Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Stolen Email Passwords and various Yahoo Service Issues


  • This topic is locked This topic is locked
68 replies to this topic

#1 LittleGreenDots

LittleGreenDots

  • Members
  • 401 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Metro Detroit Area
  • Local time:01:02 AM

Posted 16 December 2014 - 01:30 PM

see post below


I want to add a few updates.  I did a virus scan this morning and while it didn't find anything, it took three times longer than normal.  I followed that with a MalwareBytes scan and it detected three items, all related to Vosteran, which I thought was completely off my computer.  Obviously not.  I haven't downloaded any new things.  Here is what MalwareBytes found the three items listed below.  I am doing a second scan but this time the scan is including the rootkit.
 
Last week I installed WOT add-on extensions to Chrome and IE.  I already had it installed with FireFox (my default.)  I see that two of the PUP items are related to Chrome, which was the browser with which I was having Vosteran problems.
 
I hope I didn't screw anything up running AV and Malwarebyte scans.  Just to be certain, I will run a second DDS scan and post it below.
 
Yesterday when I opened a browser, it went to YouTube on its own. 
 
Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 12/17/2014
Scan Time: 7:06:42 AM
Logfile: MalwareBytes_Log.txt
Administrator: Yes

Version: 2.00.4.1028
Malware Database: v2014.12.17.01
Rootkit Database: v2014.12.14.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Tooloose

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 377748
Time Elapsed: 26 min, 14 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Warn
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 3
PUP.Optional.Vosteran.A, HKLM\SOFTWARE\GOOGLE\CHROME\EXTENSIONS\oilkkkefbalmbfppgjmgjoefbclebkce, , [a540590a3c409a9c644591c128dbe41c],
PUP.Optional.Vosteran.A, HKLM\SOFTWARE\WOW6432NODE\GOOGLE\CHROME\EXTENSIONS\oilkkkefbalmbfppgjmgjoefbclebkce, , [fee71d46710b0432d0d97bd7b64d629e],
PUP.Optional.Vosteran.A, HKU\S-1-5-21-2914923297-3307978212-3490003017-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\GOOGLE\CHROME\EXTENSIONS\oilkkkefbalmbfppgjmgjoefbclebkce, , [5a8bed76d9a3b87e9a10f35f47bc9769],

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)


(end)

Edited by hamluis, 19 December 2014 - 08:50 PM.


BC AdBot (Login to Remove)

 


m

#2 LittleGreenDots

LittleGreenDots
  • Topic Starter

  • Members
  • 401 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Metro Detroit Area
  • Local time:01:02 AM

Posted 17 December 2014 - 08:47 AM

As instructed, I ran a DDS scan and am posting a new thread.

 

A few weeks ago I downloaded a browser hijacker Vosteran from sourceforge when I downloaded Filezilla.  That was taken care of here at Bleeping Computer.  The moderator who helped me told me to change my sensitive passwords and i immediately did so for online banking.  A few days later I was informed that a credit card was flagged as there was some suspicious activity reported.   I contacted the bank and filed a report and they cancelled the card.  The bank caught the activity before they were able to use the card.

 

A few days later I started having various Yahoo problems.  I have a few Yahoo email accounts.  Last week two of my email account passwords were compromised.  I reset the passwords.  Today, a third account was compromised.  And two days ago someone got into my Wordpress account and I changed that password as well.

 

As for my Yahoo issues (I use Firefox - Windows 7 OS) 3=4 times now Firefox crashed while I was writing email.  Yesterday I got an error msg after the crash, something about network issues.

 

I don't know if this has anything to do with anything but I got curious and checked Administrative Tools > Event Viewer > Windows Log > System and note HUNDREDS of the same item.  I posted one example of this in my initial "Am I Infected" post.

 

http://www.bleepingcomputer.com/forums/t/559911/crashes-with-yahoo-services-stolen-passwords/

 

One other thing I noticed...a few days ago I did a search on Yahoo and noticed that my WOT donuts were missing.  I checked the same search on Google and they were visible.  I came back to Yahoo and tried again and they were visible.  I tried this a few times and it seems that on the first attempt, something turned them off.  I reinstalled this Mozilla Add-On and that fixed the problem.  I just ran a MalwareBytes scan before I ran this DDS report and it found three items, two of which were related to Vosteran, my original infection.  They were embedded in Chrome extensions.

 

As instructed, here is the DDS report and I'll attach the other ZIP file.

 

DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 11.0.9600.17496  BrowserJavaVersion: 11.25.2
Run by Tooloose at 8:25:03 on 2014-12-17
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.4040.2659 [GMT -5:00]
.
AV: AVG AntiVirus Free Edition 2015 *Enabled/Updated* {0E9420C4-06B3-7FA0-3AB1-6E49CB52ECD9}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: AVG AntiVirus Free Edition 2015 *Enabled/Updated* {B5F5C120-2089-702E-0001-553BB0D5A664}
.
============== Running Processes ===============
.
c:\PROGRA~2\AVG\AVG2015\avgrsa.exe
C:\Program Files (x86)\AVG\AVG2015\avgcsrva.exe
C:\windows\system32\lsm.exe
C:\windows\system32\svchost.exe -k DcomLaunch
C:\windows\system32\svchost.exe -k RPCSS
C:\windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\windows\system32\svchost.exe -k LocalService
C:\windows\system32\svchost.exe -k netsvcs
C:\windows\system32\svchost.exe -k GPSvcGroup
C:\windows\system32\svchost.exe -k NetworkService
C:\windows\System32\spoolsv.exe
C:\windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Adobe\Elements 9 Organizer\PhotoshopElementsFileAgent.exe
C:\Program Files (x86)\AVG\AVG2015\avgidsagent.exe
C:\Program Files (x86)\AVG\AVG2015\avgwdsvc.exe
C:\windows\SysWOW64\nlssrv32.exe
C:\Program Files (x86)\Common Files\Protexis\License Service\PsiService_2.exe
C:\Program Files (x86)\Secunia\PSI\sua.exe
C:\Program Files (x86)\AVG\AVG2015\avgnsa.exe
C:\Program Files (x86)\AVG\AVG2015\avgemca.exe
C:\windows\system32\svchost.exe -k imgsvc
C:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted
C:\windows\system32\taskhost.exe
C:\windows\system32\taskeng.exe
C:\windows\system32\Dwm.exe
C:\windows\Explorer.EXE
C:\windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe
C:\Program Files (x86)\Lenovo\Energy Management\utility.exe
C:\Program Files (x86)\Corel\Corel PDF Fusion\CorelCreatorClient.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\windows\system32\CorelCreatorMessages.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
C:\Program Files (x86)\USB Camera\VM331_STI.EXE
C:\Program Files (x86)\Lenovo\YouCam\YCMMirage.exe
C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe
C:\Program Files (x86)\AVG\AVG2015\avgui.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\windows\SysWOW64\ctfmon.exe
C:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\windows\System32\svchost.exe -k LocalServicePeerNet
C:\windows\system32\wbem\wmiprvse.exe
C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
C:\windows\system32\sppsvc.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
C:\windows\system32\wbem\wmiprvse.exe
C:\windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxps://www.yahoo.com/
uDefault_Page_URL = hxxp://www.google.com/ig/redirectdomain?brand=LENN&bmod=LENN
mWinlogon: Userinit = userinit.exe,
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre1.8.0_25\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: WOT Helper: {C920E44A-7F78-4E64-BDD7-A57026E7FEB7} - C:\Program Files (x86)\WOT\WOT.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre1.8.0_25\bin\jp2ssv.dll
TB: WOT: {71576546-354D-41C9-AAE8-31F2EC22BF0D} - C:\Program Files (x86)\WOT\WOT.dll
TB: WOT: {71576546-354D-41c9-AAE8-31F2EC22BF0D} - C:\Program Files (x86)\WOT\WOT.dll
uRun: [AVG-Secure-Search-Update_1113a] C:\Users\Tooloose\AppData\Roaming\AVG 1113a Campaign\AVG-Secure-Search-Update-1113a.exe /PROMPT /mid=ac7b2ea80ff347d39ff00d47e79a2c57-bd418e937950f494102e8a1c0aeb7c7356617da7 /CMPID=1113a
mRun: [IAStorIcon] C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
mRun: [331BigDog] C:\Program Files (x86)\USB Camera\VM331_STI.EXE
mRun: [UpdateP2GShortCut] "C:\Program Files (x86)\Lenovo\Power2Go\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\Lenovo\Power2Go" UpdateWithCreateOnce "SOFTWARE\CyberLink\Power2Go\5.0"
mRun: [YouCam Mirage] "C:\Program Files (x86)\Lenovo\YouCam\YCMMirage.exe"
mRun: [YouCam Tray] "C:\Program Files (x86)\Lenovo\YouCam\YouCam.exe" /s
mRun: [VeriFaceManager] C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe
mRun: [UpdatePRCShortCut] "C:\Program Files\Lenovo\OneKey App\OneKey Recovery\MUITransfer\MUIStartMenu.exe" "C:\Program Files\Lenovo\OneKey App\OneKey Recovery" UpdateWithCreateOnce "Software\Lenovo\OneKey App\OneKey Recovery"
mRun: [AVG_UI] "C:\Program Files (x86)\AVG\AVG2015\avgui.exe" /TRAYONLY
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-Explorer: NoActiveDesktopChanges = dword:1
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: Google Sidewiki... - C:\Program Files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_43C348BC2E93EB2B.dll/cmsidewiki.html
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
TCP: NameServer = 75.75.76.76 75.75.75.75
TCP: Interfaces\{123005F8-45D0-4A99-AE49-7E86D0698DE8} : DHCPNameServer = 75.75.76.76 75.75.75.75
TCP: Interfaces\{67BBE457-CC09-4400-BA61-77E7D16A5F89} : DHCPNameServer = 75.75.76.76 75.75.75.75
TCP: Interfaces\{67BBE457-CC09-4400-BA61-77E7D16A5F89}\0554544535 : DHCPNameServer = 10.128.128.128
TCP: Interfaces\{67BBE457-CC09-4400-BA61-77E7D16A5F89}\245616E60216E64602C45616660233 : DHCPNameServer = 10.0.0.1
TCP: Interfaces\{67BBE457-CC09-4400-BA61-77E7D16A5F89}\245616E6026202455616027457563747 : DHCPNameServer = 192.168.2.1
TCP: Interfaces\{67BBE457-CC09-4400-BA61-77E7D16A5F89}\348616A7A716E6F60234F6666656560264275656 : DHCPNameServer = 192.168.0.1
TCP: Interfaces\{67BBE457-CC09-4400-BA61-77E7D16A5F89}\74F6F676C6560235471627265736B637 : DHCPNameServer = 8.8.8.8 8.8.4.4
