.

A log file should appear when this is done. Please post the content of the log in your next reply.

I saw this in Quarantine:
C:\Qoobox\Quarantine\MBR_HardDisk0.mbr. I don't know anything, except that MBR is Master Boot Record. The data is very important to me. Also, can these files be in quarantine because I did not realize Windows Defender was still on?

Yes, MBR is the Master Boot Record, but it's not deleted. Combofix makes a copy of the MBR in the quarantine folder just in case.

Update: I saved most of my important files on the external hard disk anyway. However, when I wanted to eject the HDD (safely remove), I would get a prompt that it was in use by a program, but I was not doing anything on it. I got that prompt for several minutes whenever I tried to safely remove it, so I just pulled the cable anyway.

...Please calm down and stop doing things on your own... This is normal behavior. I encounter it a lot with my external devices. When the HDD is optimized for quick removal in the Device Manager then it's not needed to use the Safe removal procedure...

http://www.cnet.com/how-to/quickly-remove-usb-devices-without-using-safe-removal/

One thing I forgot to mention at the beginning of this thread was the slow internet, with certain pages loading only halfway and some redirects to some Polish car site when I wanted to type Google. Things got a little better after I fixed the hosts file with Rogue Killer, and I no longer got the prompts from HijackThis about not being able to access the hosts file. Spybot made a new hosts file and apparently healed some files. The latest scan is from Combofix though, and I like the improvement in speed.
I am waiting though to find out what the log means. I hope everything will be fine...

Please download and run the attached file => [attachment=159639:internet.bat] and see if there is any difference after reboot.

As for the spywarehammer please let me know if you are able to open it via the link below:

SpywareHammer

I would also like to add, maybe it is useful information, that my younger brother and I share the same wireless. He is always downloading torrents, games, cracks, keygens, even though I have repeatedly told him not to. Can this be a danger to my computer? I also have a cable connection from a company which I don't really use. Should I move to that?
The computer also seems to be performing faster after the Combofix scan.
I am providing all sorts of details, hoping it will help. I am tremendously stressed out by this and hoping to get it all better soon.

Are the computers on the same network?

Regards,

Georgi


Edited by B-boy/StyLe/, 24 December 2014 - 04:05 PM.

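The reply above turns on three settings a reader can check for themselves: the per-user proxy that ComboFix listed as ProxyServer = localhost:21320, the Autorun policy that the STEP 1 tool disables, and the hosts file the topic starter had to repair. The PowerShell audit below is an added example, not code from the thread or from any of the tools Georgi links; the registry paths, the NoDriveTypeAutoRun value 0xFF and the WinINet value names are standard Windows settings, while the -Fix switch and the report format are my own.

```powershell
<#
  Added audit script (not from the thread or its tools). Read-only unless
  -Fix is given, in which case it sets the Autorun policy; run -Fix elevated.
  Assumes Windows 7 or later with PowerShell 2.0+.
#>
param(
    [switch]$Fix   # apply NoDriveTypeAutoRun = 0xFF instead of only reporting it
)

$findings = @()

# --- 1. Per-user WinINet proxy. The "u" prefix on ComboFix's
# "uInternet Settings" line marks a per-user (HKCU) value.
$inetKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$inet    = Get-ItemProperty -Path $inetKey -ErrorAction SilentlyContinue
$proxyOn = ($inet.ProxyEnable -eq 1)
$server  = [string]$inet.ProxyServer
# A proxy that points back at this machine on an arbitrary port is the usual
# footprint of a local interception proxy; the user has to confirm they set it.
if ($server -match '(^|=)(localhost|127\.0\.0\.1):\d+') {
    $findings += "Proxy points at the local machine: '$server' (ProxyEnable=$($inet.ProxyEnable))"
} elseif ($proxyOn) {
    $findings += "Proxy enabled: '$server' (override '$($inet.ProxyOverride)')"
}

# --- 2. Autorun policy. 0xFF (255) in NoDriveTypeAutoRun turns AutoRun off for
# every drive type; "disable Autorun" helpers set this value under the hood.
foreach ($hive in 'HKLM', 'HKCU') {
    $polKey = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
    $val = (Get-ItemProperty -Path $polKey -Name NoDriveTypeAutoRun `
                -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
    if ($val -ne 255) {
        $findings += "${hive}: NoDriveTypeAutoRun is '$val' (expected 255 / 0xFF)"
        if ($Fix) {
            if (-not (Test-Path $polKey)) { New-Item -Path $polKey -Force | Out-Null }
            Set-ItemProperty -Path $polKey -Name NoDriveTypeAutoRun -Value 0xFF -Type DWord
            $findings += "${hive}: NoDriveTypeAutoRun set to 0xFF"
        }
    }
}

# --- 3. hosts file. A stock Windows 7 hosts file contains only comments, so
# any active line is worth a look; a search engine mapped elsewhere is the
# redirect symptom described in the thread.
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$extra = Get-Content $hostsPath -ErrorAction SilentlyContinue |
    Where-Object { $_ -match '\S' -and $_ -notmatch '^\s*#' } |
    Where-Object { $_ -notmatch '^\s*(127\.0\.0\.1|::1)\s+localhost\s*$' }
if ($extra) {
    foreach ($line in $extra) { $findings += "hosts entry: $line" }
}

if ($findings.Count -eq 0) { 'No findings.' } else { $findings }
```

Save it as a .ps1 and run it from an elevated PowerShell prompt; without -Fix it only reports, so the output can be posted in a reply like any other log.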


#15 Lorelai001

  • Topic Starter
  • Members
  • 37 posts
  • Gender:Female
  • Local time:09:44 PM

Posted 25 December 2014 - 12:45 PM

Hello, Georgi!
A very Merry Christmas to you too!
Thank you for your reply and the effort you put into helping, I am really grateful for that! :)

External HDD
I used all the tools you suggested, just like you said. I ran USBFix and I connected several devices, just like I was prompted by the program. I connected my External HDD, the USB stick, Kingston camera card, and Phone. I clicked vaccinate and then I ran a scan for everything.
This is the log from USBFix:

############################## | UsbFix V 7.807 | [Research]

User: diana (Administrator) # DIANA-PC
Updated 18/12/2014 by El Desaparecido - SosVirus
Started at 19:05:50 | 25/12/2014

Website : http://www.en.usbfix.net/
Changelog : http://www.en.usbfix.net/changelog/
Support : http://www.sosvirus.net/
Upload Malware : http://www.sosvirus.net/upload_malware.php
Live detection : http://how-to-remove.us/
Contact : http://www.en.usbfix.net/contact/

################## | System information |

MB: Dell Inc. (0UW744)
CPU: AMD Turion™ 64 X2 Mobile Technology TL-52
RAM -> [Total : 894 Mo | Free : 170 Mo]
Bios: Dell Inc.
Boot: Normal boot

OS: Microsoft™ Windows 7 Ultimate (6.1.7601 32-Bit) Service Pack 1
WB: Internet Explorer : 11.00.9600.16428
WB: Google Chrome : 39.0.2171.95
WB: Mozilla Firefox : 34.0.5

################## | Security Information |

AV: avast! Antivirus [(!) Disabled |Updated]
AS: Windows Defender [(!) Disabled |Updated]
AS: Spybot - Search and Destroy [(!) Disabled |Updated]
AS: avast! Antivirus [(!) Disabled |Updated]
AS: Malwarebytes Anti-Malware : 2.0.4.1028
FW: Windows Firewall [Enabled]
SC: Security Center [Enabled]
WU: Windows Update [Enabled]

################## | Disk Information |

C:\ (%SystemDrive%) -> Fixed disk # 29 Gb (6 Gb free - 22%) [] # NTFS
D:\ -> Fixed disk # 29 Gb (3 Gb free - 10%) [Diana Local Disk] # NTFS
E:\ -> Fixed disk # 53 Gb (8 Gb free - 15%) [Diana Local Disk] # NTFS
G:\ -> Fixed disk # 931 Gb (881 Gb free - 95%) [WD Elements] # NTFS
H:\ -> Removable disk # 7 Gb (6 Mb free - 0%) [Kingston] # FAT32
I:\ -> Removable disk # 8 Gb (7 Gb free - 100%) [ADATA UFD] # FAT32
J:\ -> Removable disk # 4 Gb (3 Gb free - 71%) [] # FAT32

################## | Regedit Run |

F2 - HKLM\..\Winlogon : [Shell] Explorer.exe
F2 - HKLM\..\Winlogon : [Userinit] C:\Windows\system32\userinit.exe,
04 - HKLM\..\Run : [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
04 - HKLM\..\Run : [AvastUI.exe] "C:\Program Files\AVAST Software\Avast\AvastUI.exe" /nogui
04 - HKLM\..\Run : [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
04 - HKU\S-1-5-18\..\RunOnce : [SPReview] "C:\Windows\System32\SPReview\SPReview.exe" /sp:1 /errorfwlink:"http://go.microsoft.com/fwlink/?LinkID=122915" /build:7601

################## | Generic Research |

Found! D:\Thumbs.db

################## | Registry |


################## | UsbFix - Information |

Info : How to remove shortcut virus on flash disk (Video)
Info : Shortcut virus on flash disk, What is it ?
Live detection : http://how-to-remove.us/

################## | Hijack |

Hijacked! [RSHD] J:\predeftemp
Hijacked! [SHD] J:\nokia_unprocessed_images_
Hijacked! [ASH] J:\352854053588400WMLicense.dat
Hijacked! [AHD] J:\temp

################## | E.O.F | http://www.sosvirus.net/ | http://www.en.usbfix.net/ |



Then I used MCShield; this is the log:
>>> MCShield AllScans.txt <<<

-----------------------------

MCShield ::Anti-Malware Tool:: http://www.mcshield.net/

>>> v 3.0.5.28 / DB: 2014.12.21.1 / Windows 7 <<<

12/25/2014 7:11:50 PM > Drive C: - scan started (no label ~29 GB, NTFS HDD )...

=> The drive is clean.

12/25/2014 7:11:50 PM > Drive D: - scan started (Diana Local Disk ~29 GB, NTFS HDD )...

=> The drive is clean.

12/25/2014 7:11:51 PM > Drive E: - scan started (Diana Local Disk ~53 GB, NTFS HDD )...

=> The drive is clean.

MCShield ::Anti-Malware Tool:: http://www.mcshield.net/

>>> v 3.0.5.28 / DB: 2014.12.21.1 / Windows 7 <<<

12/25/2014 7:13:16 PM > Drive G: - scan started (WD Elements ~931 GB, NTFS HDD )...

=> The drive is clean.

MCShield ::Anti-Malware Tool:: http://www.mcshield.net/

>>> v 3.0.5.28 / DB: 2014.12.21.1 / Windows 7 <<<

12/25/2014 7:14:15 PM > Drive H: - scan started (Kingston ~7592 MB, FAT32 flash drive )...

=> The drive is clean.

MCShield ::Anti-Malware Tool:: http://www.mcshield.net/

>>> v 3.0.5.28 / DB: 2014.12.21.1 / Windows 7 <<<

12/25/2014 7:14:46 PM > Drive I: - scan started (ADATA UFD ~7686 MB, FAT32 flash drive )...

=> The drive is clean.

MCShield ::Anti-Malware Tool:: http://www.mcshield.net/

>>> v 3.0.5.28 / DB: 2014.12.21.1 / Windows 7 <<<

12/25/2014 7:16:10 PM > Drive J: - scan started (no label ~3781 MB, FAT32 flash drive )...

=> The drive is clean.


As for SpywareHammer, it's still not working.