TCP: Interfaces\{67BBE457-CC09-4400-BA61-77E7D16A5F89}\A4846444 : DHCPNameServer = 192.168.0.1
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
Handler: wot - {C2A44D6B-CB9F-4663-88A6-DF2F26E4D952} - C:\Program Files (x86)\WOT\WOT.dll
SSODL: WebCheck - <orphaned>
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "C:\Program Files (x86)\Google\Chrome\Application\39.0.2171.95\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
x64-BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.8.0_25\bin\ssv.dll
x64-BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
x64-BHO: WOT Helper: {C920E44A-7F78-4E64-BDD7-A57026E7FEB7} - C:\Program Files\WOT\WOT.dll
x64-BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre1.8.0_25\bin\jp2ssv.dll
x64-TB: WOT: {71576546-354D-41c9-AAE8-31F2EC22BF0D} - C:\Program Files\WOT\WOT.dll
x64-Run: [SynTPEnh] C:\Program Files (x86)\Synaptics\SynTP\SynTPEnh.exe
x64-Run: [Lenovo EE Boot Optimizer] C:\Program Files (x86)\Lenovo\Boot Optimizer\PopWnd.exe
x64-Run: [Energy Management] C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe
x64-Run: [EnergyUtility] C:\Program Files (x86)\Lenovo\Energy Management\Utility.exe
x64-Run: [AdobeAAMUpdater-1.0] "C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe"
x64-Run: [CorelCreatorClient] C:\Program Files (x86)\Corel\Corel PDF Fusion\CorelCreatorClient.exe
x64-Run: [IgfxTray] "C:\windows\System32\igfxtray.exe"
x64-Run: [HotKeysCmds] "C:\windows\System32\hkcmd.exe"
x64-Run: [Persistence] "C:\windows\System32\igfxpers.exe"
x64-Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - <orphaned>
x64-Handler: wot - {C2A44D6B-CB9F-4663-88A6-DF2F26E4D952} - C:\Program Files\WOT\WOT.dll
x64-Notify: igfxcui - igfxdev.dll
x64-SSODL: WebCheck - <orphaned>
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Tooloose\AppData\Roaming\Mozilla\Firefox\Profiles\fw9lk4ud.default\
FF - prefs.js: browser.search.selectedEngine - Startpage (SSL)
FF - prefs.js: browser.startup.homepage - www.yahoo.com
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.25.11\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Java\jre1.8.0_25\bin\dtplugin\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Java\jre1.8.0_25\bin\plugin2\npjp2.dll
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: C:\windows\SysWOW64\Macromed\Flash\NPSWF32_16_0_0_235.dll
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSHA;AVGIDSHA;C:\windows\System32\drivers\avgidsha.sys [2014-6-18 190744]
R0 Avgloga;AVG Logging Driver;C:\windows\System32\drivers\avgloga.sys [2014-7-18 313624]
R0 Avgmfx64;AVG Mini-Filter Resident Anti-Virus Shield;C:\windows\System32\drivers\avgmfx64.sys [2014-10-5 124184]
R0 Avgrkx64;AVG Anti-Rootkit Driver;C:\windows\System32\drivers\avgrkx64.sys [2014-6-18 31512]
R0 fbfmon;fbfmon;C:\windows\System32\drivers\fbfmon.sys [2012-2-13 57952]
R0 LHDmgr;LHDmgr;C:\windows\System32\drivers\LhdX64.sys [2012-2-13 39008]
R0 PxHlpa64;PxHlpa64;C:\windows\System32\drivers\PxHlpa64.sys [2014-3-12 55856]
R1 Avgdiska;AVG Disk Driver;C:\windows\System32\drivers\avgdiska.sys [2014-6-18 153368]
R1 AVGIDSDriver;AVGIDSDriver;C:\windows\System32\drivers\avgidsdrivera.sys [2014-10-29 263960]
R1 Avgldx64;AVG AVI Loader Driver;C:\windows\System32\drivers\avgldx64.sys [2014-8-28 243480]
R1 Avgtdia;AVG TDI Driver;C:\windows\System32\drivers\avgtdia.sys [2014-10-10 274200]
R1 BPntDrv;BPntDrv;C:\windows\System32\drivers\BPntDrv.sys [2012-2-13 13408]
R2 AdobeActiveFileMonitor9.0;Adobe Active File Monitor V9;C:\Program Files (x86)\Adobe\Elements 9 Organizer\PhotoshopElementsFileAgent.exe [2010-9-6 169408]
R2 AVGIDSAgent;AVGIDSAgent;C:\Program Files (x86)\AVG\AVG2015\avgidsagent.exe [2014-11-9 3488784]
R2 avgwd;AVG WatchDog;C:\Program Files (x86)\AVG\AVG2015\avgwdsvc.exe [2014-11-9 298080]
R2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2012-2-13 13336]
R2 nlsX86cc;Nalpeiron Licensing Service;C:\Windows\SysWOW64\nlssrv32.exe [2014-5-6 70768]
R2 Secunia Update Agent;Secunia Update Agent;C:\Program Files (x86)\Secunia\PSI\sua.exe [2013-12-6 662232]
R2 UNS;Intel® Management and Security Application User Notification Service;C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2012-2-13 2656280]
R3 ACPIVPC;Lenovo Virtual Power Controller Driver;C:\windows\System32\drivers\AcpiVpc.sys [2010-10-25 29792]
R3 clwvd;CyberLink WebCam Virtual Driver;C:\windows\System32\drivers\clwvd.sys [2011-1-28 31088]
R3 CorelCreatorMessages;CorelCreatorMessages;C:\windows\System32\CorelCreatorMessages.exe [2011-8-24 105984]
R3 IntcDAud;Intel® Display Audio;C:\windows\System32\drivers\IntcDAud.sys [2012-2-13 317440]
R3 L1C;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;C:\windows\System32\drivers\L1C62x64.sys [2012-2-13 76912]
R3 vm331avs;Digital Camera 1;C:\windows\System32\drivers\vm331avs.sys [2012-2-13 250752]
R3 vmuvcflt;Vimicro USB Camera Filter;C:\windows\System32\drivers\vmuvcflt.sys [2012-2-13 8320]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2013-9-11 105144]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2013-9-11 124088]
S3 IEEtwCollectorService;Internet Explorer ETW Collector Service;C:\windows\System32\ieetwcollector.exe [2014-12-10 114688]
S3 PSI;PSI;C:\windows\System32\drivers\psi_mf_amd64.sys [2013-12-6 18456]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\windows\System32\drivers\rdpvideominiport.sys [2013-5-30 19456]
S3 RSUSBVSTOR;RtsUVStor.Sys Realtek USB Card Reader;C:\windows\System32\drivers\rtsuvstor.sys [2012-2-13 299520]
S3 RTL8167;Realtek 8167 NT Driver;C:\windows\System32\drivers\Rt64win7.sys [2009-6-10 187392]
S3 Secunia PSI Agent;Secunia PSI Agent;C:\Program Files (x86)\Secunia\PSI\psia.exe [2013-12-6 1229528]
S3 TsUsbFlt;TsUsbFlt;C:\windows\System32\drivers\TsUsbFlt.sys [2014-4-23 56832]
S3 TsUsbGD;Remote Desktop Generic USB Device;C:\windows\System32\drivers\TsUsbGD.sys [2013-5-30 30208]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\windows\System32\Wat\WatAdminSvc.exe [2012-3-25 1255736]
S3 wsvd;wsvd;C:\windows\System32\drivers\wsvd.sys [2009-7-21 121840]
S4 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\PROGRA~2\mcafee\SITEAD~1\mcsacore.exe --> c:\PROGRA~2\mcafee\SITEAD~1\mcsacore.exe [?]
S4 wlcrasvc;Windows Live Mesh remote connections service;C:\Program Files\Windows Live\Mesh\wlcrasvc.exe [2010-9-22 57184]
.
=============== Created Last 30 ================
.
2014-12-11 00:54:32    24576    ----a-w-    C:\windows\System32\mfpmp.exe
2014-12-11 00:54:32    2048    ----a-w-    C:\windows\SysWow64\mferror.dll
2014-12-11 00:54:32    2048    ----a-w-    C:\windows\System32\mferror.dll
2014-12-11 00:54:31    55808    ----a-w-    C:\windows\System32\rrinstaller.exe
2014-12-11 00:54:31    50176    ----a-w-    C:\windows\SysWow64\rrinstaller.exe
2014-12-11 00:54:31    4121600    ----a-w-    C:\windows\System32\mf.dll
2014-12-11 00:54:31    3209728    ----a-w-    C:\windows\SysWow64\mf.dll
2014-12-11 00:54:31    23040    ----a-w-    C:\windows\SysWow64\mfpmp.exe
2014-12-11 00:54:31    206848    ----a-w-    C:\windows\System32\mfps.dll
2014-12-11 00:54:31    103424    ----a-w-    C:\windows\SysWow64\mfps.dll
2014-12-10 12:45:40    --------    d-----w-    C:\Program Files\WOT
2014-12-10 12:45:40    --------    d-----w-    C:\Program Files (x86)\WOT
2014-12-02 02:02:28    --------    d-----w-    C:\Users\Tooloose\AppData\Roaming\OpenOffice
2014-12-02 02:00:49    --------    d-----w-    C:\Program Files (x86)\OpenOffice 4
2014-11-30 22:13:52    159744    ----a-w-    C:\Program Files\Internet Explorer\PLUGINS\npqtplugin5.dll
2014-11-30 22:13:52    159744    ----a-w-    C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
2014-11-30 22:13:52    159744    ----a-w-    C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
2014-11-30 22:13:52    159744    ----a-w-    C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
2014-11-30 22:13:52    159744    ----a-w-    C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
2014-11-30 22:03:45    --------    d-----w-    C:\Users\Tooloose\AppData\Local\Secunia PSI
2014-11-30 22:03:38    --------    d-----w-    C:\Program Files (x86)\Secunia
2014-11-29 13:51:16    111016    ----a-w-    C:\windows\System32\WindowsAccessBridge-64.dll
2014-11-27 23:22:37    --------    d-sh--w-    C:\Users\Tooloose\AppData\Local\EmieBrowserModeList
2014-11-27 21:13:13    --------    d-----w-    C:\ProgramData\Sophos
2014-11-27 20:58:26    --------    d-----w-    C:\windows\ERUNT
2014-11-19 19:31:56    728064    ----a-w-    C:\windows\System32\kerberos.dll
2014-11-19 19:31:56    550912    ----a-w-    C:\windows\SysWow64\kerberos.dll
2014-11-19 19:31:56    241152    ----a-w-    C:\windows\System32\pku2u.dll
2014-11-19 19:31:56    186880    ----a-w-    C:\windows\SysWow64\pku2u.dll
.
==================== Find3M  ====================
.
2014-12-17 12:54:09    129752    ----a-w-    C:\windows\System32\drivers\MBAMSwissArmy.sys
2014-12-13 09:57:47    71344    ----a-w-    C:\windows\SysWow64\FlashPlayerCPLApp.cpl
2014-12-13 09:57:47    701616    ----a-w-    C:\windows\SysWow64\FlashPlayerApp.exe
2014-11-29 13:49:38    98216    ----a-w-    C:\windows\SysWow64\WindowsAccessBridge-32.dll
2014-11-22 03:06:23    2724864    ----a-w-    C:\windows\System32\mshtml.tlb
2014-11-22 03:06:11    4096    ----a-w-    C:\windows\System32\ieetwcollectorres.dll
2014-11-22 02:50:39    66560    ----a-w-    C:\windows\System32\iesetup.dll
2014-11-22 02:50:10    580096    ----a-w-    C:\windows\System32\vbscript.dll
2014-11-22 02:49:54    48640    ----a-w-    C:\windows\System32\ieetwproxystub.dll
2014-11-22 02:48:20    88064    ----a-w-    C:\windows\System32\MshtmlDac.dll
2014-11-22 02:35:43    144384    ----a-w-    C:\windows\System32\ieUnatt.exe
2014-11-22 02:35:29    114688    ----a-w-    C:\windows\System32\ieetwcollector.exe
2014-11-22 02:34:51    814080    ----a-w-    C:\windows\System32\jscript9diag.dll
2014-11-22 02:34:07    6039552    ----a-w-    C:\windows\System32\jscript9.dll
2014-11-22 02:26:31    968704    ----a-w-    C:\windows\System32\MsSpellCheckingFacility.exe
2014-11-22 02:20:44    2724864    ----a-w-    C:\windows\SysWow64\mshtml.tlb
2014-11-22 02:14:16    77824    ----a-w-    C:\windows\System32\JavaScriptCollectionAgent.dll
2014-11-22 02:07:43    501248    ----a-w-    C:\windows\SysWow64\vbscript.dll
2014-11-22 02:07:17    62464    ----a-w-    C:\windows\SysWow64\iesetup.dll
2014-11-22 02:06:32    47616    ----a-w-    C:\windows\SysWow64\ieetwproxystub.dll
2014-11-22 02:05:02    64000    ----a-w-    C:\windows\SysWow64\MshtmlDac.dll
2014-11-22 01:55:16    115712    ----a-w-    C:\windows\SysWow64\ieUnatt.exe
2014-11-22 01:54:30    620032    ----a-w-    C:\windows\SysWow64\jscript9diag.dll
2014-11-22 01:47:10    1359360    ----a-w-    C:\windows\System32\mshtmlmedia.dll
2014-11-22 01:46:58    2125312    ----a-w-    C:\windows\System32\inetcpl.cpl
2014-11-22 01:40:04    60416    ----a-w-    C:\windows\SysWow64\JavaScriptCollectionAgent.dll
2014-11-22 01:29:26    4299264    ----a-w-    C:\windows\SysWow64\jscript9.dll
2014-11-22 01:28:21    2358272    ----a-w-    C:\windows\System32\wininet.dll
2014-11-22 01:22:49    2052096    ----a-w-    C:\windows\SysWow64\inetcpl.cpl
2014-11-22 01:21:57    1155072    ----a-w-    C:\windows\SysWow64\mshtmlmedia.dll
2014-11-22 01:00:20    1888256    ----a-w-    C:\windows\SysWow64\wininet.dll
2014-11-21 11:14:22    63704    ----a-w-    C:\windows\System32\drivers\mwac.sys
2014-11-21 11:14:12    93400    ----a-w-    C:\windows\System32\drivers\mbamchameleon.sys
2014-11-21 11:14:08    25816    ----a-w-    C:\windows\System32\drivers\mbam.sys
2014-11-11 03:09:06    1424384    ----a-w-    C:\windows\System32\WindowsCodecs.dll
2014-11-11 02:44:45    1230336    ----a-w-    C:\windows\SysWow64\WindowsCodecs.dll
2014-11-11 01:46:26    119296    ----a-w-    C:\windows\System32\drivers\tdx.sys
2014-11-08 03:16:08    2048    ----a-w-    C:\windows\System32\tzres.dll
2014-11-08 02:45:09    2048    ----a-w-    C:\windows\SysWow64\tzres.dll
2014-10-30 02:35:16    263960    ----a-w-    C:\windows\System32\drivers\avgidsdrivera.sys
2014-10-30 02:03:43    165888    ----a-w-    C:\windows\System32\charmap.exe
2014-10-30 01:45:43    155136    ----a-w-    C:\windows\SysWow64\charmap.exe
2014-10-25 01:57:59    77824    ----a-w-    C:\windows\System32\packager.dll
2014-10-25 01:32:37    67584    ----a-w-    C:\windows\SysWow64\packager.dll
2014-10-18 02:05:23    861696    ----a-w-    C:\windows\System32\oleaut32.dll
2014-10-18 01:33:18    571904    ----a-w-    C:\windows\SysWow64\oleaut32.dll
2014-10-14 02:16:37    155064    ----a-w-    C:\windows\System32\drivers\ksecpkg.sys
2014-10-14 02:13:06    683520    ----a-w-    C:\windows\System32\termsrv.dll
2014-10-14 02:13:00    3241984    ----a-w-    C:\windows\System32\msi.dll
2014-10-14 02:12:57    1460736    ----a-w-    C:\windows\System32\lsasrv.dll
2014-10-14 02:09:31    146432    ----a-w-    C:\windows\System32\msaudite.dll
2014-10-14 02:07:31    681984    ----a-w-    C:\windows\System32\adtschema.dll
2014-10-14 01:50:47    22016    ----a-w-    C:\windows\SysWow64\secur32.dll
2014-10-14 01:50:41    2363904    ----a-w-    C:\windows\SysWow64\msi.dll
2014-10-14 01:49:38    96768    ----a-w-    C:\windows\SysWow64\sspicli.dll
2014-10-14 01:47:30    146432    ----a-w-    C:\windows\SysWow64\msaudite.dll
2014-10-14 01:46:02    681984    ----a-w-    C:\windows\SysWow64\adtschema.dll
2014-10-10 20:14:32    274200    ----a-w-    C:\windows\System32\drivers\avgtdia.sys
2014-10-10 00:57:42    3198976    ----a-w-    C:\windows\System32\win32k.sys
2014-10-06 02:41:40    124184    ----a-w-    C:\windows\System32\drivers\avgmfx64.sys
2014-10-03 02:12:23    310272    ----a-w-    C:\windows\System32\WsmWmiPl.dll
2014-10-03 02:12:23    2020352    ----a-w-    C:\windows\System32\WsmSvc.dll
2014-10-03 02:12:22    346624    ----a-w-    C:\windows\System32\WSManMigrationPlugin.dll
2014-10-03 02:12:22    181248    ----a-w-    C:\windows\System32\WsmAuto.dll
2014-10-03 02:12:00    500224    ----a-w-    C:\windows\System32\AUDIOKSE.dll
2014-10-03 02:11:54    284672    ----a-w-    C:\windows\System32\EncDump.dll
2014-10-03 02:11:51    680960    ----a-w-    C:\windows\System32\audiosrv.dll
2014-10-03 02:11:51    440832    ----a-w-    C:\windows\System32\AudioEng.dll
2014-10-03 02:11:51    296448    ----a-w-    C:\windows\System32\AudioSes.dll
2014-10-03 02:11:49    266240    ----a-w-    C:\windows\System32\WSManHTTPConfig.exe
2014-10-03 01:45:03    248832    ----a-w-    C:\windows\SysWow64\WSManMigrationPlugin.dll
2014-10-03 01:45:03    214016    ----a-w-    C:\windows\SysWow64\WsmWmiPl.dll
2014-10-03 01:45:03    145920    ----a-w-    C:\windows\SysWow64\WsmAuto.dll
2014-10-03 01:45:03    1177088    ----a-w-    C:\windows\SysWow64\WsmSvc.dll
2014-10-03 01:44:42    442880    ----a-w-    C:\windows\SysWow64\AUDIOKSE.dll
2014-10-03 01:44:26    374784    ----a-w-    C:\windows\SysWow64\AudioEng.dll
2014-10-03 01:44:26    195584    ----a-w-    C:\windows\SysWow64\AudioSes.dll
2014-10-03 01:44:25    198656    ----a-w-    C:\windows\SysWow64\WSManHTTPConfig.exe
2014-10-02 19:23:20    94208    ----a-w-    C:\windows\SysWow64\QuickTimeVR.qtx
2014-10-02 19:23:20    69632    ----a-w-    C:\windows\SysWow64\QuickTime.qts
2014-09-25 02:08:38    371712    ----a-w-    C:\windows\System32\qdvd.dll
2014-09-25 01:40:50    519680    ----a-w-    C:\windows\SysWow64\qdvd.dll
2014-09-19 09:42:52    210944    ----a-w-    C:\windows\System32\wdigest.dll
2014-09-19 09:42:51    86528    ----a-w-    C:\windows\System32\TSpkg.dll
2014-09-19 09:42:49    342016    ----a-w-    C:\windows\System32\schannel.dll
2014-09-19 09:42:47    314880    ----a-w-    C:\windows\System32\msv1_0.dll
2014-09-19 09:42:47    309760    ----a-w-    C:\windows\System32\ncrypt.dll
2014-09-19 09:42:41    22016    ----a-w-    C:\windows\System32\credssp.dll
2014-09-19 09:23:55    172032    ----a-w-    C:\windows\SysWow64\wdigest.dll
2014-09-19 09:23:52    65536    ----a-w-    C:\windows\SysWow64\TSpkg.dll
2014-09-19 09:23:49    248832    ----a-w-    C:\windows\SysWow64\schannel.dll
2014-09-19 09:23:46    221184    ----a-w-    C:\windows\SysWow64\ncrypt.dll
2014-09-19 09:23:45    259584    ----a-w-    C:\windows\SysWow64\msv1_0.dll
2014-09-19 09:23:36    17408    ----a-w-    C:\windows\SysWow64\credssp.dll
.
============= FINISH:  8:27:12.23 ===============
 

 



#3 nasdaq

nasdaq

  • Malware Response Team
  • 38,223 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:01:02 AM

Posted 21 December 2014 - 09:25 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the Report button and the report will open in Notepad.
IMPORTANT
  • If you click the Clean button all items listed in the report will be removed.
If you find some false positive items or programs that you wish to keep, Close the AdwCleaner windows.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Check off the element(s) you wish to keep.
  • Click on the Clean button follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleaner[Sn].txt (n is a number).
===

Download the version of this tool for your operating system.
Farbar Recovery Scan Tool (64 bit)
Farbar Recovery Scan Tool (32 bit)
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.
===

Please paste the logs in your next reply DO NOT ATTACH THEM unless specified.
To attach a file select the "More Reply Option" and follow the instructions.

Wait for further instructions.

p.s. If still getting redirected execute this.

Click the StartBtn.gif button. In the Search box, type Command Prompt, and then, in the list of results, double-click Command Prompt.

at the cursor type:
ipconfig /flushdns <-- (A space between g and / is needed)

ipconfig /release

repeat with
ipconfig /renew

Then hit Enter, type Exit, hit the Enter key.

You may need to run CMD - Command Prompt on Vista - Windows 7/8 with Elevated Privilege
http://www.bleepingcomputer.com/tutorials/windows-elevated-command-prompt/
<<<>>>

Reset the browsers that have been compromised.

Reset Chrome...
Click on "Customize and control Google Chrome":
 
p22003758.gif
 
Click "Settings" then "Show advanced settings" at the bottom of the screen.
 
Click "Reset browser settings" button.
 
Restart Chrome.
====

Firefox:
Reset Default Browsing settings:
https://support.mozilla.org/en-US/kb/reset-firefox-easily-fix-problems?utm_expid=65912487-41.djHNRQY0RhaLvvtvcd0BQA.2&utm_referrer=https%3A%2F%2Fwww.google.ca%2F
===

Reset Internet Explorer:
Menu > Tools > Internet Options > Advanced Tab.
Click the Reset button on the bottom of the pane.
Click the Apply button.
Close IE.

===

#4 LittleGreenDots

LittleGreenDots
  • Topic Starter

  • Members
  • 401 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Metro Detroit Area
  • Local time:01:02 AM

Posted 25 December 2014 - 08:35 AM

I was gone a few days.  I will start these procedures today.  As a note, I've been seeing msg boxes pop up and disappear before I have a chance to read them.

 

Thanks.  I just want you to know I'm on it now.



#5 LittleGreenDots

LittleGreenDots
  • Topic Starter

  • Members
  • 401 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Metro Detroit Area
  • Local time:01:02 AM

Posted 25 December 2014 - 03:56 PM

I noticed some odd behavior with my computer today, like as I mentioned, msg boxes popped up a few times and disappeared before I had a chance to read them and just now it has become completely unstable.  When I opened a file which had your instructions, most of the text was garbled.  And when I clicked on an internet link, instead of opening the page, it opened a TAB and I couldn't get a page open. 

 

Can I download those programs you told me to run onto a thumb drive and run them from it in safe mode?  What do I do? 

 

==========================================

 

UPDATE:

 

Hi.  My system is totally whacky now.  I had to spend the day backing up data.  As I mentioned, this morning while looking at Administrative Tools > DataView > Windows Log > Event (as I recall) the program screen froze and I closed and reopened it (the EventView program.)  While I was poking around, two msg boxes popped up asking me something or other but then disappeared before I could read them.  

I did a scan on my computer before reading your post and Malware Bytes found two PUPs, both related to that malware I picked up from SourceForge, Vosteran hijack.  I haven't had any problems with it but I noticed that it won't show up on a scan and then a scan or two later, Malwarebytes finds two.  One was linked to Chrome and the other to some WOW file.  I don't use Chrome but that is the browser that was affected by Vosteran.  

As I said, I was backing up files all afternoon.  Just as I finished, Windows started freaking out.  It started when I opened Firefox and clicked on an image and instead of opening the image, it opened a new tab.  I was unable to open the image at all.  Then I went back into Administrative tools to see if there were any error msgs and when I clicked on a listing, it stuck and opened two or three at a time.  I don't know if this is important but I did find one in the Windows System log that read:  "Event 133.  Device/Device/CdRom() is locked for exclusive use."  When I looked at your post, I was curious was Farbar was and found some information that it is used to randsom hard drive problems.  Do you think that is what is going on here?

Anyway, I couldn't even search a term online so I shut down and won't touch the computer until I hear from you.

I do NOT have recovery disks.  It's a Lenovo laptop and I did register it with Lenovo.  Perhaps for a fee they will send me a disk?

I need to know if my backup DVDs and flash drives are safe?  How do I make sure I didn't load any malware on theM?  I checked the DVDs by scanning them with MalwareBytes and it found nothing.  (I have auto-play turned off.)  I have three falsh drives with back-up data.  How do I check them?  I don't want to reinfect myself when I finally get the computer running again.  I have a lot of important files that I need.

Please advise.

PS - You might want to tell the technician who helped me the first time that when s/he told me my computer was clean...it wasn't.


Edited by LittleGreenDots, 25 December 2014 - 07:24 PM.


#6 nasdaq

nasdaq

  • Malware Response Team
  • 38,223 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:01:02 AM

Posted 26 December 2014 - 07:44 AM

Can I download those programs you told me to run onto a thumb drive and run them from it in safe mode? What do I do?


Yes do that and copy the files to the Desktop of the problem computer and run them from there.

Include this additional tool.

--RogueKiller--
  • Download & SAVE to your Desktop For 32bit system or For 64bit system
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or Windows 7, right-click and select "Run as Administrator to start"
  • For Windows XP, double-click to start.
  • Wait until Prescan has finished ...
  • Then Click on "Scan" button
  • Wait until the Status box shows "Scan Finished"
  • click on "delete"
  • Wait until the Status box shows "Deleting Finished"
  • Click on "Report" and copy/paste the content of the Notepad into your next reply.
  • The log should be found in RKreport[1].txt on your Desktop
  • Exit/Close RogueKiller+
=======

#7 LittleGreenDots

LittleGreenDots
  • Topic Starter

  • Members
  • 401 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Metro Detroit Area
  • Local time:01:02 AM

Posted 26 December 2014 - 12:11 PM

I need to go out and buy a new thumb drive because important data is stored on the ones I own. 

 

I need to know about how I can check to make sure this infection didn't leave me any surprises on the thumb drives and DVDs I made yesterday.  I have important material on them that I need to access ASAP.

 

Thanks.



#8 nasdaq

nasdaq

  • Malware Response Team
  • 38,223 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:01:02 AM

Posted 26 December 2014 - 01:41 PM

Can you not scan them with the AVG AntiVirus

#9 LittleGreenDots

LittleGreenDots
  • Topic Starter

  • Members
  • 401 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Metro Detroit Area
  • Local time:01:02 AM

Posted 27 December 2014 - 10:58 PM

Windows is completely unstable.  When I click on an internet link, I can only access the first level.  When I click on a link on that page, it opens up a TAB and I can' use any links on the tab.  When I select files from a list, it selects more than the one that I click on. Its a real mess.  Now I'm having some issues with the temp computer I'm now using.  Is there any possibility that who or whatever locked onto my first computer somehow gained access to the network I'm on?  I have Comcast Wi-Fi.  I'm having strange issues, with disappearing icons from my tray that I can't get back, yesterday when I powered down, I got a msg saying a program was still running and did I want to force it to shut down (but I couldn't hit the cancel button fast enough to investigate) and I'm having trouble activating a trial version of BitDefenders AV.  It says that I am protected but just now on a boot up I got a msg box about allowing it to activate.  That's the first time that happened.  I'm really screwed cuz I need to get some work done and I need to buy something online but am afraid to use a credit card or check my online banking.



#10 nasdaq

nasdaq

  • Malware Response Team
  • 38,223 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:01:02 AM

Posted 28 December 2014 - 08:09 AM

Have you tried to download the --RogueKiller-- and run the tool?

#11 LittleGreenDots

LittleGreenDots
  • Topic Starter

  • Members
  • 401 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Metro Detroit Area
  • Local time:01:02 AM

Posted 28 December 2014 - 05:36 PM

No, I haven't.  I've been having a lot of trouble securing the computer I'm now using.  I think my wi-fi was compromised.  I contacted Comcast and they told me to reset my network password and download their Nortons.  I'm not a fan of Nortons but I'm not having any luck with BitDefender.  I downloaded the free version, tried to register it and never did get a confirmation and I was unable to scan my computer.  I have to have a working and trusted computer as I have some critical work to complete.  I'll have to put this infected computer on hold for a few days.  I will try RogueKill and tell you what happens, if I can even get it running.  I'm posting a LONG list of stopped services I found on Services via MSCONFIG in Windows 7.  Not being a techie, some of them look like they should be running, so hopefully someone who knows this will tell me if there are any critical services I need to turn on.  Also, I'm havinhaing quite a time of some icons not showing in my tray (Network and Volume.)  This morning the network was showing that Windows Blue Busy spinner and it was continuous.  It stopped after I changed the password and installed Nortons.



#12 nasdaq

nasdaq

  • Malware Response Team
  • 38,223 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:01:02 AM

Posted 29 December 2014 - 08:22 AM

Please Download Tweaking.com - Windows Repair from Here
  • Install and then run the program
  • Click Next at the Welcome Screen, Click Next on Step 1 Screen
  • Click Next on Step 2 Screen, Click Do it on Step 3 Screen, After is has completed click Next
  • On Step 4 Under System Restore Click Create, Then under registry back-up Click Backup When you have completed this click Next
  • Click on Repairs
  • Click Open repairs - Icon in the bottom right corner
  • Click the Unselect All button then select just the item(s) below

  • 01 - Repair Registry Permissions
    02 - Reset File Permissions (2)
    03 - Reset Service permissions
    04 - Register System Files
    05 - Repair WMI
    10 - Remove Policies Set By Infections
    13 - Repair Winsock & DNS Cache
    14 - Removed Temp Files
    15 - Repair Proxy Settings
    17 - Repair Windows Updates
    21 - Repair MSI (Windows Installer)
    24 - Repair Windows Safe Mode
    25 - Repair Print Spooler
    26 - Restore Important Windows Services
    27 - Set Windows Service to Default Startup
    
  • Click the Start button and let the process run to completion. Copy any error messages into Notepad, Save it on your Desktop. ( Reboot if asked to do so)
  • Please copy and paste the Contents of this file on your next reply.

  • ===

    How is it now?


#13 LittleGreenDots

LittleGreenDots
  • Topic Starter

  • Members
  • 401 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Metro Detroit Area
  • Local time:01:02 AM

Posted 30 December 2014 - 03:55 AM

I will have to do this over the weekend.  Please be patient.  I am doing primary care for an elderly person and don't have so much time.  I do need to get my computer up and running again.  And now I'm having strange behavior on my next computer, even though we reset my network password. 

 

Unless I am being overy suspicious, I'm guessing that whoever hacked my first computer got into my network and planted a backdoor on this second computer?  I just found a url link on my browser bar that I did not add,, and I was able to track it down to a page with PHP code for Flickr.  It's from this page:

 

http://svn.symfony-project.com

 

Here is the link location from that suspicious icon:

 

https://www.flickr.com/logout.gne?magic_cookie=4f7af1b300d0cf4a6346c3a95bd0c119787c373cfb66693f7de4f9adc2da008a

 

 

I see code that looks like it acquires user names.  I also saw words like "stack overflow" in this code and am guessing that someone is into this computer.  I posted a thread about the purpose of this code here: 

 

http://www.bleepingcomputer.com/forums/t/561462/what-does-this-php-plugin-do/

 

To summarize my situation:

 

Computer #1 was hacked.  Windows is unstable.  It is turned off and I haven't had time to run the programs BC listed.  I will do so because I need the data on that computer.  I did manage to copy it before it went unstable, on DVD and a few thumb drives, but I do not know if I copied malicious crap along with my files.  The data is very important to me and my work.  I don't know how to proceed, checking them, especially since the computer I am now using might be infected as well.  I have not run any of the programs suggested yet.  When I start in, where do I start?  Various programs mentioned I run include some ad cleaners, RogueKill, and a Windows repair. (I need to find ot first if I can even do anything on that computer as Windows was very unstable when I turned it off. Perhaps that is my first step...to see if I can run programs.  Should I try starting it up in Safe Mode?  Would that make a difference?)

 

I contacted Comcast on Sunday and they reset my network password and I installed their version of Nortons and have it running now.

 

Computer #2 is now showing signs of suspicious behavior.  I'm guessing (not being a technie at all) that someone hacked into my wifi and no matter what I do, can gain access to any computer I put online...is that true?  If there is a backdoor on this computer, can it be detected and closed?

 

I do have recovery disks for computer #2 but not computer #1.

 

Time is tight for me and I will begin running all the programs BP has indicated I run.

 

Thank you for your patience.


Edited by LittleGreenDots, 30 December 2014 - 05:02 AM.


#14 LittleGreenDots

LittleGreenDots
  • Topic Starter

  • Members
  • 401 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Metro Detroit Area
  • Local time:01:02 AM

Posted 30 December 2014 - 05:21 AM

I realize my situation is getting confusing here since I have two machines involved.  I hope this summary clears things up.

 

Computer #1 is what this thread is about.  The programs you have suggested I run are:

 

AdwCleaner
Farbar Recovery
RogueKiller
Tweaking Windows Repair

 

After Windows became unstable, and before I ran any of these, I turned it off and have not booted it since.  Which program should I run first when I try booting up? 

 

You may not know that I am possibly having problems with a second computer.  I got it online when computer #1 went south.  I was looking at the services and noticed that quite a few were disabled.  I don't fuss with these things but it seemed like some of them might be important programs to have running.  So I posted the list of them in a new thread here:

 

http://www.bleepingcomputer.com/forums/t/561294/ms-services-stopped-are-some-critical/

 

Someone else picked up on that and suggested I run MalwareBytes (I did and it was clean) and Eset (haven't done yet due to time constraints.)  And since posting that I noticed a new icon on my Firefox browser bookmark bar.  That was noted here:

 

http://www.bleepingcomputer.com/forums/t/561462/what-does-this-php-plugin-do/

 

I hope this clarifies things.



#15 nasdaq

nasdaq

  • Malware Response Team
  • 38,223 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:01:02 AM

Posted 30 December 2014 - 11:05 AM

Will deal with this topic as computer one only.

Run all the tools and fixes that I previously suggested.

Post all the logs you can.

Use two or more post if you need too.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users